1.1.7.2.2 Using WS-Security Policy Files
SALT includes a number of WS-Security Policy 1.0 and 1.2 files that you can use for message-level security use cases. Once SALT has been installed successfully, the WS-Policy files are located at $TUXDIR/udataobj/salt/policy.
Table 1-10 WS-Security Policy Files Provided By SALT

File Name | Purpose |
---|---|
wssp1.0-username-auth.xml | WS-Security Policy 1.0. Plain Text Username Token for Service Authentication |
wssp1.0-x509v3-auth.xml | WS-Security Policy 1.0. X.509 V3 Certificate Token for Service Authentication |
wssp1.0-signbody.xml | WS-Security Policy 1.0. Signature on SOAP:Body for verification of X.509 Certificate Token |
wssp1.2-Wss1.0-UsernameToken-plain-auth.xml | WS-Security Policy 1.2. Plain Text Username Token for Service Authentication |
wssp1.2-Wss1.1-X509V3-auth.xml | WS-Security Policy 1.2. X.509 V3 Certificate Token for Service Authentication |
wssp1.2-signbody.xml | WS-Security Policy 1.2. Signature on SOAP:Body for verification of X.509 Certificate Token |
The above policy files (with the exception of the WS-Security Policy 1.2 UsernameToken file) can be referenced using the <Servicegroup> or <Service> elements in the native WSDF file. The WSSP 1.2 UsernameToken file can only be referenced using <Servicegroup>.

The following is an example of a policy assignment specifying that the service "TOUPPER" requires the client to send a UsernameToken (in plain text format) and an X509v3Token in the request, and also requires the SOAP:Body part of the message to be signed with the X.509 token. The sample "wsseapp" shows how to clip the WSSP 1.2 UsernameToken file so that it can be used in the <Service> element.
Example 1-22 WS-Security Policy Usage

<Definition ...>
  <WSBinding id="simpapp_binding">
    <Servicegroup id="simpapp">
      <Policy location="salt:wssp1.2-Wss1.1-X509V3-auth.xml"/>
      <Service name="TOUPPER">
        <Policy location="D:/wsseapp/wssp1.2-UsernameToken-Plain.xml"/>
        <Policy location="salt:wssp1.2-signbody.xml" use="input"/>
      </Service>
    </Servicegroup>
    ....
  </WSBinding>
  ......
</Definition>
A policy is referenced using the "location" attribute of the <Policy> element. The prefix "salt:" means that a SALT default bundled policy file is used. A user-defined policy file can be used by directly specifying its file path.
Note: If a policy is referenced at the <Servicegroup> level, it applies to all services in that service group.

The "signbody" policy must be used with the attribute "use" set to "input", which specifies that the policy applies only to the input message. This is necessary because the SOAP:Body of the output message is not signed.
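The two rules above (a <Servicegroup> policy is inherited by every <Service> in the group, and a signbody policy is only valid with use="input") are easy to get wrong when a WSDF file grows. The following is an added configuration check, not part of SALT or the wsseapp sample: it parses a WSDF fragment, resolves "salt:" locations against $TUXDIR/udataobj/salt/policy, lists the effective policies per service, and flags any service whose signbody policy is not restricted to the input message. The embedded WSDF is constructed for the example: it is modelled on Example 1-22 with the elided "..." parts dropped, the Definition namespace omitted, and a second service "TOLOWER" added that carries the misconfiguration the Note warns about.

```python
import xml.etree.ElementTree as ET

# Constructed WSDF fragment (not from the SALT distribution). TOLOWER is an
# assumed extra service whose signbody policy lacks use="input".
SAMPLE_WSDF = """<Definition>
  <WSBinding id="simpapp_binding">
    <Servicegroup id="simpapp">
      <Policy location="salt:wssp1.2-Wss1.1-X509V3-auth.xml"/>
      <Service name="TOUPPER">
        <Policy location="D:/wsseapp/wssp1.2-UsernameToken-Plain.xml"/>
        <Policy location="salt:wssp1.2-signbody.xml" use="input"/>
      </Service>
      <Service name="TOLOWER">
        <Policy location="salt:wssp1.2-signbody.xml"/>
      </Service>
    </Servicegroup>
  </WSBinding>
</Definition>"""

SALT_PREFIX = "salt:"


def resolve_location(location, tuxdir):
    """Map a Policy 'location' to a file path.

    A 'salt:' prefix selects one of the bundled files under
    $TUXDIR/udataobj/salt/policy; anything else is taken as a user-supplied path.
    """
    if location.startswith(SALT_PREFIX):
        return f"{tuxdir}/udataobj/salt/policy/{location[len(SALT_PREFIX):]}"
    return location


def effective_policies(wsdf_xml, tuxdir="$TUXDIR"):
    """Return {service_name: [(resolved_path, use_attr_or_None), ...]}.

    Policies declared directly under <Servicegroup> are inherited by every
    <Service> in that group and listed before the service's own policies.
    """
    root = ET.fromstring(wsdf_xml)
    result = {}
    for group in root.iter("Servicegroup"):
        inherited = [
            (resolve_location(p.get("location"), tuxdir), p.get("use"))
            for p in group.findall("Policy")
        ]
        for svc in group.findall("Service"):
            own = [
                (resolve_location(p.get("location"), tuxdir), p.get("use"))
                for p in svc.findall("Policy")
            ]
            result[svc.get("name")] = inherited + own
    return result


def find_signbody_misuse(wsdf_xml):
    """Names of services with a signbody policy whose 'use' is not "input".

    The output SOAP:Body is never signed, so such a policy would demand a
    signature on the response that cannot be produced.
    """
    offenders = set()
    for svc, policies in effective_policies(wsdf_xml).items():
        for path, use in policies:
            filename = path.rsplit("/", 1)[-1]
            if filename.endswith("-signbody.xml") and use != "input":
                offenders.add(svc)
    return sorted(offenders)


if __name__ == "__main__":
    for svc, policies in effective_policies(SAMPLE_WSDF).items():
        print(svc)
        for path, use in policies:
            print(f"  {path}  use={use}")
    print("signbody without use=input:", find_signbody_misuse(SAMPLE_WSDF))
```

Running the script against the constructed fragment shows TOUPPER inheriting the X509V3 policy from its service group alongside its two service-level policies, and reports TOLOWER as the only service whose signbody policy is missing use="input". Pointing it at a real WSDF file is a matter of reading that file into `effective_policies` and passing the actual value of $TUXDIR.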