1. Developing Extensible Applications for Oracle Web Services Manager
  2. Custom Assertions Schema Reference

A Custom Assertions Schema Reference

You can use the XML schema in this appendix as a reference when creating a WS-Policy file that contains custom web service assertions.

This appendix includes the following topics:

A.1 Element Hierarchy of Custom Assertions in a WS-Policy File

The following figure illustrates the element hierarchy of the custom assertions in a WS-Policy file:

Figure A-1 Element Hierarchy of Custom Assertion

Description of Figure A-1 follows
Description of "Figure A-1 Element Hierarchy of Custom Assertion"

A.2 Custom Assertion Elements

A custom assertion contains the following elements:

A.2.1 wsp:Policy

Follow the table and the example given below to know about the <wsp:Policy> element and its attributes.

The <wsp:Policy> element groups nested policy assertions.

Attributes

The following table summarizes the Oracle extensions to the WS-Policy attributes.

Table A-1 Oracle Extensions to WS-Policy Attributes

Attribute Description

attachTo

Policy subjects to which the policy can be attached. Valid values include:binding.client, binding.server, binding.any.

category

Category of the policy. Valid values include: security and management.

description

Description of the policy.

status

Status of the policy reference. Valid values include: enabled and disabled.

Example

The following example illustrates the <wsp:Policy> element:

<wsp:Policy xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy" 
  orawsp:status="enabled"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-util
ity-1.0.xsd" 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  orawsp:category="security" 
  orawsp:attachTo="binding.server" 
  wsu:Id="ip_assertion_policy" 
  xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" 
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
  wsp:Name="oracle/ip_assertion_policy">

A.2.2 orasp:Assertion

Follow the tables and the example given below to know about the attributes of the <orasp:Assertion> element.

The <orasp:Assertion> element is the main element of the custom assertion.

Attributes

The following table summarizes the attributes of the <orasp:Assertion> element.

Table A-2 Attributes of <orasp:Assertion> Element

Attribute Description

Optional

Flag that specifies whether the assertion is optional or required.

Silent

Flag that specifies whether the assertion is advertised. If set to true, the assertion is not advertised.

Enforced

Flag that specifies whether the assertion is currently enabled.

name

Name of the assertion.

description

Description of the assertion.

category

Category to which the assertion applies. Valid values include: security/authentication, security/msg-protection, security/authorization, security/logging and management.

provides

Web service endpoint type to which this policy can be attached.

Note: This attribute is required for RESTful endpoints.

For example, to specify RESTful web services:

orawsp:provides="{http://schemas.oracle.com/ws/2006/01/policy}REST_HTTP"

Example

The following example illustrates the <orasp:Assertion> element:

<orasp:ipAssertion orawsp:Silent="true" orawsp:Enforced="true"
orawsp:name="WSSecurity IpAssertion Validator"
orawsp:category="security/authentication"
orawsp:provides="{http://schemas.oracle.com/ws/2006/01/policy}REST_HTTP">
...
</orasp:ipAssertion>

Update the provides Attribute to Secure SOAP Web Service Endpoints

To secure a SOAP Web Service endpoints, you must add the intents to the provides attribute in the custom policy file.

Table A-3 Intents for provides Attribute to Secure the SOAP Web Service Endpoints

Intent Type Description

serverAuthentication

Security Policy

When specified, an SCA runtime ensures that the server is authenticated by the client.

clientAuthentication

Security Policy

When specified, an SCA runtime ensures that the client is authenticated by the server.

authentication

Security Policy

This is a profile intent that requires only clientAuthentication. It is required for backwards compatibility.

mutualAuthentication

Security Policy

This is a profile intent that includes the serverAuthentication and the clientAuthentication intents.

confidentiality

Security Policy

This intent indicates that the message contents are accessible only to those authorized to have access (For example, the service client and the service provider). When the confidentiality intent is specified, an SCA runtime ensures that only authorized entities can view the contents of a message.

integrity

Security Policy

This intent is used to ensure that the messages are not tampered with and altered between the sender and the receiver. This is done generally by digitally signing the message or other methods. When the integrity intent is specified, an SCA runtime ensures that the message contents are not altered.

This intent can have the following qualifiers:

  • transport – the transport qualifier specifies that the qualified intent is realized at the transport or transfer layer of the communication protocol, such as HTTPS. When a serverAuthentication, clientAuthentication, confidentiality, or integrity intent is qualified by message, an SCA runtime delegates serverAuthentication, clientAuthentication, confidentiality and integrity, respectively to the message layer of the communication protocol.

  • message – the message qualifier specifies that the qualified intent is realized at the message level of the communication protocol. When a serverAuthentication, clientAuthentication, confidentiality, or integrity intent is qualified by message, an SCA runtime delegates serverAuthentication, clientAuthentication, confidentiality and integrity respectively to the message layer of the communication protocol.

atLeastOnce

Reliability Policy Intents

The binding implementation ensures that a message that is successfully sent by a service consumer or service implementation is delivered to the destination (service implementation or service consumer). The message can be delivered multiple times to the service implementation or service consumer. When atLeastOnce intent is specified, an SCA Runtime ensures deliverering of message to the destination service implementation or service consumer.

atMostOnce

Reliability Policy Intents

The binding implementation ensures that a message that is successfully sent by a service consumer or service implementation is not delivered more than once to the service implementation or service consumer. The binding implementation does not ensure that the message is delivered to the service implementation or service consumer. When atMostOnce intent is specified, an SCA Runtime should not deliver duplicates of a message to the service implementation.

ordered

Reliability Policy Intents

The binding implementation ensures that the messages sent by a service client via a single service reference are delivered to the target service implementation in the order in which they were sent by the service client. This intent does not ensure the messages that are sent by a service client are delivered to the service implementation and the ordering of messages sent via different service references by a single service client, even if the same service implementation is targeted by each of the service references.

When ordered intent is specified, an SCA Runtime deliver messages sent by a single source to a single destination service implementation in the order that the messages were sent by that source.

For service interfaces that involve messages being sent back from the service implementation to the service client (For example, a service with a callback interface), for the ordered intent, the binding implementation ensures that the messages sent by the service implementation over a given wire are delivered to the service client in the order in which they were sent by the service implementation. This intent does not ensure that messages that are sent by the service implementation are delivered to the service consumer.

exactlyOnce

Reliability Policy Intents

The binding implementation ensures that a message sent by a service consumer is delivered to the service implementation and it also ensures that the message is not delivered more than once to the service implementation. When the exactlyOnce intent is specified, an SCA Runtime delivers a message to the destination service implementation and not deliver duplicates of a message to the service implementation.

Example

The following example illustrates the intents added to the provides attribute to secure a SOAP web service endpoint: 

<orasp:ipAssertion orawsp:Silent="true" orawsp:Enforced="true"
    orawsp:name="WSSecurity IpAssertion Validator"
    orawsp:category="security/authentication"
    orawsp:provides="{http://schemas.oracle.com/ws/2006/01/policy}SOAP_HTTP,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}serverAuthentication,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}clientAuthentication,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}authentication,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}mutualAuthentication,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}confidentiality,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}integrity,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}atLeastOnce,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}atMostOnce,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}ordered,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}exactlyOnce">
</orasp:ipAssertion>

A.2.3 orawsp:bindings

Follow the example given below to know about the <oraswsp:bindings> element.

The <oraswsp:bindings> element defines the bindings in the custom assertion.

Example

The following example illustrates the <oraswsp:bindings> element:

<orawsp:bindings>
...
</orawsp:bindings>

A.2.4 orawsp:Implementation

Follow the example given below to know about the <oraswsp:Implementation> element.

The <oraswsp:Implementation> element defines the custom assertion implementation class.

Example

The following example illustrates the <oraswsp:Implementation> element:

<orawsp:Implementation>sampleassertion.IpAssertionExecutor</orawsp
:Implementation>

A.2.5 orawsp:Config

Follow the table and the example given below to know about the <oraswsp:Config> element and its attributes.

The <oraswsp:Config> element defines the configuration for the custom assertion.

Attributes

The following table summarizes the attributes of the <orawsp:Config> element.

Table A-4 Attributes of <orawsp:Config> Element

Attribute Description

name

Name of the configuration.

type

Category to which the configuration applies.

configType

Configuration type. Valid values include: declarative and programmatic.

  • declarative—Use deployment descriptors and configuration files to describe authentication and authorization requirements.

  • programmatic—Embed security enforcement within the application.

Example

The following example illustrates the <oraswsp:Config> element:

<orawsp:Config orawsp:name="ipassertion" orawsp:configType="declarative">

A.2.6 orawsp:PropertySet

Follow the table and example given below to know about the <oraswsp:PropertySet> element and its attributes.

The <oraswsp:PropertySet> element groups nested properties.

Attributes

The following table summarizes the attributes of the <orawsp:PropertySet> element.

Table A-5 Attributes of <orawsp:PropertySet> Element

Attribute Description

name

Name of the property set.

Example

The following example illustrates the <oraswsp:PropertySet> element:

<orawsp:PropertySet orawsp:name="valid_ips">

A.2.7 orawsp:Property

Follow the table and example given below to know about the <oraswsp:Property> element and its attributes.

The <oraswsp:Property> element defines a single property.

Attributes

The following table summarizes the attributes of the <orawsp:Property> element.

Table A-6 Attributes of <orawsp:Property> Element

Attribute Description

name

Name of the property.

type

Type of the property. For example, string.

contentType

Specifies whether the property is required and can be overridden. Valid values include:

  • constant—Property is a constant value and cannot be overridden.

  • required—Property is required and can be overridden.

  • optional—Property is optional and can be overridden.

For information about overriding policies, see "Overriding Policy Configuration Overrides" in Administering Web Services.

Example

The following example illustrates the <orawsp:Property> element:

<orawsp:Property orawsp:name="valid_ips" orawsp:type="string"
 orawsp:contentType="constant">

A.2.8 orawsp:Description

Follow the example given below to know about the <oraswsp:Description> element.

The <oraswsp:Description> element provides a description of the property.

Example

The following example illustrates the <oraswsp:Description> element:

<orawsp:Description>Valid IP Values</orawsp:Description>

A.2.9 orawsp:Value

Follow the example given below to know about the <oraswsp:Value> element.

The <oraswsp:Value> element provides a list of valid values for the property.

Example

The following example illustrates the <oraswsp:Value> element:

<orawsp:Value>140.87.6.143,10.178.93.107</orawsp:Value>