17 Oracle Web Services Manager Predefined Policies
This chapter includes the following sections:
Note:
- The predefined policies and assertion templates distributed with the current release are read-only. You must copy the policy or assertion template before modifying it; you can copy policies in the security and management categories only. You also have the option of configuring the attributes in an assertion after you have added it to a policy. For information about managing the assertion templates and adding them to policies, see "Managing Policy Assertion Templates".
- When attaching OWSM 14c predefined policies, if you specify a value of blank (" ") in the Value field, the default value will be in effect. If you have imported 11g policies or any custom policies, ensure that the policy has a valid value in the Default field to achieve the same effect; otherwise, the specified value will be picked up.
17.1 Addressing Policies
You can use the OWSM predefined addressing policies to check inbound messages for the presence of WS-Addressing headers and to effectively disable a globally attached WS-Addressing policy at a higher scope.
Topics:
- oracle/wsaddr_policy checks inbound messages for the presence of WS-Addressing headers conforming to the W3C 2005 Final WS-Addressing Policy standard.
- oracle/no_addressing_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached WS Addressing policy at a higher scope.
For more information about attaching web services addressing policies, see:
- "Configuring Addressing Using Fusion Middleware Control" in Administering Web Services
- "Configuring Addressing Using WLST" in Administering Web Services
17.2 Atomic Transaction Policies
You can use the predefined OWSM atomic transaction policies to enable and configure support for atomic transactions.
Topics:
- oracle/atomic_transaction_policy enables and configures support for atomic transactions.
- oracle/no_atomic_transaction_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached atomic transaction web service policy at a higher scope.
For more information about attaching web services atomic transaction policies, see:
- "Configuring Atomic Transactions Using Fusion Middleware Control" in Administering Web Services
- "Configuring Atomic Transactions Using WLST" in Administering Web Services
17.3 Configuration Policies
You can use the OWSM predefined configuration policies to enable and configure web services.
Topics:
Note:
Please note the following:
- Configuration policies cannot be duplicated.
- The assertion templates associated with configuration policies are not available for generating new policies.
- Configuration policies are not supported for SOA composite or Java EE (WebLogic) web services.
- oracle/async_web_service_policy enables and configures an asynchronous web service.
- oracle/cache_binary_content_policy enables and configures support for binary caching of content.
- oracle/fast_infoset_client_policy enables and configures Fast Infoset on the web service client.
- oracle/fast_infoset_service_policy enables Fast Infoset on the web service.
- oracle/max_request_size_policy configures the maximum size, in bytes, of the request message that can be sent to the web service.
- oracle/mex_request_processing_service_policy enables the exchange of web service metadata.
- oracle/mtom_encode_fault_service_policy enables the creation of MTOM-enabled SOAP fault messages when MTOM is enabled.
- oracle/no_async_web_service_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached asynchronous web service policy at a higher scope.
- oracle/no_cache_binary_content_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached binary caching policy at a higher scope.
- oracle/no_fast_infoset_client_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Fast Infoset client policy at a higher scope.
- oracle/no_fast_infoset_service_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Fast Infoset service policy at a higher scope.
- oracle/no_max_request_size_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached maximum request size policy at a higher scope.
- oracle/no_mex_request_processing_service_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached web service metadata exchange policy at a higher scope.
- oracle/no_mtom_encode_fault_service_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached SOAP fault MTOM encoding policy at a higher scope.
- oracle/no_persistence_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached persistence policy at a higher scope.
- oracle/no_pox_http_binding_service_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Plain Old XML (POX) policy at a higher scope.
- oracle/no_request_processing_service_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached request processing policy at a higher scope.
- oracle/no_schema_validation_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached schema validation policy at a higher scope.
- oracle/no_soap_request_processing_service_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached SOAP request processing policy at a higher scope.
- oracle/no_test_page_processing_service_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached test page processing policy at a higher scope.
- oracle/no_ws_logging_level_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached logging policy at a higher scope.
- oracle/no_wsdl_request_processing_service_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached WSDL request processing policy at a higher scope.
- oracle/persistence_policy configures the secure conversation persistence mechanism for the web service.
- oracle/pox_http_binding_service_policy enables an endpoint to receive non-SOAP XML messages that are processed by a user-defined javax.xml.ws.Provider<T>.invoke method.
- oracle/request_processing_service_policy enables the web service endpoint to process incoming requests.
- oracle/schema_validation_policy enables the validation of request messages against the schema.
- oracle/soap_request_processing_service_policy enables the processing of SOAP requests on the web service endpoint.
- oracle/test_page_processing_policy enables the Web Service Test Client, as described in "Using the Web Services Test Client" in Administering Web Services.
- oracle/ws_logging_level_policy sets the logging level for diagnostic logs for the web service endpoint.
- oracle/wsdl_request_processing_service_policy enables access to the WSDL for the web service.
For more information about attaching configuration policies, see:
- "Configuring Web Services Using Fusion Middleware Control" in Administering Web Services
- "Configuring Web Services Using WLST" in Administering Web Services
17.4 Management Policies
You can use the predefined management policies to log the entire SOAP message for the request and just the SOAP body information for the response.
oracle/log_policy causes the request, response, and fault messages to be sent to a message log.
17.5 MTOM Policies
You can use the predefined Message Transmission Optimization Mechanism (MTOM) policies to effectively disable a globally attached WS MTOM policy at a higher scope, reject inbound messages that are not in MTOM format, and verify that outbound messages are in MTOM format.
Topics:
- oracle/no_mtom_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached WS MTOM policy at a higher scope.
- oracle/wsmtom_policy rejects inbound messages that are not in MTOM format and verifies that outbound messages are in MTOM format.
For more information about attaching MTOM policies, see:
- "Configuring MTOM Using Fusion Middleware Control" in Administering Web Services
- "Configuring MTOM Using WLST" in Administering Web Services
17.6 Reliable Messaging Policies
You can use the predefined reliable messaging policies to effectively disable a globally attached Web Services Reliable Messaging policy, configure web services reliable messaging on the web service and client, and configure the Web Services Reliable Messaging protocol.
Topics:
- oracle/no_reliable_messaging_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Web Services Reliable Messaging policy at a higher scope.
- oracle/no_wsrm_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Web Services Reliable Messaging policy at a higher scope.
- oracle/reliable_messaging_policy configures web services reliable messaging on the web service and client.
- oracle/wsrm10_policy configures version 1.0 of the Web Services Reliable Messaging protocol.
- oracle/wsrm11_policy configures version 1.1 of the Web Services Reliable Messaging protocol.
For more information about attaching reliable messaging policies, see:
- "Configuring Reliable Messaging Using Fusion Middleware Control" in Administering Web Services
- "Configuring Reliable Messaging Using WLST" in Administering Web Services
17.7 Security Policies-Authentication Only
You can use the predefined security policies for authentication only scenarios.
Topics:
Note:
There are no predefined policies for two authentication only scenarios: Kerberos over SSL and SPNEGO. To use these scenarios, create your own policies that use the Kerberos over SSL and SPNEGO assertion templates described in "Oracle Web Services Manager Predefined Assertion Templates".
- oracle/wss_saml_bearer_or_username_token_service_policy enforces one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:
  - SAML token within WS-Security SOAP header using the bearer confirmation type.
  - WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.
- oracle/wss_saml_or_username_token_service_policy enforces one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:
  - SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
  - WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.
- oracle/wss_saml_token_bearer_client_policy includes SAML tokens in outbound SOAP request messages.
- oracle/http_oam_token_service_policy verifies that the OAM agent has authenticated the user and has established an identity.
- oracle/http_saml20_token_bearer_client_policy includes a SAML Bearer V2.0 token in the HTTP header.
- oracle/http_saml20_token_bearer_service_policy authenticates users using credentials provided in the SAML v2.0 token with confirmation method Bearer in the HTTP header.
- oracle/multi_token_rest_service_policy enforces one of the following authentication policies, based on the token sent by the client:
  - HTTP Basic: extracts username and password credentials from the HTTP header.
  - SAML v2.0 Bearer token in the HTTP header: extracts the SAML 2.0 Bearer assertion from the HTTP header.
  - HTTP OAM security: verifies that the OAM agent has authenticated the user and establishes identity.
  - SPNEGO over HTTP security: extracts the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) token from the HTTP header.
- oracle/no_authentication_client_policy when directly attached to a client endpoint or globally attached at a lower scope, effectively disables a globally attached authentication policy at a higher scope.
- oracle/no_authentication_service_policy when directly attached to a service endpoint or globally attached at a lower scope, effectively disables a globally attached authentication policy at a higher scope.
- oracle/wss_http_token_client_policy includes credentials in the HTTP header for outbound client requests.
- oracle/wss_http_token_service_policy uses the credentials in the HTTP header to authenticate users against the OPSS identity store.
- oracle/wss_username_token_client_policy includes credentials in the WS-Security UsernameToken header for all outbound SOAP request messages.
- oracle/wss_username_token_service_policy uses the credentials in the UsernameToken WS-Security SOAP header to authenticate users.
- oracle/wss10_saml_token_client_policy includes SAML tokens in outbound SOAP request messages.
- oracle/wss10_saml_token_service_policy authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.
- oracle/wss10_saml20_token_client_policy includes SAML tokens in outbound SOAP request messages.
- oracle/wss10_saml20_token_service_policy authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.
- oracle/wss11_kerberos_token_client_policy includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard.
- oracle/wss11_kerberos_token_service_policy extracts the Kerberos token from the SOAP header and authenticates the user.
- oracle/multi_token_rest_access_service_policy allows access to the endpoint with an anonymous subject when the request contains no security token. It also masks the 403 response from the service when no security token is present in the request.
- oracle/multi_token_rest_access_over_ssl_service_policy allows access to the endpoint over SSL with an anonymous subject when the request contains no security token. It also masks the 403 response from the service when no security token is present in the request.
- oracle/http_anonymous_rest_service_policy allows access to the endpoint with an anonymous subject in context.
- oracle/http_anonymous_rest_over_ssl_service_policy allows access to the endpoint over SSL with an anonymous subject in context.
- oracle/multi_token_sso_over_ssl_rest_service_policy enforces one of the following authentication policies, based on the token sent by the client:
  - HTTP Basic over SSL—Extracts username and password credentials from the HTTP header.
  - SAML 2.0 Bearer token in the HTTP header over SSL—Extracts SAML 2.0 Bearer assertion in the HTTP header.
  - HTTP OAM security (non-SSL)—Verifies that the OAM agent has authenticated user and establishes identity. (Provides non-SSL OAM protection on the server-side only.)
  - SPNEGO over HTTP security (non-SSL)—Extracts SPNEGO Kerberos token information from the HTTP header. (Provides non-SSL protection only.)
  - JWT token in the HTTP header over SSL—Extracts username from the JWT token in the HTTP header.
- oracle/multi_token_sso_rest_service_policy enforces one of the following authentication policies, based on the token sent by the client:
  - HTTP Basic over SSL—Extracts username and password credentials from the HTTP header.
  - SAML 2.0 Bearer token in the HTTP header over SSL—Extracts SAML 2.0 Bearer assertion in the HTTP header.
  - HTTP OAM security (non-SSL)—Verifies that the OAM agent has authenticated user and establishes identity. (Provides non-SSL OAM protection on the server-side only.)
  - SPNEGO over HTTP security (non-SSL)—Extracts SPNEGO Kerberos token information from the HTTP header. (Provides non-SSL protection only.)
  - JWT token in the HTTP header over SSL—Extracts username from the JWT token in the HTTP header.
17.8 Security Policies-Authorization Only
You can use predefined security policies for authorization only scenarios.
This section summarizes the predefined OWSM authorization only security policies in the following topics:
- oracle/binding_authorization_denyall_policy provides a simple role-based authorization policy based on the authenticated subject at the SOAP binding level.
- oracle/binding_authorization_permitall_policy provides a simple role-based authorization for the request based on the authenticated Subject at the SOAP binding level.
- oracle/binding_permission_authorization_policy provides a permission-based authorization policy based on the authenticated subject.
- oracle/component_authorization_denyall_policy provides a simple role-based authorization policy based on the authenticated subject.
- oracle/component_authorization_permitall_policy provides a simple role-based authorization policy based on the authenticated subject.
- oracle/component_permission_authorization_policy provides a permission-based authorization policy based on the authenticated Subject.
- oracle/no_authorization_component_policy when directly attached to a SOA component or globally attached at a lower scope, effectively disables a globally attached authorization policy at a higher scope.
- oracle/no_authorization_service_policy when directly attached to a service endpoint or globally attached at a lower scope, effectively disables a globally attached authorization policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the authorization assertion, those assertions are disabled also. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
- oracle/whitelist_authorization_policy accepts requests only if one of the following conditions is true:
  - The authenticated token is SAML Sender Vouches.
  - The user is in a particular role (the default is trustedEnterpriseRole) that establishes the user as a trusted entity.
  - The request is coming from within a private network.
17.9 Security Policies-Message Protection Only
You can use predefined security policies for message protection only scenarios.
Topics:
- oracle/no_messageprotection_client_policy when directly attached to a client endpoint or globally attached at a lower scope, effectively disables a globally attached message protection policy at a higher scope.
- oracle/no_messageprotection_service_policy when directly attached to a service endpoint or globally attached at a lower scope, effectively disables a globally attached message protection policy at a higher scope.
- oracle/wss10_message_protection_client_policy provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.
- oracle/wss10_message_protection_service_policy enforces message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
- oracle/wss11_message_protection_client_policy provides message integrity and confidentiality for outbound SOAP requests in accordance with the WS-Security 1.1 standard.
- oracle/wss11_message_protection_service_policy enforces message integrity and confidentiality for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
17.10 Security Policies-Message Protection and Authentication
OWSM has predefined security policies for message protection and authentication.
This section summarizes these policies in the following topics:
- oracle/http_basic_auth_over_ssl_client_policy includes credentials in the HTTP header for outbound client requests and verifies that the transport protocol is HTTPS.
- oracle/http_basic_auth_over_ssl_service_policy uses the credentials in the HTTP header to authenticate users against the OPSS identity store and verifies that the transport protocol is HTTPS.
- oracle/http_saml20_token_bearer_over_ssl_client_policy includes a SAML Bearer v2.0 token in the HTTP header. The SAML token with confirmation method Bearer is created automatically. The policy also verifies that the transport protocol provides SSL message protection.
- oracle/http_saml20_bearer_token_over_ssl_service_policy authenticates users using credentials provided in the SAML v2.0 token with confirmation method Bearer in the HTTP header, and verifies that the transport protocol provides SSL message protection.
- oracle/multi_token_over_ssl_rest_service_policy enforces one of the following authentication policies, based on the token sent by the client:
  - HTTP Basic over SSL: extracts username and password credentials from the HTTP header.
  - SAML 2.0 Bearer token in the HTTP header over SSL: extracts the SAML 2.0 Bearer assertion from the HTTP header.
  - HTTP OAM security (non-SSL): verifies that the OAM agent has authenticated the user and establishes identity.
  - SPNEGO over HTTP security (non-SSL): extracts SPNEGO token information from the HTTP header.
- oracle/pii_security_policy encrypts the PII data you want to protect.
- oracle/sts_trust_config_client_policy specifies the STS client configuration information that is used to invoke the STS for token exchange.
- oracle/sts_trust_config_service_policy specifies the STS configuration information that is used to invoke the STS for token exchange.
- oracle/wss_saml_or_username_token_over_ssl_service_policy enforces message protection (integrity and confidentiality) and one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:
  - SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
  - WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.
- oracle/wss_saml_token_bearer_over_ssl_client_policy includes SAML tokens in outbound SOAP request messages.
- oracle/wss_saml_token_bearer_over_ssl_service_policy authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.
- oracle/wss_http_token_over_ssl_client_policy includes credentials in the HTTP header for outbound client requests, authenticates users against the OPSS identity store, and verifies that the transport protocol is HTTPS.
- oracle/wss_http_token_over_ssl_service_policy extracts the credentials in the HTTP header and authenticates users against the OPSS identity store, and verifies that the transport protocol is HTTPS.
- oracle/wss_saml_token_over_ssl_client_policy includes SAML tokens in outbound WS-Security SOAP headers using the sender-vouches confirmation type.
- oracle/wss_saml_token_over_ssl_service_policy enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type, and verifies that the transport protocol provides SSL message protection.
- oracle/wss_saml20_token_bearer_over_ssl_client_policy includes SAML tokens in outbound SOAP request messages, and verifies that the transport protocol provides SSL message protection.
- oracle/wss_saml20_token_bearer_over_ssl_service_policy authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header, and verifies that the transport protocol provides SSL message protection.
- oracle/wss_saml20_token_over_ssl_client_policy includes SAML tokens in outbound WS-Security SOAP headers using the sender-vouches confirmation type, and verifies that the transport protocol provides SSL message protection.
- oracle/wss_saml20_token_over_ssl_service_policy enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type, and verifies that the transport protocol provides SSL message protection.
- oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy inserts a SAML bearer assertion issued by a trusted STS.
- oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy authenticates a SAML bearer assertion issued by a trusted STS.
- oracle/wss_username_token_over_ssl_client_policy includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages, and verifies that the transport protocol provides SSL message protection.
- oracle/wss_username_token_over_ssl_service_policy uses the credentials in the WS-Security UsernameToken SOAP header to authenticate users against the OPSS configured identity store, and verifies that the transport protocol provides SSL message protection.
- oracle/wss_username_token_over_ssl_wssc_client_policy includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages, and verifies that the transport protocol provides SSL message protection.
- oracle/wss_username_token_over_ssl_wssc_service_policy uses the credentials in the WS-Security UsernameToken SOAP header to authenticate users against the OPSS configured identity store, and verifies that the transport protocol provides SSL message protection.
- oracle/wss10_saml_hok_token_with_message_protection_client_policy provides message protection (integrity and confidentiality) and SAML holder of key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.
- oracle/wss10_saml_hok_token_with_message_protection_service_policy enforces message protection (integrity and confidentiality) and SAML holder of key based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
- oracle/wss10_saml_token_with_message_integrity_client_policy provides message-level integrity and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.
- oracle/wss10_saml_token_with_message_integrity_service_policy enforces message-level integrity protection and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
- oracle/wss10_saml_token_with_message_protection_client_policy provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.
- oracle/wss10_saml_token_with_message_protection_service_policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
- oracle/wss10_saml_token_with_message_protection_ski_basic256_client_policy provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.
- oracle/wss10_saml_token_with_message_protection_ski_basic256_service_policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
- oracle/wss10_saml20_token_with_message_protection_client_policy provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.
- oracle/wss10_saml20_token_with_message_protection_service_policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
- oracle/wss10_username_id_propagation_with_msg_protection_client_policy provides message protection (integrity and confidentiality) and identity propagation for outbound SOAP requests in accordance with the WS-Security 1.0 standard.
- oracle/wss10_username_id_propagation_with_msg_protection_service_policy enforces message level protection (i.e., integrity and confidentiality) and identity propagation for inbound SOAP requests using mechanisms described in WS-Security 1.0.
- oracle/wss10_username_token_with_message_protection_client_policy provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard.
- oracle/wss10_username_token_with_message_protection_service_policy enforces message protection (message integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
- oracle/wss10_username_token_with_message_protection_ski_basic256_client_policy provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard.
- oracle/wss10_username_token_with_message_protection_ski_basic256_service_policy enforces message protection (message integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
- oracle/wss10_x509_token_with_message_protection_client_policy provides message protection (integrity and confidentiality) and certificate credential population for outbound SOAP requests in accordance with the WS-Security 1.0 standard.
- oracle/wss10_x509_token_with_message_protection_service_policy enforces message protection (integrity and confidentiality) and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
- oracle/wss11_kerberos_token_with_message_protection_client_policy includes a Kerberos token in the WS-Security header, and uses Kerberos keys to guarantee message integrity and confidentiality, in accordance with the WS-Security Kerberos Token Profile v1.1 standard.
- oracle/wss11_kerberos_token_with_message_protection_service_policy is enforced in accordance with the WS-Security Kerberos Token Profile v1.1 standard.
- oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy includes a Kerberos token in the WS-Security header, and uses Kerberos keys to guarantee message integrity and confidentiality, in accordance with the WS-Security Kerberos Token Profile v1.1 standard.
- oracle/wss11_kerberos_token_with_message_protection_basic128_service_policy is enforced in accordance with the WS-Security Kerberos Token Profile v1.1 standard.
- oracle/wss11_saml_or_username_token_with_message_protection_service_policy enforces message protection (integrity and confidentiality) and one of the following authentication policies, based on whether the client uses a SAML, username, or HTTP token, respectively:
  - SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
  - Username token authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
  - SAML-based authentication using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header. Verifies that the transport protocol provides SSL message protection.
  - Username token authentication using the credentials in the UsernameToken WS-Security SOAP header to authenticate users against the configured identity store. Verifies that the transport protocol provides SSL message protection.
  - HTTP authentication using credentials extracted from the HTTP header to authenticate users against the configured identity store. Verifies that the transport protocol is HTTPS.
- oracle/wss11_saml_token_identity_switch_with_message_protection_client_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
- oracle/wss11_saml_token_with_message_protection_client_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
- oracle/wss11_saml_token_with_message_protection_wssc_client_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
- oracle/wss11_saml_token_with_message_protection_wssc_reauthn_client_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
-
oracle/wss11_saml_token_with_message_protection_wssc_reauthn_service_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
-
oracle/wss11_saml20_token_with_message_protection_client_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
-
oracle/wss11_saml20_token_with_message_protection_service_policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
-
oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy inserts a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using proof key material provided by the STS.
-
oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy authenticates a SAML HOK assertion issued by a trusted STS (Security Token Service).
-
oracle/wss11_username_token_with_message_protection_service_policy provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.
-
oracle/wss11_username_token_with_message_protection_client_policy enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
-
oracle/wss11_username_token_derivedkey_with_message_protection_service_policy enables use of OWSM to integrate with any backend service client where the request contains a <wsse11:Salt> or <wsse11:Iteration> element in the username token. These elements are used in the Username token to support password-derived keys. Either signature or encryption is used.
-
oracle/wss11_username_token_derivedkey_with_message_protection_signature_only_client_policy enables use of OWSM to integrate with any backend service which requires a <wsse11:Salt> or <wsse11:Iteration> element in the username token. These elements are used in the Username token to support password-derived keys. This client policy provides message protection using signature.
-
oracle/wss11_username_token_derivedkey_with_message_protection_encryption_only_client_policy enables use of OWSM to integrate with any backend service which requires a <wsse11:Salt> or <wsse11:Iteration> element in the username token. These elements are used in the Username token to support password-derived keys. This client policy provides message protection using encryption.
-
oracle/wss11_username_token_with_message_protection_wssc_client_policy provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard.
-
oracle/wss11_username_token_with_message_protection_wssc_service_policy enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
-
oracle/wss11_x509_token_with_message_protection_client_policy provides message protection (integrity and confidentiality) and certificate-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard.
-
oracle/wss11_x509_token_with_message_protection_service_policy enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
-
oracle/wss11_x509_token_with_message_protection_wssc_client_policy provides message protection (integrity and confidentiality) and certificate-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard.
-
oracle/wss11_x509_token_with_message_protection_wssc_service_policy enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
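The <wsse11:Salt> and <wsse11:Iteration> elements named by the three derived-key policies above belong to the password-derived key scheme of the WS-Security UsernameToken Profile 1.1. The following Python is an added example, not code from Oracle or from OWSM: it parses a constructed UsernameToken, derives the 160-bit key the way the profile specifies (SHA-1 over password || salt, then re-hashed Iteration-1 times; the salt's first byte, 0x01 or 0x02, marks the key as a signing or an encryption key), and reports the parameter checks a gateway should apply before accepting the token. The namespace URIs are the standard WSS ones; the sample username, password and salt are constructed, and the 1000-iteration default/minimum is the profile's stated default, assumed here as the acceptance threshold.

```python
"""Added example (not Oracle/OWSM code): WSS UsernameToken Profile 1.1
password-derived keys from <wsse11:Salt> and <wsse11:Iteration>."""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Standard WS-Security namespaces used by UsernameToken and the 1.1 extensions.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"

SALT_USAGE_SIGNATURE = 0x01   # first salt byte: derived key is a signing (MAC) key
SALT_USAGE_ENCRYPTION = 0x02  # first salt byte: derived key is an encryption key
MIN_ITERATIONS = 1000         # profile default; assumed here as the acceptance minimum


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """K1 = SHA1(password || salt); Ki = SHA1(K(i-1)); return K_iterations (20 bytes)."""
    if iterations < 1:
        raise ValueError("iteration count must be >= 1")
    key = hashlib.sha1(password.encode("utf-8") + salt).digest()
    for _ in range(iterations - 1):
        key = hashlib.sha1(key).digest()
    return key


def parse_username_token(xml_text: str) -> dict:
    """Extract Username, decoded Salt and Iteration from a wsse:UsernameToken."""
    root = ET.fromstring(xml_text)
    token = root if root.tag == f"{{{WSSE}}}UsernameToken" else root.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        raise ValueError("no wsse:UsernameToken found")
    username = token.findtext(f"{{{WSSE}}}Username")
    salt_b64 = token.findtext(f"{{{WSSE11}}}Salt")
    if username is None or salt_b64 is None:
        raise ValueError("UsernameToken lacks Username or wsse11:Salt")
    iteration_text = token.findtext(f"{{{WSSE11}}}Iteration")
    iterations = int(iteration_text) if iteration_text is not None else MIN_ITERATIONS
    return {"username": username, "salt": base64.b64decode(salt_b64, validate=True), "iterations": iterations}


def check_derived_key_params(salt: bytes, iterations: int) -> list:
    """Policy checks on the token's parameters; an empty list means acceptable."""
    findings = []
    if len(salt) != 16:
        findings.append(f"salt must be 128 bits, got {len(salt) * 8}")
    if salt and salt[0] not in (SALT_USAGE_SIGNATURE, SALT_USAGE_ENCRYPTION):
        findings.append(f"salt usage byte 0x{salt[0]:02x} is neither signature (0x01) nor encryption (0x02)")
    if iterations < MIN_ITERATIONS:
        findings.append(f"iteration count {iterations} is below the minimum {MIN_ITERATIONS}")
    return findings


def derived_key_for_token(xml_text: str, password: str) -> bytes:
    """Service side: derive the key the client must have used, after the checks pass."""
    info = parse_username_token(xml_text)
    findings = check_derived_key_params(info["salt"], info["iterations"])
    if findings:
        raise ValueError("; ".join(findings))
    return derive_key(password, info["salt"], info["iterations"])


# Constructed sample: signing-key salt (first byte 0x01) and the default iteration count.
SAMPLE_SALT = bytes([SALT_USAGE_SIGNATURE]) + bytes(range(1, 16))
SAMPLE_TOKEN = f"""<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsse11="{WSSE11}">
  <wsse:Username>alice</wsse:Username>
  <wsse11:Salt>{base64.b64encode(SAMPLE_SALT).decode()}</wsse11:Salt>
  <wsse11:Iteration>1000</wsse11:Iteration>
</wsse:UsernameToken>"""

if __name__ == "__main__":
    # The password comes from the identity store on the service side; constructed here.
    key = derived_key_for_token(SAMPLE_TOKEN, "alice-secret")
    print("derived signing key:", key.hex())
```

The derived key never crosses the wire: both sides compute it from the shared password and the salt and iteration count carried in the token, so the service has to validate those parameters (salt length and usage byte, iteration floor) before trusting a signature or decrypting with the result.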
17.11 Security Policies-Sha256 Only
OWSM has predefined sha256 policies.
This section summarizes the predefined OWSM Sha256 only security policies in the following topics:
-
oracle/wss11_saml_or_username_token_with_message_protection_sha256_service_policy enforces message protection (integrity and confidentiality) and an authentication policy, based on whether the client uses a SAML, username, or HTTP token.
-
oracle/wss11_saml_token_identity_switch_with_message_protection_sha256_client_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
-
oracle/wss11_saml_token_with_message_protection_sha256_client_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
-
oracle/wss11_saml_token_with_message_protection_sha256_service_policy enables message protection (integrity and confidentiality) and SAML token population for inbound SOAP requests using mechanisms described in WS-Security 1.1.
-
oracle/wss11_username_token_with_message_protection_sha256_client_policy provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard.
-
oracle/wss11_username_token_with_message_protection_sha256_service_policy enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
-
oracle/wss_saml_bearer_or_username_token_sha256_service_policy enforces one authentication policy, based on whether the client uses a SAML bearer or username token.
-
oracle/wss_saml_token_bearer_identity_switch_sha256_client_policy performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject.
-
oracle/wss_saml_token_bearer_over_ssl_sha256_client_policy includes SAML tokens in outbound SOAP request messages.
-
oracle/wss_saml_token_bearer_over_ssl_sha256_service_policy authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.
-
oracle/wss_saml_token_bearer_sha256_client_policy includes SAML Bearer tokens in outbound SOAP request messages.
-
oracle/wss_saml_token_bearer_sha256_service_policy authenticates users using credentials provided in SAML Bearer token in the WS-Security SOAP header.
17.12 Security Policies—Oracle Entitlements Server
OWSM has predefined security policies for Oracle Entitlements Server (OES).
Topics:
-
oracle/binding_oes_authorization_policy sets user authorization based on the policy defined in Oracle Entitlements Server.
-
oracle/binding_oes_masking_policy does response masking based on the policy defined in Oracle Entitlements Server.
-
oracle/component_oes_authorization_policy sets user authorization based on the policy defined in Oracle Entitlements Server.
17.13 SOAP Over JMS Transport Policies
You can use predefined policies for SOAP Over JMS Transport.
Topics:
-
oracle/jms_transport_client_policy enables and configures support for SOAP over JMS transport for web service clients.
-
oracle/jms_transport_service_policy enables and configures support for SOAP over JMS transport for web services.
-
oracle/no_jms_transport_client_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached SOAP over JMS transport client policy at a higher scope.
-
oracle/no_jms_transport_service_policy when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached SOAP over JMS transport service policy at a higher scope.
For more information about attaching SOAP over JMS transport policies, see:
-
"Configuring SOAP Over JMS Transport Using Fusion Middleware Control" in Administering Web Services
-
"Configuring SOAP Over JMS Transport Using WLST" in Administering Web Services
17.14 oracle/wsaddr_policy
The oracle/wsaddr_policy checks inbound messages for the presence of WS-Addressing headers conforming to the W3C 2005 Final WS-Addressing Policy standard. In addition, it causes the platform to include a WS-Addressing header in outbound SOAP messages.
Display Name: WS Addressing Policy
Category: WS-Addressing
Description
For more information about configuring WS-Addressing on the web service client, see Web Services Addressing 1.0 - SOAP Binding specification (http://www.w3.org/TR/ws-addr-soap/).
Note:
Please note the following:
-
This policy cannot be duplicated.
-
The assertion template associated with this policy is not available for generating new policies.
-
This policy is not supported for Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-1 lists the configuration property that you can override for the addressing policy.
Table 17-1 Configuration Property for oracle/wsaddr_policy
Name | Description | Default | Required? |
---|---|---|---|
| See "reference.priority". | None | Optional |
17.15 oracle/no_addressing_policy
When directly attached to an endpoint or globally attached at a lower scope, this policy effectively disables a globally attached WS Addressing policy at a higher scope.
Display Name: No Behavior Addressing Policy
Category: WS-Addressing
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
-
This no behavior policy cannot be duplicated.
-
The assertion template associated with this no behavior policy is not available for generating new policies.
-
This no behavior policy is not supported for Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-2 lists the configuration property that you can override for the no behavior policy.
Table 17-2 Configuration Property for oracle/no_addressing_policy
Name | Description | Default | Required? |
---|---|---|---|
| See "reference.priority". | None | Optional |
17.16 oracle/atomic_transaction_policy
The Atomic Transaction Policy enables and configures support for atomic transactions.
Display Name: Atomic Transaction Policy
Category: Atomic Transactions
Description
For more information about atomic transactions, see "Using Web Services Atomic Transactions" in Developing Oracle Infrastructure Web Services.
Note:
Please note the following:
-
This atomic transactions policy cannot be duplicated.
-
The assertion template associated with this atomic transactions policy is not available for generating new policies.
-
This atomic transactions policy is not supported for Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-3 lists the configuration properties that you can override for atomic transactions.
Table 17-3 Configuration Properties for oracle/atomic_transaction_policy
Name | Description | Default | Required? |
---|---|---|---|
| Whether the web services atomic transaction coordination context is passed with the transaction flow. Valid values include: For more information about the valid values, see "Configuring Web Service Atomic Transactions" in Developing Oracle Infrastructure Web Services. | | Optional |
| Version of the web services atomic transaction coordination context that is supported. For web service clients, it specifies the version used for outbound messages only. The value specified must be consistent across the entire transaction. Valid values include: For more information about the valid values, see "Configuring Web Service Atomic Transactions" in Developing Oracle Infrastructure Web Services. | | Optional |
| See "reference.priority". | None | Optional |
17.17 oracle/no_atomic_transaction_policy
When directly attached to an endpoint or globally attached at a lower scope, this policy effectively disables a globally attached atomic transaction web service policy at a higher scope.
Display Name: No Atomic Transaction Policy
Category: Atomic Transactions
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
For more information about atomic transactions, see "Using Web Services Atomic Transactions" in Developing Oracle Infrastructure Web Services.
Note:
Please note the following:
-
This no behavior policy cannot be duplicated.
-
The assertion template associated with this no behavior policy is not available for generating new policies.
-
This no behavior policy is not supported for Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-4 lists the configuration property that you can override for the no behavior policy.
Table 17-4 Configuration Property for oracle/no_atomic_transaction_policy
Name | Description | Default | Required? |
---|---|---|---|
| See "reference.priority". | None | Optional |
17.18 oracle/async_web_service_policy
The Async Web Service Policy enables and configures an asynchronous web service.
Display Name: Async Web Service Policy
Category: Configuration
Description
Enables and configures an asynchronous web service.
Note:
Please note the following:
-
This configuration policy cannot be duplicated.
-
The assertion template associated with this configuration policy is not available for generating new policies.
-
This configuration policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-5 lists the configuration properties that you can override for asynchronous web services.
Table 17-5 Configuration Properties for oracle/async_web_service_policy
Name | Description | Default | Required? |
---|---|---|---|
| The user that is authorized to use the JMS queues. Note: For most users, the OracleSystemUser is sufficient. However, if you need to change this user to another user in your security realm, you can do so using the instructions provided in "Changing the JMS System User for Asynchronous Web Services Using Fusion Middleware Control" in Administering Web Services. | | Optional |
| Name of the connection factory for the JMS request queue. | | Optional |
| Name of the request queue. | | Optional |
| Name of the connection factory for the JMS response queue. | | Optional |
| Name of the request queue. | | Optional |
| See "reference.priority". | None | Optional |
17.19 oracle/cache_binary_content_policy
The oracle/cache_binary_content_policy enables and configures support for binary caching of content.
Display Name: Cache Binary Content Policy
Category: Configuration
Description
Enables and configures support for binary caching of content.
Note:
Please note the following:
-
This configuration policy cannot be duplicated.
-
The assertion template associated with this configuration policy is not available for generating new policies.
-
This configuration policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-6 lists the configuration properties that you can override for binary caching.
Table 17-6 Configuration Properties for oracle/cache_binary_content_policy
Name | Description | Default | Required? |
---|---|---|---|
| Value that specifies the runtime requirements of XTI scalable DOM in OraSAAJ. Valid values include: | | Optional |
| Boolean value that defines one of the following values: | | Optional |
| See "reference.priority". | None | Optional |
17.20 oracle/fast_infoset_client_policy
The oracle/fast_infoset_client_policy enables and configures Fast Infoset on the web service client.
Display Name: Fast Infoset Client Policy
Category: Configuration
Description
Enables and configures Fast Infoset on the web service client.
For more information about Fast Infoset, see:
-
JAX-WS Web Services: "Optimizing XML Transmission Using Fast Infoset" in Developing JAX-WS Web Services for Oracle WebLogic Server.
-
Oracle Infrastructure Web Services: "Optimizing XML Transmission Using Fast Infoset" in Developing Oracle Infrastructure Web Services.
Note:
Please note the following:
-
This configuration policy cannot be duplicated.
-
The assertion template associated with this configuration policy is not available for generating new policies.
-
This configuration policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-7 lists the configuration properties that you can override for Fast Infoset clients.
Table 17-7 Configuration Properties for oracle/fast_infoset_client_policy
Name | Description | Default | Required? |
---|---|---|---|
| Value that specifies the Fast Infoset content negotiation setting. Valid values include: | | Optional |
| See "reference.priority". | None | Optional |
17.21 oracle/fast_infoset_service_policy
The oracle/fast_infoset_service_policy enables Fast Infoset on the web service.
Display Name: Fast Infoset Service Policy
Category: Configuration
Description
Enables Fast Infoset on the web service.
For more information about Fast Infoset, see:
-
JAX-WS Web Services: "Optimizing XML Transmission Using Fast Infoset" in Developing JAX-WS Web Services for Oracle WebLogic Server.
-
Oracle Infrastructure Web Services: "Optimizing XML Transmission Using Fast Infoset" in Developing Oracle Infrastructure Web Services.
Note:
Please note the following:
-
This configuration policy cannot be duplicated.
-
The assertion template associated with this configuration policy is not available for generating new policies.
-
This configuration policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-8 lists the configuration properties that you can override for Fast Infoset web services.
Table 17-8 Configuration Properties for oracle/fast_infoset_service_policy
Name | Description | Default | Required? |
---|---|---|---|
| See "reference.priority". | None | Optional |
17.22 oracle/max_request_size_policy
The oracle/max_request_size_policy configures the maximum size, in bytes, of the request message that can be sent to the web service.
Display Name: Max Request Size Policy
Category: Configuration
Description
Configures the maximum size, in bytes, of the request message that can be sent to the web service.
Note:
Please note the following:
-
This configuration policy cannot be duplicated.
-
The assertion template associated with this configuration policy is not available for generating new policies.
-
This configuration policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-9 lists the configuration properties that you can override when enabling maximum request size on the web service.
Table 17-9 Configuration Properties for oracle/max_request_size_policy
Name | Description | Default | Required? |
---|---|---|---|
| Maximum size of the request message, in bytes. A value of | | Optional |
| See "reference.priority". | None | Optional |
17.23 oracle/mex_request_processing_service_policy
The oracle/mex_request_processing_service_policy enables the exchange of web service metadata.
Display Name: MEX Request Processing Service Policy
Category: Configuration
Description
Enables the exchange of web service metadata.
Note:
Please note the following:
-
This configuration policy cannot be duplicated.
-
The assertion template associated with this configuration policy is not available for generating new policies.
-
This configuration policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-10 lists the configuration properties that you can override when enabling the exchange of web service metadata.
Table 17-10 Configuration Properties for oracle/mex_request_processing_service_policy
Name | Description | Default | Required? |
---|---|---|---|
| See "reference.priority". | None | Optional |
17.24 oracle/mtom_encode_fault_service_policy
The oracle/mtom_encode_fault_service_policy enables the creation of MTOM-enabled SOAP fault messages when MTOM is enabled.
Display Name: MTOM Encode Fault Service Policy
Category: Configuration
Description
Enables the creation of MTOM-enabled SOAP fault messages when MTOM is enabled.
Note:
Please note the following:
-
This configuration policy cannot be duplicated.
-
The assertion template associated with this configuration policy is not available for generating new policies.
-
This configuration policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-11 lists the configuration properties that you can override when enabling MTOM encoding for SOAP faults.
Table 17-11 Configuration Properties for oracle/mtom_encode_fault_service_policy
Name | Description | Default | Required? |
---|---|---|---|
| See "reference.priority". | None | Optional |
17.25 oracle/no_async_web_service_policy
The oracle/no_async_web_service_policy is a no behavior policy. When directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached asynchronous web service policy at a higher scope.
Display Name: No Async Web Service Policy
Category: Configuration
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
-
This no behavior policy cannot be duplicated.
-
The assertion template associated with this no behavior policy is not available for generating new policies.
-
This no behavior policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-12 lists the configuration property that you can override for the no behavior policy.
Table 17-12 Configuration Property for oracle/no_async_web_service_policy
Name | Description | Default | Required? |
---|---|---|---|
| See "reference.priority". | None | Optional |
17.26 oracle/no_cache_binary_content_policy
The oracle/no_cache_binary_content_policy is a no behavior policy. When directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached binary caching policy at a higher scope.
Display Name: No Cache Binary Content Policy
Category: Configuration
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
-
This no behavior policy cannot be duplicated.
-
The assertion template associated with this no behavior policy is not available for generating new policies.
-
This no behavior policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-13 lists the configuration property that you can override for the no behavior policy.
Table 17-13 Configuration Property for oracle/no_cache_binary_content_policy
Name | Description | Default | Required? |
---|---|---|---|
| See "reference.priority". | None | Optional |
17.27 oracle/no_fast_infoset_client_policy
The oracle/no_fast_infoset_client_policy is a no behavior policy. When directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached Fast Infoset client policy at a higher scope.
Display Name: No Fast Infoset Client Policy
Category: Configuration
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
-
This no behavior policy cannot be duplicated.
-
The assertion template associated with this no behavior policy is not available for generating new policies.
-
This no behavior policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-14 lists the configuration property that you can override for the no behavior policy.
Table 17-14 Configuration Property for oracle/no_fast_infoset_client_policy
Name | Description | Default | Required? |
---|---|---|---|
| See "reference.priority". | None | Optional |
17.28 oracle/no_fast_infoset_service_policy
The oracle/no_fast_infoset_service_policy is a no behavior policy. When directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached Fast Infoset service policy at a higher scope.
Display Name: No Fast Infoset Service Policy
Category: Configuration
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
-
This no behavior policy cannot be duplicated.
-
The assertion template associated with this no behavior policy is not available for generating new policies.
-
This no behavior policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-15 lists the configuration property that you can override for the no behavior policy.
Table 17-15 Configuration Property for oracle/no_fast_infoset_service_policy
Name | Description | Default | Required? |
---|---|---|---|
| See "reference.priority". | None | Optional |
17.29 oracle/no_max_request_size_policy
The oracle/no_max_request_size_policy is a no behavior policy. When directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached maximum request size policy at a higher scope.
Display Name: No Max Request Size Policy
Category: Configuration
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
-
This no behavior policy cannot be duplicated.
-
The assertion template associated with this no behavior policy is not available for generating new policies.
-
This no behavior policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-16 lists the configuration property that you can override for the no behavior policy.
Table 17-16 Configuration Property for oracle/no_max_request_size_policy
Name | Description | Default | Required? |
---|---|---|---|
| See "reference.priority". | None | Optional |
17.30 oracle/no_mex_request_processing_service_policy
The oracle/no_mex_request_processing_service_policy is a no behavior policy. When directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached web service metadata exchange policy at a higher scope.
Display Name: No MEX Request Processing Service Policy
Category: Configuration
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
- This no behavior policy cannot be duplicated.
- The assertion template associated with this no behavior policy is not available for generating new policies.
- This no behavior policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-17 lists the configuration property that you can override for the no behavior policy.
Table 17-17 Configuration Property for oracle/no_mex_request_processing_service_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.31 oracle/no_mtom_encode_fault_service_policy
The oracle/no_mtom_encode_fault_service_policy is a no behavior policy. When it is directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached SOAP fault MTOM encoding policy at a higher scope.
Display Name: No MTOM Encode Fault Service Policy
Category: Configuration
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
- This no behavior policy cannot be duplicated.
- The assertion template associated with this no behavior policy is not available for generating new policies.
- This no behavior policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-18 lists the configuration property that you can override for the no behavior policy.
Table 17-18 Configuration Property for oracle/no_mtom_encode_fault_service_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.32 oracle/no_persistence_policy
The oracle/no_persistence_policy is a no behavior policy. When it is directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached persistence policy at a higher scope.
Display Name: No Persistence Policy
Category: Configuration
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
- This no behavior policy cannot be duplicated.
- The assertion template associated with this no behavior policy is not available for generating new policies.
- This no behavior policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-19 lists the configuration property that you can override for the no behavior policy.
Table 17-19 Configuration Property for oracle/no_persistence_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.33 oracle/no_pox_http_binding_service_policy
The oracle/no_pox_http_binding_service_policy is a no behavior policy. When it is directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached Plain Old XML (POX) policy at a higher scope.
Display Name: No Pox Http Binding Service Policy
Category: Configuration
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
- This no behavior policy cannot be duplicated.
- The assertion template associated with this no behavior policy is not available for generating new policies.
- This no behavior policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-20 lists the configuration property that you can override for the no behavior policy.
Table 17-20 Configuration Property for oracle/no_pox_http_binding_service_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.34 oracle/no_request_processing_service_policy
The oracle/no_request_processing_service_policy is a no behavior policy. When it is directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached request processing policy at a higher scope.
Display Name: No Request Processing Service Policy
Category: Configuration
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
- This no behavior policy cannot be duplicated.
- The assertion template associated with this no behavior policy is not available for generating new policies.
- This no behavior policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-21 lists the configuration property that you can override for the no behavior policy.
Table 17-21 Configuration Property for oracle/no_request_processing_service_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.35 oracle/no_schema_validation_policy
The oracle/no_schema_validation_policy is a no behavior policy. When it is directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached schema validation policy at a higher scope.
Display Name: No Schema Validation Policy
Category: Configuration
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
- This no behavior policy cannot be duplicated.
- The assertion template associated with this no behavior policy is not available for generating new policies.
- This no behavior policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-22 lists the configuration property that you can override for the no behavior policy.
Table 17-22 Configuration Property for oracle/no_schema_validation_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.36 oracle/no_soap_request_processing_service_policy
The oracle/no_soap_request_processing_service_policy is a no behavior policy. When it is directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached SOAP request processing policy at a higher scope.
Display Name: No Soap Request Processing Service Policy
Category: Configuration
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
- This no behavior policy cannot be duplicated.
- The assertion template associated with this no behavior policy is not available for generating new policies.
- This no behavior policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-23 lists the configuration property that you can override for the no behavior policy.
Table 17-23 Configuration Property for oracle/no_soap_request_processing_service_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.37 oracle/no_test_page_processing_service_policy
The oracle/no_test_page_processing_service_policy is a no behavior policy. When it is directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached test page processing policy at a higher scope.
Display Name: No Test Page Processing Service Policy
Category: Configuration
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
- This no behavior policy cannot be duplicated.
- The assertion template associated with this no behavior policy is not available for generating new policies.
- This no behavior policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-24 lists the configuration property that you can override for the no behavior policy.
Table 17-24 Configuration Property for oracle/no_test_page_processing_service_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.38 oracle/no_ws_logging_level_policy
The oracle/no_ws_logging_level_policy is a no behavior policy. When it is directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached logging policy at a higher scope.
Display Name: No Ws Logging Level Policy
Category: Configuration
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
- This no behavior policy cannot be duplicated.
- The assertion template associated with this no behavior policy is not available for generating new policies.
- This no behavior policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-25 lists the configuration property that you can override for the no behavior policy.
Table 17-25 Configuration Property for oracle/no_ws_logging_level_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.39 oracle/no_wsdl_request_processing_service_policy
The oracle/no_wsdl_request_processing_service_policy is a no behavior policy. When it is directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached WSDL request processing policy at a higher scope.
Display Name: No Wsdl Request Processing Service Policy
Category: Configuration
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
- This no behavior policy cannot be duplicated.
- The assertion template associated with this no behavior policy is not available for generating new policies.
- This no behavior policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-26 lists the configuration property that you can override for the no behavior policy.
Table 17-26 Configuration Property for oracle/no_wsdl_request_processing_service_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.40 oracle/persistence_policy
The oracle/persistence_policy configures the secure conversation persistence mechanism for the web service.
Display Name: Persistence Policy
Category: Configuration
Description
Configures the secure conversation persistence mechanism for the web service.
Note:
Please note the following:
- This configuration policy cannot be duplicated.
- The assertion template associated with this configuration policy is not available for generating new policies.
- This configuration policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-27 lists the configuration properties that you can override when enabling the policy.
Table 17-27 Configuration Properties for oracle/persistence_policy
Attribute | Description | Default | Required? |
---|---|---|---|
 | Identifies the persistence provider registered in the system. Possible values are: Note: For J2SE clients, you can configure | | Optional |
reference.priority | See "reference.priority". | None | Optional |
17.41 oracle/pox_http_binding_service_policy
The oracle/pox_http_binding_service_policy enables an endpoint to receive non-SOAP XML messages that are processed by a user-defined javax.xml.ws.Provider<T>.invoke method.
Display Name: Pox Http Binding Service Policy
Category: Configuration
Description
Enables an endpoint to receive non-SOAP XML messages that are processed by a user-defined javax.xml.ws.Provider<T>.invoke method.
Note:
Please note the following:
- This configuration policy cannot be duplicated.
- The assertion template associated with this configuration policy is not available for generating new policies.
- This configuration policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-28 lists the configuration property that you can override when enabling the policy.
Table 17-28 Configuration Property for oracle/pox_http_binding_service_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.42 oracle/request_processing_service_policy
The oracle/request_processing_service_policy enables the web service endpoint to process incoming requests.
Display Name: Request Processing Service Policy
Category: Configuration
Description
Enables the web service endpoint to process incoming requests.
Note:
Please note the following:
- This configuration policy cannot be duplicated.
- The assertion template associated with this configuration policy is not available for generating new policies.
- This configuration policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-29 lists the configuration property that you can override when enabling this policy.
Table 17-29 Configuration Property for oracle/request_processing_service_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.43 oracle/schema_validation_policy
The oracle/schema_validation_policy enables the validation of request messages against the schema.
Display Name: Schema Validation Policy
Category: Configuration
Description
Enables the validation of request messages against the schema.
Note:
Please note the following:
- This configuration policy cannot be duplicated.
- The assertion template associated with this configuration policy is not available for generating new policies.
- This configuration policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-30 lists the configuration property that you can override when enabling this policy.
Table 17-30 Configuration Property for oracle/schema_validation_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.44 oracle/soap_request_processing_service_policy
The oracle/soap_request_processing_service_policy enables the processing of SOAP requests on the web service endpoint.
Display Name: Soap Request Processing Service Policy
Category: Configuration
Description
Enables the processing of SOAP requests on the web service endpoint.
Note:
Please note the following:
- This configuration policy cannot be duplicated.
- The assertion template associated with this configuration policy is not available for generating new policies.
- This configuration policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-31 lists the configuration property that you can override when enabling this policy.
Table 17-31 Configuration Property for oracle/soap_request_processing_service_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.45 oracle/test_page_processing_policy
The oracle/test_page_processing_policy enables the Web Service Test Client. It contains reference.priority as a configuration property.
Display Name: Test Page Processing Service Policy
Category: Configuration
Description
Enables the Web Service Test Client, as described in "Using the Web Services Test Client" in Administering Web Services.
Note:
Please note the following:
- This configuration policy cannot be duplicated.
- The assertion template associated with this configuration policy is not available for generating new policies.
- This configuration policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-32 lists the configuration property that you can override when enabling this policy.
Table 17-32 Configuration Property for oracle/test_page_processing_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.46 oracle/ws_logging_level_policy
The oracle/ws_logging_level_policy sets the logging level for diagnostic logs for the web service endpoint. It contains logging.level and reference.priority as configuration properties.
Display Name: Ws Logging Level Policy
Category: Configuration
Description
Sets the logging level for diagnostic logs for the web service endpoint.
Note:
Please note the following:
- This configuration policy cannot be duplicated.
- The assertion template associated with this configuration policy is not available for generating new policies.
- This configuration policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-33 lists the configuration properties that you can override when enabling this policy.
Table 17-33 Configuration Properties for oracle/ws_logging_level_policy
Name | Description | Default | Required? |
---|---|---|---|
logging.level | Defines the logging level. Valid values include: | None | Optional |
reference.priority | See "reference.priority". | None | Optional |
17.47 oracle/wsdl_request_processing_service_policy
The oracle/wsdl_request_processing_service_policy enables access to the WSDL for the web service. It contains reference.priority as a configuration property.
Display Name: Wsdl Request Processing Service
Category: Configuration
Description
Enables access to the WSDL for the web service.
Note:
Please note the following:
- This configuration policy cannot be duplicated.
- The assertion template associated with this configuration policy is not available for generating new policies.
- This configuration policy is not supported for SOA composite or Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-34 lists the configuration property that you can override when enabling this policy.
Table 17-34 Configuration Property for oracle/ws_logging_level_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.48 oracle/log_policy
The oracle/log_policy causes the request, response, and fault messages to be sent to a message log. By default, this policy logs the entire SOAP message for the request and just the SOAP body information for the response.
Display Name: Log Policy
Category: Management
Description
Messages are logged to the message log for the domain. For information about viewing and filtering message logs, see "Using Message Logs for Web Services" in Administering Web Services.
Note:
This policy is not supported for Java EE (WebLogic) web services.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
The assertion is not advertised in the WSDL.
Configuration
Table 17-35 lists the configuration property that you can override for the log policy.
Table 17-35 Configuration Property for oracle/log_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.49 oracle/no_mtom_policy
The oracle/no_mtom_policy is a no behavior policy. When it is directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached MTOM policy at a higher scope.
Display Name: No Behavior MTOM Policy
Category: MTOM Attachments
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
- This no behavior policy cannot be duplicated.
- The assertion template associated with this no behavior policy is not available for generating new policies.
- This no behavior policy is not supported for Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-36 lists the configuration property that you can override for the no behavior policy.
Table 17-36 Configuration Property for oracle/no_mtom_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.50 oracle/wsmtom_policy
The oracle/wsmtom_policy rejects inbound messages that are not in MTOM format and verifies that outbound messages are in MTOM format. MTOM defines a method for optimizing the transmission of XML data of type xs:base64Binary or xs:hexBinary in SOAP messages.
Display Name: WS MTOM Policy
Category: MTOM Attachments
Description
For more information about MTOM, see the following specifications for SOAP 1.2 and 1.1, respectively: http://www.w3.org/TR/2005/REC-soap12-mtom-20050125 and http://www.w3.org/Submission/2006/SUBM-soap11mtom10-20060405.
To enable MTOM on the client of the web service, pass javax.xml.ws.soap.MTOMFeature as a parameter when creating the web service proxy or dispatch, as illustrated in the following example.

```java
package examples.webservices.mtom.client;

import javax.xml.ws.soap.MTOMFeature;

public class Main {
    public static void main(String[] args) {
        String FOO = "FOO";
        // MtomService and MtomPortType are the JAX-WS client artifacts
        // generated from the service WSDL.
        MtomService service = new MtomService();
        // Passing MTOMFeature when obtaining the port enables MTOM on the client.
        MtomPortType port = service.getMtomPortTypePort(new MTOMFeature());
        String result = null;
        result = port.echoBinaryAsString(FOO.getBytes());
        System.out.println("Got result: " + result);
    }
}
```
Note:
Please note the following:
- This MTOM policy cannot be duplicated.
- The assertion template associated with this policy is not available for generating new policies.
- This policy is not supported for Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-37 lists the configuration property that you can override for the MTOM policy.
Table 17-37 Configuration Property for oracle/wsmtom_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.51 oracle/no_reliable_messaging_policy
The oracle/no_reliable_messaging_policy is a no behavior policy. When it is directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached Web Services Reliable Messaging policy at a higher scope.
Display Name: No Reliable Messaging Policy
Category: Reliable Messaging
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
For more information about reliable messaging, see "Using Web Services Atomic Transactions" in Developing Oracle Infrastructure Web Services.
Note:
Please note the following:
- This no behavior policy cannot be duplicated.
- The assertion template associated with this no behavior policy is not available for generating new policies.
- This no behavior policy is not supported for Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-38 lists the configuration property that you can override for the no behavior policy.
Table 17-38 Configuration Property for oracle/no_reliable_messaging_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.52 oracle/no_wsrm_policy
The oracle/no_wsrm_policy is a no behavior policy. When it is directly attached to an endpoint or globally attached at a lower scope, it effectively disables a globally attached Web Services Reliable Messaging policy at a higher scope.
Display Name: No Behavior RM Policy
Category: Reliable Messaging
Note:
This policy has been deprecated. Oracle recommends that you use the oracle/no_reliable_messaging_policy policy instead, as described in "oracle/no_reliable_messaging_policy".
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
- This no behavior policy cannot be duplicated.
- The assertion template associated with this no behavior policy is not available for generating new policies.
- This no behavior policy is not supported for Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-39 lists the configuration property that you can override for the no behavior policy.
Table 17-39 Configuration Property for oracle/no_wsrm_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
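The scope rule stated for each of the no behavior policies in this chapter (17.29 through 17.39, 17.49, 17.51 and 17.52) is worth checking mechanically: a no_* policy attached at a lower scope silently switches off a control, such as schema validation, message logging or MTOM enforcement, that was meant to be enforced domain-wide. The following Python script is an added example, not code from Oracle or the OWSM product. It models that rule over a constructed set of attachments and reports which globally attached policies end up disabled. The scope names, the sample attachment data and the pairing table of no behavior policies to the policies they switch off (taken from the section pairs in this chapter, for example 17.35 and 17.43) are assumptions made for the example; in a real deployment the attachments would come from WLST or Fusion Middleware Control.

```python
"""Effective-policy audit for OWSM no behavior overrides.

Added example (not Oracle or OWSM code). It models the rule this chapter states
for every no behavior policy: a no_* policy directly attached to an endpoint, or
globally attached at a lower scope, disables the matching policy that was
globally attached at a higher scope. Scope names and sample data are constructed.
"""
from typing import Dict, List, Tuple

# Assumed scope order, broadest first; a direct attachment to the endpoint is
# treated as the lowest scope.
SCOPE_ORDER = ["domain", "server", "application", "module", "endpoint"]

# no behavior policy -> the policy it switches off. Pairs taken from the
# section descriptions in this chapter (for example 17.35 and 17.43).
NO_BEHAVIOR_PAIRS = {
    "oracle/no_schema_validation_policy": "oracle/schema_validation_policy",
    "oracle/no_ws_logging_level_policy": "oracle/ws_logging_level_policy",
    "oracle/no_persistence_policy": "oracle/persistence_policy",
    "oracle/no_mtom_policy": "oracle/wsmtom_policy",
    "oracle/no_reliable_messaging_policy": "oracle/reliable_messaging_policy",
}

# (disabled policy, its scope, no behavior policy, its scope)
Disabled = Tuple[str, str, str, str]


def resolve_effective_policies(
    attachments: Dict[str, List[str]],
) -> Tuple[Dict[str, str], List[Disabled]]:
    """Walk the scopes from broadest to narrowest and apply the override rule.

    attachments maps a scope name to the policy URIs attached at that scope.
    Returns the policies still in effect (policy -> scope it came from) and the
    list of overrides that removed a higher-scope policy.
    """
    effective: Dict[str, str] = {}
    disabled: List[Disabled] = []
    for scope in SCOPE_ORDER:
        for policy in attachments.get(scope, []):
            target = NO_BEHAVIOR_PAIRS.get(policy)
            if target is None:
                # An ordinary policy: it takes effect at this scope.
                effective[policy] = scope
                continue
            # A no behavior policy only cancels its target when the target was
            # attached at a strictly higher (broader) scope. It never affects a
            # policy attached at the same or a lower scope, and it contributes
            # no behaviour of its own.
            target_scope = effective.get(target)
            if target_scope is not None and (
                SCOPE_ORDER.index(target_scope) < SCOPE_ORDER.index(scope)
            ):
                disabled.append((target, target_scope, policy, scope))
                del effective[target]
    return effective, disabled


def audit_report(attachments: Dict[str, List[str]]) -> List[str]:
    """One human-readable line per global control that was switched off."""
    _, disabled = resolve_effective_policies(attachments)
    return [
        f"{target} (attached at {t_scope}) is disabled by {no_policy} at {n_scope}"
        for target, t_scope, no_policy, n_scope in disabled
    ]


# Constructed sample: three controls enforced at domain level, two of them
# overridden further down, and one no_* policy with nothing to override.
SAMPLE_ATTACHMENTS = {
    "domain": [
        "oracle/schema_validation_policy",
        "oracle/ws_logging_level_policy",
        "oracle/wsmtom_policy",
    ],
    "application": ["oracle/no_schema_validation_policy"],
    "endpoint": [
        "oracle/no_ws_logging_level_policy",
        "oracle/no_persistence_policy",
        "oracle/reliable_messaging_policy",
    ],
}

if __name__ == "__main__":
    effective, _ = resolve_effective_policies(SAMPLE_ATTACHMENTS)
    for line in audit_report(SAMPLE_ATTACHMENTS):
        print(line)
    print("still in effect:", sorted(effective))
```

Run against the sample, the report names the two domain-level controls (schema validation and logging level) that lower-scope no behavior policies switched off, while the MTOM policy stays in effect and the no_persistence_policy at the endpoint is a no-op because nothing above it enforced persistence. Reversing a pair (no behavior policy at domain level, real policy at the endpoint) leaves the real policy in effect, which is the direction of the rule the chapter describes.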
17.53 oracle/reliable_messaging_policy
The oracle/reliable_messaging_policy configures web services reliable messaging on the web service and client. This policy can be attached to any SOAP-based web service and client.
Display Name: Reliable Messaging Policy
Category: Reliable Messaging
Description
The web service client will automatically detect the WSDL policy assertions at run time and use them to enable the advertised version of reliable messaging on the client. When more than one version is enabled, the generated WSDL has policy alternatives for the given versions, which enables the client to select any version. The client must consistently use the selected version of the protocol for all interaction with a given sequence.
For multi-message sequences, the client code must include explicit invocations of methods for delimiting sequence boundaries. Otherwise, every message is wrapped in its own sequence. Edit the client to enable a reliable messaging session for the messages sent to the service. The oracle.webservices.rm.client.RMSessionLifecycle interface provides the client with a mechanism for demarcating reliable messaging sequence boundaries.
The following example shows sample client code for web services reliable messaging for a servlet client. In this example, a new TestService is created. The TestPort, through which the client will communicate with the service, is retrieved. The port object is cast to a RMSessionLifecycle object and a reliable messaging session is opened on it (openSession). After the messages are sent to the service, the session is closed (closeSession).

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import oracle.webservices.rm.client.RMSessionLifecycle;

public class ClientServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        int num1 = Integer.parseInt(request.getParameter("num1"));
        int num2 = Integer.parseInt(request.getParameter("num2"));
        // Payload for the reliable call, built from the request parameters.
        String inputStr = num1 + " " + num2;
        String outputStr = null;

        // Create the service and obtain the port the client talks through.
        TestService service = new TestService();
        Test port = service.getTestPort();
        try {
            // Open one reliable messaging sequence for everything sent below;
            // without this, each invocation is wrapped in its own sequence.
            ((RMSessionLifecycle) port).openSession();
            outputStr = port.hello(inputStr);
        } catch (Exception e) {
            e.printStackTrace();
            outputStr = e.getMessage();
        } finally {
            // Close the sequence once the messages have been sent.
            ((RMSessionLifecycle) port).closeSession();
            response.getOutputStream().write(outputStr.getBytes());
        }
    }
}
```
Note:
Please note the following:
-
This reliable messaging policy cannot be duplicated.
-
The assertion template associated with this policy is not available for generating new policies.
-
This policy is not supported for Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-40 lists the configuration properties that you can override when enabling the policy.
Table 17-40 Configuration Properties for oracle/reliable_messaging_policy
Name | Description | Default | Required? |
---|---|---|---|
 | Maximum interval, in milliseconds, in which the destination endpoint must transmit a standalone acknowledgement. The value specified must be a positive value and conform to the XML schema duration lexical format, This value is set at sequence creation time, and cannot be reset. |  | Optional |
 | Reliable messaging version(s) supported. When more than one version is enabled, the generated WSDL will list policy alternatives for the given versions, allowing the client to select the version. The client must use the selected version consistently for all interactions in a given sequence. Valid values include: |  | Optional |
 | Flag indicating that non-buffered receipt of messages is requested. This value is set at sequence creation time, and cannot be reset. |  | Optional |
 | Number of milliseconds which defines an inactivity interval. After this amount of time, if the destination endpoint has not received a message from the source endpoint, the destination endpoint may consider the sequence to have terminated due to inactivity. The same is true for the source endpoint. By default, sequences never timeout. Implementations of RM source and RM destination are free to manage resources associated with the sequence as desired, but there are no guarantees that the sequence will be usable by either party after the inactivity timeout expires. The value specified must be a positive value and conform to the XML schema duration lexical format, Set at sequence creation time, and cannot be reset. |  | Optional |
 | Number of times that the JMS queue on the invoked WebLogic Server instance attempts to deliver the message to the web service implementation until the operation is successfully invoked. |  | Optional |
 | Flag that specifies whether reliable messaging is required. This flag enables a service endpoint to support reliable or non-reliable communication with different clients. If optional is set to When used in combination with an operation-level "required" WS-RM policy, operations without an explicit WS-RM policy do not need to be called with the WS-RM protocol, but operations with an explicit WS-RM policy must be called with the WS-RM protocol. |  | Optional |
reference.priority | See "reference.priority". | None | Optional |
 | Delivery assurance for reliable messaging. Valid values include: |  | Optional |
 | Flag that specifies that messages are delivered in the order that they were sent. |  | Optional |
 | Amount of time after which the reliable web service expires and does not accept any new sequence messages. If this limit is reached before the sequence naturally completes, it will be forcibly terminated. The value specified must be a positive value and conform to the XML schema duration lexical format, This value is set at sequence creation time, and cannot be reset. |  | Optional |
 | Flag that specifies that in order to secure messages in a reliable sequence, the runtime will use the |  | Optional |
 | Flag that specifies that in order to secure messages in a reliable sequence, the RM Sequence must be bound to the session(s) of the underlying transport-level protocol used to carry the When present, this assertion must be used in conjunction with the |  | Optional |
 | Backoff algorithm. If a destination endpoint does not acknowledge a sequence of messages for the time interval specified by the base retransmission interval ( Valid values include: This value is set at sequence creation time, and cannot be reset. |  | Optional |
 | Interval of time that must pass before a message will be retransmitted to the RM destination (in the event a prior transmission failed.) This interval can be used in conjunction with the backoff algorithm ( The value specified must be a positive value and conform to the XML schema duration lexical format, This value is set at sequence creation time, and cannot be reset. |  | Optional |
 | Reliable messaging version(s) supported by the RM source. When the service WSDL contains policy alternatives for multiple RM versions, the client can select the version via this attribute. If the WSDL contains multiple RM versions and this attribute is not explicitly set, then either RM 1.2 is used or the highest version in the WSDL, if the WSDL does not contain RM 1.2. Valid values include: If the WSDL contains only one RM version, this attribute is ignored and the version in the WSDL is used. Other possible values are DEFAULT, WS_RM_1_0, and WS_RM_1_1. |  | Optional |
reference.priority | See "reference.priority". | None | Optional |
17.54 oracle/wsrm10_policy
The oracle/wsrm10_policy configures version 1.0 of the Web Services Reliable Messaging protocol. This policy can be attached to any SOAP-based client or endpoint.
Display Name: WS RM10 Policy
Category: Reliable Messaging
Note:
This policy has been deprecated. Oracle recommends that you use the oracle/reliable_messaging
policy, as described in "oracle/reliable_messaging_policy".
Description
The web service client will automatically detect the WSDL policy assertions at run time and use them to enable the advertised version of reliable messaging on the client.
For multi-message sequences, the client code must include explicit invocations of methods for delimiting sequence boundaries. Otherwise, every message is wrapped in its own sequence. Edit the client to enable a reliable messaging session for the messages sent to the service. The oracle.webservices.rm.client.RMSessionLifecycle interface provides the client with a mechanism for demarcating reliable messaging sequence boundaries.
The example in "oracle/reliable_messaging_policy" illustrates a servlet client. In this example, a new TestService is created. The TestPort, through which the client will communicate with the service, is retrieved. The port object is cast to a RMSessionLifecycle object and a reliable messaging session is opened on it (openSession). After the messages are sent to the service, the session is closed (closeSession).
Note:
Please note the following:
-
This reliable messaging policy cannot be duplicated.
-
The assertion template associated with this policy is not available for generating new policies.
-
This policy is not supported for Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-41 lists the configuration properties that you can override for the reliable messaging policy.
Table 17-41 Configuration Properties for the wsrm10_policy
Name | Description | Default | Required? |
---|---|---|---|
 | Delivery assurance. The following defines the delivery assurance types: In addition, you can configure whether messages are delivered in the order that they were sent. Valid values include |  | Optional |
 | Type of message store. Valid values include: |  | Optional |
 | Name of the message store. |  | Optional |
 | JNDI reference to a JDBC data source. This field is valid only if StoreType is set to JDBC. This value takes precedence over jdbc-connection-url. The username and password will be used if both are present. | jdbc/MessagesStore | Optional |
 | Number of milliseconds which defines an inactivity interval. After this amount of time, if the destination endpoint has not received a message from the source endpoint, the destination endpoint may consider the sequence to have terminated due to inactivity. The same is true for the source endpoint. By default, sequences never timeout. Implementations of RM source and RM destination are free to manage resources associated with the sequence as desired, but there are no guarantees that the sequence will be usable by either party after the inactivity timeout expires. |  | Optional |
 | Interval of time that must pass before a message will be retransmitted to the RM destination (in the event a prior transmission failed.) |  | Optional |
17.55 oracle/wsrm11_policy
The oracle/wsrm11_policy configures version 1.1 of the Web Services Reliable Messaging protocol. This policy can be attached to any SOAP-based client or endpoint.
Display Name: WS RM11 Policy
Category: Reliable Messaging
Note:
This policy has been deprecated. Oracle recommends that you use the oracle/reliable_messaging
policy, as described in "oracle/reliable_messaging_policy".
Description
The web service client will automatically detect the WSDL policy assertions at run time and use them to enable the advertised version of reliable messaging on the client.
For multi-message sequences, the client code must include explicit invocations of methods for delimiting sequence boundaries. Otherwise, every message is wrapped in its own sequence. Edit the client to enable a reliable messaging session for the messages sent to the service. The oracle.webservices.rm.client.RMSessionLifecycle interface provides the client with a mechanism for demarcating reliable messaging sequence boundaries.
The example in "oracle/reliable_messaging_policy" illustrates a servlet client. In this example, a new TestService is created. The TestPort, through which the client will communicate with the service, is retrieved. The port object is cast to a RMSessionLifecycle object and a reliable messaging session is opened on it (openSession). After the messages are sent to the service, the session is closed (closeSession).
Note:
Please note the following:
-
This reliable messaging policy cannot be duplicated.
-
The assertion template associated with this policy is not available for generating new policies.
-
This policy is not supported for Java EE (WebLogic) web services.
Assertion
An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-41 lists the configuration properties that you can override for this policy.
17.56 oracle/http_basic_auth_over_ssl_client_policy
The oracle/http_basic_auth_over_ssl_client_policy includes credentials in the HTTP header for outbound client requests and verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused, because HTTP Basic credentials are only base64-encoded and would otherwise be readable on the wire.
Display Name: HTTP Basic Auth Over SSL Client Policy
Category: Security
Description
This policy can be enforced on any HTTP-based client endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
The assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-52. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way SSL, as described in "Configuring One-Way SSL on WebLogic Server".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed using the Remote Console, as described in "Supported Authentication Providers in WebLogic Server".
17.57 oracle/http_basic_auth_over_ssl_service_policy
The oracle/http_basic_auth_over_ssl_service_policy uses the credentials in the HTTP header to authenticate users against the OPSS identity store and verifies that the transport protocol is HTTPS.
Display Name: HTTP Basic Auth Over SSL Service Policy
Category: Security
Description
Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based endpoint.
Note:
This policy functions similarly to oracle/wss_http_token_over_ssl_service_policy. The difference is that oracle/wss_http_token_over_ssl_service_policy enables the include-timestamp attribute in the require-tls element to prevent replay attacks, a feature that is not applicable to RESTful services. For more information about the require-tls element, see "orasp:require-tls Element".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
The assertion is advertised in the WSDL.
Note:
Advertisement of policy assertions in a WADL file is not supported. The Advertised option has no effect when the associated policy is attached to a RESTful web service.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-53. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way SSL, as described in "Configuring One-Way SSL on WebLogic Server".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed using the Remote Console, as described in "Supported Authentication Providers in WebLogic Server".
17.58 oracle/http_mutual_auth_over_ssl_client_policy
The oracle/http_mutual_auth_over_ssl_client_policy includes credentials in the HTTP header for outbound client requests and verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. Two-way (mutual) SSL, under which the client presents its own certificate, is configured separately as described under Configuration.
Display Name: HTTP Mutual Auth Over SSL Client Policy
Category: Security
Description
This policy can be enforced on any HTTP-based client endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
-
oracle/http_mutual_auth_over_ssl_client_template
The assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in wss_http_token_over_ssl_client_template Configuration Properties.
-
Configure two-way SSL.
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed using the Remote Console.
17.59 oracle/http_mutual_auth_over_ssl_service_policy
The oracle/http_mutual_auth_over_ssl_service_policy uses the credentials in the HTTP header to authenticate users against the OPSS identity store and verifies that the transport protocol is HTTPS. Two-way (mutual) SSL, under which the client presents its own certificate, is configured separately as described under Configuration.
Display Name: HTTP Mutual Auth Over SSL Service Policy
Category: Security
Description
Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
-
oracle/http_mutual_auth_over_ssl_service_template
The assertion is advertised in the WSDL.
Note:
Advertisement of policy assertions in a WADL file is not supported. The Advertised option has no effect when the associated policy is attached to a RESTful web service.
Configuration
To configure the policy:
-
Override the configuration properties defined in wss_http_token_over_ssl_service_template Configuration Properties.
-
Configure two-way SSL.
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed using the Remote Console.
17.60 oracle/http_oam_token_service_policy
The oracle/http_oam_token_service_policy verifies that the OAM agent has authenticated the user and has established an identity.
Display Name: HTTP OAM Service Policy
Category: Security
Description
This policy can be enforced on any HTTP-based endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
The assertion is not advertised in the WSDL.
Note:
Advertisement of policy assertions in a WADL file is not supported. The Advertised option has no effect when the associated policy is attached to a RESTful web service.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-5. For more information, see "Overriding Policy Configuration Properties".
-
To enforce HTTP OAM security, configure OAM WebGate to intercept the request, authenticate the user, and set the OAM_REMOTE_USER HTTP header. OWSM verifies that the OAM_REMOTE_USER HTTP header is present before allowing the request. Because that header is the only evidence of authentication OWSM sees, the endpoint must be reachable solely through the WebGate-protected path; a client that can reach it directly could set the header itself.
-
To support the remote user header, ensure that the remote-user configuration property value is set to the default value of OAM_REMOTE_USER.
For more information, see Installing and Configuring Oracle HTTP Server 11g WebGate for OAM in Installing WebGates for Oracle Access Manager.
17.61 oracle/http_saml20_token_bearer_client_policy
The oracle/http_saml20_token_bearer_client_policy includes a SAML Bearer V2.0 token in the HTTP header. The SAML token with confirmation method Bearer is created automatically.
Display Name: HTTP Saml Bearer V2.0 Token Client Policy
Category: Security
Description
This policy can be enforced on any HTTP-based client endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
The assertion is advertised.
Configuration
To configure the policy, override the configuration properties defined in Table 18-7. For more information, see "Overriding Policy Configuration Properties".
Design Time Considerations
Configure SAML for the web service client at design time, as described in "Configuring SAML Web Service Client at Design Time".
17.62 oracle/http_saml20_token_bearer_service_policy
The oracle/http_saml20_token_bearer_service_policy authenticates users using credentials provided in the SAML v2.0 token with confirmation method Bearer in the HTTP header. The credentials in the SAML token are authenticated against a SAML v2.0 login module.
Display Name: HTTP Saml Bearer V2.0 Token Service Policy
Category: Security
Description
This policy can be enforced on any HTTP-based endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
The assertion is advertised in the WSDL.
Note:
Advertisement of policy assertions in a WADL file is not supported. The Advertised option has no effect when this policy is attached to a RESTful web service.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-8. For more information, see "Overriding Policy Configuration Properties".
-
Configure SAML and set up OPSS, as described in "About SAML Configuration".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
Configure the
saml2.loginmodule
login module, as described in "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control". The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
17.63 oracle/http_saml20_token_bearer_over_ssl_client_policy
The oracle/http_saml20_token_bearer_over_ssl_client_policy includes a SAML Bearer v2.0 token in the HTTP header and verifies that the transport protocol provides SSL message protection. The SAML token with confirmation method Bearer is created automatically.
Display Name: HTTP Saml Bearer V2.0 Token Over SSL Client Policy
Category: Security
Description
This policy can be attached to any HTTP-based client endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
The assertion is advertised.
Note:
Advertisement of policy assertions in a WADL file is not supported. The Advertised option has no effect when this policy is attached to a RESTful web service.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-7. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way SSL, as described in "Configuring One-Way SSL for a Web Service Client".
Design Time Considerations
Configure SAML for the web service client at design time, as described in "Configuring SAML Web Service Client at Design Time".
17.64 oracle/http_saml20_bearer_token_over_ssl_service_policy
The oracle/http_saml20_bearer_token_over_ssl_service_policy authenticates users using credentials provided in the SAML v2.0 token with confirmation method Bearer in the HTTP header, and verifies that the transport protocol provides SSL message protection.
Display Name: HTTP Saml Bearer V2.0 Token Over SSL Service Policy
Category: Security
Description
The credentials in the SAML token are authenticated against a SAML v2.0 login module. This policy can be enforced on any HTTP-based endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
The assertion is advertised in the WSDL.
Note:
Advertisement of policy assertions in a WADL file is not supported. The Advertised option has no effect when this policy is attached to a RESTful web service.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-8. For more information, see "Overriding Policy Configuration Properties".
-
Configure SAML and set up OPSS, as described in "About SAML Configuration".
-
Configure one-way SSL, as described in "Configuring One-Way SSL on WebLogic Server".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
Configure the
saml2.loginmodule
login module, as described in "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control". The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
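The checks a bearer assertion has to pass before its username can be handed to the Authentication provider, for the two SAML 2.0 service policies above (oracle/http_saml20_token_bearer_service_policy and oracle/http_saml20_bearer_token_over_ssl_service_policy). This is an added Python example, not OWSM or saml2.loginmodule code. It assumes the assertion arrives base64-encoded in an HTTP header (the page does not show OWSM's encoding), that the XML signature has already been verified by the caller, and that the audience URL, fixed clock and 60-second skew are example values.

```python
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET   # use defusedxml for untrusted input in production

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": SAML}
AUDIENCE = "https://api.example/rest"                    # assumed service identifier
NOW = datetime(2024, 1, 1, 12, 2, tzinfo=timezone.utc)   # fixed clock for the example


class SamlError(Exception):
    """Raised when the assertion must not be used to establish an identity."""


def _utc(value):
    """Parse the xsd:dateTime form SAML uses (UTC with a 'Z' suffix)."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        raise SamlError("malformed timestamp in Conditions") from None


def bearer_username(header_value, audience, now, skew=timedelta(seconds=60)):
    """Return the NameID of a bearer SAML 2.0 assertion carried base64-encoded in an
    HTTP header. Signature verification is assumed to have happened already;
    this models the checks that follow it."""
    try:
        root = ET.fromstring(base64.b64decode(header_value, validate=True))
    except (ValueError, ET.ParseError):
        raise SamlError("header does not carry a SAML assertion") from None
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        raise SamlError("not a SAML 2.0 Assertion")
    # Bearer means possession of the token is the only proof of the subject, so
    # lifetime and audience are all that stop a replayed or misdirected token.
    methods = {sc.get("Method") for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS)}
    if BEARER not in methods:
        raise SamlError("no bearer SubjectConfirmation")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("missing Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _utc(not_before):
        raise SamlError("assertion not yet valid")
    if not_on_or_after is None or now - skew >= _utc(not_on_or_after):
        raise SamlError("assertion expired or has no expiry")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if audience not in audiences:
        raise SamlError("assertion not issued for this service")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlError("missing NameID")
    return name_id.text.strip()


def rejected(header_value, audience, now):
    """True when bearer_username refuses the token; used to show the failure modes."""
    try:
        bearer_username(header_value, audience, now)
    except SamlError:
        return True
    return False


def sample_assertion(name_id="alice", not_on_or_after="2024-01-01T12:05:00Z",
                     method=BEARER, audience=AUDIENCE):
    """Constructed, unsigned assertion for the example; not a real token."""
    xml = (
        f'<saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_1" '
        f'IssueInstant="2024-01-01T12:00:00Z">'
        f'<saml:Issuer>https://idp.example</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="{method}"/></saml:Subject>'
        f'<saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="{not_on_or_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
    )
    return base64.b64encode(xml.encode()).decode()
```

The point of the expiry and audience checks is that a bearer token carries no proof of possession: anyone who captures it can present it, so its usable window and its target service are the only limits, which is why the over-SSL variant of the policy exists.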
17.65 oracle/multi_token_rest_service_policy
The oracle/multi_token_rest_service_policy enforces an authentication policy, based on the token sent by the client.
Display Name: Multi Token RESTful Service Policy
Category: Security
Description
Enforces one of the following authentication policies, based on the token sent by the client:
-
HTTP Basic—Extracts username and password credentials from the HTTP header.
-
SAML v2.0 Bearer token in the HTTP header—Extracts SAML 2.0 Bearer assertion in the HTTP header.
-
HTTP OAM security—Verifies that the OAM agent has authenticated user and establishes identity.
-
SPNEGO over HTTP security—Extracts Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) token from the HTTP header.
Assertions (OR Group)
This policy contains assertions that are based on the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:
-
oracle/http_oam_token_service_template. (Provides OAM protection on the server-side only.)
Note:
For this policy, the default value of the remote-user configuration property is set to NONE to disable the processing of the remote user header.
The oracle/http_saml20_token_bearer_service_template and oracle/http_spnego_token_service_template policy assertions are advertised.
The oracle/wss_http_token_service_template and oracle/http_oam_token_service_template assertions are not advertised in the WSDL.
Note:
Advertisement of policy assertions in a WADL file is not supported. The Advertised option has no effect when this policy is attached to a RESTful web service.
Configuration
To configure the policy:
-
Override the configuration properties defined in one of the following sections, based on the token sent by the client. For more information, see "Overriding Policy Configuration Properties".
-
To configure HTTP OAM security:
-
Configure the OAM service endpoint as anonymous using the OAM Console.
-
Configure OAM WebGate to intercept a client request, authenticate the user, and set the OAM_REMOTE_USER HTTP header. OWSM verifies that the OAM_REMOTE_USER HTTP header is present before allowing the request.
For more information, see Installing and Configuring Oracle HTTP Server 11g WebGate for OAM in Installing WebGates for Oracle Access Manager.
-
17.66 oracle/multi_token_over_ssl_rest_service_policy
The oracle/multi_token_over_ssl_rest_service_policy enforces an authentication policy, based on the token sent by the client.
Display Name: Multi Token Over SSL RESTful Service Policy
Category: Security
Description
Enforces one of the following authentication policies, based on the token sent by the client:
-
HTTP Basic over SSL—Extracts username and password credentials from the HTTP header.
-
SAML 2.0 Bearer token in the HTTP header over SSL—Extracts SAML 2.0 Bearer assertion in the HTTP header.
-
HTTP OAM security (non-SSL)—Verifies that the OAM agent has authenticated user and establishes identity.
-
SPNEGO over HTTP security (non-SSL)—Extracts SPNEGO token information from the HTTP header.
Assertions (OR Group)
This policy contains assertions that are based on the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:
-
oracle/http_oam_token_service_template
Note:
For this policy, the default value of the remote-user configuration property is set to NONE to disable the processing of the remote user header.
The oracle/wss_http_token_over_ssl_service_template, oracle/http_saml20_token_bearer_service_template, and oracle/http_spnego_token_service_template assertions are advertised in the WSDL.
The oracle/http_oam_token_service_template assertion is not advertised in the WSDL.
Note:
Advertisement of policy assertions in a WADL file is not supported. The Advertised option has no effect when this policy is attached to a RESTful web service.
Configuration
To configure the policy:
-
Override the configuration properties defined in one of the following sections, based on the token sent by the client. For more information, see "Overriding Policy Configuration Properties".
-
To configure HTTP OAM security:
-
Configure the OAM service endpoint as anonymous using the OAM Console.
-
Configure OAM WebGate to intercept the request, authenticate the user, and set the OAM_REMOTE_USER HTTP header. OWSM verifies that the OAM_REMOTE_USER HTTP header is present before allowing the request.
For more information, see Installing and Configuring Oracle HTTP Server 11g WebGate for OAM in Installing WebGates for Oracle Access Manager.
-
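A model of the token dispatch described for oracle/multi_token_over_ssl_rest_service_policy, which also covers the single-assertion behaviour of oracle/http_basic_auth_over_ssl_service_policy (the HTTPS requirement for Basic credentials) and oracle/http_oam_token_service_policy (trust in the OAM_REMOTE_USER header, switched off by remote-user=NONE). This is an added Python example, not OWSM code. The Request class, the sample requests and everything except the Authorization and OAM_REMOTE_USER header names are assumptions; the SAML 2.0 bearer branch is left out because it depends on the login module.

```python
import base64
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (an assumption of this example)."""
    scheme: str                          # "http" or "https"
    headers: dict = field(default_factory=dict)


class PolicyError(Exception):
    """Raised when an assertion refuses the request."""


def _header(req, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _authorization(req):
    """Split 'Authorization: <scheme> <credential>' into (scheme, credential)."""
    value = _header(req, "Authorization") or ""
    scheme, _, credential = value.strip().partition(" ")
    return scheme.lower(), credential.strip()


def basic_over_ssl(req):
    """oracle/http_basic_auth_over_ssl_service_policy: refuse anything but HTTPS,
    since Basic credentials are only base64-encoded, then extract the username
    and password for the identity store to verify."""
    if req.scheme != "https":
        raise PolicyError("Basic credentials are only accepted over HTTPS")
    scheme, credential = _authorization(req)
    if scheme != "basic" or not credential:
        raise PolicyError("no Basic credentials in the HTTP header")
    try:
        decoded = base64.b64decode(credential, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        raise PolicyError("malformed Basic credentials") from None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        raise PolicyError("malformed Basic credentials")
    return {"token": "basic", "user": user, "password": password}


def spnego(req):
    """SPNEGO over HTTP: extract the Negotiate token bytes for the GSSAPI layer.
    No transport check, because the page lists this assertion as non-SSL."""
    scheme, credential = _authorization(req)
    if scheme != "negotiate" or not credential:
        raise PolicyError("no SPNEGO token in the HTTP header")
    try:
        return {"token": "spnego", "gss_token": base64.b64decode(credential, validate=True)}
    except ValueError:
        raise PolicyError("malformed SPNEGO token") from None


def oam_token(req, remote_user="OAM_REMOTE_USER"):
    """oracle/http_oam_token_service_policy: identity comes from the header the OAM
    WebGate sets. It is only trustworthy when WebGate is the sole path to the
    endpoint, so remote-user=NONE (the multi-token default) disables the check."""
    if remote_user == "NONE":
        raise PolicyError("remote user header processing is disabled")
    user = _header(req, remote_user)
    if not user:
        raise PolicyError(f"{remote_user} header not present")
    return {"token": "oam", "user": user}


def multi_token_over_ssl(req, remote_user="NONE"):
    """oracle/multi_token_over_ssl_rest_service_policy as an OR group: the assertion
    matching the token the client sent is the one enforced. Basic is HTTPS-only;
    SPNEGO and OAM are accepted over plain HTTP, as the page states."""
    scheme, _ = _authorization(req)
    if scheme == "basic":
        return basic_over_ssl(req)
    if scheme == "negotiate":
        return spnego(req)
    if remote_user != "NONE" and _header(req, remote_user):
        return oam_token(req, remote_user)
    raise PolicyError("no supported token sent by the client")


def refused(assertion, req, **kwargs):
    """True when the assertion rejects the request; used to show the failure modes."""
    try:
        assertion(req, **kwargs)
    except PolicyError:
        return True
    return False


# Constructed sample requests for the example, not captured traffic.
BASIC_CREDENTIAL = "Basic " + base64.b64encode(b"alice:s3cret").decode()
HTTPS_BASIC = Request("https", {"Authorization": BASIC_CREDENTIAL})
HTTP_BASIC = Request("http", {"authorization": BASIC_CREDENTIAL})
SPNEGO_REQ = Request("http", {"Authorization": "Negotiate " + base64.b64encode(b"\x60\x82\x01\x02").decode()})
FORGED_OAM = Request("http", {"OAM_REMOTE_USER": "admin"})   # set by the client, not by WebGate
```

The FORGED_OAM request is the case the remote-user=NONE default protects against: with the header processing disabled the multi-token policy refuses it, and it is accepted only when the property names the header, which should be done only where WebGate is guaranteed to sit in front of the endpoint.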
17.67 oracle/multi_token_sso_over_ssl_rest_service_policy
The oracle/multi_token_sso_over_ssl_rest_service_policy enforces an authentication policy, based on the token sent by the client.
Display Name: Multi Token SSO Over SSL RESTful Service Policy
Category: Security
Description
Enforces one of the following authentication policies, based on the token sent by the client:
-
HTTP Basic—Extracts username and password credentials from the HTTP header.
-
SAML v2.0 Bearer token in the HTTP header—Extracts SAML 2.0 Bearer assertion in the HTTP header.
-
HTTP OAM security (non-SSL)—Verifies that the OAM agent has authenticated user and establishes identity. (Provides non-SSL OAM protection on the server-side only.)
-
SPNEGO over HTTP security (non-SSL)—Extracts SPNEGO Kerberos token information from the HTTP header. (Provides non-SSL protection only.)
-
JWT token in the HTTP header over SSL—Extracts the username from the JWT token in the HTTP header.
Assertions (OR Group)
This policy contains assertions that are based on the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:
-
oracle/http_oam_token_service_template (Provides non-SSL OAM protection on the server-side only.)
-
oracle/http_spnego_token_service_template (Provides non-SSL protection only.)
Configuration
To configure the policy:
-
To configure HTTP OAM security:
For more information, see Installing and Configuring Oracle HTTP Server 11g WebGate for OAM in Installing WebGates for Oracle Access Manager.
-
To support the remote user header, ensure that the remote-user configuration property value is set to the default value of OAM_REMOTE_USER.
17.68 oracle/multi_token_sso_rest_service_policy
The oracle/multi_token_sso_rest_service_policy enforces an authentication policy, based on the token sent by the client.
Display Name: Multi Token SSO RESTful Service Policy
Category: Security
Description
Enforces one of the following authentication policies, based on the token sent by the client:
-
HTTP Basic—Extracts username and password credentials from the HTTP header.
-
SAML v2.0 Bearer token in the HTTP header—Extracts SAML 2.0 Bearer assertion in the HTTP header.
-
HTTP OAM security (non-SSL)—Verifies that the OAM agent has authenticated user and establishes identity. (Provides non-SSL OAM protection on the server-side only.)
-
SPNEGO over HTTP security (non-SSL)—Extracts SPNEGO Kerberos token information from the HTTP header. (Provides non-SSL protection only.)
-
JWT token in the HTTP header over SSL—Extracts the username from the JWT token in the HTTP header.
Assertions (OR Group)
This policy contains assertions that are based on the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:
-
oracle/http_oam_token_service_template (Provides non-SSL OAM protection on the server-side only.)
-
oracle/http_spnego_token_service_template (Provides non-SSL protection only.)
Configuration
To configure the policy:
-
To configure HTTP OAM security:
For more information, see Installing and Configuring Oracle HTTP Server 11g WebGate for OAM in Installing WebGates for Oracle Access Manager.
-
To support the remote user header, ensure that the remote-user configuration property value is set to the default value of OAM_REMOTE_USER.
17.69 oracle/no_authentication_client_policy
The oracle/no_authentication_client_policy is a no behavior policy. When it is directly attached to a client endpoint or globally attached at a lower scope, it effectively disables a globally attached authentication policy at a higher scope.
Display Name: No Behavior Authentication Client Policy
Category: Security
Description
If the globally attached policy contains any other assertions, in addition to the authentication assertion, those assertions are disabled as well. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
-
This no behavior policy cannot be duplicated.
-
The assertion template associated with this no behavior policy is not available for generating new policies.
-
This no behavior policy is not supported for Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-42 lists the configuration property that you can override for the no behavior policy.
Table 17-42 Configuration Property for oracle/no_authentication_client_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.70 oracle/no_authentication_service_policy
The oracle/no_authentication_service_policy is a no behavior policy. When it is directly attached to a service endpoint or globally attached at a lower scope, it effectively disables a globally attached authentication policy at a higher scope.
Display Name: No Behavior Authentication Service Policy
Category: Security
Description
If the globally attached policy contains any other assertions, in addition to the authentication assertion, those assertions are disabled also. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
-
This no behavior policy cannot be duplicated.
-
The assertion template associated with this no behavior policy is not available for generating new policies.
-
This no behavior policy is not supported for Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-43 lists the configuration property that you can override for the no behavior policy.
Table 17-43 Configuration Property for oracle/no_authentication_service_policy
Name | Description | Default | Required? |
---|---|---|---|
reference.priority | See "reference.priority". | None | Optional |
17.71 oracle/wss_http_token_client_policy
The oracle/wss_http_token_client_policy includes credentials in the HTTP header for outbound client requests. The client must pass the credentials in the HTTP header.
Display Name: Wss HTTP Token Client Policy
Category: Security
Description
This policy can be enforced on any HTTP-based client.
Note:
Currently only HTTP basic authentication is supported.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is not advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-13. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
- Specify a value for csf-key, as described in "Overriding Policy Configuration Properties". The value signifies a key that maps to a username/password. For information about how to add the key to the credential store, see "Adding Keys and User Credentials to Configure the Credential Store".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
The client must pass the credentials in the HTTP header.
17.72 oracle/wss_http_token_service_policy
The oracle/wss_http_token_service_policy uses the credentials in the HTTP header to authenticate users against the OPSS identity store. This policy can be enforced on any HTTP-based endpoint.
Description
The web service must authenticate the supplied username and password credentials against the configured authentication source.
Note:
Currently only HTTP basic authentication is supported.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is not advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-14. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
-
The web service must authenticate the supplied username and password credentials against the configured authentication source. Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
17.73 oracle/wss_username_token_client_policy
The oracle/wss_username_token_client_policy includes credentials in the WS-Security UsernameToken header for all outbound SOAP request messages. This policy can be attached to any SOAP-based client.
Display Name: Wss Username Token Client Policy
Category: Security
Description
To protect against replay attacks, the assertion provides the option to require a nonce and creation time in the username token. This policy does not sign or encrypt the SOAP message: the UsernameToken, password included, travels exactly as the client sends it, so any confidentiality or integrity must come from the transport or from a separate message protection policy.
This policy supports plain text passwords. This client policy is analogous to the oracle/wss_username_token_service_policy service endpoint policy.
Note:
This policy transmits the password in clear text. You should use this policy in low security situations only, or when you know that the transport is protected using some other mechanism.
Alternatively, consider:
-
Copying the policy and setting the password type to digest, as described in "Creating and Editing Web Service Policies".
-
Using the SSL version of this policy, "oracle/wss_username_token_over_ssl_client_policy".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-16. For more information, see "Overriding Policy Configuration Properties".
- Specify a value for csf-key, as described in "Overriding Policy Configuration Properties". The value signifies a key that maps to a username/password. For information about how to add the key to the credential store, see "Adding Keys and User Credentials to Configure the Credential Store".
- If you specify a password type of None on the Settings page, you do not need to include a password in the key.
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
- Include a WS-Security UsernameToken element (<wsse:UsernameToken/>) in the SOAP request message. The client provides a username and password for authentication.
17.74 oracle/wss_username_token_service_policy
The oracle/wss_username_token_service_policy uses the credentials in the UsernameToken WS-Security SOAP header to authenticate users.
Display Name: Wss Username Token Service Policy
Category: Security
Description
This policy supports plain text passwords.
Note:
This policy transmits the password in clear text. You should use this policy in low security situations only, or when you know that the transport is protected using some other mechanism.
Alternatively, consider:
-
Copying the policy and setting the password type to digest, as described in "Creating and Editing Web Service Policies".
- Using the SSL version of this policy, "oracle/wss_username_token_over_ssl_service_policy".
To protect against replay attacks, the assertion provides the option to require a nonce and creation time in the username token. This policy does not sign or encrypt the SOAP message; the web service provider reads the UsernameToken as sent and authenticates the supplied credentials against the configured authentication source.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is not advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-17. For more information, see "Overriding Policy Configuration Properties".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
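The following is an added example, not OWSM code and not part of the original page. It shows the UsernameToken that the oracle/wss_username_token_client_policy of 17.73 places in the WS-Security header and the checks a service behind oracle/wss_username_token_service_policy (17.74) has to make: a password compare for the predefined policy's plain-text default, and, for a copy of the policy with password type set to digest, the Username Token Profile 1.0 digest Base64(SHA-1(nonce + created + password)) with a nonce cache and a freshness window, which is what the nonce and creation-time option buys against replay. The credential table, the five-minute window and the in-memory nonce set are this example's assumptions; OWSM authenticates against the configured identity store.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Username Token Profile 1.0: Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_username_token(username, password, digest=True, now=None):
    """Client side.  digest=False is the predefined policy's plain-text default; digest=True is
    the 'copy the policy and set the password type to digest' option, with Nonce and Created."""
    created = (now or datetime.now(timezone.utc)).strftime(TIME_FMT)
    nonce = secrets.token_bytes(16)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password")
    if digest:
        pw.set("Type", PW_DIGEST)
        pw.text = password_digest(nonce, created, password)
    else:
        pw.set("Type", PW_TEXT)
        pw.text = password  # leaves the client in the clear: the situation the Note describes
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", EncodingType=B64).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


class UsernameTokenVerifier:
    """Service side.  `credentials` is a constructed dict standing in for the identity store;
    the nonce set and the five-minute window are this example's choices, not OWSM's."""

    def __init__(self, credentials, max_skew=timedelta(minutes=5)):
        self.credentials, self.max_skew = credentials, max_skew
        self.seen_nonces = set()  # production: bounded, entries expiring with max_skew

    def verify(self, token_xml, now=None):
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(token_xml)
        expected = self.credentials.get(tok.findtext(f"{{{WSSE}}}Username"))
        pw = tok.find(f"{{{WSSE}}}Password")
        if expected is None or pw is None:
            return False
        if pw.get("Type", PW_TEXT) == PW_TEXT:
            return hmac.compare_digest(pw.text or "", expected)
        nonce_el, created = tok.find(f"{{{WSSE}}}Nonce"), tok.findtext(f"{{{WSU}}}Created")
        if nonce_el is None or created is None:
            return False  # a digest without Nonce and Created cannot be replay-checked
        created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_at) > self.max_skew:
            return False  # stale, or dated in the future
        nonce = base64.b64decode(nonce_el.text or "")
        if nonce in self.seen_nonces:
            return False  # replay of a token already accepted
        if not hmac.compare_digest(pw.text or "", password_digest(nonce, created, expected)):
            return False
        self.seen_nonces.add(nonce)
        return True


def demo():
    """Run both flows against a constructed user table."""
    verifier = UsernameTokenVerifier({"alice": "s3cret"})
    fresh = build_username_token("alice", "s3cret")
    stale = build_username_token("alice", "s3cret", now=datetime.now(timezone.utc) - timedelta(hours=1))
    return {
        "digest_ok": verifier.verify(fresh),
        "replay_rejected": not verifier.verify(fresh),
        "wrong_password": verifier.verify(build_username_token("alice", "wrong")),
        "plaintext_ok": verifier.verify(build_username_token("alice", "s3cret", digest=False)),
        "stale_rejected": not verifier.verify(stale),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the result of demo(). Note the plain-text branch: the verifier receives the real password, and so did every hop on the path, which is the situation the Note above warns about and why the over_ssl variants exist. The digest branch still needs the service to hold the password in a recoverable form, which is a reason to prefer the SSL variants over a digest copy where that is an option.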
17.75 oracle/wss10_saml_token_client_policy
The oracle/wss10_saml_token_client_policy includes SAML tokens in outbound SOAP request messages.
Display Name: Wss10 SAML Token Client Policy
Category: Security
Description
The policy can be enforced on any SOAP-based client.
Note:
This policy is not secure and is provided for demonstration purposes only. Although the SAML issuer name is present, the SAML token is not endorsed. Therefore, it is possible to spoof the message.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-19. For more information, see "Overriding Policy Configuration Properties".
-
Configure SAML and set up OPSS, as described in "About SAML Configuration".
- Specify a value for saml.issuer.name, as described in "Overriding Policy Configuration Properties". The saml.issuer.name property defaults to a value of www.oracle.com. For additional considerations, see "Adding an Additional SAML Assertion Issuer Name".
- Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Configure SAML for the web service client at design time, as described in "Configuring SAML Web Service Client at Design Time".
- Include a WS-Security Header Element (<saml:Assertion>) that inserts a SAML token in the outbound SOAP message. The confirmation type is always sender-vouches.
17.76 oracle/wss10_saml_token_service_policy
You can use the oracle/wss10_saml_token_service_policy to authenticate users using the credentials provided in SAML tokens in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module.
Display Name: Wss10 SAML Token Service Policy
Category: Security
Description
This policy can be enforced on any SOAP-based endpoint.
Note:
This policy is not secure and is provided for demonstration purposes only. Although the SAML issuer name is present, the SAML token is not endorsed. Therefore, it is possible to spoof the message.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-20. For more information, see "Overriding Policy Configuration Properties".
-
Configure SAML and set up OPSS, as described in "About SAML Configuration".
- Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
- Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
- Configure the saml.loginmodule login module, as described in "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control". The SAML login module extracts the username from the verified token and passes it to the provider.
17.77 oracle/wss10_saml20_token_client_policy
The oracle/wss10_saml20_token_client_policy includes SAML tokens in outbound SOAP request messages.
Display Name: Wss10 SAML V2.0 Token Client Policy
Category: Security
Description
The policy can be enforced on any SOAP-based client.
Note:
This policy is not secure and is provided for demonstration purposes only. Although the SAML issuer name is present, the SAML token is not endorsed. Therefore, it is possible to spoof the message.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-22. For more information, see "Overriding Policy Configuration Properties".
-
Configure SAML and set up OPSS, as described in "About SAML Configuration".
- Specify a value for saml.issuer.name, as described in "Overriding Policy Configuration Properties". The saml.issuer.name property defaults to a value of www.oracle.com. For additional considerations, see "Adding an Additional SAML Assertion Issuer Name".
- Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Configure SAML for the web service client at design time, as described in "Configuring SAML Web Service Client at Design Time".
- Include a WS-Security Header Element (<saml:Assertion>) that inserts a SAML token in the outbound SOAP message. The confirmation type is always sender-vouches.
17.78 oracle/wss10_saml20_token_service_policy
The oracle/wss10_saml20_token_service_policy authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module.
Display Name: Wss10 SAML V2.0 Token Service Policy
Category: Security
Description
This policy can be enforced on any SOAP-based endpoint.
Note:
This policy is not secure and is provided for demonstration purposes only. Although the SAML issuer name is present, the SAML token is not endorsed. Therefore, it is possible to spoof the message.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-23. For more information, see "Overriding Policy Configuration Properties".
-
Configure SAML and set up OPSS, as described in "About SAML Configuration".
- Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
- Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
- Configure the saml2.loginmodule login module, as described in "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control". The SAML login module extracts the username from the verified token and passes it to the provider.
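What the Note in 17.75 through 17.78 means in practice, as an added example that is not OWSM code: a sender-vouches assertion carries an issuer name and a subject but nothing that ties either to the party sending it, so a check that only consults a trusted-issuer list accepts an assertion anyone could have written with the trusted issuer name (www.oracle.com is the default saml.issuer.name) pasted in. The second check shows what endorsement has to add: proof that the sender holds a key registered for the issuer it names. In OWSM that proof is an XML-Signature over the assertion, or the client certificate in the over_ssl variants; the per-issuer HMAC used here stands in for that signature so the example runs offline. The assertion is built in SAML 2.0 form (the SAML 1.1 form of 17.75 and 17.76 differs only in namespace and confirmation-method URI), and the issuer key table is constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
ET.register_namespace("saml", SAML2)


def build_assertion(issuer, subject):
    """What the client policy inserts into the WS-Security header: issuer name, subject,
    sender-vouches confirmation, and nothing that binds them to the sender."""
    a = ET.Element(f"{{{SAML2}}}Assertion", Version="2.0")
    ET.SubElement(a, f"{{{SAML2}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML2}}}Subject")
    ET.SubElement(subj, f"{{{SAML2}}}NameID").text = subject
    ET.SubElement(subj, f"{{{SAML2}}}SubjectConfirmation", Method=SENDER_VOUCHES)
    return ET.tostring(a)


def issuer_only_check(assertion, trusted_issuers):
    """The check the demonstration policies amount to: accept any assertion whose Issuer
    is in the trusted list.  Returns the asserted subject."""
    a = ET.fromstring(assertion)
    if a.findtext(f"{{{SAML2}}}Issuer") not in trusted_issuers:
        return None
    return a.findtext(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID")


def endorse(assertion, key):
    """Stand-in for the XML-Signature the sender would produce with the issuer's key."""
    return hmac.new(key, assertion, hashlib.sha256).hexdigest()


def endorsed_check(assertion, endorsement, issuer_keys):
    """Sender-vouches done properly: the sender must prove it holds the key registered for
    the issuer it names.  Copying the issuer name is no longer enough."""
    a = ET.fromstring(assertion)
    key = issuer_keys.get(a.findtext(f"{{{SAML2}}}Issuer"))
    if key is None or not hmac.compare_digest(endorse(assertion, key), endorsement):
        return None
    return a.findtext(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID")


def demo():
    """Constructed issuer key table; 'admin' is the attacker's chosen subject."""
    trusted = {"www.oracle.com": b"constructed-issuer-key"}
    genuine = build_assertion("www.oracle.com", "alice")
    forged = build_assertion("www.oracle.com", "admin")  # attacker reuses the trusted issuer name
    return {
        "issuer_only_genuine": issuer_only_check(genuine, trusted),
        "issuer_only_forged": issuer_only_check(forged, trusted),  # accepted: the spoof the Note warns about
        "endorsed_genuine": endorsed_check(genuine, endorse(genuine, trusted["www.oracle.com"]), trusted),
        "endorsed_forged": endorsed_check(forged, endorse(forged, b"attacker-key"), trusted),  # rejected
    }


if __name__ == "__main__":
    print(demo())
```

The forged assertion passes the issuer-only check with the subject of the attacker's choosing; that is the whole content of "it is possible to spoof the message". Only the endorsed check ties the issuer name to a key, and the saml.loginmodule step above still has to map the resulting username to a user the identity store knows.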
17.79 oracle/wss11_kerberos_token_client_policy
The oracle/wss11_kerberos_token_client_policy includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy is compatible with MIT and Active Directory KDCs. This policy can be enforced on any SOAP-based client.
Display Name: Wss11 Kerberos Token Client Policy
Category: Security
Description
Service principal names (SPNs) are a key component of Kerberos authentication. An SPN uniquely identifies a service instance running on a host. Every service that uses Kerberos authentication must have an SPN registered with the KDC so that clients can request a service ticket for it; if no SPN is registered, clients cannot obtain a ticket for the service and Kerberos authentication is not possible.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-25. For more information, see "Overriding Policy Configuration Properties".
-
Configure Kerberos, as described in "Understanding Kerberos Token Configuration".
- The web service client that is enforcing Kerberos client side policies needs to know the service principal name of the service it is trying to access. You can specify a value for service.principal.name, as described in "Overriding Policy Configuration Properties". The default value (placeholder) is HOST/localhost@oracle.com.
Design Time Considerations
At design time:
-
Configure Kerberos, as described in "Understanding Kerberos Token Configuration".
- Set the service principal name (service.principal.name). The service principal name specifies the name of the service principal for which the client requests a ticket from the KDC. For more information, see "Overriding Policy Configuration Properties".
- If the Kerberos authentication is successful, then send the obtained Kerberos ticket and authenticator to the web service enclosed in a BinarySecurityToken element in the SOAP Security header.
17.80 oracle/wss11_kerberos_token_service_policy
The oracle/wss11_kerberos_token_service_policy extracts the Kerberos token from the SOAP header and authenticates the user. This policy is enforced in accordance with the WS-Security Kerberos Token Profile v1.1 standard. The container must have the Kerberos infrastructure configured through OPSS.
Display Name: Wss11 Kerberos Token Service Policy
Category: Security
Description
This policy is compatible with MIT and Active Directory KDCs. This policy can be attached to any SOAP-based endpoint.
Service principal names (SPNs) are a key component of Kerberos authentication. An SPN uniquely identifies a service instance running on a host. Every service that uses Kerberos authentication must have an SPN registered with the KDC so that clients can request a service ticket for it; if no SPN is registered, clients cannot obtain a ticket for the service and Kerberos authentication is not possible.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-26. For more information, see "Overriding Policy Configuration Properties".
- Configure the krb5.loginmodule login module, as described in "Configuring the Kerberos Login Module".
- Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
17.81 oracle/http_oauth2_token_client_policy
The oracle/http_oauth2_token_client_policy can be attached to any HTTP-based SOAP or REST client.
Display Name: Http Oauth2 Token Client Policy
Category: Security
Description
This policy includes the OAuth2 access token in the HTTP header. The access token (AT) is obtained from the Mobile & Social OAuth2 Server. You can attach this policy to any HTTP-based client.
Assertion
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion:
oracle/http_oauth2_token_client_template.
See "oracle/http_oauth2_token_client_template" for more information about the assertion.
Configuration
You can override the following properties when you attach the policy:
- For OAuth2 token request:
  - scope
  - authz.code (Not used in this release.)
  - redirect.uri (Not used in this release.)
- For local token creation:
  - subject.precedence
  - csf.map
  - csf-key
  - oauth2.client.csf.key
  - federated.client.token
  - user.attributes
  - issuer.name
  - oracle.oauth2.service
  - user.roles.include
  - keystore.sig.csf.key
  - propagate.identity.context
  - user.tenant.name
  - include.certificate
- General:
  - audience.uri
  - reference.priority
  - time.in.millis
You must use WLST or edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/http_oauth2_token_client_template" for information about the assertion attributes that you can configure.
You attach this policy and the oracle/oauth2_config_client_policy to the client application.
The required token.uri property of the oracle/oauth2_config_client_policy policy specifies the OAuth2 server token endpoint.
You also attach any of the following Oracle WSM JWT service policies to the web service. The Oracle WSM server-side agent validates the access token.
-
oracle/http_jwt_token_service_policy
-
oracle/multi_token_rest_service_policy (REST)
-
oracle/wss11_saml_or_username_token_with_message_protection_service_policy (SOAP)
By default, the oracle/http_oauth2_token_client_policy assertion content is defined as follows:
```xml
<orasp:http-oauth2-security xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
    xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
    orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/authentication" orawsp:name="Http OAuth2">
  <orasp:auth-header orasp:is-encrypted="false" orasp:is-signed="false" orasp:mechanism="oauth2"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="HttpOAuth2Config">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="subject.precedence">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf.map"/>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf-key">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="oauth2.client.csf.key">
          <orawsp:Value/>
          <orawsp:DefaultValue>NONE</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="federated.client.token">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="scope">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="authz.code">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="redirect.uri">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.attributes">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="issuer.name">
          <orawsp:Value/>
          <orawsp:DefaultValue>www.oracle.com</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="oracle.oauth2.service">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="user.roles.include">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="reference.priority">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:name="propagate.identity.context" orawsp:type="string" orawsp:contentType="optional">
          <orawsp:Value></orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.tenant.name">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="audience.uri">
          <orawsp:Value/>
          <orawsp:DefaultValue>NONE</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="include.certificate">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="time.in.millis">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-oauth2-security>
```
Settings
See Table 18-27.
Configuration Properties
See Table 18-28.
17.82 oracle/http_oauth2_token_with_resource_owner_creds_client_policy
The oracle/http_oauth2_token_with_resource_owner_creds_client_policy includes the OAuth2 access token in the HTTP header. The access token (AT) is obtained from the Mobile & Social OAuth2 Server using the resource owner password credentials grant: the policy fixes grant_type to the constant value password, so the client must hold the resource owner's username and password in order to request the token.
Display Name: Http OAuth2 token with resource owner creds client policy
Category: Security
Description
You can attach this policy to any HTTP-based client.
Assertion
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion:
oracle/http_oauth2_token_client_template.
Configuration
You can override the following properties when you attach the policy:
- For OAuth2 token request:
  - scope
  - authz.code (Not used in this release.)
  - redirect.uri (Not used in this release.)
- For local token creation:
  - subject.precedence
  - csf.map
  - csf-key
  - oauth2.client.csf.key
  - federated.client.token
  - user.attributes
  - issuer.name
  - oracle.oauth2.service
  - user.roles.include
  - keystore.sig.csf.key
  - propagate.identity.context
  - user.tenant.name
  - include.certificate
  - token.lifetime
- General:
  - audience.uri
  - reference.priority
  - time.in.millis
You must use WLST or edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/http_oauth2_token_client_template" for information about the assertion attributes that you can configure.
You have to import the users from service domain to client domain as well as in the OAuth Server domain before you attach the policy.
You attach this policy and the oracle/oauth2_config_client_policy to the client application.
The required token.uri property of the oracle/oauth2_config_client_policy policy specifies the OAuth2 server token endpoint.
You also attach any of the following Oracle WSM JWT service policies to the web service. The Oracle WSM server-side agent validates the access token.
-
oracle/http_jwt_token_service_policy
-
oracle/multi_token_rest_service_policy (REST)
-
oracle/wss11_saml_or_username_token_with_message_protection_service_policy (SOAP)
By default, the oracle/http_oauth2_token_with_resource_owner_creds_client_policy policy content is defined as follows:
```xml
<?xml version = '1.0'?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:oralgp="http://schemas.oracle.com/ws/2006/01/loggingpolicy"
    xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
    orawsp:provides="{http://docs.oasis-open.org/ns/opencsa/sca/200912}authentication, {http://docs.oasis-open.org/ns/opencsa/sca/200912}clientAuthentication, {http://schemas.oracle.com/ws/2006/01/policy}SOAP_HTTP, {http://schemas.oracle.com/ws/2006/01/policy}REST_HTTP"
    orawsp:status="enabled"
    xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="http_oauth2_token_with_resource_owner_creds_client_policy"
    orawsp:displayName="i18n:oracle.wsm.resources.policydescription.PolicyDescriptionBundle_oracle/http_oauth2_token_with_resource_owner_creds_client_policy_PolyDispNameKey"
    xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
    orawsp:description="i18n:oracle.wsm.resources.policydescription.PolicyDescriptionBundle_oracle/http_oauth2_token_with_resource_owner_creds_client_policy_PolyDescKey"
    orawsp:attachTo="binding.client"
    Name="oracle/http_oauth2_token_with_resource_owner_creds_client_policy"
    orawsp:readOnly="true"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    orawsp:category="security"
    orawsp:local-optimization="check-identity">
  <oralgp:Logging orawsp:Silent="true" orawsp:name="Log Message1" orawsp:Enforced="false" orawsp:category="security/logging">
    <oralgp:msg-log>
      <oralgp:request>all</oralgp:request>
      <oralgp:response>all</oralgp:response>
      <oralgp:fault>all</oralgp:fault>
    </oralgp:msg-log>
    <orawsp:bindings>
      <orawsp:Config orawsp:name="Log Message1_properties">
        <orawsp:PropertySet orawsp:name="standard-security-properties">
          <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="reference.priority"/>
        </orawsp:PropertySet>
      </orawsp:Config>
    </orawsp:bindings>
  </oralgp:Logging>
  <orasp:http-oauth2-security xmlns:ns0="http://schemas.oracle.com/ws/2006/01/policy"
      ns0:Silent="false" ns0:name="Http OAuth2" ns0:Enforced="true" ns0:category="security/authentication">
    <orasp:auth-header orasp:mechanism="oauth2"/>
    <orawsp:bindings>
      <orawsp:Config orawsp:name="HttpOAuth2Config" orawsp:configType="declarative">
        <orawsp:PropertySet orawsp:name="standard-security-properties">
          <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="subject.precedence">
            <orawsp:Value/>
            <orawsp:DefaultValue>true</orawsp:DefaultValue>
          </orawsp:Property>
          <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf.map"/>
          <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf-key">
            <orawsp:Value/>
          </orawsp:Property>
          <orawsp:Property orawsp:type="string" orawsp:contentType="constant" orawsp:name="grant_type">
            <orawsp:DefaultValue>password</orawsp:DefaultValue>
          </orawsp:Property>
          <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="oauth2.client.csf.key">
            <orawsp:Value/>
            <orawsp:DefaultValue>NONE</orawsp:DefaultValue>
          </orawsp:Property>
          <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="federated.client.token">
            <orawsp:Value/>
            <orawsp:DefaultValue>true</orawsp:DefaultValue>
          </orawsp:Property>
          <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="scope">
            <orawsp:Value/>
          </orawsp:Property>
          <!-- Begin : properties needed for local token creation for end user -->
          <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.attributes">
            <orawsp:Value/>
          </orawsp:Property>
          <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="issuer.name">
            <orawsp:Value/>
            <orawsp:DefaultValue>www.oracle.com</orawsp:DefaultValue>
          </orawsp:Property>
          <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="oracle.oauth2.service">
            <orawsp:Value/>
            <orawsp:DefaultValue>false</orawsp:DefaultValue>
          </orawsp:Property>
          <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="user.roles.include">
            <orawsp:Value/>
            <orawsp:DefaultValue>false</orawsp:DefaultValue>
          </orawsp:Property>
          <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key">
            <orawsp:Value/>
          </orawsp:Property>
          <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="reference.priority">
            <orawsp:Value/>
          </orawsp:Property>
          <orawsp:Property orawsp:name="propagate.identity.context" orawsp:type="string" orawsp:contentType="optional">
            <orawsp:Value></orawsp:Value>
          </orawsp:Property>
          <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.tenant.name">
            <orawsp:Value/>
          </orawsp:Property>
          <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="audience.uri">
            <orawsp:Value/>
            <orawsp:DefaultValue>NONE</orawsp:DefaultValue>
          </orawsp:Property>
          <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="include.certificate">
            <orawsp:Value/>
            <orawsp:DefaultValue>false</orawsp:DefaultValue>
          </orawsp:Property>
          <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="time.in.millis">
            <orawsp:Value/>
            <orawsp:DefaultValue>true</orawsp:DefaultValue>
          </orawsp:Property>
          <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="token.lifetime">
            <orawsp:Value/>
          </orawsp:Property>
          <!-- End properties for local token creation for end user -->
        </orawsp:PropertySet>
      </orawsp:Config>
    </orawsp:bindings>
  </orasp:http-oauth2-security>
  <oralgp:Logging orawsp:Silent="true" orawsp:name="Log Message2" orawsp:Enforced="false" orawsp:category="security/logging">
    <oralgp:msg-log>
      <oralgp:request>all</oralgp:request>
      <oralgp:response>all</oralgp:response>
      <oralgp:fault>all</oralgp:fault>
    </oralgp:msg-log>
    <orawsp:bindings>
      <orawsp:Config orawsp:name="Log Message2_properties">
        <orawsp:PropertySet orawsp:name="standard-security-properties">
          <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="reference.priority"/>
        </orawsp:PropertySet>
      </orawsp:Config>
    </orawsp:bindings>
  </oralgp:Logging>
</wsp:Policy>
```
Settings
See Table 18-27.
Configuration Properties
See Table 18-28.
17.83 oracle/http_oauth2_token_with_resource_owner_creds_over_ssl_client_policy
The oracle/http_oauth2_token_with_resource_owner_creds_over_ssl_client_policy includes the OAuth2 access token in the HTTP header. The access token (AT) is obtained from the Mobile & Social OAuth2 Server.
Display Name: Http OAuth2 token with resource owner creds over ssl client policy
Category: Security
Description
You can attach this policy to any HTTP-based client.
Assertion
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion:
oracle/http_oauth2_token_client_template.
Configuration
See oracle/http_oauth2_token_with_resource_owner_creds_client_policy.
Settings
See Table 18-27.
Configuration Properties
See Table 18-28.
17.84 oracle/http_jwt_token_service_policy
You can use the oracle/http_jwt_token_service_policy to authenticate users using the username provided in the JWT token in the HTTP header.
Display Name: Http Jwt Token Service Policy
Category: Security
Description
This policy can be applied to any HTTP-based endpoint.
Assertion
This policy contains the following policy assertion:
oracle/http_jwt_token_service_template
See "oracle/http_jwt_token_service_template" for more information about the assertion.
Configuration
The http_jwt_token_service_policy authenticates users using the username provided in the JWT token in the HTTP header. By default the policy is configured to expect the JWT token to be signed using an asymmetric signature (the algorithm-suite attribute is set to Basic128Sha256Rsa15).
You can attach this policy to any HTTP-based endpoint.
You must edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/http_jwt_token_service_template" for information about the assertion attributes that you can configure.
By default, the oracle/http_jwt_token_service_policy assertion content is defined as follows:
<orasp:http-jwt-security orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication" orawsp:name="Http JWT Security">
  <orasp:auth-header orasp:algorithm-suite="Basic128Sha256Rsa15" orasp:is-encrypted="false" orasp:is-signed="true" orasp:mechanism="jwt"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="HttpJwtConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="optional" orawsp:name="trusted.issuers" orawsp:type="string"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="csf.map" orawsp:type="string"/>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key" orawsp:type="string"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="propagate.identity.context" orawsp:type="string"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-jwt-security>
Settings
See Table 18-37.
Configuration Properties
See Table 18-29.
17.85 oracle/http_oauth2_token_identity_switch_over_ssl_client_policy
The oracle/http_oauth2_token_identity_switch_over_ssl_client_policy includes the OAuth2 access token in the HTTP header. The access token is obtained from the Mobile and Social OAuth2 Server. It also verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, the request is refused.
Display Name: Http Oauth2 Token Identity Switch Over Ssl Client Policy
Category: Security
Description
This policy is similar to the policy oracle/http_oauth2_token_over_ssl_client_policy, with the subject.precedence property set to false by default.
This policy performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject. This policy can be attached to any HTTP-based SOAP or REST client.
Assertion
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion:
oracle/http_oauth2_token_over_ssl_client_template
See "oracle/http_oauth2_token_over_ssl_client_template" for more information about the assertion.
Configuration
This policy is similar to the policy oracle/http_oauth2_token_over_ssl_client_policy, with the subject.precedence property set to false by default.
This policy includes the OAuth2 access token in the HTTP header. The access token is obtained from the Mobile and Social OAuth2 Server. It also verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, the request is refused.
This policy performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject. This policy can be attached to any HTTP-based SOAP or REST client.
You can override the following properties when you attach the policy:
- For OAuth2 token request:
  - scope
  - authz.code (Not used in this release.)
  - redirect.uri (Not used in this release.)
- For local token creation:
  - subject.precedence
  - csf.map
  - csf-key
  - oauth2.client.csf.key
  - federated.client.token
  - user.attributes
  - issuer.name
  - oracle.oauth2.service
  - user.roles.include
  - keystore.sig.csf.key
  - propagate.identity.context
  - user.tenant.name
  - include.certificate
- General:
  - audience.uri
  - reference.priority
  - time.in.millis
You must use WLST or edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/http_oauth2_token_over_ssl_client_template" for information about the assertion attributes that you can configure.
You attach this policy and the oracle/oauth2_config_client_policy policy to the client application. The token.uri property of the required oracle/oauth2_config_client_policy policy specifies the OAuth2 server.
You also attach any of the following Oracle WSM JWT service policies to the web service. The Oracle WSM server-side agent validates the AT.
- oracle/http_jwt_token_over_ssl_service_policy
- oracle/multi_token_over_ssl_rest_service_policy (REST)
- oracle/wss11_saml_or_username_token_with_message_protection_service_policy (SOAP)
subject.precedence is set to false to allow for the use of a client-specified username rather than the authenticated subject. The user name is obtained only from the username property of the csf-key.
If subject.precedence is set to false and csf-key and user name are configured, the web service client application must have the oracle.wsm.security.WSIdentityPermission permission. That is, applications from which Oracle WSM accepts the externally-supplied identity must have the WSIdentityPermission permission. This prevents rogue applications from supplying an identity of their choosing to Oracle WSM.
By default, the oracle/http_oauth2_token_identity_switch_over_ssl_client_policy assertion content is defined as follows:
<orasp:http-oauth2-security xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy" xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="Http OAuth2 Over SSL ">
  <orasp:auth-header orasp:is-encrypted="false" orasp:is-signed="false" orasp:mechanism="oauth2"/>
  <orasp:require-tls orasp:algorithm-suite="Basic128" orasp:include-timestamp="false" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="HttpOAuth2OverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="subject.precedence"> <orawsp:Value>false</orawsp:Value> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf.map"/>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf-key"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="oauth2.client.csf.key"> <orawsp:Value/> <orawsp:DefaultValue>NONE</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="federated.client.token"> <orawsp:Value/> <orawsp:DefaultValue>true</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="scope"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="authz.code"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="redirect.uri"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.attributes"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="issuer.name"> <orawsp:Value/> <orawsp:DefaultValue>www.oracle.com</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="oracle.oauth2.service"> <orawsp:Value/> <orawsp:DefaultValue>false</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="user.roles.include"> <orawsp:Value/> <orawsp:DefaultValue>false</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="reference.priority"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:name="propagate.identity.context" orawsp:type="string" orawsp:contentType="optional"> <orawsp:Value></orawsp:Value> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.tenant.name"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="audience.uri"> <orawsp:Value/> <orawsp:DefaultValue>NONE</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="include.certificate"> <orawsp:Value/> <orawsp:DefaultValue>false</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="time.in.millis"> <orawsp:Value/> <orawsp:DefaultValue>true</orawsp:DefaultValue> </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-oauth2-security>
Settings
See Table 18-30.
Configuration Properties
See Table 18-27.
17.86 oracle/http_jwt_token_over_ssl_service_policy
The oracle/http_jwt_token_over_ssl_service_policy authenticates users using the username provided in the JWT token in the HTTP header. This policy also verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused.
Display Name: HTTP JWT Token Over Ssl Service Policy
Category: Security
Description
This policy can be applied to any HTTP-based endpoint.
Assertion
This policy contains the following policy assertion:
oracle/http_jwt_token_over_ssl_service_template
See "oracle/http_jwt_token_over_ssl_service_template" for more information about the assertion.
Configuration
The http_jwt_token_over_ssl_service_policy authenticates users using the username provided in the JWT token in the HTTP header. By default the policy is configured to expect the JWT token to be signed using an asymmetric signature (the algorithm-suite attribute is set to Basic128Sha256Rsa15).
This policy also verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be applied to any HTTP-based endpoint.
You must edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/http_jwt_token_over_ssl_service_template" for information about the assertion attributes that you can configure.
By default, the oracle/http_jwt_token_over_ssl_service_policy assertion content is defined as follows:
<orasp:http-jwt-security orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication" orawsp:name="Http JWT Security">
  <orasp:auth-header orasp:algorithm-suite="Basic128Sha256Rsa15" orasp:is-encrypted="false" orasp:is-signed="true" orasp:mechanism="jwt"/>
  <orasp:require-tls orasp:include-timestamp="false" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="HttpJwtConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="optional" orawsp:name="trusted.issuers" orawsp:type="string"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="csf.map" orawsp:type="string"/>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key" orawsp:type="string"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="propagate.identity.context" orawsp:type="string"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-jwt-security>
Settings
See Table 18-39.
Configuration Properties
See Table 18-34.
17.87 oracle/http_oauth2_token_opc_oauth2_client_policy
The oracle/http_oauth2_token_opc_oauth2_client_policy includes the OAuth2 access token in the HTTP header. The access token is obtained from the Mobile & Social OAuth2 Server.
Display Name: HTTP Oauth2 Token Opc Oauth2 Client Policy
Category: Security
Description
The property oracle.oauth2.service is set to true by default, which ensures that the client ID is used as the issuer for the user and client JWT tokens for the OAuth2 server. If scope has no value, (the default), the protocol, host and port (if available) are obtained from the service URL and used. This policy can be attached to any HTTP-based, SOAP or REST client.
Assertion
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion:
oracle/http_oauth2_token_client_template.
See "oracle/http_oauth2_token_client_template" for more information about the assertion.
Configuration
This policy includes the OAuth2 access token in the HTTP header. The access token is obtained from the OAuth Server in the Oracle Cloud.
The property oracle.oauth2.service is set to true by default, which ensures that the client ID is used as the issuer for the user and client JWT tokens for the OAuth2 server. If scope is empty (the default), Oracle WSM derives the scope from the service URL: the protocol, host, and port (if present).
This policy can be attached to any HTTP-based, SOAP or REST client.
You can override the following properties when you attach the policy:
- For OAuth2 token request:
  - scope
  - authz.code (Not used in this release.)
  - redirect.uri (Not used in this release.)
- For local token creation:
  - subject.precedence
  - csf.map
  - csf-key
  - oauth2.client.csf.key
  - federated.client.token
  - user.attributes
  - issuer.name
  - oracle.oauth2.service
  - user.roles.include
  - keystore.sig.csf.key
  - propagate.identity.context
  - user.tenant.name
  - include.certificate
- General:
  - audience.uri
  - reference.priority
  - time.in.millis
You must use WLST or edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/http_oauth2_token_client_template" for information about the assertion attributes that you can configure.
See "Overriding Policy Configuration Properties" for a description of the configuration settings you can override.
You attach this policy and the oracle/oauth2_config_client_policy to the client application. The required token.uri property of the oracle/oauth2_config_client_policy policy specifies the OAuth2 server.
You also attach any of the following Oracle WSM JWT service policies to the web service. The Oracle WSM server-side agent validates the access token.
- oracle/http_jwt_token_service_policy
- oracle/multi_token_rest_service_policy (REST)
- oracle/wss11_saml_or_username_token_with_message_protection_service_policy (SOAP)
By default, the oracle/http_oauth2_token_opc_oauth2_client_policy assertion content is defined as follows:
<orasp:http-oauth2-security xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy" xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication" orawsp:name="Http OAuth2">
  <orasp:auth-header orasp:is-encrypted="false" orasp:is-signed="false" orasp:mechanism="oauth2"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="HttpOAuth2Config">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="subject.precedence"> <orawsp:Value/> <orawsp:DefaultValue>true</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf.map"/>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf-key"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="oauth2.client.csf.key"> <orawsp:Value/> <orawsp:DefaultValue>NONE</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="federated.client.token"> <orawsp:Value/> <orawsp:DefaultValue>true</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="scope"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="authz.code"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="redirect.uri"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.attributes"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="issuer.name"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="oracle.oauth2.service"> <orawsp:Value/> <orawsp:DefaultValue>true</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="user.roles.include"> <orawsp:Value/> <orawsp:DefaultValue>false</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="reference.priority"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:name="propagate.identity.context" orawsp:type="string" orawsp:contentType="optional"> <orawsp:Value></orawsp:Value> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.tenant.name"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="audience.uri"> <orawsp:Value/> <orawsp:DefaultValue>NONE</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="include.certificate"> <orawsp:Value/> <orawsp:DefaultValue>false</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="time.in.millis"> <orawsp:Value/> <orawsp:DefaultValue>true</orawsp:DefaultValue> </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-oauth2-security>
Settings
See Table 18-27.
Configuration Properties
See Table 18-28.
17.88 oracle/http_oauth2_token_over_ssl_client_policy
The oracle/http_oauth2_token_over_ssl_client_policy includes the OAuth2 access token in the HTTP header. The access token (AT) is obtained from the Mobile & Social OAuth2 Server. You can attach this policy to any HTTP-based client.
Display Name: HTTP Oauth2 Token Over SSL Client Policy
Category: Security
Description
The policy verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, the request is refused.
Assertion
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion:
oracle/http_oauth2_token_over_ssl_client_template
See "oracle/http_oauth2_token_over_ssl_client_template" for more information about the assertion.
Configuration
This policy is the same as http_oauth2_token_client_policy, except that the AT is propagated over one-way SSL to the resource. This policy includes the OAuth2 access token in the HTTP header. The AT is obtained from the Mobile and Social OAuth2 Server.
The policy verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, the request is refused. You can attach this policy to any HTTP-based client.
You can override the following properties when you attach the policy:
- For OAuth2 token request:
  - scope
  - authz.code (Not used in this release.)
  - redirect.uri (Not used in this release.)
- For local token creation:
  - subject.precedence
  - csf.map
  - csf-key
  - oauth2.client.csf.key
  - federated.client.token
  - user.attributes
  - issuer.name
  - oracle.oauth2.service
  - user.roles.include
  - keystore.sig.csf.key
  - propagate.identity.context
  - user.tenant.name
  - include.certificate
- General:
  - audience.uri
  - reference.priority
  - time.in.millis
You must use WLST or edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/http_oauth2_token_over_ssl_client_template" for information about the assertion attributes that you can configure.
See "Overriding Policy Configuration Properties" for a description of the configuration settings you can override.
You attach this policy and the oracle/oauth2_config_client_policy to the client application. The required token.uri property of the oracle/oauth2_config_client_policy policy specifies the OAuth2 server.
You also attach any of the following Oracle WSM JWT service policies to the web service. The Oracle WSM server-side agent validates the AT.
- oracle/http_jwt_token_over_ssl_service_policy
- oracle/multi_token_over_ssl_rest_service_policy (REST)
- oracle/wss11_saml_or_username_token_with_message_protection_service_policy (SOAP)
By default, the oracle/http_oauth2_token_over_ssl_client_policy assertion content is defined as follows:
<orasp:http-oauth2-security xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy" xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="Http OAuth2 Over SSL ">
  <orasp:auth-header orasp:is-encrypted="false" orasp:is-signed="false" orasp:mechanism="oauth2"/>
  <orasp:require-tls orasp:algorithm-suite="Basic128" orasp:include-timestamp="false" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="HttpOAuth2OverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="subject.precedence"> <orawsp:Value/> <orawsp:DefaultValue>true</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf.map"/>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf-key"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="oauth2.client.csf.key"> <orawsp:Value/> <orawsp:DefaultValue>NONE</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="federated.client.token"> <orawsp:Value/> <orawsp:DefaultValue>true</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="scope"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="authz.code"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="redirect.uri"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.attributes"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="issuer.name"> <orawsp:Value/> <orawsp:DefaultValue>www.oracle.com</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="oracle.oauth2.service"> <orawsp:Value/> <orawsp:DefaultValue>false</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="user.roles.include"> <orawsp:Value/> <orawsp:DefaultValue>false</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="reference.priority"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:name="propagate.identity.context" orawsp:type="string" orawsp:contentType="optional"> <orawsp:Value></orawsp:Value> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.tenant.name"> <orawsp:Value/> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="audience.uri"> <orawsp:Value/> <orawsp:DefaultValue>NONE</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="include.certificate"> <orawsp:Value/> <orawsp:DefaultValue>false</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="time.in.millis"> <orawsp:Value/> <orawsp:DefaultValue>true</orawsp:DefaultValue> </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-oauth2-security>
<oralgp:Logging orawsp:Silent="true" orawsp:name="Log Message2" orawsp:Enforced="false" orawsp:category="security/logging">
  <oralgp:msg-log>
    <oralgp:request>all</oralgp:request>
    <oralgp:response>all</oralgp:response>
    <oralgp:fault>all</oralgp:fault>
  </oralgp:msg-log>
  <orawsp:bindings>
    <orawsp:Config orawsp:name="Log Message2_properties">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="reference.priority"/>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</oralgp:Logging>
Settings
See Table 18-30.
Configuration Properties
See Table 18-27.
17.89 oracle/http_jwt_token_over_ssl_service_policy
The oracle/http_jwt_token_over_ssl_service_policy authenticates users using the username provided in the JWT token in the HTTP header. This policy also verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused.
Display Name: HTTP Jwt Token Over SSL Service Policy
Category: Security
Description
This policy can be applied to any HTTP-based endpoint.
Assertion
This policy contains the following policy assertion: oracle/http_jwt_token_over_ssl_service_template. See "oracle/http_jwt_token_over_ssl_service_template" for more information about the assertion.
Configuration
For information about configuring the policy, see the Configuration section of oracle/http_jwt_token_over_ssl_service_policy earlier in this chapter (17.86).
17.90 oracle/oauth2_config_client_policy
The oracle/oauth2_config_client_policy provides OAuth2 information on the client side.
Display Name: Oauth2 Config Client Policy
Category: Security
Description
The OAuth2 information is used to invoke the Mobile and Social OAuth2 server for token exchange.
Assertion
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion:
oracle/oauth2_config_client_template
See "oracle/oauth2_config_client_template" for more information about the assertion.
Configuration
This policy provides OAuth2 information on the client side. This information is used to invoke the Mobile and Social OAuth2 server for token exchange.
This policy is enforced only when an OAuth2 token client policy is also attached. Otherwise, it is ignored. This policy is typically attached globally, and the OAuth2 token client policy locally.
You must use WLST or edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/oauth2_config_client_template" for information about the assertion attributes that you can configure.
You must set or override the token.uri property; the default value http://host:port/tokens is only a placeholder. Client credentials and access tokens travel to this endpoint, so point token.uri at an HTTPS URL. See "Overriding Policy Configuration Properties" for a description of the configuration settings you can override.
By default, the oracle/oauth2_config_client_policy assertion content is defined as follows:
<orasp:oauth2-config xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy" xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" orasp:token-uri="http://host:port/tokens" orawsp:Enforced="true" orawsp:Silent="true" orawsp:category="security/oauth2-config" orawsp:name="OAuth2 Configuration">
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="OAuth2Config">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:name="role" orawsp:type="string" orawsp:contentType="constant"> <orawsp:Value/> <orawsp:DefaultValue>ultimateReceiver</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:name="token.uri" orawsp:type="string" orawsp:contentType="optional"> <orawsp:Value/> <orawsp:DefaultValue>http://host:port/tokens</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="required" orawsp:name="oauth2.client.csf.key"> <orawsp:Value/> <orawsp:DefaultValue>basic.client.credentials</orawsp:DefaultValue> </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="reference.priority"/>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:oauth2-config>
Settings
See Table 18-35.
Configuration Properties
See Table 18-36.
17.91 oracle/http_jwt_token_client_policy
The oracle/http_jwt_token_client_policy includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declaratively through the policy.
Display Name: HTTP JWT Token Client Policy
Category: Security
Description
You can specify the audience restriction condition for this policy.
This policy can be enforced on any HTTP-based client endpoint.
Assertion
This policy contains the following policy assertion:
oracle/http_jwt_token_client_template
See "oracle/http_jwt_token_client_template" for more information about the assertion.
Configuration
The http_jwt_token_client_policy includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declaratively through the policy. You can specify the audience restriction condition for this policy.
This policy can be applied to any HTTP-based client endpoint.
You must edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/http_jwt_token_client_template" for information about the assertion attributes that you can configure.
By default, the oracle/http_jwt_token_client_policy assertion content is defined as follows:
<orasp:http-jwt-security orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication" orawsp:name="Http JWT Security">
  <orasp:auth-header orasp:algorithm-suite="Basic128Sha256Rsa15" orasp:is-encrypted="false" orasp:is-signed="true" orasp:mechanism="jwt"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="HttpJwtTokenConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="optional" orawsp:name="user.attributes" orawsp:type="string"/>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="issuer.name" orawsp:type="string">
          <orawsp:Value>www.oracle.com</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="user.roles.include" orawsp:type="string">
          <orawsp:Value>false</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="csf.map" orawsp:type="string"/>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="csf-key" orawsp:type="string">
          <orawsp:Value>basic.credentials</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="subject.precedence" orawsp:type="string">
          <orawsp:Value>true</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="audience.uri" orawsp:type="string">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key" orawsp:type="string">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="propagate.identity.context" orawsp:type="string">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="user.tenant.name" orawsp:type="string">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-jwt-security>
Settings
See Table 18-37.
Configuration Properties
See Table 18-38.
17.92 oracle/http_jwt_token_over_ssl_client_policy
The oracle/http_jwt_token_over_ssl_client_policy includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declaratively through the policy.
Display Name: HTTP JWT Token Over SSL Client Policy
Category: Security
Description
You can specify the audience restriction condition for this policy.
This policy also verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused.
This policy can be enforced on any HTTP-based client endpoint.
Assertion
This policy contains the following policy assertion: oracle/http_jwt_token_over_ssl_client_template. See "oracle/http_jwt_token_over_ssl_client_template" for more information about the assertion.
Configuration
For information about configuring the policy, see "oracle/http_jwt_token_client_policy".
17.93 oracle/http_oauth2_token_identity_switch_opc_oauth2_over_ssl_client_policy
The oracle/http_oauth2_token_identity_switch_opc_oauth2_over_ssl_client_policy includes the OAuth2 access token in the HTTP header. The access token is obtained from the OAuth Server. It also verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, the request is refused. This policy can be attached to any HTTP-based SOAP or REST client, invoking the service over SSL.
Display Name: HTTP OAuth2 Token Identity Switch Opc OAuth2 Over SSL Client Policy
Category: Security
Description
This policy also performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject.
The subject.precedence property is set to false by default. The oracle.oauth2.service property is set to true by default, which ensures that the client ID is used as the issuer for the user and client JWT tokens for the OAuth2 server.
Assertion
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion:
oracle/http_oauth2_token_over_ssl_client_template
See "oracle/http_oauth2_token_over_ssl_client_template" for more information about the assertion.
Configuration
This policy includes the OAuth2 access token in the HTTP header. The access token is obtained from the OAuth Server in the Oracle Cloud.
The property oracle.oauth2.service is set to true by default, which ensures that the client ID is used as the issuer for the user and client JWT tokens for the OAuth2 server. If scope is empty (the default), Oracle WSM automatically gets the service URL and uses the address:port portion as the scope.
It also verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, the request is refused. This policy can be attached to any HTTP-based SOAP or REST client, invoking the service over SSL.
This policy also performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject.
You can override the following properties when you attach the policy:
- For OAuth2 token request:
  - scope
  - authz.code (Not used in this release.)
  - redirect.uri (Not used in this release.)
- For local token creation:
  - subject.precedence
  - csf.map
  - csf-key
  - oauth2.client.csf.key
  - federated.client.token
  - user.attributes
  - issuer.name
  - oracle.oauth2.service
  - user.roles.include
  - keystore.sig.csf.key
  - propagate.identity.context
  - user.tenant.name
  - include.certificate
- General:
  - audience.uri
  - reference.priority
  - time.in.millis
You must use WLST or edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/http_oauth2_token_over_ssl_client_template" for information about the assertion attributes that you can configure.
You attach this policy and the oracle/oauth2_config_client_policy policy to the client application. The token.uri property of the required oracle/oauth2_config_client_policy policy specifies the OAuth2 server.
You also attach any of the following Oracle WSM JWT service policies to the web service. The Oracle WSM server-side agent validates the access token (AT).
-
oracle/http_jwt_token_over_ssl_service_policy
-
oracle/multi_token_over_ssl_rest_service_policy (REST)
-
oracle/wss11_saml_or_username_token_with_message_protection_service_policy (SOAP)
subject.precedence is set to false to allow for the use of a client-specified username rather than the authenticated subject. The user name is obtained only from the username property of the csf-key.
If subject.precedence is set to false and csf-key and user name are configured, the web service client application must have the oracle.wsm.security.WSIdentityPermission permission. That is, applications from which Oracle WSM accepts the externally-supplied identity must have the WSIdentityPermission permission. This prevents potentially rogue applications from providing an identity to Oracle WSM. For information about granting the WSIdentityPermission permission, see "Setting the Permission Using WSIdentityPermission".
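The following is an added example, not OWSM code, modelling in Python what the JWT client policies described under "oracle/http_jwt_token_client_policy" and the subject.precedence rule above amount to: the token subject is chosen according to subject.precedence, an identity switch is refused for an application that has not been granted WSIdentityPermission, a JWT carrying issuer, subject and audience claims is minted and placed in the HTTP Authorization header, and the service side validates signature, issuer, audience restriction and expiry. The signing key, user and application names, the use of HS256 (so the example runs with the standard library alone) and the Bearer header scheme are assumptions made for this example; OWSM signs with the key named by keystore.sig.csf.key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data, not taken from the OWSM documentation.
SIGNING_KEY = b"demo-shared-signing-key"            # stand-in for the key named by keystore.sig.csf.key
AUTHENTICATED_SUBJECT = "alice"                     # identity established by the authentication policy
CSF_KEY_USERNAME = "svc_batch"                      # username property stored under the csf-key credential
APPS_WITH_WSIDENTITYPERMISSION = {"billing-app"}    # apps granted oracle.wsm.security.WSIdentityPermission


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def choose_subject(app_name: str, subject_precedence: bool) -> str:
    """Identity the client policy places in the token subject.

    subject.precedence=true  -> the authenticated subject is propagated.
    subject.precedence=false -> the csf-key username is propagated, but only when the calling
                                application holds WSIdentityPermission; otherwise the switch is refused.
    """
    if subject_precedence:
        return AUTHENTICATED_SUBJECT
    if app_name not in APPS_WITH_WSIDENTITYPERMISSION:
        raise PermissionError(f"{app_name} lacks oracle.wsm.security.WSIdentityPermission")
    return CSF_KEY_USERNAME


def create_jwt(issuer: str, subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """Mint a compact JWT (HS256 here so the example is self-contained; OWSM uses the keystore key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = _b64url(json.dumps({"iss": issuer, "sub": subject, "aud": audience,
                                 "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    signature = hmac.new(SIGNING_KEY, f"{header}.{claims}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(signature)}"


def validate_jwt(token: str, expected_issuer: str, expected_audience: str, now: int):
    """Service-side checks: signature, issuer, audience restriction, expiry.
    Returns (claims, "ok") on success, otherwise (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header, claims_b64, sig_b64 = parts
    expected_sig = hmac.new(SIGNING_KEY, f"{header}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != expected_issuer:
        return None, "unexpected issuer"
    if claims.get("aud") != expected_audience:
        return None, "audience restriction failed"
    if claims.get("exp", 0) <= now:
        return None, "token expired"
    return claims, "ok"


def build_authorization_header(app_name: str, subject_precedence: bool, issuer: str,
                               audience: str, now: int = None) -> dict:
    """Client side: pick the subject, mint the JWT, put it in the Authorization header (Bearer scheme assumed)."""
    now = int(time.time()) if now is None else now
    subject = choose_subject(app_name, subject_precedence)
    return {"Authorization": "Bearer " + create_jwt(issuer, subject, audience, now)}


if __name__ == "__main__":
    hdr = build_authorization_header("billing-app", False, "www.oracle.com", "https://svc.example/api", now=1000)
    print(validate_jwt(hdr["Authorization"][len("Bearer "):], "www.oracle.com", "https://svc.example/api", now=1001))
```

With subject.precedence false and the calling application in the permission set, the minted token carries the csf-key username; the same call from an application without WSIdentityPermission raises PermissionError, which is the check the page says protects against rogue applications supplying an identity.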
By default, the oracle/http_oauth2_token_identity_switch_opc_oauth2_over_ssl_client_policy assertion content is defined as follows:
<orasp:http-oauth2-security xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy" xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="Http OAuth2 Over SSL ">
  <orasp:auth-header orasp:is-encrypted="false" orasp:is-signed="false" orasp:mechanism="oauth2"/>
  <orasp:require-tls orasp:algorithm-suite="Basic128" orasp:include-timestamp="false" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="HttpOAuth2OverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="subject.precedence">
          <orawsp:Value>false</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf.map"/>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf-key">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="oauth2.client.csf.key">
          <orawsp:Value/>
          <orawsp:DefaultValue>NONE</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="federated.client.token">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="scope">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="authz.code">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="redirect.uri">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.attributes">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="issuer.name">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="oracle.oauth2.service">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="user.roles.include">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="reference.priority">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:name="propagate.identity.context" orawsp:type="string" orawsp:contentType="optional">
          <orawsp:Value></orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.tenant.name">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="audience.uri">
          <orawsp:Value/>
          <orawsp:DefaultValue>NONE</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="include.certificate">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="time.in.millis">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-oauth2-security>
Settings
See Table 18-30.
Configuration Properties
See Table 18-27.
17.94 oracle/http_oauth2_token_opc_oauth2_over_ssl_client_policy
The oracle/http_oauth2_token_opc_oauth2_over_ssl_client_policy includes the OAuth2 access token in the HTTP header. The access token is obtained from the Mobile & Social OAuth2 Server. The property oracle.oauth2.service is set to true by default, which ensures that the client ID is used as the issuer for the user and client JWT tokens for the OAuth2 server.
Display Name: HTTP OAuth2 Token Opc OAuth2 Over SSL Client Policy
Category: Security
Description
If scope has no value (the default), the protocol, host, and port (if available) are obtained from the service URL and used as the scope.
The policy verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, the request is refused. You can attach this policy to any HTTP-based client.
Assertion
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion:
oracle/http_oauth2_token_over_ssl_client_template
See "oracle/http_oauth2_token_over_ssl_client_template" for more information about the assertion.
Configuration
This policy includes the OAuth2 access token in the HTTP header. The access token is obtained from the OAuth2 Server in the Oracle Cloud.
The property oracle.oauth2.service is set to true by default, which ensures that the client ID is used as the issuer for the user and client JWT tokens for the OAuth2 server. If scope is empty (the default), Oracle WSM automatically gets the service URL and uses the address:port portion as the scope.
The policy verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, the request is refused. You can attach this policy to any HTTP-based SOAP or REST client.
You can override the following properties when you attach the policy:
- For OAuth2 token request:
  - scope
  - authz.code (Not used in this release.)
  - redirect.uri (Not used in this release.)
- For local token creation:
  - subject.precedence
  - csf.map
  - csf-key
  - oauth2.client.csf.key
  - federated.client.token
  - user.attributes
  - issuer.name
  - oracle.oauth2.service
  - user.roles.include
  - keystore.sig.csf.key
  - propagate.identity.context
  - user.tenant.name
  - include.certificate
- General:
  - audience.uri
  - reference.priority
  - time.in.millis
You must use WLST or edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/http_oauth2_token_over_ssl_client_template" for information about the assertion attributes that you can configure.
See "Overriding Policy Configuration Properties" for a description of the configuration settings you can override.
You attach this policy and the oracle/oauth2_config_client_policy to the client application. The required token.uri property of the oracle/oauth2_config_client_policy policy specifies the OAuth2 server.
You also attach any of the following Oracle WSM JWT service policies to the web service. The Oracle WSM server-side agent validates the access token (AT).
-
oracle/http_jwt_token_over_ssl_service_policy
-
oracle/multi_token_over_ssl_rest_service_policy (REST)
-
oracle/wss11_saml_or_username_token_with_message_protection_service_policy (SOAP)
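The following is an added example, not OWSM code, that walks through the client-side sequence described for this policy and for "oracle/http_oauth2_token_identity_switch_opc_oauth2_over_ssl_client_policy": refuse a non-HTTPS service URL (the require-tls assertion), look up the client credential by its oauth2.client.csf.key, derive the scope from the service URL when scope is empty, obtain an access token from the server behind token.uri, and present it in the HTTP Authorization header; a small service-side check then confirms the token with the issuing server. The credential store contents, the token URI, the in-process stand-in for the OAuth2 server and the exact string form of the derived scope are assumptions made for this example.

```python
import secrets
from urllib.parse import urlparse

# Constructed sample data, not taken from the OWSM documentation.
# oauth2.client.csf.key -> (client_id, client_secret); stands in for the credential store.
CSF_STORE = {"basic.client.credentials": ("orders-client", "s3cret-demo-value")}
TOKEN_URI = "https://oauth.example:443/tokens"   # placeholder for token.uri of oracle/oauth2_config_client_policy


def default_scope(service_url: str) -> str:
    """Scope used when the scope property is empty: protocol, host and port (if present) of the service URL.
    The string layout is an assumption; the page only names the parts that are used."""
    u = urlparse(service_url)
    return f"{u.scheme}://{u.hostname}" + (f":{u.port}" if u.port else "")


class FakeOAuth2Server:
    """In-process stand-in for the OAuth2 server behind token.uri: client-credentials grant, opaque tokens."""

    def __init__(self, registered_clients: dict):
        self.registered_clients = registered_clients
        self.issued = {}

    def token(self, client_id: str, client_secret: str, scope: str) -> dict:
        if self.registered_clients.get(client_id) != client_secret:
            return {"error": "invalid_client"}
        access_token = secrets.token_urlsafe(24)
        self.issued[access_token] = {"client_id": client_id, "scope": scope}
        return {"access_token": access_token, "token_type": "Bearer", "scope": scope}

    def introspect(self, access_token: str):
        """What the service side asks the issuing server when validating the AT."""
        return self.issued.get(access_token)


def prepare_request(service_url: str, oauth2_client_csf_key: str, scope: str, server: FakeOAuth2Server):
    """Client-policy steps in order: require TLS, resolve the client credential by CSF key,
    derive the scope if empty, obtain the access token, place it in the Authorization header."""
    if urlparse(service_url).scheme != "https":
        raise ValueError("require-tls: outbound transport is not HTTPS, request refused")
    if oauth2_client_csf_key not in CSF_STORE:
        raise KeyError(f"no credential under CSF key {oauth2_client_csf_key!r}")
    client_id, client_secret = CSF_STORE[oauth2_client_csf_key]
    effective_scope = scope or default_scope(service_url)
    response = server.token(client_id, client_secret, effective_scope)
    if "access_token" not in response:
        raise RuntimeError(f"token request to {TOKEN_URI} failed: {response.get('error')}")
    return {"Authorization": f"Bearer {response['access_token']}"}, effective_scope


def validate_request(headers: dict, server: FakeOAuth2Server, expected_scope: str):
    """Service side: extract the AT and confirm the server issued it for the expected scope."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "no bearer token"
    info = server.introspect(auth[len("Bearer "):])
    if info is None:
        return False, "unknown token"
    if info["scope"] != expected_scope:
        return False, "scope mismatch"
    return True, info["client_id"]


if __name__ == "__main__":
    srv = FakeOAuth2Server({"orders-client": "s3cret-demo-value"})
    headers, scope = prepare_request("https://api.example.com:8443/orders", "basic.client.credentials", "", srv)
    print(scope, validate_request(headers, srv, scope))
```

Running the block derives the scope https://api.example.com:8443 from the service URL and the service-side check accepts the token; the same call with an http:// service URL is refused before any token is requested, which is the require-tls behaviour the page describes.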
By default, the oracle/http_oauth2_token_opc_oauth2_over_ssl_client_policy assertion content is defined as follows:
<orasp:http-oauth2-security xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy" xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="Http OAuth2 Over SSL ">
  <orasp:auth-header orasp:is-encrypted="false" orasp:is-signed="false" orasp:mechanism="oauth2"/>
  <orasp:require-tls orasp:algorithm-suite="Basic128" orasp:include-timestamp="false" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="HttpOAuth2OverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="subject.precedence">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf.map"/>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf-key">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="oauth2.client.csf.key">
          <orawsp:Value/>
          <orawsp:DefaultValue>NONE</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="federated.client.token">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="scope">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="authz.code">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="redirect.uri">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.attributes">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="issuer.name">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="oracle.oauth2.service">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="user.roles.include">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="reference.priority">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:name="propagate.identity.context" orawsp:type="string" orawsp:contentType="optional">
          <orawsp:Value></orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.tenant.name">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="audience.uri">
          <orawsp:Value/>
          <orawsp:DefaultValue>NONE</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="include.certificate">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="time.in.millis">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-oauth2-security>
Settings
See Table 18-30.
Configuration Properties
See Table 18-27.
17.95 oracle/http_jwt_token_identity_switch_client_policy
The oracle/http_jwt_token_identity_switch_client_policy performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject. This policy includes a JSON Web Token (JWT) in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declaratively through the policy. You can specify the audience restriction condition for this policy.
Display Name: HTTP JWT Token Identity Switch Client Policy
Category: Security
Description
This policy can be enforced on any HTTP-based, SOAP, or REST client endpoint.
Assertion
This policy contains the following policy assertion:
oracle/http_jwt_token_client_template
See "oracle/http_jwt_token_client_template" for more information about the assertion.
Configuration
Performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject. This policy includes a JWT token in the HTTP header. When the policy is used by the client, the JWT token is automatically created by Oracle WSM. The issuer name and subject name are provided either programmatically or declaratively through the policy. You can specify the audience restriction condition for this policy.
This policy can be enforced on any HTTP-based, SOAP, or REST client endpoint.
You must edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/http_jwt_token_client_template" for information about the assertion attributes that you can configure.
By default, the oracle/http_jwt_token_identity_switch_client_policy assertion content is the same as the "oracle/http_jwt_token_client_template", except that the subject.precedence property is set to false, as follows:
<orawsp:Property orawsp:contentType="optional" orawsp:name="subject.precedence" orawsp:type="string">
  <orawsp:Value>false</orawsp:Value>
</orawsp:Property>
Settings
See Table 18-37.
Configuration Properties
See Table 18-38.
17.96 oracle/binding_authorization_denyall_policy
The oracle/binding_authorization_denyall_policy provides a simple role-based authorization policy based on the authenticated Subject at the SOAP binding level.
Display Name: Binding Authorization DenyAll Policy
Category: Security
Description
This policy denies all users with any roles. It should follow an authentication policy where the Subject is established and can be attached to any SOAP-based endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is not advertised in the WSDL.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-123. For more information, see "Overriding Policy Configuration Properties".
- To set up OPSS:
  - If you specify one or more of the WebLogic Server enterprise roles, the authenticated subject must already have that role. Use the WebLogic Server Remote Console to grant a role to a user or group, as described in "Manage users and groups".
  - Configure a WebLogic Authentication provider, as described in "Configure Authentication and Identity Assertion providers" in the Oracle WebLogic Server Administration Console Online Help.
17.97 oracle/binding_authorization_permitall_policy
The oracle/binding_authorization_permitall_policy provides a simple role-based authorization for the request based on the authenticated Subject at the SOAP binding level. This policy permits all users with any roles.
Display Name: Binding Authorization PermitAll Policy
Category: Security
Description
It should follow an authentication policy where the Subject is established and can be attached to any SOAP-based endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is not advertised in the WSDL.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-123. For more information, see "Overriding Policy Configuration Properties".
- To set up OPSS:
  - If you specify one or more of the WebLogic Server enterprise roles, the authenticated subject must already have that role. Use the WebLogic Server Remote Console to grant a role to a user or group, as described in "Manage users and groups".
  - Configure a WebLogic Authentication provider, as described in "Configure Authentication and Identity Assertion providers" in the Oracle WebLogic Server Administration Console Online Help.
17.98 oracle/binding_permission_authorization_policy
The oracle/binding_permission_authorization_policy provides a permission-based authorization policy based on the authenticated subject. This policy should follow an authentication policy where the Subject is established and can be attached to any SOAP-based endpoint.
Display Name: Binding Permission Based Authorization Policy
Category: Security
Description
This policy ensures that the subject has permission to perform the operation. To do this, the Authorization Policy executor leverages OPSS to check if the authenticated subject has been granted oracle.wsm.security.WSFunctionPermission (or whatever permission class is specified in Permission Check Class) using the Resource Pattern and Action Pattern as parameters. For more information, see "Determining Authorization Permissions".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is not advertised in the WSDL.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-125. For more information, see "Overriding Policy Configuration Properties".
- To set up OPSS:
  - Use Fusion Middleware Control to grant the WSFunctionPermission (or other) permission to the user, group, or application that will attempt to authenticate to the web service.
  - Optionally, change the permission_class configuration property for the policy, which identifies the permission class as per JAAS standards. The class must be available in the server classpath. The custom permission class must extend the abstract Permission class and implement the Serializable interface. See the Javadoc at http://docs.oracle.com/javase/7/docs/api/java/security/Permission.html. The default is oracle.wsm.security.WSFunctionPermission.
  - Configure a WebLogic Authentication provider, as described in "Configure Authentication and Identity Assertion providers" in the Oracle WebLogic Server Administration Console Online Help.
17.99 oracle/component_authorization_denyall_policy
The oracle/component_authorization_denyall_policy provides a simple role-based authorization policy based on the authenticated subject.
Display Name: Component Authorization DenyAll Policy
Category: Security
Description
This policy denies all users with any roles. It should follow an authentication policy where the Subject is established and can be attached to any SCA-based endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is not advertised in the WSDL.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-127. For more information, see "Overriding Policy Configuration Properties".
- To set up OPSS:
  - If you specify one or more of the WebLogic Server enterprise roles, the authenticated subject must already have that role. Use the WebLogic Server Remote Console to grant a role to a user or group, as described in "Manage users and groups".
  - Configure a WebLogic Authentication provider, as described in "Configure Authentication and Identity Assertion providers" in the Oracle WebLogic Server Administration Console Online Help.
17.100 oracle/component_authorization_permitall_policy
The oracle/component_authorization_permitall_policy provides a simple role-based authorization policy based on the authenticated subject.
Display Name: Component Authorization PermitAll Policy
Category: Security
Description
This policy permits all users with any roles. It should follow an authentication policy where the Subject is established and can be attached to any SCA-based endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is not advertised in the WSDL.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-127. For more information, see "Overriding Policy Configuration Properties".
- To set up OPSS:
  - If you specify one or more of the WebLogic Server enterprise roles, the authenticated subject must already have that role. Use the WebLogic Server Remote Console to grant a role to a user or group, as described in "Manage users and groups".
  - Configure a WebLogic Authentication provider, as described in "Configure Authentication and Identity Assertion providers" in the Oracle WebLogic Server Administration Console Online Help.
17.101 oracle/component_permission_authorization_policy
The oracle/component_permission_authorization_policy provides a permission-based authorization policy based on the authenticated Subject. This policy should follow an authentication policy where the Subject is established and can be attached to any SCA-based endpoint.
Display Name: Component Permission Based Authorization Policy
Category: Security
Description
This policy ensures that the subject has permission to perform the operation. To do this, the Authorization Policy executor leverages OPSS to check if the authenticated subject has been granted oracle.wsm.security.WSFunctionPermission (or whatever permission class is specified in Permission Check Class) using the Resource Pattern and Action Pattern as parameters. Resource Pattern and Action Pattern are used to identify if the authorization assertion is to be enforced for this particular request. Access is allowed if the authenticated subject has been granted WSFunctionPermission. For more information, see "Determining Authorization Permissions".
You can grant the WSFunctionPermission permission to a user, a group, or an application role. If you grant WSFunctionPermission to a user or group it will apply to all applications that are deployed in the domain.
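The following is an added example, not OWSM or OPSS code, modelling the permission check described here and under "oracle/binding_permission_authorization_policy": the Resource Pattern and Action Pattern first decide whether the assertion is enforced for the request at all, and only then are the grants held by the subject's user, groups and application roles consulted for a permission that implies the requested resource and action. The grant table, the principal naming, the "namespace/service#operation" layout of resource names and the comma-separated action strings are assumptions made for this example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class WSFunctionPermission:
    """Modeled on oracle.wsm.security.WSFunctionPermission: a resource name (wildcards allowed)
    and a comma-separated action list, as JAAS permissions use. Resource layout is assumed."""
    resource: str
    actions: str = "invoke"

    def implies(self, resource: str, action: str) -> bool:
        return fnmatchcase(resource, self.resource) and action in self.actions.split(",")


# Constructed OPSS-style policy store: grants keyed by principal (user, group or application role).
GRANTS = {
    "user:alice": {WSFunctionPermission("http://example.com/orders/OrderService#getOrder")},
    "group:operators": {WSFunctionPermission("http://example.com/orders/OrderService#*")},
    "approle:auditor": {WSFunctionPermission("http://example.com/*#get*")},
}


@dataclass(frozen=True)
class Subject:
    """Authenticated subject established by the preceding authentication policy."""
    user: str
    groups: tuple = ()
    app_roles: tuple = ()

    def principals(self):
        yield f"user:{self.user}"
        for group in self.groups:
            yield f"group:{group}"
        for role in self.app_roles:
            yield f"approle:{role}"


def is_enforced(resource: str, action: str, resource_pattern: str = "*", action_pattern: str = "*") -> bool:
    """Resource Pattern / Action Pattern decide whether the assertion applies to this request."""
    return fnmatchcase(resource, resource_pattern) and fnmatchcase(action, action_pattern)


def authorize(subject: Subject, resource: str, action: str,
              resource_pattern: str = "*", action_pattern: str = "*") -> str:
    """Returns 'allowed', 'denied' or 'not-enforced'. Denial is the default: access is granted only
    when some principal of the subject holds a permission that implies the requested resource/action."""
    if not is_enforced(resource, action, resource_pattern, action_pattern):
        return "not-enforced"
    for principal in subject.principals():
        for grant in GRANTS.get(principal, ()):
            if grant.implies(resource, action):
                return "allowed"
    return "denied"


if __name__ == "__main__":
    op = "http://example.com/orders/OrderService#cancelOrder"
    print(authorize(Subject("alice"), op, "invoke"))                          # denied
    print(authorize(Subject("bob", groups=("operators",)), op, "invoke"))     # allowed
```

A grant to a group or application role reaches every subject carrying that principal, which is why the page notes that a grant to a user or group applies across all applications deployed in the domain; scoping grants to application roles keeps that blast radius smaller.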
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is not advertised in the WSDL.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-129. For more information, see "Overriding Policy Configuration Properties".
- To set up OPSS:
  - Use Fusion Middleware Control to grant the WSFunctionPermission permission to the user, group, or application that will attempt to authenticate to the web service.
  - Configure a WebLogic Authentication provider, as described in "Configure Authentication and Identity Assertion providers" in the Oracle WebLogic Server Administration Console Online Help.
17.102 oracle/no_authorization_component_policy
The oracle/no_authorization_component_policy is a no behavior policy. When directly attached to a SOA component or globally attached at a lower scope, it effectively disables a globally attached authorization policy at a higher scope.
Display Name: No Behavior Authorization Component Policy
Category: Security
Description
If the globally attached policy contains any other assertions, in addition to the authorization assertion, those assertions are disabled as well. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
-
This no behavior policy cannot be duplicated.
-
The assertion template associated with this no behavior policy is not available for generating new policies.
-
This no_behavior policy is not supported for Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-44 lists the configuration property that you can override for the no behavior policy.
Table 17-44 Configuration Property for oracle/no_authorization_component_policy
| Name | Description | Default | Required? |
|---|---|---|---|
| reference.priority | See "reference.priority". | None | Optional |
17.103 oracle/no_authorization_service_policy
The oracle/no_authorization_service_policy is a no behavior policy. When directly attached to a service endpoint or globally attached at a lower scope, it effectively disables a globally attached authorization policy at a higher scope.
Display Name: No Behavior Authorization Service Policy
Category: Security
Description
If the globally attached policy contains any other assertions, in addition to the authorization assertion, those assertions are disabled also. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
- This no behavior policy cannot be duplicated.
- The assertion template associated with this no behavior policy is not available for generating new policies.
- This no behavior policy is not supported for Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-45 lists the configuration property that you can override for the no behavior policy.
Table 17-45 Configuration Property for oracle/no_authorization_service_policy
| Name | Description | Default | Required? |
|---|---|---|---|
| reference.priority | See "reference.priority". | None | Optional |
17.104 oracle/whitelist_authorization_policy
The oracle/whitelist_authorization_policy is a special case of role based authorization policy, and accepts requests only if a specified condition is true.
Display Name: Constraints Based Authorization Policy
Category: Security
Description
This policy is a special case of role based authorization policy. This policy can be attached to any SOAP-based endpoint.
Accepts requests only if one of the following conditions is true:
- The authenticated token is SAML Sender Vouches.
- The user is in a particular role (the default is `trustedEnterpriseRole`) that establishes the user as a trusted entity.
- The request is coming from within a private network.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is not advertised in the WSDL.
Configuration
To configure the policy:
- To successfully invoke a service that has the `whitelist_authorization_policy` attached, you must do one of the following:
  - If the service accepts SAML sender vouches for authentication (for example, a SAML token service policy is attached to the service), you must attach the corresponding SAML token client policy to the client.
  - If the service accepts username/password for authentication (for example, a username token service policy is attached to the service), you must attach the corresponding username token client policy to the client and make sure that the client is in a trusted role as defined in the policy. (By default, the role defined in the predefined policy is `trustedEnterpriseRole`. You need to modify this role in the predefined policy.)
  - If the service is invoked using Oracle HTTP Server, and it is configured to indicate that the request came from a private internal network (see "Configuring the Oracle HTTP Server to Specify the Request Origin"), then a client on the internal network only has to attach the corresponding username token client policy at the client side.
- To set up OPSS:
  - If you specify one or more of the WebLogic Server enterprise roles, the authenticated subject must already have that role. Use the WebLogic Server Remote Console to grant a role to a user or group, as described in "Manage users and groups".
  - You must configure a WebLogic Authentication provider, as described in "Configure Authentication and Identity Assertion providers" in the Oracle WebLogic Server Administration Console Online Help.
  - The Constraint Pattern property setting contains a `requestOrigin` field that specifies whether the request originated from an internal or external network. This property is valid only when using Oracle HTTP Server and the Oracle HTTP Server administrator has added a custom `VIRTUAL_HOST_TYPE` header to the request. To configure the Oracle HTTP Server, see "Configuring the Oracle HTTP Server to Specify the Request Origin".
17.105 oracle/no_messageprotection_client_policy
The oracle/no_messageprotection_client_policy is a no behavior policy. When directly attached to a client endpoint or globally attached at a lower scope, it effectively disables a globally attached message protection policy at a higher scope.
Display Name: No Behavior Message Protection Client Policy
Category: Security
Description
If the globally attached policy contains any other assertions, in addition to the message protection assertion, those assertions are disabled also. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
- This no behavior policy cannot be duplicated.
- The assertion template associated with this no behavior policy is not available for generating new policies.
- This no behavior policy is not supported for Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-46 lists the configuration property that you can override for the no behavior policy.
Table 17-46 Configuration Property for oracle/no_messageprotection_client_policy
| Name | Description | Default | Required? |
|---|---|---|---|
| reference.priority | See "reference.priority". | None | Optional |
17.106 oracle/no_messageprotection_service_policy
The oracle/no_messageprotection_service_policy is a no behavior policy. When directly attached to a service endpoint or globally attached at a lower scope, it effectively disables a globally attached message protection policy at a higher scope.
Display Name: No Behavior Message Protection Service Policy
Category: Security
Description
If the globally attached policy contains any other assertions, in addition to the message protection assertion, those assertions are disabled also. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
This policy is not supported for Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-47 lists the configuration property that you can override for the no behavior policy.
Table 17-47 Configuration Property for oracle/no_messageprotection_service_policy
| Name | Description | Default | Required? |
|---|---|---|---|
| reference.priority | See "reference.priority". | None | Optional |
17.107 oracle/wss10_message_protection_client_policy
The oracle/wss10_message_protection_client_policy provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.
Display Name: Wss10 Message Protection Client Policy
Category: Security
Description
This policy uses the WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-42. For more information, see "Overriding Policy Configuration Properties".
- To configure OPSS, set up the OWSM keystore and the web service client keystore, as described in "Overview of Configuring Keystores for Message Protection". The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
- The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for `keystore.recipient.alias`, as described in "Overriding Policy Configuration Properties". The `keystore.recipient.alias` property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
- Specify a value for `keystore.sig.csf.key` and `keystore.enc.csf.key`, as described in "Overriding Policy Configuration Properties".
- Configure the policy assertion for message signing, message encryption, or both.
Design Time Considerations
At design time:
- Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
- Configure the policy assertion for message signing, message encryption, or both.
- You can include signature and encryption elements in the Security header in conformance with the WS-Security 1.0 standards.
The following example (WS-Security 1.0 Message Integrity of SOAP Message) shows the typical structure of a signature included in the Security header. In this example, the body element of the SOAP message is signed.
```xml
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <dsig:Reference URI="#Timestamp-...">
      <dsig:Transforms>
        <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <dsig:DigestValue>...</dsig:DigestValue>
    </dsig:Reference>
    <dsig:Reference URI="#Body-...">
      <dsig:Transforms>
        <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <dsig:DigestValue>...</dsig:DigestValue>
    </dsig:Reference>
    <dsig:Reference URI="#KeyInfo-...">
      <dsig:Transforms>
        <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
          <TransformationParameters xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
          </TransformationParameters>
        </dsig:Transform>
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <dsig:DigestValue>...</dsig:DigestValue>
    </dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue>....</dsig:SignatureValue>
  <dsig:KeyInfo Id="KeyInfo-...">
    <wsse:SecurityTokenReference xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">...</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
  </dsig:KeyInfo>
</dsig:Signature>
```
The following example (WS-Security 1.0 Message Confidentiality of SOAP Message) shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.
```xml
<env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-JA9fsCRnqbFJ0ocBAMKb7g22">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content" Id="...">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</env:Body>
```
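As an added example (not code from the OWSM documentation), the following Python parses a constructed envelope shaped like the WS-Security 1.0 integrity fragment above and reports which elements the dsig:Signature references actually cover, flagging dangling references and duplicated Ids, the check a receiver needs before trusting that a signed `#Body-...` reference is the Body it is about to process. The namespace URIs are the standard ones from the fragments; the Ids, digest and signature values are constructed placeholders, so this is reference-coverage checking, not cryptographic verification.

```python
"""Coverage check for a WS-Security 1.0 dsig:Signature in a SOAP Security header.

Added example, not part of the OWSM documentation. The envelope below is constructed
to mirror the shape of the documentation's "Message Integrity" example (Timestamp,
Body and KeyInfo references); its Ids and digest/signature values are placeholders,
so this checks which elements the signature claims to cover, not the cryptography.
"""
import xml.etree.ElementTree as ET

NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample message (not a capture); the Ids are made up.
SAMPLE = """<env:Envelope xmlns:env="{env}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:dsig="{dsig}">
  <env:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="Timestamp-1">
        <wsu:Created>2024-01-01T00:00:00Z</wsu:Created>
      </wsu:Timestamp>
      <dsig:Signature>
        <dsig:SignedInfo>
          <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <dsig:Reference URI="#Timestamp-1"><dsig:DigestValue>...</dsig:DigestValue></dsig:Reference>
          <dsig:Reference URI="#Body-1"><dsig:DigestValue>...</dsig:DigestValue></dsig:Reference>
          <dsig:Reference URI="#KeyInfo-1"><dsig:DigestValue>...</dsig:DigestValue></dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>...</dsig:SignatureValue>
        <dsig:KeyInfo Id="KeyInfo-1"/>
      </dsig:Signature>
    </wsse:Security>
  </env:Header>
  <env:Body wsu:Id="Body-1"><op xmlns="urn:example">payload</op></env:Body>
</env:Envelope>""".format(**NS)

# Same message with a second element carrying the Body's wsu:Id: the duplicate-Id
# condition a receiver must reject before resolving signed references by Id.
DUPLICATE_ID = SAMPLE.replace("<env:Header>", '<env:Header><env:Extra wsu:Id="Body-1"/>', 1)


def _id_of(elem):
    """Return the element's wsu:Id or plain Id attribute (KeyInfo uses Id), else None."""
    return elem.get(WSU_ID) or elem.get("Id")


def signed_references(root):
    """Fragment ids listed in dsig:Reference/@URI under the Security header's Signature."""
    sig = root.find("env:Header/wsse:Security/dsig:Signature", NS)
    if sig is None:
        return []
    refs = sig.findall("dsig:SignedInfo/dsig:Reference", NS)
    return [r.get("URI", "")[1:] for r in refs if r.get("URI", "").startswith("#")]


def check_coverage(xml_text):
    """Report whether Body and Timestamp are signed, and flag dangling or duplicated ids."""
    root = ET.fromstring(xml_text)
    refs = signed_references(root)
    # Index every id-bearing element; a duplicated id makes reference resolution ambiguous.
    seen = {}
    for elem in root.iter():
        ident = _id_of(elem)
        if ident is not None:
            seen.setdefault(ident, []).append(elem)
    body = root.find("env:Body", NS)
    ts = root.find("env:Header/wsse:Security/wsu:Timestamp", NS)
    return {
        "body_signed": body is not None and _id_of(body) in refs,
        "timestamp_signed": ts is not None and _id_of(ts) in refs,
        "dangling_refs": [r for r in refs if r not in seen],
        "duplicate_ids": sorted(i for i, elems in seen.items() if len(elems) > 1),
    }


if __name__ == "__main__":
    print(check_coverage(SAMPLE))        # Body and Timestamp covered, nothing duplicated
    print(check_coverage(DUPLICATE_ID))  # duplicate_ids lists "Body-1"
```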
17.108 oracle/wss10_message_protection_service_policy
The oracle/wss10_message_protection_service_policy enforces message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
Display Name: Wss10 Message Protection Service Policy
Category: Security
Description
The messages are protected using WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-43. For more information, see "Overriding Policy Configuration Properties".
- To set up OPSS:
  - Configure the policy assertion for message signing, message encryption, or both.
  - Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
  - Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. You also need to store the service's private key in the keystore for decrypting the message, and the CA root certificate.
  - Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use `keystore.enc.csf.key` as the key name.
  - Specify a value for `keystore.sig.csf.key` and `keystore.enc.csf.key`, as described in "Overriding Policy Configuration Properties".
17.109 oracle/wss11_message_protection_client_policy
The oracle/wss11_message_protection_client_policy provides message integrity and confidentiality for outbound SOAP requests in accordance with the WS-Security 1.1 standard.
Display Name: Wss11 Message Protection Client Policy
Category: Security
Description
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
Symmetric key technology is an encryption method that uses the same shared key to encrypt and decrypt data. The symmetric key is used to sign the message.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-45. For more information, see "Overriding Policy Configuration Properties".
- Set up the OWSM keystore and the web service client keystore, as described in "Overview of Configuring Keystores for Message Protection". The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
- The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for `keystore.recipient.alias`, as described in "Overriding Policy Configuration Properties". The `keystore.recipient.alias` property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
- Configure the policy assertion for message signing, message encryption, or both.
- Specify a value for `keystore.enc.csf.key`, as described in "Overriding Policy Configuration Properties".
Design Time Considerations
At design time:
- Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
- Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
- This policy uses symmetric key technology, which is an encryption method that uses the same shared key to encrypt and decrypt data. The symmetric key is used to sign the message.
- Configure the policy assertion for message signing, message encryption, or both.
The following example (WS-Security 1.1 Message Confidentiality of SOAP Message) shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.
```xml
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-...">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/>
  </xenc:EncryptionMethod>
  <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">...</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
  </dsig:KeyInfo>
  <xenc:CipherData>
    <xenc:CipherValue>...</xenc:CipherValue>
  </xenc:CipherData>
  <xenc:ReferenceList>
    <xenc:DataReference URI="#_..."/>
  </xenc:ReferenceList>
</xenc:EncryptedKey>
<env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-...">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content" Id="...">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wsse:Reference URI="#EK-..." ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
      </wsse:SecurityTokenReference>
    </dsig:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</env:Body>
```
17.110 oracle/wss11_message_protection_service_policy
The oracle/wss11_message_protection_service_policy enforces message integrity and confidentiality for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
Display Name: Wss11 Message Protection Service Policy
Category: Security
Description
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-46. For more information, see "Overriding Policy Configuration Properties".
- To set up OPSS:
  - Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection". Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. You also need to store the service's private key in the keystore for decrypting the message, and the CA root certificate.
  - Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use `keystore.enc.csf.key` as the key name.
  - Configure the policy assertion for message signing, message encryption, or both.
  - Specify a value for `keystore.enc.csf.key`, as described in "Overriding Policy Configuration Properties".
17.111 wss11_username_token_derivedkey_with_message_protection_service
The oracle/wss11_username_token_derivedkey_with_message_protection_service_policy enables OWSM to integrate with clients whose requests contain a `<wsse11:Salt>` or `<wsse11:Iteration>` element in the username token. These elements are used in the Username token to support password-derived keys. Either signature or encryption is used.
Display Name: Wss11 Username Token With Message Protection using Password Derived Keys Service Policy
Category: Security
Description
The web service consumer inserts username and password credentials, and signs or encrypts the outgoing SOAP message. The web service provider decrypts or verifies the message. This policy can be attached to any SOAP-based endpoint.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token.
To prevent replay attacks, the assertion provides the option to include time stamps and verification by the web service provider.
Note:
Only the BASIC128 algorithm suite is supported for this policy.
- The client creates a secret key using the password associated with the user. This key is used to create a symmetric signature or to encrypt data, according to the applied client policy.
  Note: The UsernameToken header encryption is not supported.
- When the service receives the message, it derives the same secret key as the client using its knowledge of the password and two additional elements, salt and iteration, as received in the request token.
- The web service authenticates the user passed through the UsernameToken and decrypts or verifies the message using this password-derived key.
- It then uses the same secret key to encrypt or sign the response that it sends back to the client.
Assertion (OR Group)
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-102. For more information, see "Overriding Policy Configuration Properties".
- Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
- To set up OPSS:
  - Configure the policy assertion for message signing, message encryption, or both.
  - Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
- Set the value of the `user.csf.key` configuration parameter. The default value is `basic.credentials`.
17.112 oracle/wss11_username_token_with_message_protection_client_policy
The oracle/wss11_username_token_with_message_protection_client_policy enables OWSM to integrate with any backend service that requires a `<wsse11:Salt>` or `<wsse11:Iteration>` element in the username token. These elements are used in the Username token to support password-derived keys. This client policy is for message protection using signature.
Display Name: Wss11 Username Token With Message Protection Signature using Password Derived Keys Client Policy
Category: Security
Description
The web service consumer inserts username and password credentials, and signs the outgoing SOAP message. The web service provider then verifies the message signature.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. The SOAP message is signed. The web service provider verifies and authenticates the signature.
To prevent replay attacks, the assertion provides the option to include time stamps and verification by the web service provider.
Note:
Only the BASIC128 algorithm suite is supported for this policy.
- The client creates a secret key using the password associated with the user. This secret key is used to create a symmetric signature of data.
- When the service receives the message, it derives the same secret key as the client using its knowledge of the password and two additional elements, salt and iteration, as received in the request token.
- The web service authenticates the user passed through the UsernameToken and verifies the message using this password-derived key.
- It then uses the same secret key to sign the response that it sends back to the client.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-101. For more information, see "Overriding Policy Configuration Properties".
- Set up the OWSM keystore to specify a key (username/password).
- Configure the policy assertion for message signing.
Design Time Considerations
At design time:
- Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
- Configure the policy assertion for message signing.
17.113 wss11_username_token_derivedkey_message_protection_encryption_client
The oracle/wss11_username_token_derivedkey_with_message_protection_encryption_only_client_policy enables OWSM to integrate with any backend service that requires a `<wsse11:Salt>` or `<wsse11:Iteration>` element in the username token. These elements are used in the Username token to support password-derived keys. This client policy is for message protection using encryption.
Display Name: Wss11 Username Token With Message Protection Encryption using Password Derived Keys Client Policy
Category: Security
Description
The web service consumer inserts username and password credentials, and encrypts the outgoing SOAP message. The web service provider decrypts the message.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. The SOAP message is encrypted. The web service provider decrypts the message, and authenticates the user.
To prevent replay attacks, the assertion provides the option to include time stamps and verification by the web service provider.
Note:
Only the BASIC128 algorithm suite is supported for this policy.
- The client creates a secret key using the password associated with the user. This secret key is used for encryption.
  Note: The UsernameToken header encryption is not supported.
- When the service receives the message, it derives the same secret key as the client using its knowledge of the password and two additional elements, salt and iteration, as received in the request token.
- The web service authenticates the user passed through the UsernameToken and decrypts the message using this password-derived key.
- It then uses the same secret key to encrypt the response that it sends back to the client.
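As an added example that is not OWSM code, this Python models the password-derived-key exchange described for the three policies above (17.111, 17.112 and 17.113) on the signature path: the client derives a key from the password, a tagged 16-byte `<wsse11:Salt>` and an `<wsse11:Iteration>` count and signs the body, and the service derives the same key from its own copy of the password, verifies the signature, and enforces the nonce and Created-time replay checks the descriptions mention. The derivation (SHA-1 over password||salt, rehashed Iteration times, first salt octet 0x01 for a signing key and 0x02 for an encryption key) is my reading of the WS-Security UsernameToken Profile 1.1 and should be confirmed against the profile; the HMAC-SHA1 construction, the signed-field layout, the 300-second freshness window and the minimum iteration count are assumptions of this example, not OWSM settings.

```python
"""Password-derived-key UsernameToken flow: client signs, service derives the same key and verifies.

Added example, not part of the OWSM documentation. Derivation per my reading of the
WS-Security UsernameToken Profile 1.1: K1 = SHA1(password || salt), Kn = SHA1(Kn-1),
key = K_Iteration, salt first octet 0x01 for a signature key / 0x02 for an encryption key.
HMAC-SHA1, the signed-field layout, the freshness window and the iteration floor are
assumptions of this example, not OWSM settings.
"""
import base64
import calendar
import hashlib
import hmac
import os
import time

SIG_SALT_TAG = 0x01        # assumed profile tag: derived key is a signature (MAC) key
ENC_SALT_TAG = 0x02        # assumed profile tag: derived key is an encryption key
DEFAULT_ITERATIONS = 1000  # the profile's recommended minimum, as I recall it
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def new_salt(tag):
    """16-byte salt: the usage tag octet followed by 15 random octets."""
    return bytes([tag]) + os.urandom(15)


def derive_key(password, salt, iterations=DEFAULT_ITERATIONS):
    """Return the 20-byte key K_iterations for this password, salt and iteration count."""
    if len(salt) != 16 or iterations < 1:
        raise ValueError("salt must be 16 bytes and iterations >= 1")
    k = hashlib.sha1(password.encode("utf-8") + salt).digest()
    for _ in range(iterations - 1):
        k = hashlib.sha1(k).digest()
    return k


def _signed_bytes(token, body):
    """Bind the signature to the replay-protection fields as well as the body (assumed layout)."""
    return (token["Created"] + "|" + token["Nonce"] + "|" + body).encode("utf-8")


def client_sign(username, password, body, now=None, iterations=DEFAULT_ITERATIONS):
    """Client side: emit the token fields (Salt/Iteration/Nonce/Created) and an HMAC over the body."""
    now = time.time() if now is None else now
    salt = new_salt(SIG_SALT_TAG)
    token = {
        "Username": username,
        "Salt": base64.b64encode(salt).decode("ascii"),
        "Iteration": iterations,
        "Nonce": base64.b64encode(os.urandom(16)).decode("ascii"),
        "Created": time.strftime(TIME_FMT, time.gmtime(now)),
    }
    key = derive_key(password, salt, iterations)
    return token, hmac.new(key, _signed_bytes(token, body), hashlib.sha1).digest()


class Service:
    """Service side: knows the passwords, re-derives the key from the token's Salt/Iteration."""

    FRESHNESS_SECONDS = 300  # assumed acceptance window for the Created timestamp

    def __init__(self, passwords, min_iterations=DEFAULT_ITERATIONS):
        self.passwords = passwords
        self.min_iterations = min_iterations
        self.seen_nonces = set()  # nonces already accepted; a real cache would expire them

    def verify(self, token, signature, body, now=None):
        """Return (accepted, reason); the reason names the first failed check."""
        now = time.time() if now is None else now
        password = self.passwords.get(token["Username"])
        if password is None:
            return False, "unknown user"
        salt = base64.b64decode(token["Salt"])
        if len(salt) != 16 or salt[0] != SIG_SALT_TAG:
            return False, "salt is not a 16-byte signature-key salt"
        if token["Iteration"] < self.min_iterations:
            return False, "iteration count below minimum"
        created = calendar.timegm(time.strptime(token["Created"], TIME_FMT))
        if abs(now - created) > self.FRESHNESS_SECONDS:
            return False, "Created outside freshness window"
        if token["Nonce"] in self.seen_nonces:
            return False, "nonce replayed"
        key = derive_key(password, salt, token["Iteration"])
        expected = hmac.new(key, _signed_bytes(token, body), hashlib.sha1).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "signature mismatch"
        self.seen_nonces.add(token["Nonce"])
        return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    svc = Service({"alice": "correct horse"})
    tok, sig = client_sign("alice", "correct horse", "<op>pay</op>", now=now)
    print(svc.verify(tok, sig, "<op>pay</op>", now=now))  # (True, 'ok')
    print(svc.verify(tok, sig, "<op>pay</op>", now=now))  # (False, 'nonce replayed')
```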
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-101. For more information, see "Overriding Policy Configuration Properties".
- Set up the OWSM keystore to specify a key (username/password).
- Configure the policy assertion for message encryption.
Design Time Considerations
At design time:
- Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
- Configure the policy assertion for message encryption.
17.114 oracle/pii_security_policy
The oracle/pii_security_policy encrypts the Personally Identifiable Information (PII) data you want to protect.
Display Name: PII Security Policy
Category: Security
Description
Encrypts the Personally Identifiable Information (PII) data you want to protect.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is not advertised in the WSDL.
Configuration
Override the configuration properties defined in Table 18-109. For more information, see "Overriding Policy Configuration Properties".
17.115 oracle/sts_trust_config_client_policy
The oracle/sts_trust_config_client_policy specifies the STS client configuration information that is used to invoke the STS for token exchange.
Display Name: STS Trust Configuration Client Policy
Category: Security
Description
Use this policy only if you are not using Automatic (Client STS) Policy Configuration, as described in "Setting Up Automatic Policy Configuration for STS".
If you attach multiple instances of `oracle/sts_trust_config_client_policy`, no error is generated. However, only one instance is enforced, and you cannot control which instance that is.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is not advertised.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-111. For more information, see "Overriding Policy Configuration Properties".
- Configure the STS configuration policy from the web service, as described in "Setting Up Automatic Policy Configuration for STS".
- However, if you did not configure the STS configuration policy from the web service, or if you are using the SAML sender vouches confirmation method, then you must configure it from the web service client. For more information, see "Manually Configuring the STS Config Policy From the Web Service Client: Main Steps".
Design Time Considerations
At design time, you can set up and attach the `oracle/sts_trust_config_client_policy` policy programmatically, as shown in the following example.
```java
// Fragment from inside a client method: getWebConnectionString(), fileToElement(),
// OracleService and the generated JaxwsService port type are assumed to be on the classpath.
URL endpointUrl = new URL(getWebConnectionString() + "/jaxws-test-service/jaxws-test-port");
ServiceDelegateImpl client = new ServiceDelegateImpl(
    new URL(endpointUrl.toString() + "?WSDL"),
    new QName("http://jaxws.example.com/targetNamespace/JaxwsService", "JaxwsService"),
    OracleService.class);
JaxwsService port = client.getPort(
    new QName("http://jaxws.example.com/targetNamespace/JaxwsService", "JaxwsServicePort"),
    test.jaxws.client.JaxwsService.class);
// Point the proxy at the endpoint and hand it the client configuration file that
// carries the policy references shown below.
((BindingProvider) port).getRequestContext().put(
    BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpointUrl.toExternalForm());
((BindingProvider) port).getRequestContext().put(
    ClientConstants.CLIENT_CONFIG,
    fileToElement(new File("./jaxws/client/dat/oracle-webservice-client.xml")));
```
The following example shows the related oracle-webservice-client.xml file with the STS config policy and STS issue policy. Note that the policy URI must match the predefined policy name exactly; a stray space inside the uri attribute value is not tolerated.
<?xml version="1.0" encoding="UTF-8"?>
<oracle-webservice-clients>
  <webservice-client>
    <port-info>
      <policy-references>
        <policy-reference uri="oracle/sts_trust_config_client_policy" category="security"/>
        <policy-reference uri="oracle/wss11_sts_issue_saml_hok_with_message_protection_client_policy" category="security"/>
      </policy-references>
    </port-info>
  </webservice-client>
</oracle-webservice-clients>
17.116 oracle/sts_trust_config_service_policy
The oracle/sts_trust_config_service_policy specifies the STS configuration information that is used to invoke the STS for token exchange.
Display Name: STS Trust Configuration Service Policy
Category: Security
Description
Specifies the STS configuration information that is used to invoke the STS for token exchange.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-113. For more information, see "Overriding Policy Configuration Properties".
-
Set up the web service, as described in "Setting Up Automatic Policy Configuration for STS".
17.117 oracle/wss_saml_bearer_or_username_token_service_policy
The oracle/wss_saml_bearer_or_username_token_service_policy enforces one authentication policy, based on whether the client uses a SAML or username token.
Display Name: WSSecurity SAML Token Bearer or WSSecurity UserName Token
Category: Security
Description
Enforces one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:
-
SAML token within WS-Security SOAP header using the bearer confirmation type.
-
WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. This policy provides authentication only; it does not itself sign or encrypt the SOAP message.
Assertions (OR Group)
This policy contains the following assertions as an OR group—meaning either type of policy can be enforced by a client:
The assertions are advertised in the WSDL.
17.118 oracle/wss_saml_or_username_token_service_policy
The oracle/wss_saml_or_username_token_service_policy enforces an authentication policy, based on whether the client uses a SAML or username token.
Display Name: Wss SAML Token or Wss Username Token Service Policy
Category: Security
Description
Enforces one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:
-
SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
-
WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. This policy provides authentication only; it does not itself sign or encrypt the SOAP message.
Assertions (OR Group)
This policy contains assertions based on the following assertion templates, grouped as an OR group, meaning the client can send either one of the tokens:
The assertions are advertised in the WSDL.
Configuration
For information about configuring this policy, refer to the following policy descriptions:
17.119 oracle/wss_saml_or_username_token_over_ssl_service_policy
The oracle/wss_saml_or_username_token_over_ssl_service_policy enforces message protection (integrity and confidentiality) and an authentication policy, based on whether the client uses a SAML or username token.
Display Name: Wss SAML Token or Wss Username Token Over SSL Service Policy
Category: Security
Description
Enforces message protection (integrity and confidentiality) and one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:
-
SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
-
WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. Integrity and confidentiality are provided by the SSL transport; the SOAP message itself is not signed or encrypted at the message level.
Assertions (OR Group)
This policy contains assertions based on the following assertion templates, grouped as an OR group, meaning the client can send either one of the tokens:
The assertions are advertised in the WSDL.
Configuration
For information about configuring this policy, refer to the following policy descriptions:
17.120 oracle/wss_saml_token_bearer_client_policy
The oracle/wss_saml_token_bearer_client_policy includes SAML tokens in outbound SOAP request messages.
Display Name: Wss SAML Token (confirmation method as bearer) Client Policy
Category: Security
Description
The SAML token with confirmation method Bearer is created automatically.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-59. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Configure SAML on the client side, as described in "Configuring SAML Web Service Client at Design Time".
17.121 oracle/wss_saml_token_bearer_over_ssl_client_policy
The oracle/wss_saml_token_bearer_over_ssl_client_policy includes SAML tokens in outbound SOAP request messages. The policy also verifies that the transport protocol provides SSL message protection.
Display Name: Wss SAML Token (confirmation method as bearer) Over SSL Client Policy
Category: Security
Description
The SAML token with confirmation method Bearer is created automatically. This policy can be attached to any SOAP-based client.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
This policy uses the bearer confirmation method with SSL transport protection, so the SAML issuer named in the token must be a trusted issuer. Configure trusted issuers and DN lists, as described in "Configuring SAML and JWT Trusted Issuers, DN Lists, and Token Attribute Rules Using WLST".
Note:
You do not need to configure trusted issuers and DN lists if no DN is configured for the issuer, or if you are using the default trusted SAML issuer (www.oracle.com) in the token issuer trust document.
-
Override the configuration properties defined in Table 18-59. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
-
Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Configure SAML on the client side, as described in "Configuring SAML Web Service Client at Design Time".
17.122 oracle/wss_saml_token_bearer_over_ssl_service_policy
The oracle/wss_saml_token_bearer_over_ssl_service_policy authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.
Display Name: Wss SAML Token (confirmation method as bearer) Over SSL Service Policy
Category: Security
Description
The credentials in the SAML token are authenticated against a SAML login module. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based endpoint.
The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-60. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
-
Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
Configure the saml.loginmodule login module. See "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control" for more information. The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
-
Configure SAML and set up OPSS, as described in "About SAML Configuration".
17.123 oracle/wss_http_token_over_ssl_client_policy
The oracle/wss_http_token_over_ssl_client_policy includes credentials in the HTTP header of outbound client requests and verifies that the transport protocol is HTTPS; the receiving service authenticates those credentials against the OPSS identity store. The client must pass the credentials in the HTTP header.
Display Name: Wss HTTP Token Over SSL Client Policy
Category: Security
Description
Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based client.
Note:
Currently only HTTP basic authentication is supported.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-52. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way SSL, as described in "Configuring One-Way SSL for a Web Service Client".
-
Specify a value for csf-key, as described in "Overriding Policy Configuration Properties". The value signifies a key that maps to a username/password. For information about how to add the key to the credential store, see "Adding Keys and User Credentials to Configure the Credential Store".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
The client must pass the credentials in the HTTP header.
17.124 oracle/wss_http_token_over_ssl_service_policy
The oracle/wss_http_token_over_ssl_service_policy extracts the credentials in the HTTP header and authenticates users against the OPSS identity store, and verifies that the transport protocol is HTTPS.
Display Name: Wss HTTP Token Over SSL Service Policy
Category: Security
Description
Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based endpoint.
Note:
This policy functions similarly to oracle/http_basic_auth_over_ssl_service_policy. The only difference is that oracle/wss_http_token_over_ssl_service_policy enables the include-timestamp attribute in the require-tls element to prevent replay attacks, which is not applicable to RESTful services. For more information about the require-tls element, see "orasp:require-tls Element".
Currently only HTTP basic authentication is supported.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-53. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way SSL, as described in "Configuring One-Way SSL for a Web Service Client".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
17.125 oracle/wss_saml_token_over_ssl_client_policy
The oracle/wss_saml_token_over_ssl_client_policy includes SAML tokens in outbound WS-Security SOAP headers using the sender-vouches confirmation type. The policy verifies that the transport protocol provides SSL message protection.
Display Name: Wss SAML Token Over SSL Client Policy
Category: Security
Description
This policy can be enforced on any SOAP-based client.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
This policy uses the sender-vouches confirmation method with SSL transport protection, so the party presenting the token must be trusted to vouch for it: the DN of the client's SSL certificate is checked against the DN list configured for the SAML issuer. Configure trusted issuers and DN lists, as described in "Configuring SAML and JWT Trusted Issuers, DN Lists, and Token Attribute Rules Using WLST".
Note:
You do not need to configure trusted issuers and DN lists if no DN is configured for the issuer, or if you are using the default trusted SAML issuer (www.oracle.com) in the token issuer trust document.
-
Override the configuration properties defined in Table 18-65. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
-
Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Configure SAML on the client side, as described in "Configuring SAML Web Service Client at Design Time".
17.126 oracle/wss_saml_token_over_ssl_service_policy
The oracle/wss_saml_token_over_ssl_service_policy enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type, and verifies that the transport protocol provides SSL message protection.
Display Name: Wss SAML Token Over SSL Service Policy
Category: Security
Description
The SAML token is mapped to a user in the configured identity store. This policy can be enforced on any SOAP-based endpoint.
The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-66. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
-
Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
Configure the saml.loginmodule login module, as described in "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control". The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
-
Configure SAML and set up OPSS, as described in "About SAML Configuration".
17.127 oracle/wss_saml20_token_bearer_over_ssl_client_policy
The oracle/wss_saml20_token_bearer_over_ssl_client_policy includes SAML tokens in outbound SOAP request messages, and verifies that the transport protocol provides SSL message protection.
Display Name: Wss SAML V2.0 Token (confirmation method as bearer) Over SSL Client Policy
Category: Security
Description
The SAML token with confirmation method Bearer is created automatically. This policy can be attached to any SOAP-based client.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-62. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
-
Specify a value for propagate.identity.context on the Configurations page, or override it on a per-client basis using the Security Configuration Details control when you attach the policy. The propagate.identity.context property defaults to a value of blank. See "Propagating Identity Context Using SAML Policies" for additional considerations.
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Configure SAML on the client side, as described in "Configuring SAML Web Service Client at Design Time".
17.128 oracle/wss_saml20_token_bearer_over_ssl_service_policy
The oracle/wss_saml20_token_bearer_over_ssl_service_policy authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header, and verifies that the transport protocol provides SSL message protection.
Display Name: Wss SAML V2.0 Token (confirmation method as bearer) Over SSL Service Policy
Category: Security
Description
The credentials in the SAML token are authenticated against a SAML login module. This policy can be enforced on any SOAP-based endpoint.
The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-63. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
-
Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
Configure the saml2.loginmodule login module, as described in "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control". The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
-
Configure SAML and set up OPSS, as described in "About SAML Configuration".
17.129 oracle/wss_saml20_token_over_ssl_client_policy
The oracle/wss_saml20_token_over_ssl_client_policy includes SAML tokens in outbound WS-Security SOAP headers using the sender-vouches confirmation type, and verifies that the transport protocol provides SSL message protection.
Display Name: Wss SAML V2.0 Token Over SSL Client Policy
Category: Security
Description
This policy can be enforced on any SOAP-based client.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-68. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
-
Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Configure SAML on the client side, as described in "Configuring SAML Web Service Client at Design Time".
17.130 oracle/wss_saml20_token_over_ssl_service_policy
The oracle/wss_saml20_token_over_ssl_service_policy enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type, and verifies that the transport protocol provides SSL message protection.
Display Name: Wss SAML V2.0 Token Over SSL Service Policy
Category: Security
Description
The SAML token is mapped to a user in the configured identity store. This policy can be enforced on any SOAP-based endpoint.
The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
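The SAML over SSL service policies above (17.122, 17.126, 17.128 and 17.130) all perform the same checks before the login module sees the subject: the issuer must be trusted, the assertion must be inside its validity window, and the confirmation method decides who has to be trusted to present it. The following block is an added example of those checks for a SAML 2.0 assertion and is not OWSM code; the issuer name, the trusted DN list, the fixed clock and the sample assertion are constructed for the example, and XML signature verification is deliberately left out because with sender-vouches over SSL it is the client's SSL certificate, not an XML signature, that identifies the vouching party.

```python
# Added example (not OWSM code): the checks a SAML 2.0 over-SSL service policy
# performs before the login module extracts the subject name, covering both the
# bearer and the sender-vouches confirmation methods. Standard library only.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
NS = {"saml": SAML2}

# Constructed token issuer trust: issuer name -> DNs allowed to vouch for it
# (hypothetical values, shaped like OWSM's per-issuer trusted DN lists).
TRUSTED_ISSUERS = {
    "idp.example.com": ["CN=wsclient,OU=Apps,O=Example,C=US"],
}
# Fixed clock so the example is reproducible; a real service uses the current time.
FIXED_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_assertion(method, issuer="idp.example.com", subject="alice"):
    """Constructed SAML 2.0 assertion, valid from 11:55 to 12:05 on the fixed clock."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML2}" Version="2.0" ID="_a1" IssueInstant="2024-01-01T11:55:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID>"
        f'<saml:SubjectConfirmation Method="{method}"/></saml:Subject>'
        '<saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>'
        "</saml:Assertion>"
    )


def validate_saml2_over_ssl(assertion_xml, tls_client_dn=None, now=FIXED_NOW, trust=TRUSTED_ISSUERS):
    """Return (ok, detail): detail is the subject NameID on success, else the reason.

    tls_client_dn is the subject DN of the client's two-way SSL certificate
    (None with one-way SSL).
    """
    try:
        root = ET.fromstring(assertion_xml)
    except ET.ParseError as e:
        return False, f"malformed assertion: {e}"
    if root.tag != f"{{{SAML2}}}Assertion":
        return False, "not a SAML 2.0 assertion"

    # 1. The issuer named in the token must be a configured trusted issuer.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in trust:
        return False, f"untrusted issuer: {issuer!r}"

    # 2. The assertion must be inside its validity window.
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing validity conditions"
    try:
        if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
            return False, "assertion outside its validity window"
    except ValueError:
        return False, "malformed validity timestamps"

    # 3. Subject and confirmation method.
    subject = root.find("saml:Subject", NS)
    name_id = subject.findtext("saml:NameID", namespaces=NS) if subject is not None else None
    conf = subject.find("saml:SubjectConfirmation", NS) if subject is not None else None
    if not name_id or conf is None:
        return False, "missing subject or confirmation"
    method = conf.get("Method")

    if method == CM_BEARER:
        # Bearer: whoever presents the token over SSL is taken at face value;
        # trust rests entirely on the issuer check above.
        pass
    elif method == CM_SENDER_VOUCHES:
        # Sender-vouches: the presenter vouches for the subject, so the
        # presenter's SSL client certificate DN must be on the issuer's DN list.
        if tls_client_dn is None:
            return False, "sender-vouches requires two-way SSL (no client certificate)"
        if tls_client_dn not in trust[issuer]:
            return False, f"presenter DN {tls_client_dn!r} not trusted for issuer {issuer!r}"
    else:
        return False, f"unsupported confirmation method: {method!r}"
    # The login module would now map name_id to a user in the identity store.
    return True, name_id
```

The split between the two branches is the point of the "trusted issuers and DN lists" configuration steps: a bearer token needs only a trusted issuer, while a sender-vouches token over SSL additionally needs the presenter's certificate DN on that issuer's DN list, which is why the sender-vouches policies call for two-way SSL.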
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-63. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
-
Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
Configure the saml2.loginmodule login module, as described in "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control". The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
-
Configure SAML and set up OPSS, as described in "About SAML Configuration".
17.131 oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy
The oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy inserts a SAML bearer assertion issued by a trusted STS. Messages are protected using SSL.
Display Name: Wss Issued Token with Saml Bearer Over SSL Client Policy
Category: Security
Description
Inserts a SAML bearer assertion issued by a trusted STS. Messages are protected using SSL.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-115. For more information, see "Overriding Policy Configuration Properties". For examples of overriding STS configuration settings, see "Programmatically Overriding Policy Configuration for WS-Trust Client Policies".
-
Set up the web service client, as described in "Main Steps in Setting Up Automatic Policy Configuration".
-
Set up the OWSM keystore to specify a key (username/password or X.509) to authenticate to the STS, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Configure SAML on the client side, as described in "Configuring SAML Web Service Client at Design Time".
17.132 oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy
The oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy authenticates a SAML bearer assertion issued by a trusted STS.
Display Name: Wss Issued Token with Saml Bearer Over SSL Service Policy
Category: Security
Description
Authenticates a SAML bearer assertion issued by a trusted STS. Messages are protected using SSL.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
See also "WS-Trust Assertion Templates" for more information about the assertion.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-116. For more information, see "Overriding Policy Configuration Properties". For examples of overriding STS configuration settings, see "Programmatically Overriding Policy Configuration for WS-Trust Client Policies".
-
Set up the web service, as described in "Main Steps in Setting Up Automatic Policy Configuration".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
17.133 oracle/wss_username_token_over_ssl_client_policy
The oracle/wss_username_token_over_ssl_client_policy includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages, and verifies that the transport protocol provides SSL message protection. Both plain text and digest mechanisms are supported.
Display Name: Wss Username Token Over SSL Client Policy
Category: Security
Description
This policy can be attached to any SOAP-based client.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. Integrity and confidentiality are provided by the SSL transport; the SOAP message itself is not signed or encrypted at the message level.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-71. For more information, see "Overriding Policy Configuration Properties".
-
If you specify a password type of None on the Settings page, you do not need to include a password in the key.
-
Specify a value for csf-key, as described in "Overriding Policy Configuration Properties". The value signifies a key that maps to a username/password. For information about how to add the key to the credential store, see "Adding Keys and User Credentials to Configure the Credential Store".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Include a WS-Security UsernameToken element (<wsse:UsernameToken/>) in the SOAP request message. The client provides a username and password for authentication.
17.134 oracle/wss_username_token_over_ssl_service_policy
The oracle/wss_username_token_over_ssl_service_policy uses the credentials in the WS-Security UsernameToken SOAP header to authenticate users against the OPSS configured identity store, and verifies that the transport protocol provides SSL message protection.
Display Name: Wss Username Token Over SSL Service Policy
Category: Security
Description
Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based endpoint.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. Integrity and confidentiality are provided by the SSL transport; the SOAP message itself is not signed or encrypted at the message level.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-72. For more information, see "Overriding Policy Configuration Properties".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
The username and password must exist and be valid.
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
17.135 oracle/wss_username_token_over_ssl_wssc_client_policy
The oracle/wss_username_token_over_ssl_wssc_client_policy includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages, and verifies that the transport protocol provides SSL message protection.
Display Name: Wss Username Token Over SSL with secure conversation enabled Client Policy
Category: Security
Description
Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. Integrity and confidentiality are provided by the SSL transport; the SOAP message itself is not signed or encrypted at the message level.
This policy has secure conversation enabled. For more information, see Configuring Secure Conversation Using Oracle Web Services Manager.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-71. For more information, see "Overriding Policy Configuration Properties".
-
Configure secure conversation, as described in Configuring Secure Conversation Using Oracle Web Services Manager.
-
Specify a value for csf-key, as described in "Overriding Policy Configuration Properties". The value signifies a key that maps to a username/password. See "Adding Keys and User Credentials to Configure the Credential Store" for information about how to add the key to the credential store.
-
If you specify a password type of None on the Settings page, you do not need to include a password in the key.
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Include a WS-Security UsernameToken element (<wsse:UsernameToken/>) in the SOAP request message. The client provides a username and password for authentication.
17.136 oracle/wss_username_token_over_ssl_wssc_service_policy
The oracle/wss_username_token_over_ssl_wssc_service_policy uses the credentials in the WS-Security UsernameToken SOAP header to authenticate users against the OPSS configured identity store, and verifies that the transport protocol provides SSL message protection.
Display Name: Wss Username Token Over SSL with secure conversation enabled Service Policy
Category: Security
Description
Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based endpoint.
To protect against replay attacks, the assertion provides the option to require a nonce and creation time in the username token. Message integrity and confidentiality come from the SSL transport, which the policy verifies is in use; the policy itself does not sign or encrypt the SOAP message.
This policy has secure conversation enabled. For more information, see Configuring Secure Conversation Using Oracle Web Services Manager.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-72. For more information, see "Overriding Policy Configuration Properties".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
The username and password must exist and be valid.
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
17.137 oracle/wss_username_token_over_ssl_notimestamp_client_policy
Display Name: Wss Username Token Over SSL No Timestamp Client Policy
Category: Security
Description
The oracle/wss_username_token_over_ssl_notimestamp_client_policy includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages. Only the plain-text password mechanism is supported. The credentials can be provided either programmatically through the Java Authentication and Authorization Service (JAAS) subject, or by a reference in the policy to the configured credential store. The policy also verifies that the transport protocol provides SSL message protection. This policy can be attached to any SOAP-based client. No WS-Security Timestamp element is added to the message.
To protect against replay attacks, the assertion provides the option to require a nonce and creation time in the username token. Message integrity and confidentiality come from the SSL transport, which the policy verifies is in use; the policy itself does not sign or encrypt the SOAP message.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-71. For more information, see "Overriding Policy Configuration Properties".
-
If you specify a password type of None on the Settings page, you do not need to include a password in the key.
-
Specify a value for csf-key, as described in "Overriding Policy Configuration Properties". The value signifies a key that maps to a username/password. For information about how to add the key to the credential store, see "Adding Keys and User Credentials to Configure the Credential Store".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Include a WS-Security UsernameToken element (<wsse:UsernameToken/>) in the SOAP request message. The client provides a username and password for authentication.
17.138 oracle/wss_username_token_over_ssl_notimestamp_service_policy
Display Name: Wss Username Token Over SSL No Timestamp Service Policy
Category: Security
Description
The oracle/wss_username_token_over_ssl_notimestamp_service_policy uses the credentials in the WS-Security UsernameToken SOAP header to authenticate users against the configured identity store. Only the plain-text password mechanism is supported. The policy verifies that the transport protocol provides SSL message protection. This policy can be attached to any SOAP-based endpoint. A WS-Security Timestamp element must not be present in the incoming message.
To protect against replay attacks, the assertion provides the option to require a nonce and creation time in the username token. Message integrity and confidentiality come from the SSL transport, which the policy verifies is in use; the policy itself does not sign or encrypt the SOAP message.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-72. For more information, see "Overriding Policy Configuration Properties".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
The username and password must exist and be valid.
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
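The following is an added example, not code from Oracle or OWSM, showing the inbound checks that the oracle/wss_username_token_over_ssl_* service policies in 17.134 through 17.138 describe: a wsse:UsernameToken carrying either a PasswordText or a PasswordDigest password, the optional nonce and creation time used for replay protection, and (for the *_notimestamp_* variants) rejection of a WS-Security Timestamp element. The digest formula is the one from the WS-Security UsernameToken Profile. TRUSTED_USERS is a constructed stand-in for the identity store behind the WebLogic Authentication provider, build_request and UsernameTokenVerifier are names chosen for the example, and the SSL transport check is assumed to have happened before this code runs.

```python
"""Added example: service-side checks on a WS-Security UsernameToken (not OWSM code)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

# Constructed stand-in for the identity store behind the Authentication provider.
TRUSTED_USERS = {"weblogic": "welcome1"}


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """UsernameToken Profile: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_request(user, password, nonce_b64, created, digest=True, add_timestamp=False):
    """Client side: minimal SOAP envelope carrying a wsse:UsernameToken (constructed)."""
    pw = password_digest(nonce_b64, created, password) if digest else password
    ts = f"<wsu:Timestamp><wsu:Created>{created}</wsu:Created></wsu:Timestamp>" if add_timestamp else ""
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <soap:Header><wsse:Security>{ts}
    <wsse:UsernameToken>
      <wsse:Username>{user}</wsse:Username>
      <wsse:Password Type="{PW_DIGEST if digest else PW_TEXT}">{pw}</wsse:Password>
      <wsse:Nonce>{nonce_b64}</wsse:Nonce>
      <wsu:Created>{created}</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security></soap:Header>
  <soap:Body><echo>hello</echo></soap:Body>
</soap:Envelope>"""


class UsernameTokenVerifier:
    """Service side. The SSL transport is assumed to have been verified before this runs."""

    def __init__(self, require_nonce=True, reject_timestamp=False, max_age=timedelta(minutes=5)):
        self.require_nonce = require_nonce        # policy option: nonce and creation time required
        self.reject_timestamp = reject_timestamp  # *_notimestamp_* variants: wsu:Timestamp forbidden
        self.max_age = max_age                    # freshness window around wsu:Created
        self.seen_nonces = set()                  # replay cache; keep entries at least max_age

    def verify(self, envelope: str, now: datetime) -> str:
        """Return the authenticated username, or raise ValueError with the reason."""
        root = ET.fromstring(envelope)
        sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
        if sec is None:
            raise ValueError("no wsse:Security header")
        if self.reject_timestamp and sec.find(f"{{{WSU}}}Timestamp") is not None:
            raise ValueError("wsu:Timestamp present but policy forbids it")
        tok = sec.find(f"{{{WSSE}}}UsernameToken")
        if tok is None:
            raise ValueError("no wsse:UsernameToken")
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw_el = tok.find(f"{{{WSSE}}}Password")
        nonce = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if user not in TRUSTED_USERS or pw_el is None:
            raise ValueError("unknown user or missing password")
        ptype = pw_el.get("Type", PW_TEXT)
        if (self.require_nonce or ptype == PW_DIGEST) and not (nonce and created):
            raise ValueError("nonce and creation time required")
        if nonce and created:
            ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if not (now - self.max_age <= ts <= now + self.max_age):
                raise ValueError("creation time outside freshness window")
            if nonce in self.seen_nonces:
                raise ValueError("replayed nonce")
        expected = TRUSTED_USERS[user]
        presented = (pw_el.text or "").encode()
        if ptype == PW_DIGEST:
            ok = hmac.compare_digest(presented, password_digest(nonce, created, expected).encode())
        elif ptype == PW_TEXT:
            ok = hmac.compare_digest(presented, expected.encode())
        else:
            raise ValueError(f"unsupported password type {ptype}")
        if not ok:
            raise ValueError("bad password")
        if nonce:
            self.seen_nonces.add(nonce)  # remember only nonces of authenticated requests
        return user


def run_scenarios() -> dict:
    """Exercise the verifier on constructed requests; returns the outcome per scenario."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    created = "2024-01-01T12:00:00Z"
    nonce = base64.b64encode(b"0123456789abcdef").decode()  # constructed, fixed for the demo
    v = UsernameTokenVerifier()
    req = build_request("weblogic", "welcome1", nonce, created)
    out = {"digest_ok": v.verify(req, now)}
    cases = {
        "replay": (v, req, now),
        "stale": (UsernameTokenVerifier(), req, now + timedelta(minutes=30)),
        "bad_password": (UsernameTokenVerifier(), build_request("weblogic", "wrong", nonce, created), now),
        "timestamp_forbidden": (UsernameTokenVerifier(reject_timestamp=True),
                                build_request("weblogic", "welcome1", nonce, created, digest=False, add_timestamp=True), now),
    }
    for name, (verifier, env, when) in cases.items():
        try:
            out[name] = "accepted: " + verifier.verify(env, when)
        except ValueError as e:
            out[name] = str(e)
    out["plaintext_ok"] = UsernameTokenVerifier(reject_timestamp=True).verify(
        build_request("weblogic", "welcome1", nonce, created, digest=False), now)
    return out
```

run_scenarios() returns one entry per case: the first digest request is accepted, the identical request is rejected as a replayed nonce, the same request presented 30 minutes later fails the freshness window, and the plaintext request with a Timestamp is rejected only by the verifier configured for the no-timestamp variant. Two practical points follow from the code: the nonce cache has to be retained for at least the freshness window, otherwise a captured token can be replayed the moment its nonce is evicted, and the digest only hides the password on the wire, so the transport SSL that these policies verify remains the actual protection for the credential.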
17.139 oracle/wss10_saml_hok_token_with_message_protection_client_policy
The oracle/wss10_saml_hok_token_with_message_protection_client_policy provides message protection (integrity and confidentiality) and SAML holder-of-key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.
Display Name: Wss10 SAML Holder-Of-Key Token With Message Protection Client Policy
Category: Security
Description
A SAML token, included in the SOAP message, is used in SAML-based authentication with holder of key confirmation.
The policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-74. For more information, see "Overriding Policy Configuration Properties".
-
Configure the policy assertion for message signing, message encryption, or both.
-
Specify a value for saml.issuer.name, as described in "Overriding Policy Configuration Properties". The saml.issuer.name property defaults to a value of www.oracle.com. See "Adding an Additional SAML Assertion Issuer Name" for additional considerations.
-
The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
-
Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
-
Override the saml.assertion.filename property to point to the file that has the holder-of-key assertion, as described in "Overriding Policy Configuration Properties" and "About Overriding Client Policy Configuration Properties at Design Time".
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Configure SAML for the web service client at design time, as described in "Configuring SAML Web Service Client at Design Time".
-
Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.
17.140 oracle/wss10_saml_hok_token_with_message_protection_service_policy
The oracle/wss10_saml_hok_token_with_message_protection_service_policy enforces message protection (integrity and confidentiality) and SAML holder-of-key based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
Display Name: Wss10 SAML Holder-Of-Key Token With Message Protection Service Policy
Category: Security
Description
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-75. For more information, see "Overriding Policy Configuration Properties".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
Configure the saml.loginmodule login module. See "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control" for more information. The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
Note:
A CertificateExpiredException is returned if an expired certificate is present in the keystore, regardless of whether this certificate is being referenced. To resolve this exception, remove the expired certificate from the keystore.
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
-
To set up OPSS:
  -
  Configure SAML, as described in "About SAML Configuration".
  -
  Configure the policy assertion for message signing, message encryption, or both.
  -
  Store the trusted certificate of the SAML authority in the keystore.
  -
  Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
  -
  Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
  -
  Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
17.141 oracle/wss10_saml_token_with_message_integrity_client_policy
The oracle/wss10_saml_token_with_message_integrity_client_policy provides message-level integrity and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. A SAML token, included in the SOAP message, is used in SAML-based authentication with sender vouches confirmation.
Display Name: Wss10 SAML Token With Message Integrity Client Policy
Category: Security
Description
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies and SHA-1 hashing algorithm for message integrity. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-77. For more information, see "Overriding Policy Configuration Properties".
-
Specify a value for saml.issuer.name, as described in "Overriding Policy Configuration Properties". The saml.issuer.name property defaults to a value of www.oracle.com. For additional considerations, see "Adding an Additional SAML Assertion Issuer Name".
-
Specify a value for user.roles.include, as described in "Overriding Policy Configuration Properties".
-
Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. See "Propagating Identity Context Using SAML Policies" for additional considerations.
-
Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure SAML, as described in "About SAML Configuration".
-
Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Configure the client for SAML at design time, as described in "Configuring SAML Web Service Client at Design Time".
-
Include a WS-Security Header Element (<saml:Assertion>) that inserts a SAML token in the outbound SOAP message. The confirmation type is always sender-vouches.
Example 17-* shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.
17.142 oracle/wss10_saml_token_with_message_integrity_service_policy
The oracle/wss10_saml_token_with_message_integrity_service_policy enforces message-level integrity protection and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
Display Name: Wss10 SAML Token With Message Integrity Service Policy
Category: Security
Description
It extracts the SAML token from the WS-Security binary security token or the current Java Authentication and Authorization Service (JAAS) subject, and uses those credentials to validate users against the Oracle Platform Security Services identity store.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies and SHA-1 hashing algorithm for message integrity. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-78. For more information, see "Overriding Policy Configuration Properties".
-
Override the keystore.sig.csf.key and keystore.enc.csf.key server-side configuration properties, as described in "Overview of Policy Configuration Overrides".
-
Configure SAML, as described in "About SAML Configuration".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
Configure the saml.loginmodule login module. For more information, see "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control". The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
-
Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. See "Propagating Identity Context Using SAML Policies" for additional considerations.
17.143 oracle/wss10_saml_token_with_message_protection_client_policy
The oracle/wss10_saml_token_with_message_protection_client_policy provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. The web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches.
Display Name: Wss10 SAML Token With Message Protection Client Policy
Category: Security
Description
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the web service provider.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-77. For more information, see "Overriding Policy Configuration Properties".
-
Configure the policy assertion for message signing, message encryption, or both.
-
Specify a value for saml.issuer.name, as described in "Overriding Policy Configuration Properties". The saml.issuer.name property defaults to a value of www.oracle.com. For additional considerations, see "Adding an Additional SAML Assertion Issuer Name".
-
Specify a value for user.roles.include, as described in "Overriding Policy Configuration Properties".
-
Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. See "Propagating Identity Context Using SAML Policies" for additional considerations.
-
Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
-
The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure SAML, as described in "About SAML Configuration".
-
Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Configure the client for SAML at design time, as described in "Configuring SAML Web Service Client at Design Time".
-
Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.
17.144 oracle/wss10_saml_token_with_message_protection_service_policy
The oracle/wss10_saml_token_with_message_protection_service_policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
Display Name: Wss10 SAML Token With Message Protection Service Policy
Category: Security
Description
The web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the web service provider.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-78. For more information, see "Overriding Policy Configuration Properties".
-
Configure the policy assertion for message signing, message encryption, or both.
-
Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
-
Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
Configure the saml.loginmodule login module. For more information, see "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control". The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
-
Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
-
To set up OPSS:
  -
  Configure SAML, as described in "About SAML Configuration".
  -
  Configure the policy assertion for message signing, message encryption, or both.
  -
  Store the trusted certificate of the SAML authority in the keystore.
  -
  Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
  -
  Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
  -
  Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
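The following is an added example, not Oracle or OWSM code, of the token-level checks that stand behind the phrase "SAML token limits, and their verification by the web service provider" in the wss10_saml_token_* service policies of 17.142, 17.144 and 17.146 (17.145 and 17.146 differ only in algorithm suite and key reference mechanism): the Issuer must match a trusted issuer (the counterpart of saml.issuer.name, whose default www.oracle.com is used here), the subject confirmation method must be sender-vouches, the Conditions element must bound the token's validity, the clock is allowed a small skew, and an AssertionID is accepted once within its lifetime. It deliberately stops short of XML Signature verification: in these policies the signature over the body and token is what makes the sender's vouching trustworthy, so this verifier must only run on a message whose signature has already been verified against the client's certificate. SamlSenderVouchesVerifier, build_assertion, the subject jdoe and the issuer evil.example are names constructed for the example.

```python
"""Added example: service-side checks on a SAML 1.1 sender-vouches token (not OWSM code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_assertion(issuer, subject, not_before, not_on_or_after,
                    confirmation=SENDER_VOUCHES, assertion_id="_a1"):
    """Client side: minimal SAML 1.1 assertion as a sender-vouches client inserts it (constructed)."""
    nb, noa = not_before.strftime(FMT), not_on_or_after.strftime(FMT)
    return f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
    AssertionID="{assertion_id}" Issuer="{issuer}" IssueInstant="{nb}">
  <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="{nb}">
    <saml:Subject>
      <saml:NameIdentifier>{subject}</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{confirmation}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def _utc(s: str) -> datetime:
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)


class SamlSenderVouchesVerifier:
    """Service side. Run only after the WS-Security signature over body and token is verified."""

    def __init__(self, trusted_issuers=("www.oracle.com",), clock_skew=timedelta(seconds=60)):
        self.trusted_issuers = set(trusted_issuers)  # counterpart of the trusted saml.issuer.name
        self.clock_skew = clock_skew
        self.seen = {}  # AssertionID -> NotOnOrAfter; dropped once the token can no longer be replayed

    def verify(self, assertion_xml: str, now: datetime) -> str:
        """Return the subject name to hand to the SAML login module, or raise ValueError."""
        a = ET.fromstring(assertion_xml)
        if a.tag != f"{{{SAML1}}}Assertion":
            raise ValueError("not a SAML 1.x assertion")
        issuer = a.get("Issuer")
        if issuer not in self.trusted_issuers:
            raise ValueError(f"untrusted issuer {issuer!r}")
        cond = a.find(f"{{{SAML1}}}Conditions")
        if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
            raise ValueError("Conditions with NotBefore and NotOnOrAfter required")
        nb, noa = _utc(cond.get("NotBefore")), _utc(cond.get("NotOnOrAfter"))
        if now + self.clock_skew < nb:
            raise ValueError("assertion not yet valid")
        if now - self.clock_skew >= noa:
            raise ValueError("assertion expired")
        method = a.findtext(f".//{{{SAML1}}}SubjectConfirmation/{{{SAML1}}}ConfirmationMethod")
        if method != SENDER_VOUCHES:
            raise ValueError(f"confirmation method {method!r} not accepted by this policy")
        aid = a.get("AssertionID")
        self.seen = {k: v for k, v in self.seen.items() if v > now - self.clock_skew}
        if not aid or aid in self.seen:
            raise ValueError("assertion replayed or missing AssertionID")
        name = a.findtext(f".//{{{SAML1}}}Subject/{{{SAML1}}}NameIdentifier")
        if not name:
            raise ValueError("no subject NameIdentifier")
        self.seen[aid] = noa
        return name


def run_scenarios() -> dict:
    """Exercise the verifier on constructed assertions; returns the outcome per scenario."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    five = timedelta(minutes=5)
    good = build_assertion("www.oracle.com", "jdoe", now - timedelta(minutes=1), now + five)
    v = SamlSenderVouchesVerifier()
    out = {"ok": v.verify(good, now)}
    cases = {
        "replay": (good, now),
        "expired": (good, now + timedelta(minutes=10)),
        "untrusted_issuer": (build_assertion("evil.example", "jdoe", now, now + five, assertion_id="_a2"), now),
        "holder_of_key": (build_assertion("www.oracle.com", "jdoe", now, now + five,
                                          confirmation=HOLDER_OF_KEY, assertion_id="_a3"), now),
    }
    for name, (xml, when) in cases.items():
        try:
            out[name] = "accepted: " + v.verify(xml, when)
        except ValueError as e:
            out[name] = str(e)
    return out
```

The holder_of_key case is the mirror image of the 17.139/17.140 policies: a token whose confirmation method does not match the attached policy is rejected rather than downgraded, which is why a service endpoint should carry exactly one SAML policy variant. The replay cache is keyed on AssertionID and pruned at NotOnOrAfter plus the skew, so its size is bounded by the token lifetime the issuer is allowed to set; a long NotOnOrAfter therefore costs memory on the service as well as widening the replay window.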
17.145 oracle/wss10_saml_token_with_message_protection_ski_basic256_client_policy
The oracle/wss10_saml_token_with_message_protection_ski_basic256_client_policy provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.
Display Name: Wss10 SAML Token With Message Protection SKI Basic 256 Client Policy
Category: Security
Description
The web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the web service provider.
The policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses the Subject Key Identifier (SKI) reference mechanism for the encryption key in the request and for both the signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Note:
Due to the import restrictions of some countries, the jurisdiction policy files distributed with the JDK 5.0 software have built-in restrictions on available cryptographic strength.
By default, policies that use the basic192 algorithms and above do not work with the bundled JRE/JDK. To use these algorithms, you need to download the JCE Extension jars (Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0) file from http://www.oracle.com/technetwork/java/javase/downloads/index-jdk5-jsp-142662.html.
To use these policy files, you need to replace the following JAR files in $JAVA_HOME/jre/lib/security with the corresponding JARs from the JCE Extension:
-
US_export_policy.jar
-
local_policy.jar
You should back up your existing JAR files before replacing them.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-77. For more information, see "Overriding Policy Configuration Properties".
-
Configure the policy assertion for message signing, message encryption, or both.
-
Configure SAML, as described in "About SAML Configuration".
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
-
Specify a value for saml.issuer.name, as described in "Overriding Policy Configuration Properties". The saml.issuer.name property defaults to a value of www.oracle.com. For additional considerations, see "Adding an Additional SAML Assertion Issuer Name".
-
Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
-
Specify a value for user.roles.include, as described in "Overriding Policy Configuration Properties".
-
Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
-
Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Configure SAML, as described in "Configuring SAML Web Service Client at Design Time".
-
Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.
17.146 oracle/wss10_saml_token_with_message_protection_ski_basic256_service_policy
The oracle/wss10_saml_token_with_message_protection_ski_basic256_service_policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. The policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption.
Display Name: Wss10 SAML Token With Message Protection SKI Basic 256 Service Policy
Category: Security
Description
The web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the web service provider.
This policy uses the Subject Key Identifier (ski) reference mechanism for the encryption key in the request and for both the signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Note:
Due to the import restrictions of some countries, the jurisdiction policy files distributed with the JDK 5.0 software have built-in restrictions on available cryptographic strength.
By default, policies that use the basic192 algorithms and above do not work with the bundled JRE/JDK. To use these algorithms, you need to download the JCE Extension jars (Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0) from http://www.oracle.com/technetwork/java/javase/downloads/index-jdk5-jsp-142662.html.
To use these policy files, you need to replace the following JAR files in $JAVA_HOME/jre/lib/security with the corresponding JARs from the JCE Extension:
- US_export_policy.jar
- local_policy.jar
You should back up your existing JAR files before replacing them.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-78. For more information, see "Overriding Policy Configuration Properties".
- Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
- Configure the saml.loginmodule login module. For more information, see "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control". The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
- Override the keystore.sig.csf.key and keystore.enc.csf.key server-side configuration properties, as described in "Overview of Policy Configuration Overrides".
- Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
- To set up OPSS:
  - Configure SAML, as described in "About SAML Configuration".
  - Configure the policy assertion for message signing, message encryption, or both.
  - This policy requires you to set up the keystore. When using the ski reference mechanism, use OpenSSL or another such utility to create the certificate.
  - Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
  - Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
17.147 oracle/wss10_saml20_token_with_message_protection_client_policy
The oracle/wss10_saml20_token_with_message_protection_client_policy provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption.
Display Name: Wss10 SAML V2.0 Token With Message Protection Client Policy
Category: Security
Description
The web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the web service provider.
For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-80. For more information, see "Overriding Policy Configuration Properties".
- Configure SAML, as described in "About SAML Configuration".
- Configure the policy assertion for message signing, message encryption, or both.
- Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
- Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
- Specify a value for user.roles.include, as described in "Overview of Configuring Keystores for Message Protection".
- Specify a value for propagate.identity.context, as described in "Overview of Configuring Keystores for Message Protection". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
- The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
Design Time Considerations
At design time:
- Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
- Configure SAML, as described in "Configuring SAML Web Service Client at Design Time".
- Set up the web service client keystore, as described in Understanding Web Service Security Concepts. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
Example 17-* shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.
17.148 oracle/wss10_saml20_token_with_message_protection_service_policy
The oracle/wss10_saml20_token_with_message_protection_service_policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption.
Display Name: Wss10 SAML V2.0 Token With Message Protection Service Policy
Category: Security
Description
The web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the web service provider.
For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-81. For more information, see "Overriding Policy Configuration Properties".
- Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
- Configure the saml2.loginmodule login module. See "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control" for more information. The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
- Override the keystore.sig.csf.key and keystore.enc.csf.key server-side configuration properties, as described in "Overview of Policy Configuration Overrides".
- To set up OPSS:
  - Configure SAML, as described in "About SAML Configuration".
  - Configure the policy assertion for message signing, message encryption, or both.
  - This policy requires you to set up the keystore. When using the ski reference mechanism, use OpenSSL or another such utility to create the certificate.
  - Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
  - Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
17.149 oracle/wss10_username_id_propagation_with_msg_protection_client_policy
The oracle/wss10_username_id_propagation_with_msg_protection_client_policy provides message protection (integrity and confidentiality) and identity propagation for outbound SOAP requests in accordance with the WS-Security 1.0 standard. Message protection is provided using WS-Security's Basic128 suite of asymmetric key technologies, specifically RSA key mechanisms for confidentiality, the SHA-1 hashing algorithm for integrity, and AES-128 bit encryption.
Display Name: Wss10 Username Id Propagation With Message Protection Client Policy
Category: Security
Note:
In this release, the policy oracle/wss10_username_id_propagation_with_msg_protection_client_policy has been deprecated.
Description
Credentials (only the username) are included in outbound SOAP request messages via a WS-Security UsernameToken header. No password is included. This policy can be enforced on any SOAP-based client.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-83. For more information, see "Overriding Policy Configuration Properties".
- Configure the policy assertion for message signing, message encryption, or both.
- Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
- The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
- Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
Design Time Considerations
At design time:
- Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
- Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
- Include a WS-Security UsernameToken element (<wsse:UsernameToken/>) in the SOAP request message. The client provides a username and password for authentication.
Example 17-* shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.
17.150 oracle/wss10_username_id_propagation_with_msg_protection_service_policy
The oracle/wss10_username_id_propagation_with_msg_protection_service_policy enforces message-level protection (integrity and confidentiality) and identity propagation for inbound SOAP requests using the mechanisms described in WS-Security 1.0. Message protection is provided using WS-Security 1.0's Basic128 suite of asymmetric key technologies, specifically RSA key mechanisms for confidentiality, the SHA-1 hashing algorithm for integrity, and AES-128 bit encryption.
Display Name: Wss10 Username Id Propagation With Message Protection Service Policy
Category: Security
Note:
In this release, the policy oracle/wss10_username_id_propagation_with_msg_protection_service_policy has been deprecated.
Description
This policy can be enforced on any SOAP-based endpoint.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-84. For more information, see "Overriding Policy Configuration Properties".
- Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server". The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
- To set up OPSS:
  - Configure the policy assertion for message signing, message encryption, or both.
  - Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
  - Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
  - Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
  - Override the keystore.sig.csf.key and keystore.enc.csf.key server-side configuration properties, as described in "Overview of Policy Configuration Overrides".
17.151 oracle/wss10_username_token_with_message_protection_client_policy
The oracle/wss10_username_token_with_message_protection_client_policy provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard. This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption.
Display Name: Wss10 Username Token With Message Protection Client Policy
Category: Security
Description
Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-83. For more information, see "Overriding Policy Configuration Properties".
- Configure the policy assertion for message signing, message encryption, or both.
- Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
- The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
- Specify a value for csf-key, as described in "Overriding Policy Configuration Properties". The value signifies a key that maps to a username/password. For more information about how to add the key to the credential store, see "Adding Keys and User Credentials to Configure the Credential Store".
- Override the keystore.sig.csf.key and keystore.enc.csf.key server-side configuration properties, as described in "Overview of Policy Configuration Overrides".
Design Time Considerations
At design time:
- Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
- Set up the web service client keystore, as described in Understanding Web Service Security Concepts. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
- Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.
17.152 oracle/wss10_username_token_with_message_protection_service_policy
The oracle/wss10_username_token_with_message_protection_service_policy enforces message protection (message integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption.
Display Name: Wss10 Username Token With Message Protection Service Policy
Category: Security
Description
Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based endpoint.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-84. For more information, see "Overriding Policy Configuration Properties".
- Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
- To set up OPSS:
  - Configure the policy assertion for message signing, message encryption, or both.
  - Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
  - Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
  - Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
  - Override the keystore.sig.csf.key and keystore.enc.csf.key server-side configuration properties, as described in "Overview of Policy Configuration Overrides".
17.153 oracle/wss10_username_token_with_message_protection_ski_basic256_client_policy
The oracle/wss10_username_token_with_message_protection_ski_basic256_client_policy provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard. This policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption.
Display Name: Wss10 Username Token With Message Protection SKI Basic 256 Client Policy
Category: Security
Description
Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
This policy uses the Subject Key Identifier (ski) reference mechanism for the encryption key in the request and for both the signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Note:
Due to the import restrictions of some countries, the jurisdiction policy files distributed with the JDK 5.0 software have built-in restrictions on available cryptographic strength.
By default, policies that use the basic192 algorithms and above do not work with the bundled JRE/JDK. To use these algorithms, you need to download the JCE Extension jars (Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0) from http://www.oracle.com/technetwork/java/javase/downloads/index-jdk5-jsp-142662.html.
To use these policy files, you need to replace the following JAR files in $JAVA_HOME/jre/lib/security with the corresponding JARs from the JCE Extension:
- US_export_policy.jar
- local_policy.jar
You should back up your existing JAR files before replacing them.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-83. For more information, see "Overriding Policy Configuration Properties".
- Configure the policy assertion for message signing, message encryption, or both.
- Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
- The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
- Specify a value for csf-key, as described in "Overriding Policy Configuration Properties". The value signifies a key that maps to a username/password. For more information about how to add the key to the credential store, see "Adding Keys and User Credentials to Configure the Credential Store".
- Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
Design Time Considerations
At design time:
- Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
- Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
- Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.
17.154 oracle/wss10_username_token_with_message_protection_ski_basic256_service_policy
The oracle/wss10_username_token_with_message_protection_ski_basic256_service_policy enforces message protection (message integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. This policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption.
Display Name: Wss10 Username Token With Message Protection SKI Basic 256 Service Policy
Category: Security
Description
Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based endpoint.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
This policy uses the Subject Key Identifier (ski) reference mechanism for the encryption key in the request and for both the signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
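The username-token policies in 17.149 through 17.154 all support the digest password mechanism and offer the option to require a nonce and creation time in the token as a replay defence. The following added example (not Oracle's code and independent of OWSM) shows what that option buys in practice: a client builds a WS-Security 1.0 UsernameToken with a PasswordDigest, and a service verifies the digest, enforces a freshness window on wsu:Created and rejects a nonce it has already accepted. The UsernameTokenVerifier class, the in-memory credential store and the sample user are constructed for this demonstration.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace and type URIs defined by the WS-Security 1.0 UsernameToken Profile.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def ws_timestamp(dt):
    """Render a datetime as the UTC xsd:dateTime string carried in wsu:Created."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def password_digest(nonce, created, password):
    """PasswordDigest = Base64(SHA-1(nonce + created + password)); nonce is the raw
    (base64-decoded) nonce bytes and created the exact wsu:Created text that was sent."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def build_username_token(username, password, created, nonce=None):
    """Client side: build a <wsse:UsernameToken> carrying digest password, nonce and created."""
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    token = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", Type=PASSWORD_DIGEST)
    pw.text = password_digest(nonce, created, password)
    n = ET.SubElement(token, f"{{{WSSE}}}Nonce", EncodingType=BASE64_BINARY)
    n.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    return ET.tostring(token, encoding="unicode")


class UsernameTokenVerifier:
    """Service side: digest check plus the freshness window and nonce cache that turn
    the "require nonce and creation time" option into an actual replay defence."""
    def __init__(self, credentials, freshness=timedelta(minutes=5), skew=timedelta(seconds=30)):
        self.credentials = credentials   # username -> password; constructed in-memory store
        self.freshness = freshness       # how old a Created timestamp may be
        self.skew = skew                 # tolerated clock skew for Created values in the future
        self.seen_nonces = {}            # nonce bytes -> time after which it can be forgotten

    def verify(self, token_xml, now):
        """Return (accepted, reason); structural and time checks first, digest last."""
        token = ET.fromstring(token_xml)
        username = token.findtext(f"{{{WSSE}}}Username")
        pw_el = token.find(f"{{{WSSE}}}Password")
        nonce_el = token.find(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if pw_el is None or nonce_el is None or created is None:
            return False, "missing Password, Nonce or Created"
        if pw_el.get("Type") != PASSWORD_DIGEST:
            return False, "digest password required"
        try:  # the profile also allows fractional seconds; this demo accepts whole seconds only
            created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "bad Created timestamp"
        if created_dt > now + self.skew or now - created_dt > self.freshness:
            return False, "token outside freshness window"
        self._expire(now)
        nonce = base64.b64decode(nonce_el.text or "")
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        password = self.credentials.get(username)
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, password).encode("ascii")
        if not hmac.compare_digest(expected, (pw_el.text or "").encode("utf-8")):
            return False, "digest mismatch"
        # Keep the nonce for as long as a token carrying it could still pass the time check.
        self.seen_nonces[nonce] = now + self.freshness
        return True, "ok"

    def _expire(self, now):
        for nonce in [n for n, until in self.seen_nonces.items() if until <= now]:
            del self.seen_nonces[nonce]


def demo():
    """Constructed scenario on a fixed clock: fresh token, its replay, wrong password, stale token."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier({"alice": "correct horse battery"})
    good = build_username_token("alice", "correct horse battery", ws_timestamp(now))
    stale = build_username_token("alice", "correct horse battery", ws_timestamp(now - timedelta(minutes=10)))
    wrong = build_username_token("alice", "wrong password", ws_timestamp(now))
    return {
        "fresh": verifier.verify(good, now)[1],
        "replay": verifier.verify(good, now)[1],
        "wrong_password": verifier.verify(wrong, now)[1],
        "stale": verifier.verify(stale, now)[1],
    }
```

The nonce cache must be retained for at least the freshness window, and in a clustered deployment it has to be shared across nodes, otherwise a replay against a different node is accepted.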
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Note:
Due to the import restrictions of some countries, the jurisdiction policy files distributed with the JDK 5.0 software have built-in restrictions on available cryptographic strength.
By default, policies that use the basic192 algorithms and above do not work with the bundled JRE/JDK. To use these algorithms, you need to download the JCE Extension jars (Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0) from http://www.oracle.com/technetwork/java/javase/downloads/index-jdk5-jsp-142662.html.
To use these policy files, you need to replace the following JAR files in $JAVA_HOME/jre/lib/security with the corresponding JARs from the JCE Extension:
- US_export_policy.jar
- local_policy.jar
You should back up your existing JAR files before replacing them.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-84. For more information, see "Overriding Policy Configuration Properties".
- Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
- To set up OPSS:
  - Configure the policy assertion for message signing, message encryption, or both.
  - Set up the keystore. When using the ski reference mechanism, use OpenSSL or another such utility to create the certificate.
  - Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
  - Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
  - Override the keystore.sig.csf.key and keystore.enc.csf.key server-side configuration properties, as described in "Overview of Policy Configuration Overrides".
17.155 oracle/wss10_x509_token_with_message_protection_client_policy
The oracle/wss10_x509_token_with_message_protection_client_policy provides message protection (integrity and confidentiality) and certificate credential population for outbound SOAP requests in accordance with the WS-Security 1.0 standard.
Display Name: Wss10 X509 Token With Message Protection Client Policy
Category: Security
Description
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-86. For more information, see "Overriding Policy Configuration Properties".
- Configure the policy assertion for message signing, message encryption, or both.
- Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
- The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
- Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
Design Time Considerations
At design time:
- Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
- Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
- Provide valid X.509 authentication credentials in the SOAP message through the WS-Security binary security token.
- Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.
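The signature and encryption structure these two examples describe can be checked mechanically before any cryptographic processing takes place. The following Python is an added example, not code from the Oracle documentation or from OWSM: it parses a constructed WS-Security 1.0 envelope (placeholder token, digest, cipher and signature values) and reports whether it carries the elements and Basic128 algorithm identifiers that the wss10_x509_token_with_message_protection policies call for. The algorithm URIs are the WS-SecurityPolicy Basic128 suite values; the envelope itself is constructed for this example.

```python
"""Structural pre-check of a WS-Security 1.0 X.509 message (added example, constructed data).

Confirms that a SOAP envelope carries what the wss10_x509_token_with_message_protection
policies expect: an X509v3 BinarySecurityToken, a Signature whose Reference covers the
Body, an EncryptedKey in the header and EncryptedData in the Body, all using Basic128
suite algorithms. Cryptographic verification itself is out of scope here.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# Algorithm identifiers of the WS-SecurityPolicy Basic128 suite:
# SHA-1 digest, RSA-SHA1 signature, AES-128-CBC data encryption, RSA-OAEP key wrap.
BASIC128 = {
    "digest": "http://www.w3.org/2000/09/xmldsig#sha1",
    "signature": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "encryption": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "keywrap": "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
}

# Constructed sample: the Body was signed (digest over the plaintext) and its content then
# replaced by EncryptedData. Token, digest, cipher and signature values are placeholders.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<soap:Header><wsse:Security soap:mustUnderstand="1">
<wsse:BinarySecurityToken wsu:Id="X509Token" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIB-placeholder</wsse:BinarySecurityToken>
<xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<xenc:CipherData><xenc:CipherValue>placeholder</xenc:CipherValue></xenc:CipherData>
<xenc:ReferenceList><xenc:DataReference URI="#EncBody"/></xenc:ReferenceList></xenc:EncryptedKey>
<ds:Signature><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#Body"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>placeholder</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>placeholder</ds:SignatureValue>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509Token"/></wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature></wsse:Security></soap:Header>
<soap:Body wsu:Id="Body"><xenc:EncryptedData Id="EncBody" Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<xenc:CipherData><xenc:CipherValue>placeholder</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
</soap:Body></soap:Envelope>"""


def check_wss10_x509_message(envelope_xml: str) -> list:
    """Return the policy violations found; an empty list means the structure conforms."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        return ["no wsse:Security header"]
    problems = []
    body = root.find("soap:Body", NS)
    body_id = body.get(WSU_ID) if body is not None else None

    # Credential: the client's certificate travels as an X509v3 BinarySecurityToken
    tokens = [t for t in security.findall("wsse:BinarySecurityToken", NS) if t.get("ValueType") == X509V3]
    if not tokens:
        problems.append("no X509v3 BinarySecurityToken")

    # Integrity: Signature over the Body, Basic128 algorithms, key identified via the X.509 token
    sig = security.find("ds:Signature", NS)
    if sig is None:
        problems.append("no ds:Signature")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None or method.get("Algorithm") != BASIC128["signature"]:
            problems.append("signature algorithm not in Basic128 suite")
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        if body_id is None or not any(r.get("URI") == "#" + body_id for r in refs):
            problems.append("Body is not covered by the signature")
        for ref in refs:
            digest = ref.find("ds:DigestMethod", NS)
            if digest is None or digest.get("Algorithm") != BASIC128["digest"]:
                problems.append("digest algorithm for %s not in Basic128 suite" % ref.get("URI"))
        key_ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        if key_ref is None or not any(key_ref.get("URI") == "#" + (t.get(WSU_ID) or "") for t in tokens):
            problems.append("signature key does not reference the X509 token")

    # Confidentiality: session key wrapped with RSA-OAEP, Body content encrypted with AES-128
    enc_key = security.find("xenc:EncryptedKey", NS)
    if enc_key is None:
        problems.append("no xenc:EncryptedKey")
    else:
        wrap = enc_key.find("xenc:EncryptionMethod", NS)
        if wrap is None or wrap.get("Algorithm") != BASIC128["keywrap"]:
            problems.append("key wrap algorithm not in Basic128 suite")
    enc_data = root.find("soap:Body/xenc:EncryptedData", NS)
    if enc_data is None:
        problems.append("Body is not encrypted")
    else:
        method = enc_data.find("xenc:EncryptionMethod", NS)
        if method is None or method.get("Algorithm") != BASIC128["encryption"]:
            problems.append("data encryption algorithm not in Basic128 suite")
        if enc_key is not None:
            covered = {d.get("URI") for d in enc_key.findall("xenc:ReferenceList/xenc:DataReference", NS)}
            if "#" + (enc_data.get("Id") or "") not in covered:
                problems.append("EncryptedKey does not reference the encrypted Body")
    return problems
```

A real service stack performs this kind of check on its way to decrypting and verifying the message; the value of doing it explicitly is that a message carrying, say, a 3DES EncryptedData or a signature that does not cover the Body is rejected with a precise reason instead of a generic fault, which is also what you want to see in the service's logs.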
17.156 oracle/wss10_x509_token_with_message_protection_service_policy
The oracle/wss10_x509_token_with_message_protection_service_policy enforces message protection (integrity and confidentiality) and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
Display Name: Wss10 X509 Token With Message Protection Service Policy
Category: Security
Description
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-87. For more information, see "Overriding Policy Configuration Properties".
- Configure an Authentication provider, as described in "Supported Authentication Providers in WebLogic Server".
- To set up OPSS:
  - Configure the policy assertion for message signing, message encryption, or both.
  - Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
  - Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
  - Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
  - Override the keystore.sig.csf.key and keystore.enc.csf.key server-side configuration properties, as described in "Overview of Policy Configuration Overrides".
17.157 oracle/wss11_kerberos_token_with_message_protection_client_policy
The oracle/wss11_kerberos_token_with_message_protection_client_policy includes a Kerberos token in the WS-Security header, and uses Kerberos keys to guarantee message integrity and confidentiality, in accordance with the WS-Security Kerberos Token Profile v1.1 standard.
Display Name: Wss11 Kerberos Token With Message Protection Client Policy
Category: Security
Description
This policy can be enforced on any SOAP-based client.
This policy is compatible with MIT Kerberos KDC and with newer versions of Active Directory KDC. It is not compatible with versions of Active Directory earlier than 2008 because it uses Triple DES encryption. With these earlier versions, use "oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-89. For more information, see "Overriding Policy Configuration Properties".
- Configure the policy assertion for message signing, message encryption, or both.
- Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
- Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
- Configure Kerberos tokens, as described in "Understanding Kerberos Token Configuration".
Design Time Considerations
At design time:
- Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
- Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
- Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.
17.158 oracle/wss11_kerberos_token_with_message_protection_service_policy
The oracle/wss11_kerberos_token_with_message_protection_service_policy is enforced in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user, and it enforces message integrity and confidentiality using Kerberos keys. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.
Display Name: Wss11 Kerberos Token With Message Protection Service Policy
Category: Security
Description
This policy can be enforced on any SOAP-based endpoint.
This policy is compatible with MIT Kerberos KDC and with newer versions of Active Directory KDC. It is not compatible with versions of Active Directory earlier than 2008 because it uses Triple DES encryption. With these earlier versions, use "oracle/wss11_kerberos_token_with_message_protection_basic128_service_policy".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-89. For more information, see "Overriding Policy Configuration Properties".
- Configure the krb5.loginmodule login module. See "Configuring the Kerberos Login Module".
- Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
- To set up OPSS:
  - Configure the policy assertion for message signing, message encryption, or both.
  - Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
  - Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
  - Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
  - Override the keystore.enc.csf.key server-side configuration property, as described in "Overview of Policy Configuration Overrides".
  - Configure Kerberos, as described in "Understanding Kerberos Token Configuration".
17.159 oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy
The oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy includes a Kerberos token in the WS-Security header, and uses Kerberos keys to guarantee message integrity and confidentiality, in accordance with the WS-Security Kerberos Token Profile v1.1 standard.
Display Name: Wss11 Kerberos Token With Message Protection Basic 128 Client Policy
Category: Security
Description
This policy is compatible with Active Directory KDCs. This policy can be enforced on any SOAP-based client.
This policy uses the WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-92. For more information, see "Overriding Policy Configuration Properties".
- Configure the policy assertion for message signing, message encryption, or both.
- Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
- Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
- Configure Kerberos tokens, as described in "Understanding Kerberos Token Configuration".
Design Time Considerations
At design time:
- Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
- Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
- Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.
17.160 oracle/wss11_kerberos_token_with_message_protection_basic128_service_policy
The oracle/wss11_kerberos_token_with_message_protection_basic128_service_policy is enforced in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy uses the WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption.
Display Name: Wss11 Kerberos Token With Message Protection Basic 128 Service Policy
Category: Security
Description
This policy is compatible with Active Directory KDCs. This policy can be attached to any SOAP-based endpoint.
For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy extracts the Kerberos token from the SOAP header and authenticates the user, and it enforces message integrity and confidentiality using Kerberos keys. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-93. For more information, see "Overriding Policy Configuration Properties".
- Configure the krb5.loginmodule login module. See "Configuring the Kerberos Login Module".
- Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
- To set up OPSS:
  - Configure the policy assertion for message signing, message encryption, or both.
  - Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
  - Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
  - Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
  - Configure Kerberos, as described in "Understanding Kerberos Token Configuration".
  - Override the keystore.enc.csf.key server-side configuration property, as described in "Overview of Policy Configuration Overrides".
17.161 oracle/wss11_saml_or_username_token_with_message_protection_service_policy
Display Name: Wss11 SAML Token or Wss11 Username Token With Message Protection or Wss SAML Token (Confirmation Method As Bearer) Over SSL or Wss Username Token Over SSL or Http Basic Auth Over SSL or HTTP JWT Token Over SSL Service Policy
Category: Security
Description
The oracle/wss11_saml_or_username_token_with_message_protection_service_policy enforces message protection (integrity and confidentiality) and an authentication policy, based on whether the client uses a SAML, username, or HTTP token.
Enforces message protection (integrity and confidentiality) and one of the following authentication policies, based on whether the client uses a SAML, username, or HTTP token, respectively:
- SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
- Username token authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
- SAML-based authentication using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header. Verifies that the transport protocol provides SSL message protection.
- Username token authentication using the credentials in the UsernameToken WS-Security SOAP header to authenticate users against the configured identity store. Verifies that the transport protocol provides SSL message protection.
- HTTP authentication using credentials extracted from the HTTP header to authenticate users against the configured identity store. Verifies that the transport protocol is HTTPS.
- HTTP authentication using the username provided in the JWT token in the HTTP header to authenticate users. This policy also verifies that the transport protocol is HTTPS.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
This policy uses the symmetric key technology for signing and encryption, the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures, the RSA key mechanisms for message confidentiality, the SHA-1 or SHA-2 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertions (OR Group)
This policy contains the following assertions, as an OR group—meaning any one of the tokens can be sent by the client:
- oracle/wss11_saml_token_with_message_protection_service_template
- oracle/wss11_username_token_with_message_protection_service_template
The assertions are advertised in the WSDL.
17.162 oracle/wss11_saml_or_username_token_with_message_protection_sha256_service_policy
Display Name: Wss11 Saml Token or Wss11 Username Token With Message Protection or Wss SAML Token (Confirmation Method As Bearer) Over SSL or Wss Username Token Over SSL or Http Basic Auth Over SSL Sha256 or HTTP JWT Token Over SSL Service Policy
Category: Security
Description
The oracle/wss11_saml_or_username_token_with_message_protection_sha256_service_policy enforces message protection (integrity and confidentiality) and an authentication policy, based on whether the client uses a SAML, username, or HTTP token.
Enforces message protection (integrity and confidentiality) and one of the following authentication policies, based on whether the client uses a SAML, username, or HTTP token, respectively:
- SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
- Username token authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
- SAML-based authentication using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header. Verifies that the transport protocol provides SSL message protection.
- Username token authentication using the credentials in the UsernameToken WS-Security SOAP header to authenticate users against the configured identity store. Verifies that the transport protocol provides SSL message protection.
- HTTP authentication using credentials extracted from the HTTP header to authenticate users against the configured identity store. Verifies that the transport protocol is HTTPS.
- HTTP authentication using the username provided in the JWT token in the HTTP header to authenticate users. This policy also verifies that the transport protocol is HTTPS.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
This policy uses the symmetric key technology for signing and encryption, the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures, specifically RSA key mechanisms for message confidentiality, SHA-2 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
Assertions (OR Group)
This policy contains the following assertions, as an OR group—meaning any one of the tokens can be sent by the client:
- oracle/wss11_saml_token_with_message_protection_service_template
- oracle/wss11_username_token_with_message_protection_service_template
The assertions are advertised in the WSDL.
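The OR group means the service accepts whichever of the listed credentials the client presents, but each branch carries its own further requirement: WS-Security 1.1 message protection for the first two, an SSL transport for the rest. As an added example, not part of the Oracle documentation or of OWSM, the following Python models that selection for sections 17.161 and 17.162. The InboundRequest fields, the branch labels returned by select_assertion, and the assumption that the JWT arrives in an Authorization: Bearer header are constructed for this example; the labels are not OWSM assertion or template names.

```python
"""Assertion selection for an OR-group service policy (added example, constructed model).

A policy such as wss11_saml_or_username_token_with_message_protection_service_policy
accepts any one of several credentials, but each branch of the OR group has its own
further requirement: WS-Security 1.1 message protection for the SAML sender-vouches
and username-token branches, an SSL/HTTPS transport for the others.
"""
from dataclasses import dataclass


@dataclass
class InboundRequest:
    """What the service can observe about one inbound request (fields are constructed)."""
    https: bool                      # request arrived over TLS
    signed: bool = False             # WS-Security Signature covering the Body
    encrypted: bool = False          # WS-Security EncryptedData replacing the Body content
    saml_confirmation: str = ""      # "sender-vouches", "bearer", or "" when no SAML token
    username_token: bool = False     # wsse:UsernameToken present in the Security header
    authorization: str = ""          # HTTP Authorization header value, if any


# Branch labels are descriptive names for this example, not OWSM assertion template names.
def select_assertion(req: InboundRequest) -> tuple:
    """Return (branch, reason); branch is None when no member of the OR group accepts the request."""
    protected = req.signed and req.encrypted
    if req.saml_confirmation == "sender-vouches":
        if protected:
            return ("wss11_saml_token_with_message_protection", "ok")
        return (None, "SAML sender-vouches token requires WS-Security 1.1 message protection")
    if req.saml_confirmation == "bearer":
        if req.https:
            return ("wss_saml_token_bearer_over_ssl", "ok")
        return (None, "SAML bearer token requires SSL transport")
    if req.username_token:
        if protected:
            return ("wss11_username_token_with_message_protection", "ok")
        if req.https:
            return ("wss_username_token_over_ssl", "ok")
        return (None, "username token requires message protection or SSL transport")
    # HTTP-level credentials: Basic, or a JWT assumed to travel as a Bearer token
    scheme = req.authorization.split(" ", 1)[0].lower()
    if scheme == "basic":
        return ("http_basic_auth_over_ssl", "ok") if req.https else (None, "HTTP Basic requires HTTPS")
    if scheme == "bearer":
        return ("http_jwt_token_over_ssl", "ok") if req.https else (None, "JWT requires HTTPS")
    return (None, "no credential recognised by the OR group")
```

The branch order follows the list in the description. What the model makes explicit is that a credential on its own never satisfies the policy: a username token over plain HTTP without a signed and encrypted Body, or a JWT over HTTP, falls through to a rejection rather than to a weaker branch.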
17.163 oracle/wss11_saml_token_identity_switch_with_message_protection_client_policy
The oracle/wss11_saml_token_identity_switch_with_message_protection_client_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
Display Name: Wss11 Saml Token Identity Switch With Message Protection Client Policy
Category: Security
Description
A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-95. For more information, see "Overriding Policy Configuration Properties".
- subject.precedence is set to false to allow for the use of a client-specified username rather than the authenticated subject. (If subject.precedence is false, the user name to create the SAML assertion is obtained only from the csf-key username property.) The wss11_saml_token_identity_switch_with_message_protection_client_policy policy requires that an application to which the policy is attached must have the WSIdentityPermission permission. That is, applications from which OWSM accepts the externally-supplied identity must have the WSIdentityPermission permission. This prevents potentially rogue applications from providing an identity to OWSM.
- For information about configuring this policy, see "About SAML Web Service Client Configuration for Identity Switching". In particular, you need to set the javax.xml.ws.security.auth.username property, as described in "Setting the javax.xml.ws.security.auth.username Property", and the WSIdentityPermission permission, as described in "Setting the Permission Using WSIdentityPermission".
- For additional SAML considerations, see "Configuring SAML Web Service Client at Design Time".
- Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
- Configure the policy assertion for message signing, message encryption, or both.
- The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
- Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
- Specify a value for saml.issuer.name, as described in "Overriding Policy Configuration Properties". The saml.issuer.name property defaults to a value of www.oracle.com. For additional considerations, see "Adding an Additional SAML Assertion Issuer Name".
- Specify a value for saml.issuer.uri, as described in "Overriding Policy Configuration Properties".
- Specify a value for user.roles.include, as described in "Overriding Policy Configuration Properties".
Design Time Considerations
At design time:
- Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
- Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
- Configure SAML, as described in "Configuring SAML Web Service Client at Design Time".
- Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.
17.164 oracle/wss11_saml_token_identity_switch_with_message_protection_sha256_client_policy
Display Name: Wss11 Saml Token Identity Switch With Message Protection Sha256 Client Policy
Category: Security
Description
The oracle/wss11_saml_token_identity_switch_with_message_protection_sha256_client_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures, specifically RSA key mechanisms for message confidentiality, SHA-2 hashing algorithm for message integrity, and AES-128 bit encryption. The keystore on the client is configured either on a per-request basis or through the security configuration. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation. These credentials are provided either programmatically or through the security configuration. This policy performs dynamic identity switching by propagating a different identity than the one based on authenticated Subject. This policy can be attached to any SOAP-based client.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-95. For more information, see "Overriding Policy Configuration Properties".
- subject.precedence is set to false to allow for the use of a client-specified username rather than the authenticated subject. (If subject.precedence is false, the user name to create the SAML assertion is obtained only from the csf-key username property.) The wss11_saml_token_identity_switch_with_message_protection_client_policy policy requires that an application to which the policy is attached must have the WSIdentityPermission permission. That is, applications from which OWSM accepts the externally-supplied identity must have the WSIdentityPermission permission. This prevents potentially rogue applications from providing an identity to OWSM.
- For information about configuring this policy, see "About SAML Web Service Client Configuration for Identity Switching". In particular, you need to set the javax.xml.ws.security.auth.username property, as described in "Setting the javax.xml.ws.security.auth.username Property", and the WSIdentityPermission permission, as described in "Setting the Permission Using WSIdentityPermission".
- For additional SAML considerations, see "Configuring SAML Web Service Client at Design Time".
- Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
- Configure the policy assertion for message signing, message encryption, or both.
- The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
- Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
- Specify a value for saml.issuer.name, as described in "Overriding Policy Configuration Properties". The saml.issuer.name property defaults to a value of www.oracle.com. For additional considerations, see "Adding an Additional SAML Assertion Issuer Name".
- Specify a value for saml.issuer.uri, as described in "Overriding Policy Configuration Properties".
- Specify a value for user.roles.include, as described in "Overriding Policy Configuration Properties".
Design Time Considerations
At design time:
- Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
- Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
- Configure SAML, as described in "Configuring SAML Web Service Client at Design Time".
- Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.
17.165 oracle/wss11_saml_token_with_message_protection_client_policy
The oracle/wss11_saml_token_with_message_protection_client_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
Display Name: Wss11 Saml Token With Message Protection Client Policy
Category: Security
Description
A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
- Override the configuration properties defined in Table 18-95. For more information, see "Overriding Policy Configuration Properties".
- Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
- Configure the policy assertion for message signing, message encryption, or both.
- The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
- Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
- Specify a value for saml.issuer.name, as described in "Overriding Policy Configuration Properties". The saml.issuer.name property defaults to a value of www.oracle.com. For additional considerations, see "Adding an Additional SAML Assertion Issuer Name".
- Specify a value for user.roles.include, as described in "Overriding Policy Configuration Properties".
- Specify a value for propagate.identity.context, as described in "Overview of Configuring Keystores for Message Protection". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
Design Time Considerations
At design time:
- Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
- Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
- Configure SAML, as described in "Configuring SAML Web Service Client at Design Time".
- Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.
17.166 oracle/wss11_saml_token_with_message_protection_service_policy
The oracle/wss11_saml_token_with_message_protection_service_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
Display Name: Wss11 Saml Token With Message Protection Service Policy
Category: Security
Description
A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-96. For more information, see "Overriding Policy Configuration Properties".
-
Configure SAML, as described in "About SAML Configuration".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
Configure the saml.loginmodule login module, as described in "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control". The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
-
To set up OPSS:
-
Configure the policy assertion for message signing, message encryption, or both.
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
-
Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
-
Override the keystore.enc.csf.key server-side configuration property, as described in "Overview of Policy Configuration Overrides".
17.167 oracle/wss11_saml_token_with_message_protection_sha256_client_policy
Display Name: Wss11 Saml Token With Message Protection Sha256 Client Policy
Category: Security
Description
The oracle/wss11_saml_token_with_message_protection_sha256_client_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of symmetric key technology for endorsing signatures, the RSA key mechanisms for message confidentiality, the SHA-2 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
The keystore on the client is configured either on a per-request basis or through the security configuration. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation. These credentials are provided either programmatically or through the security configuration. This policy can be attached to any SOAP-based client.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-95. For more information, see "Overriding Policy Configuration Properties".
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure the policy assertion for message signing, message encryption, or both.
-
The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
-
Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
-
Specify a value for saml.issuer.name, as described in "Overriding Policy Configuration Properties". The saml.issuer.name property defaults to a value of www.oracle.com. For additional considerations, see "Adding an Additional SAML Assertion Issuer Name".
-
Specify a value for user.roles.include, as described in "Overriding Policy Configuration Properties".
-
Specify a value for propagate.identity.context, as described in "Overview of Configuring Keystores for Message Protection". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
-
Configure SAML, as described in "Configuring SAML Web Service Client at Design Time".
-
Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.
17.168 oracle/wss11_saml_token_with_message_protection_sha256_service_policy
Display Name: Wss11 Saml Token With Message Protection Sha256 Service Policy
Category: Security
Description
The oracle/wss11_saml_token_with_message_protection_sha256_service_policy enables message protection (integrity and confidentiality) and SAML token population for inbound SOAP requests using mechanisms described in WS-Security 1.1.
This policy uses the symmetric key technology for signing and encryption, the WS-Security's Basic 128 suite of symmetric key technology for endorsing signatures, the RSA key mechanisms for message confidentiality, the SHA-2 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
The keystore is configured through the security configuration. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the configured identity store. This policy can be attached to any SOAP-based endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-96. For more information, see "Overriding Policy Configuration Properties".
-
Configure SAML, as described in "About SAML Configuration".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
Configure the saml.loginmodule login module, as described in "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control". The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
-
To set up OPSS:
-
Configure the policy assertion for message signing, message encryption, or both.
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
-
Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
-
Override the keystore.enc.csf.key server-side configuration property, as described in "Overview of Policy Configuration Overrides".
17.169 oracle/wss11_saml_token_with_message_protection_wssc_client_policy
The oracle/wss11_saml_token_with_message_protection_wssc_client_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
Display Name: Wss11 Saml Token With Message Protection with secure conversation enabled Client Policy
Category: Security
Description
A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy has secure conversation enabled.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-95. For more information, see "Overriding Policy Configuration Properties".
-
Configure Secure Conversation, as described in Configuring Secure Conversation Using Oracle Web Services Manager.
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure the policy assertion for message signing, message encryption, or both.
-
The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
-
Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
-
Specify a value for saml.issuer.name, as described in "Overriding Policy Configuration Properties". The saml.issuer.name property defaults to a value of www.oracle.com. For additional considerations, see "Adding an Additional SAML Assertion Issuer Name".
-
Specify a value for user.roles.include, as described in "Overriding Policy Configuration Properties".
-
Specify a value for propagate.identity.context, as described in "Overview of Configuring Keystores for Message Protection". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
-
Configure SAML, as described in "Configuring SAML Web Service Client at Design Time".
-
Configure Secure Conversation, as described in Configuring Secure Conversation Using Oracle Web Services Manager.
-
Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.
17.170 oracle/wss11_saml_token_with_message_protection_wssc_service_policy
The oracle/wss11_saml_token_with_message_protection_wssc_service_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
Display Name: Wss11 Saml Token With Message Protection with secure conversation enabled Service Policy
Category: Security
Description
A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy has secure conversation enabled. See Configuring Secure Conversation Using Oracle Web Services Manager.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-96. For more information, see "Overriding Policy Configuration Properties".
-
Configure SAML, as described in "About SAML Configuration".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
Configure the saml.loginmodule login module, as described in "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control". The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
-
To set up OPSS:
-
Configure the policy assertion for message signing, message encryption, or both.
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
-
Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
-
Override the keystore.enc.csf.key server-side configuration property, as described in "Overview of Policy Configuration Overrides".
17.171 oracle/wss11_saml_token_with_message_protection_wssc_reauthn_client_policy
The oracle/wss11_saml_token_with_message_protection_wssc_reauthn_client_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
Display Name: Wss11 Saml Token With Message Protection with secure conversation and re-authenticate mode enabled Client Policy
Category: Security
Description
A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy has secure conversation enabled.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-95. For more information, see "Overriding Policy Configuration Properties".
-
Configure Secure Conversation, as described in Configuring Secure Conversation Using Oracle Web Services Manager.
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure the policy assertion for message signing, message encryption, or both.
-
The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
-
Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
-
Specify a value for saml.issuer.name, as described in "Overriding Policy Configuration Properties". The saml.issuer.name property defaults to a value of www.oracle.com. For additional considerations, see "Adding an Additional SAML Assertion Issuer Name".
-
Specify a value for user.roles.include, as described in "Overriding Policy Configuration Properties".
-
Specify a value for propagate.identity.context, as described in "Overview of Configuring Keystores for Message Protection". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
-
Configure SAML, as described in "Configuring SAML Web Service Client at Design Time".
-
Configure Secure Conversation, as described in Configuring Secure Conversation Using Oracle Web Services Manager.
-
Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.
17.172 oracle/wss11_saml_token_with_message_protection_wssc_reauthn_service_policy
The oracle/wss11_saml_token_with_message_protection_wssc_reauthn_service_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
Display Name: Wss11 Saml Token With Message Protection with secure conversation and re-authenticate mode enabled Service Policy
Category: Security
Description
A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy has secure conversation enabled. See Configuring Secure Conversation Using Oracle Web Services Manager.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-96. For more information, see "Overriding Policy Configuration Properties".
-
Configure SAML, as described in "About SAML Configuration".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
Configure the saml.loginmodule login module, as described in "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control". The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
-
To set up OPSS:
-
Configure the policy assertion for message signing, message encryption, or both.
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
-
Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
-
Override the keystore.enc.csf.key server-side configuration property, as described in "Overview of Policy Configuration Overrides".
17.173 oracle/wss11_saml20_token_with_message_protection_client_policy
The oracle/wss11_saml20_token_with_message_protection_client_policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.
Display Name: Wss11 Saml V2.0 Token With Message Protection Client Policy
Category: Security
Description
A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-98. For more information, see "Overriding Policy Configuration Properties".
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure the policy assertion for message signing, message encryption, or both.
-
The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
-
Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
-
Specify a value for saml.issuer.name, as described in "Overriding Policy Configuration Properties". The saml.issuer.name property defaults to a value of www.oracle.com. For additional considerations, see "Adding an Additional SAML Assertion Issuer Name".
-
Specify a value for user.roles.include, as described in "Overriding Policy Configuration Properties".
-
Specify a value for propagate.identity.context, as described in "Overview of Configuring Keystores for Message Protection". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Set up the web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
-
Configure SAML, as described in "Configuring SAML Web Service Client at Design Time".
-
Configure Secure Conversation, as described in Configuring Secure Conversation Using Oracle Web Services Manager.
-
Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.
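The "Example 17-*" sentences in sections 17.165 through 17.173 all refer to the same WS-Security 1.1 Security header structure these policies produce: a SAML sender-vouches assertion, an RSA-wrapped symmetric key, the Body encrypted with that key, and a signature over the signed parts. As an added illustration (not the page's Example 17-* and not OWSM code), the following Python parses a constructed SOAP message of that shape and checks it against what the policies enforce: a sender-vouches assertion in either SAML 1.1 or SAML 2.0 form, an RSA-OAEP EncryptedKey whose reference list covers the Body's EncryptedData, AES-128-CBC for the Body (the Basic 128 suite), and, for the *_sha256_* variants, SHA-256 signature digests. The message itself, its Id values and its base64 contents are constructed placeholders; only the element structure and the algorithm URIs are the standard ones.

```python
"""Structural check of a WS-Security 1.1 message as the SAML sender-vouches
message-protection policies expect it (constructed example, not OWSM code)."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SENDER_VOUCHES = {"urn:oasis:names:tc:SAML:1.0:cm:sender-vouches",
                  "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"}
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"    # Basic128 data cipher
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"  # Basic128 key transport
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"            # digest used by *_sha256_* policies


def inspect_security_header(xml_text):
    """Describe the SAML token, key transport, body encryption and signature digests."""
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    if sec is None or body is None:
        raise ValueError("missing wsse:Security header or soap:Body")
    r = {"saml_version": None, "issuer": None, "confirmation": None, "key_transport": None,
         "body_encrypted": False, "data_cipher": None, "signed_uris": [], "digests": []}
    # SAML 1.1 puts the issuer in an attribute and the confirmation method in an element;
    # SAML 2.0 does the reverse. Compare with `is not None`: a childless Element is falsy.
    a2, a1 = sec.find("saml2:Assertion", NS), sec.find("saml1:Assertion", NS)
    if a2 is not None:
        r["saml_version"], r["issuer"] = "2.0", a2.findtext("saml2:Issuer", namespaces=NS)
        sc = a2.find("saml2:Subject/saml2:SubjectConfirmation", NS)
        r["confirmation"] = sc.get("Method") if sc is not None else None
    elif a1 is not None:
        r["saml_version"], r["issuer"] = "1.1", a1.get("Issuer")
        r["confirmation"] = a1.findtext(
            ".//saml1:SubjectConfirmation/saml1:ConfirmationMethod", namespaces=NS)
    # EncryptedKey holds the RSA-wrapped AES key and lists every encrypted part it unlocks.
    covered, ek = set(), sec.find("xenc:EncryptedKey", NS)
    if ek is not None:
        em = ek.find("xenc:EncryptionMethod", NS)
        r["key_transport"] = em.get("Algorithm") if em is not None else None
        covered = {d.get("URI", "").lstrip("#")
                   for d in ek.findall("xenc:ReferenceList/xenc:DataReference", NS)}
    # The Body counts as encrypted only when its EncryptedData is referenced from that list.
    ed = body.find("xenc:EncryptedData", NS)
    if ed is not None and ed.get("Id") in covered:
        em = ed.find("xenc:EncryptionMethod", NS)
        r["body_encrypted"] = True
        r["data_cipher"] = em.get("Algorithm") if em is not None else None
    sig = sec.find("ds:Signature", NS)
    for ref in ([] if sig is None else sig.findall("ds:SignedInfo/ds:Reference", NS)):
        dm = ref.find("ds:DigestMethod", NS)
        r["signed_uris"].append(ref.get("URI"))
        r["digests"].append(dm.get("Algorithm") if dm is not None else None)
    return r


def check_policy(report, require_sha256=False):
    """List the ways a message departs from what the policy enforces (empty = conforms)."""
    problems = []
    if report["saml_version"] is None:
        problems.append("no SAML assertion in the Security header")
    elif report["confirmation"] not in SENDER_VOUCHES:
        problems.append("SAML confirmation method is not sender-vouches")
    if report["key_transport"] != RSA_OAEP:
        problems.append("EncryptedKey is not RSA-OAEP wrapped")
    if not report["body_encrypted"]:
        problems.append("soap:Body is not covered by the EncryptedKey reference list")
    elif report["data_cipher"] != AES128_CBC:
        problems.append("body cipher is not AES-128-CBC")
    if not report["signed_uris"]:
        problems.append("no signed references")
    elif require_sha256 and any(d != SHA256 for d in report["digests"]):
        problems.append("signature digest is not SHA-256")
    return problems


# Constructed sample (not a capture from a real deployment); base64 values are placeholders.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<soap:Header><wsse:Security soap:mustUnderstand="1">
 <xenc:EncryptedKey Id="EK-1">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
  <ds:KeyInfo><wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">c2VydmljZS10aHVtYg==</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>d3JhcHBlZC1rZXk=</xenc:CipherValue></xenc:CipherData>
  <xenc:ReferenceList><xenc:DataReference URI="#ED-Body"/></xenc:ReferenceList>
 </xenc:EncryptedKey>
 <saml2:Assertion ID="SAML-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"><saml2:Issuer>www.oracle.com</saml2:Issuer>
  <saml2:Subject><saml2:NameID>alice</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/></saml2:Subject>
 </saml2:Assertion>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#Body"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>AA==</ds:DigestValue></ds:Reference>
  <ds:Reference URI="#SAML-1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>AA==</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>AA==</ds:SignatureValue></ds:Signature>
</wsse:Security></soap:Header>
<soap:Body wsu:Id="Body"><xenc:EncryptedData Id="ED-Body" Type="http://www.w3.org/2001/04/xmlenc#Content">
 <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
 <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#EK-1"/></wsse:SecurityTokenReference></ds:KeyInfo>
 <xenc:CipherData><xenc:CipherValue>Y2lwaGVydGV4dA==</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData></soap:Body></soap:Envelope>"""
```

The check is purely structural: nothing is decrypted and no signature is verified, so it is a way of confirming from a captured message that the attached policy is actually being applied and that the expected algorithm suite (and, for the sha256 variants, the expected digest) is in use, not a substitute for the enforcement OWSM performs. A message whose Body carries an EncryptedData that the EncryptedKey's reference list does not mention is reported as unencrypted on purpose: such a Body cannot be decrypted with the key the header delivered.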
17.174 oracle/wss11_saml20_token_with_message_protection_service_policy
The oracle/wss11_saml20_token_with_message_protection_service_policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
Display Name: Wss11 Saml V2.0 Token With Message Protection Service Policy
Category: Security
Description
It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-99. For more information, see "Overriding Policy Configuration Properties".
-
Configure SAML, as described in "About SAML Configuration".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
Configure the saml.loginmodule login module, as described in "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control". The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
-
To set up OPSS:
-
Configure the policy assertion for message signing, message encryption, or both.
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
-
Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
-
Override the keystore.enc.csf.key server-side configuration property, as described in "Overview of Policy Configuration Overrides".
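The service-side OPSS steps in the SAML message-protection service policies above (the decryption key's password stored in the credential store under the key named by keystore.enc.csf.key) and the client-side override list in the matching client policies (keystore.recipient.alias, keystore.sig.csf.key, keystore.enc.csf.key, saml.issuer.name, user.roles.include, propagate.identity.context), together with the design-time requirement that each side's keystore already holds the other's certificate, can be checked before anything is deployed. The following Python is an added example, not OWSM code and not an OWSM API: it models both keystores and the credential store as plain dicts (alias to certificate fingerprint, csf key name to credential), applies the rule from this chapter's opening note that a blank override leaves the default in effect, and reports what is missing. The aliases, csf key names and fingerprints are constructed sample values.

```python
"""Pre-flight check of the overrides and key material the SAML-with-message-protection
policies rely on (constructed example, not OWSM code). Keystores and the credential
store are modelled as dicts so the check runs offline."""

# Defaults as stated on this page: a blank override means the default is in effect.
DEFAULTS = {"saml.issuer.name": "www.oracle.com", "propagate.identity.context": ""}
PROPERTIES = ["keystore.recipient.alias", "keystore.sig.csf.key", "keystore.enc.csf.key",
              "saml.issuer.name", "user.roles.include", "propagate.identity.context"]


def effective(overrides, name):
    """Resolve one policy property: a blank or missing override falls back to the default."""
    value = (overrides.get(name) or "").strip()
    return value or DEFAULTS.get(name, "")


def preflight(overrides, client_ks, client_key_alias, service_ks, service_key_alias,
              credential_store, cert_in_wsdl):
    """Return (effective property values, list of problems).

    client_ks / service_ks map alias -> certificate fingerprint (the *_key_alias entries
    are each side's own key pair); credential_store maps csf key name -> (user, password).
    """
    eff = {p: effective(overrides, p) for p in PROPERTIES}
    problems = []
    # The signing and decryption keys are looked up through csf keys, so each csf key
    # named by the policy must exist as an entry in the credential store.
    for prop in ("keystore.sig.csf.key", "keystore.enc.csf.key"):
        if not eff[prop]:
            problems.append(f"{prop} is not set")
        elif eff[prop] not in credential_store:
            problems.append(f"{prop}={eff[prop]!r} has no credential-store entry")
    # Outbound encryption needs the service's public key: either the certificate
    # published in the WSDL or a client-keystore entry named by keystore.recipient.alias.
    alias = eff["keystore.recipient.alias"]
    if alias and alias not in client_ks:
        problems.append(f"keystore.recipient.alias={alias!r} is not in the client keystore")
    elif not alias and not cert_in_wsdl:
        problems.append("service certificate is neither in the WSDL nor named by keystore.recipient.alias")
    # Design-time requirement: each side's keystore already holds the other's certificate.
    if service_ks.get(service_key_alias) not in client_ks.values():
        problems.append("client keystore lacks the service's certificate")
    if client_ks.get(client_key_alias) not in service_ks.values():
        problems.append("service keystore lacks the client's certificate needed to verify its signature")
    return eff, problems


# Constructed sample data; the fingerprints stand in for real certificates.
CLIENT_KS = {"client-key": "fp-client", "service-cert": "fp-service", "ca-root": "fp-ca"}
SERVICE_KS = {"service-key": "fp-service", "client-cert": "fp-client", "ca-root": "fp-ca"}
CRED_STORE = {"sign-csf-key": ("client-key", "***"), "enc-csf-key": ("service-key", "***")}
OVERRIDES = {"keystore.recipient.alias": "service-cert", "keystore.sig.csf.key": "sign-csf-key",
             "keystore.enc.csf.key": "enc-csf-key", "saml.issuer.name": " "}  # blank -> default
```

Run against the sample data the check passes and resolves saml.issuer.name to www.oracle.com because the override is blank; point keystore.enc.csf.key at a csf key that has no credential, or remove the service's certificate from the client keystore, and the corresponding line appears in the problem list. Real deployments keep these values in the OWSM keystore and the OPSS credential store rather than in dicts, so the dicts here would be filled from whatever inventory of those stores you already have.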
17.175 oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy
The Wss11 Issued Token with Saml Holder of Key with Message Protection Client Policy inserts a SAML HOK assertion issued by a trusted STS (Security Token Service).
Display Name: Wss11 Issued Token with Saml Holder of Key with Message Protection Client Policy
Category: Security
Description
Inserts a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using proof key material provided by the STS.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-118. For more information, see "Overriding Policy Configuration Properties".
Note:
When using Oracle STS, the asymmetric proof key (HoK) use-case works only when a client cert csf key is configured in the policy using the sts.auth.x509.csf.key configuration override. This value is used for signing the WS-Trust request sent to the STS and by Oracle STS as the proof key. The public key in the SAML assertion also corresponds to this keypair.
-
Set up the web service client, as described in "Main Steps in Setting Up Automatic Policy Configuration".
-
Set up the OWSM keystore to specify a key (username/password or X.509) to authenticate to the STS, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure the policy assertion for message signing, message encryption, or both.
-
The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
-
Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time". For examples of overriding STS configuration settings, see "Programmatically Overriding Policy Configuration for WS-Trust Client Policies".
-
Set up the web service client, as described in "Main Steps in Setting Up Automatic Policy Configuration".
-
Set up the OWSM keystore to specify a key (username/password or X.509) to authenticate to the STS, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure the policy assertion for message signing, message encryption, or both.
17.176 oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy
The oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy authenticates a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using WS-Security's Basic 128 suite of symmetric key technologies.
Display Name: Wss11 Issued Token with Saml Holder of Key with Message Protection Service Policy
Category: Security
Description
You also have the option to override the keystore.enc.csf.key server-side configuration property, as described in "Overview of Policy Configuration Overrides".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-119. For more information, see "Overriding Policy Configuration Properties".
-
Set up the web service, as described in "Main Steps in Setting Up Automatic Policy Configuration".
-
Specify a value for keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
17.177 oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy
The Wss11 Issued Token with Saml Holder of Key with Message Protection Client Policy inserts a SAML HOK assertion issued by a trusted STS (Security Token Service).
Display Name: Wss11 Issued Token with Saml Holder of Key with Message Protection Client Policy
Category: Security
Description
This policy inserts a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using proof key material provided by the STS.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-118. For more information, see "Overriding Policy Configuration Properties".
-
Set up the web service client, as described in "Main Steps in Setting Up Automatic Policy Configuration".
-
Set up the OWSM keystore to specify a key (username/password or X.509) to authenticate to the STS, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure the policy assertion for message signing, message encryption, or both.
-
The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
-
Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time". For examples of overriding STS configuration settings, see "Programmatically Overriding Policy Configuration for WS-Trust Client Policies".
-
Set up the web service client, as described in "Main Steps in Setting Up Automatic Policy Configuration".
-
Set up the OWSM keystore to specify a key (username/password or X.509) to authenticate to the STS, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure the policy assertion for message signing, message encryption, or both.
17.178 oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy
The oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy authenticates a SAML HOK assertion issued by a trusted STS (Security Token Service).
Display Name: Wss11 Issued Token with Saml Holder of Key with Message Protection Service Policy
Category: Security
Description
This policy authenticates a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using WS-Security's Basic 128 suite of symmetric key technologies.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-119. For more information, see "Overriding Policy Configuration Properties".
-
Set up the web service, as described in "Main Steps in Setting Up Automatic Policy Configuration".
-
Specify a value for keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
17.179 oracle/wss11_sts_issued_saml_with_message_protection_client_policy
The Wss11 Issued Token with Saml Sender Vouches with Message Protection Client Policy inserts a SAML sender vouches assertion issued by a trusted STS (Security Token Service).
Display Name: Wss11 Issued Token with Saml Sender Vouches with Message Protection Client Policy
Category: Security
Description
This policy inserts a SAML sender vouches assertion issued by a trusted STS (Security Token Service). Messages are protected using the client's private key.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-121. For more information, see "Overriding Policy Configuration Properties".
-
Set up the web service client, as described in "Main Steps in Setting Up Automatic Policy Configuration".
-
Set up the OWSM keystore to specify a key (username/password or X.509) to authenticate to the STS, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure the policy assertion for message signing, message encryption, or both.
-
The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
-
Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time". For examples of overriding STS configuration settings, see "Programmatically Overriding Policy Configuration for WS-Trust Client Policies".
-
Set up the web service client, as described in "Main Steps in Setting Up Automatic Policy Configuration".
-
Set up the OWSM keystore to specify a key (username/password or X.509) to authenticate to the STS, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure the policy assertion for message signing, message encryption, or both.
17.180 oracle/wss11_username_token_with_message_protection_client_policy
The oracle/wss11_username_token_with_message_protection_client_policy provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.
Display Name: Wss11 Username Token With Message Protection Client Policy
Category: Security
Description
The web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The web service provider decrypts and verifies the message and the signature.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
To prevent replay attacks, the assertion provides the option to include time stamps and verification by the web service provider. The message can be protected with ciphers of different strengths.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-101. For more information, see "Overriding Policy Configuration Properties".
-
Set up the OWSM keystore to specify a key (username/password or X.509) to authenticate to the STS, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure the policy assertion for message signing, message encryption, or both.
-
The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
-
Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
This policy uses symmetric key technology, which is an encryption method that uses the same shared key to encrypt and decrypt data. The symmetric key is used to sign the message.
-
Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.
17.181 oracle/wss11_username_token_with_message_protection_service_policy
The oracle/wss11_username_token_with_message_protection_service_policy enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. Both plain text and digest mechanisms are supported.
Display Name: Wss11 Username Token With Message Protection Service Policy
Category: Security
Description
The web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The web service provider decrypts and verifies the message and the signature. This policy can be attached to any SOAP-based endpoint.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
To prevent replay attacks, the assertion provides the option to include time stamps and verification by the web service provider. The message can be protected with ciphers of different strengths.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
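As an added example that is not OWSM code, the following verifier shows the service-side handling of the WS-Security 1.1 UsernameToken that the username token policies in this chapter describe: the plain text and digest password mechanisms, and the optional nonce and creation time checks that defeat replay. It covers only the UsernameToken authentication step, not the signing and encryption the policies also apply; the user store, token values and freshness window are constructed assumptions, while the element names, namespaces and digest formula are those of the OASIS UsernameToken Profile.

```python
"""Service-side verifier for a WS-Security 1.1 UsernameToken (plain text or digest),
with the nonce/Created replay checks that the OWSM username token policies can require.
Constructed example; it is not OWSM code and uses only the Python standard library."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"
PASSWORD_DIGEST = UTP + "#PasswordDigest"
NS = {"wsse": WSSE, "wsu": WSU}


def parse_utc(stamp: str) -> datetime:
    """Parse a wsu:Created value such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username, password, created, nonce, digest=True, include_nonce=True):
    """Constructed sample of the wsse:UsernameToken a client puts in the Security header."""
    if digest:
        pw_type, pw_value = PASSWORD_DIGEST, password_digest(nonce, created, password)
    else:
        pw_type, pw_value = PASSWORD_TEXT, password
    parts = [f"<wsse:Username>{username}</wsse:Username>",
             f'<wsse:Password Type="{pw_type}">{pw_value}</wsse:Password>']
    if include_nonce:  # a client may omit these when the policy does not require them
        parts.append(f'<wsse:Nonce>{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>')
        parts.append(f"<wsu:Created>{created}</wsu:Created>")
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            + "".join(parts) + "</wsse:UsernameToken>")


class UsernameTokenVerifier:
    """Checks credentials, Created freshness and single use of each nonce per user."""

    def __init__(self, users, freshness=timedelta(minutes=5), require_nonce=True):
        self.users = users            # username -> password; constructed stand-in for an identity store
        self.freshness = freshness    # accepted clock skew / token age; assumed value
        self.require_nonce = require_nonce  # mirrors the policy option to require nonce and Created
        self._seen = {}               # (username, nonce) -> time after which the entry may be dropped

    def verify(self, token_xml: str, now: datetime) -> str:
        tok = ET.fromstring(token_xml)  # use defusedxml for untrusted input in production
        username = tok.findtext("wsse:Username", namespaces=NS)
        pw_el = tok.find("wsse:Password", namespaces=NS)
        nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
        created = tok.findtext("wsu:Created", namespaces=NS)
        if pw_el is None or username not in self.users:
            return "rejected: unknown user or missing password"
        if self.require_nonce and (nonce_b64 is None or created is None):
            return "rejected: nonce and created are required"
        # Freshness: a token created too long ago (or in the future) is refused outright.
        if created is not None and abs(now - parse_utc(created)) > self.freshness:
            return "rejected: created timestamp outside freshness window"
        # Replay: a nonce already accepted from this user inside the window is refused.
        self._expire(now)
        if nonce_b64 is not None and (username, nonce_b64) in self._seen:
            return "rejected: replayed nonce"
        expected = self.users[username].encode("utf-8")
        pw_type = pw_el.get("Type", PASSWORD_TEXT)
        if pw_type == PASSWORD_DIGEST:
            if nonce_b64 is None or created is None:
                return "rejected: digest requires nonce and created"
            want = password_digest(base64.b64decode(nonce_b64), created, self.users[username])
            ok = hmac.compare_digest((pw_el.text or "").encode("utf-8"), want.encode("ascii"))
        elif pw_type == PASSWORD_TEXT:
            ok = hmac.compare_digest((pw_el.text or "").encode("utf-8"), expected)
        else:
            return "rejected: unsupported password type"
        if not ok:
            return "rejected: bad credentials"
        if nonce_b64 is not None:  # record the nonce only once the token is accepted
            self._seen[(username, nonce_b64)] = now + self.freshness
        return "accepted"

    def _expire(self, now: datetime) -> None:
        """Drop nonces older than the freshness window; stale tokens are rejected anyway."""
        self._seen = {k: t for k, t in self._seen.items() if t > now}


if __name__ == "__main__":
    v = UsernameTokenVerifier({"alice": "s3cret"})
    tok = build_username_token("alice", "s3cret", "2024-01-01T12:00:00Z", os.urandom(16))
    print(v.verify(tok, parse_utc("2024-01-01T12:00:30Z")))  # accepted
    print(v.verify(tok, parse_utc("2024-01-01T12:00:31Z")))  # rejected: replayed nonce
```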
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-102. For more information, see "Overriding Policy Configuration Properties".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
To set up OPSS:
-
Configure the policy assertion for message signing, message encryption, or both.
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
-
Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
-
Override the keystore.enc.csf.key server-side configuration property, as described in "Overview of Policy Configuration Overrides".
17.182 oracle/wss11_username_token_with_message_protection_sha256_client_policy
Display Name: Wss11 Username Token With Message Protection Sha256 Client Policy
Category: Security
Description
The oracle/wss11_username_token_with_message_protection_sha256_client_policy provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Only plain text mechanism is supported. This policy can be attached to any SOAP-based client.
The web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The web service provider decrypts and verifies the message and the signature.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
To prevent replay attacks, the assertion provides the option to include time stamps and verification by the web service provider. The message can be protected with ciphers of different strengths.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures, specifically RSA key mechanisms for message confidentiality, SHA-2 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
The keystore on the client side is configured either on a per-request basis or through the security configuration. Credentials are included in the WS-Security UsernameToken header of outbound SOAP request messages. Credentials are provided either programmatically through the current Java Authentication and Authorization Service (JAAS) subject or by a reference in the policy to the configured credential store.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-101. For more information, see "Overriding Policy Configuration Properties".
-
Set up the OWSM keystore to specify a key (username/password or X.509) to authenticate to the STS, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure the policy assertion for message signing, message encryption, or both.
-
The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
-
Specify a value for keystore.sig.csf.key and keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
This policy uses symmetric key technology, which is an encryption method that uses the same shared key to encrypt and decrypt data. The symmetric key is used to sign the message.
-
Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.
17.183 oracle/wss11_username_token_with_message_protection_sha256_service_policy
Display Name: Wss11 Username Token With Message Protection Sha256 Service Policy
Category: Security
Description
The oracle/wss11_username_token_with_message_protection_sha256_service_policy enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. Only plain text mechanism is supported.
The web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The web service provider decrypts and verifies the message and the signature. This policy can be attached to any SOAP-based endpoint.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
To prevent replay attacks, the assertion provides the option to include time stamps and verification by the web service provider. The message can be protected with ciphers of different strengths.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures, specifically RSA key mechanisms for message confidentiality, SHA-2 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
The keystore is configured through the security configuration. Credentials are provided through the UsernameToken WS-Security SOAP header. The credentials are authenticated against the configured identity store.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-102. For more information, see "Overriding Policy Configuration Properties".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
To set up OPSS:
-
Configure the policy assertion for message signing, message encryption, or both.
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
-
Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
-
Override the keystore.enc.csf.key server-side configuration property, as described in "Overview of Policy Configuration Overrides".
17.184 oracle/wss11_username_token_with_message_protection_wssc_client_policy
The oracle/wss11_username_token_with_message_protection_wssc_client_policy provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.
Display Name: Wss11 Username Token With Message Protection with secure conversation enabled Client Policy
Category: Security
Description
The web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The web service provider decrypts and verifies the message and the signature.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
To prevent replay attacks, the assertion provides the option to include time stamps and verification by the web service provider. The message can be protected with ciphers of different strengths.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy has secure conversation enabled.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-101. For more information, see "Overriding Policy Configuration Properties".
-
Set up the OWSM keystore to specify a key (username/password or X.509) to authenticate to the STS, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure the policy assertion for message signing, message encryption, or both.
-
Configure Secure Conversation, as described in Configuring Secure Conversation Using Oracle Web Services Manager.
-
The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
-
Specify a value for keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
This policy uses symmetric key technology, which is an encryption method that uses the same shared key to encrypt and decrypt data. The symmetric key is used to sign the message.
-
Configure Secure Conversation, as described in Configuring Secure Conversation Using Oracle Web Services Manager.
-
Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.
17.185 oracle/wss11_username_token_with_message_protection_wssc_service_policy
The oracle/wss11_username_token_with_message_protection_wssc_service_policy enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. Both plain text and digest mechanisms are supported.
Display Name: Wss11 Username Token With Message Protection with secure conversation enabled Service Policy
Category: Security
Description
The web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The web service provider decrypts and verifies the message and the signature. This policy can be attached to any SOAP-based endpoint.
To protect against replay attacks, the assertion provides the option to require nonce and creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
To prevent replay attacks, the assertion provides the option to include time stamps and verification by the web service provider. The message can be protected with ciphers of different strengths.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy has secure conversation enabled. See Configuring Secure Conversation Using Oracle Web Services Manager.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-102. For more information, see "Overriding Policy Configuration Properties".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
To set up OPSS:
-
Configure the policy assertion for message signing, message encryption, or both.
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
-
Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
-
Override the keystore.enc.csf.key server-side configuration property, as described in "Overview of Policy Configuration Overrides".
17.186 oracle/wss11_x509_token_with_message_protection_client_policy
The oracle/wss11_x509_token_with_message_protection_client_policy provides message protection (integrity and confidentiality) and certificate-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard.
Display Name: Wss11 X509 Token With Message Protection Client Policy
Category: Security
Description
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-104. For more information, see "Overriding Policy Configuration Properties".
-
Set up the OWSM keystore to specify a key (username/password or X.509) to authenticate to the STS, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure the policy assertion for message signing, message encryption, or both.
-
The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
-
Specify a value for keystore.enc.csf.key, as described in "Overriding Policy Configuration Properties".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Set up the web service client keystore, as described in Understanding Web Service Security Concepts. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
-
The web service client needs to provide valid X.509 authentication credentials in the SOAP message through the WS-Security binary security token.
-
Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.
17.187 oracle/wss11_x509_token_with_message_protection_service_policy
The Wss11 X509 Token With Message Protection Service Policy enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
Display Name: Wss11 X509 Token With Message Protection Service Policy
Category: Security
Description
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-105. For more information, see "Overriding Policy Configuration Properties".
-
Configure the Authentication provider, as described in "Supported Authentication Providers in WebLogic Server".
-
To set up OPSS:
-
Configure the policy assertion for message signing, message encryption, or both.
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key in the keystore for decrypting the message, and the CA root certificate.
-
Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
-
Override the keystore.enc.csf.key server-side configuration property, as described in "Overview of Policy Configuration Overrides".
17.188 oracle/wss11_x509_token_with_message_protection_wssc_client_policy
The Wss11 X509 Token With Message Protection with secure conversation enabled Client Policy provides message protection (integrity and confidentiality) and certificate-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard.
Display Name: Wss11 X509 Token With Message Protection with secure conversation enabled Client Policy
Category: Security
Description
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy has secure conversation enabled.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-104. For more information, see "Overriding Policy Configuration Properties".
-
Set up the OWSM keystore to specify a key (username/password or X.509) to authenticate to the STS, as described in "Overview of Configuring Keystores for Message Protection".
-
Configure the policy assertion for message signing, message encryption, or both.
-
Configure Secure Conversation, as described in Configuring Secure Conversation Using Oracle Web Services Manager.
-
The web service's base64-encoded public certificate is published in the WSDL for use by the web service client, as described in "Understanding Service Identity Certificate Extensions". As an alternative, you can specify a value for keystore.recipient.alias, as described in "Overriding Policy Configuration Properties". The keystore.recipient.alias property specifies the alias used to look up the public key in the keystore when retrieving a key for encryption of outbound SOAP messages.
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Configure Secure Conversation, as described in Configuring Secure Conversation Using Oracle Web Services Manager.
-
The web service client needs to provide valid X.509 authentication credentials in the SOAP message through the WS-Security binary security token.
-
Set up the web service client keystore, as described in Understanding Web Service Security Concepts. The policy specifically requires that the client's and web service's respective keystores already contain digital certificates containing each other's public key.
-
Configure the policy assertion for message signing, message encryption, or both.
Example 17-* shows the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.
17.189 oracle/wss11_x509_token_with_message_protection_wssc_service_policy
The Wss11 X509 Token With Message Protection with secure conversation enabled Service Policy enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
Display Name: Wss11 X509 Token With Message Protection with secure conversation enabled Service Policy
Category: Security
Description
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy has secure conversation enabled. See Configuring Secure Conversation Using Oracle Web Services Manager.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-105. For more information, see "Overriding Policy Configuration Properties".
-
Configure the Authentication provider, as described in "Supported Authentication Providers in WebLogic Server".
-
To set up OPSS:
-
Configure the policy assertion for message signing, message encryption, or both.
-
Set up the OWSM keystore, as described in "Overview of Configuring Keystores for Message Protection".
-
Store the trusted certificate that corresponds to the client's private key (used to sign the message) in the keystore. Store the service's private key (used to decrypt the message) and the CA root certificate in the keystore.
-
Store the password for the decryption key in the credential store, as described in "Adding Keys and User Credentials to Configure the Credential Store". Use keystore.enc.csf.key as the key name.
-
Override the keystore.enc.csf.key server-side configuration property, as described in "Overview of Policy Configuration Overrides".
17.190 oracle/wss_saml_bearer_or_username_token_sha256_service_policy
The oracle/wss_saml_bearer_or_username_token_sha256_service_policy enforces one authentication policy, based on whether the client uses a SAML bearer or username token.
Display Name: WSSecurity SAML Token Bearer or WSSecurity UserName Token Sha256 Service Policy
Category: Security
Description
Enforces one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:
-
SAML token within WS-Security SOAP header using the bearer confirmation type.
-
WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.
By default, the SAML Bearer token is expected to be signed with an enveloped signature using the RSA with SHA256 signature method. This policy can be applied to any SOAP-based endpoint.
To protect against replay attacks, the assertion provides the option to require a nonce and creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
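As an added illustration of the nonce and creation-time option above (example code, not part of OWSM or this guide), the following validator applies the PasswordDigest check from the WS-Security UsernameToken Profile together with a bounded nonce cache, so a captured token cannot be presented twice inside the acceptance window. The five-minute window, the 30-second clock skew and the user store are assumed values.

```python
"""Replay check for a WS-Security UsernameToken carrying Nonce and Created.

Added example, not OWSM code. PasswordDigest is computed as defined in the
WS-Security UsernameToken Profile: Base64(SHA-1(nonce + created + password)),
where nonce is the decoded nonce bytes. A token is accepted only if Created is
fresh and its nonce has not already been accepted inside the window.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(minutes=5)    # assumed acceptance window, not an OWSM default
CLOCK_SKEW = timedelta(seconds=30)  # assumed tolerated clock drift


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce || created || password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def parse_created(created: str) -> datetime:
    """Parse a UTC xsd:dateTime such as 2024-01-01T11:59:30Z into an aware datetime."""
    if created.endswith("Z"):
        created = created[:-1]
    return datetime.fromisoformat(created).replace(tzinfo=timezone.utc)


class UsernameTokenValidator:
    """Validates tokens and remembers accepted nonces for the freshness window."""

    def __init__(self, passwords, now):
        self._passwords = passwords  # username -> password (constructed store)
        self._now = now              # injected clock returning an aware datetime
        self._seen = {}              # nonce -> Created time of the accepted token

    def _expire(self, now: datetime) -> None:
        # A nonce older than the window cannot be replayed successfully anyway,
        # because the freshness check rejects it, so it can leave the cache.
        cutoff = now - FRESHNESS - CLOCK_SKEW
        self._seen = {n: t for n, t in self._seen.items() if t >= cutoff}

    def validate(self, username, digest, nonce_b64, created):
        """Return (accepted, reason) for one UsernameToken."""
        now = self._now()
        self._expire(now)
        created_dt = parse_created(created)
        if created_dt > now + CLOCK_SKEW:
            return False, "Created is in the future"
        if created_dt < now - FRESHNESS:
            return False, "Created is stale"
        if nonce_b64 in self._seen:
            return False, "replayed nonce"
        password = self._passwords.get(username)
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce_b64, created, password)
        if not hmac.compare_digest(expected, digest):
            return False, "bad password digest"
        self._seen[nonce_b64] = created_dt  # remember only tokens actually accepted
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a fixed clock and one user.
    validator = UsernameTokenValidator(
        {"alice": "s3cret"}, lambda: parse_created("2024-01-01T12:00:00Z"))
    nonce = base64.b64encode(b"0123456789abcdef").decode()
    created = "2024-01-01T11:59:30Z"
    digest = password_digest(nonce, created, "s3cret")
    print(validator.validate("alice", digest, nonce, created))  # accepted
    print(validator.validate("alice", digest, nonce, created))  # replay rejected
```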
Assertions (OR Group)
This policy contains the following assertions as an OR group—meaning either type of policy can be enforced by a client:
The assertions are advertised in the WSDL.
17.191 oracle/wss_saml_token_bearer_identity_switch_client_policy
The oracle/wss_saml_token_bearer_identity_switch_client_policy performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject. This policy includes SAML tokens in outbound SOAP request messages.
Display Name: Wss SAML Token Bearer Identity Switch Client Policy
Category: Security
Description
The SAML token with confirmation method Bearer is created automatically. This policy can be attached to any SOAP-based client.
Assertion
This policy contains the following assertion:
oracle/wss_saml_token_bearer_client_template
See "oracle/wss_saml_token_bearer_client_template" for more information about the assertion.
Configuration
This policy includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method Bearer is created automatically. The policy also verifies that the transport protocol provides SSL message protection. This policy can be attached to any SOAP-based client.
This policy contains the following policy assertion: oracle/wss_saml_token_bearer_over_ssl_client_template. See "oracle/wss_saml_token_bearer_client_template" for more information about the assertion.
Settings
See Table 18-54.
Configuration Properties
See Table 18-55.
17.192 oracle/wss_saml_token_bearer_identity_switch_sha256_client_policy
The oracle/wss_saml_token_bearer_identity_switch_sha256_client_policy performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject. This policy includes SAML tokens in outbound SOAP request messages.
Display Name: Wss SAML Token Bearer Identity Switch Sha256 Client Policy
Category: Security
Description
The SAML token with confirmation method Bearer is created automatically and is by default signed with an enveloped signature using RSA with SHA256 signature method. The policy also verifies that the transport protocol provides SSL message protection. This policy can be attached to any SOAP-based client.
Assertion
This policy contains the following assertion:
oracle/wss_saml_token_bearer_client_template
See "oracle/wss_saml_token_bearer_client_template" for more information about the assertion.
Configuration
This policy includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method Bearer is created automatically. The policy also verifies that the transport protocol provides SSL message protection. This policy can be attached to any SOAP-based client.
This policy contains the following policy assertion: oracle/wss_saml_token_bearer_over_ssl_client_template. See "oracle/wss_saml_token_bearer_client_template" for more information about the assertion.
Settings
See Table 18-54.
Configuration Properties
See Table 18-55.
17.193 oracle/wss_saml_token_bearer_over_ssl_sha256_client_policy
The oracle/wss_saml_token_bearer_over_ssl_sha256_client_policy includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method Bearer is created automatically.
Display Name: Wss SAML Token (confirmation method as bearer) Over SSL Sha256 Client Policy
Category: Security
Description
The SAML token is signed using RSA with SHA256 signature method. The issuer name and subject name are provided either programmatically or through the current Java Authentication and Authorization Service (JAAS) subject. The policy also verifies that the transport protocol provides SSL message protection. This policy can be attached to any SOAP-based client.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-59. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
-
Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Configure SAML on the client side, as described in "Configuring SAML Web Service Client at Design Time".
17.194 oracle/wss_saml_token_bearer_over_ssl_sha256_service_policy
The oracle/wss_saml_token_bearer_over_ssl_sha256_service_policy authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header. It accepts SAML tokens signed using the RSA with SHA256 signature method.
Display Name: Wss SAML Token (confirmation method as bearer) Over SSL Sha256 Service Policy
Category: Security
Description
The credentials in the SAML token are authenticated against a SAML login module. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based endpoint.
The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-60. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
-
Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
Configure the saml.loginmodule login module. See "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control" for more information. The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
-
Configure SAML and set up OPSS, as described in "About SAML Configuration".
17.195 oracle/wss_saml_token_bearer_service_policy
The oracle/wss_saml_token_bearer_service_policy authenticates users using credentials provided in a SAML Bearer token in the WS-Security SOAP header. By default, the SAML Bearer token is expected to be signed with an enveloped signature.
Display Name: WSSecurity SAML Token Bearer Service Policy
Category: Security
Description
This policy can be applied to any SOAP-based endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
17.196 oracle/wss_saml_token_bearer_sha256_client_policy
The oracle/wss_saml_token_bearer_sha256_client_policy includes SAML Bearer tokens in outbound SOAP request messages.
Display Name: Wss SAML Token (confirmation method as bearer) Sha256 Client Policy
Category: Security
Description
The SAML token with confirmation method Bearer is created automatically and is by default signed with an enveloped signature using RSA with SHA256 signature method.
The issuer name and subject name are provided either programmatically or through the current Java Authentication and Authorization Service (JAAS) subject.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-59. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Configure SAML on the client side, as described in "Configuring SAML Web Service Client at Design Time".
17.197 oracle/wss_saml_token_bearer_sha256_service_policy
The oracle/wss_saml_token_bearer_sha256_service_policy authenticates users using credentials provided in a SAML Bearer token in the WS-Security SOAP header. The SAML Bearer token is expected to be signed with an enveloped signature using the RSA with SHA256 signature method.
Display Name: WSSecurity SAML Token Bearer Sha256 Service Policy
Category: Security
Description
This policy can be applied to any SOAP-based endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
17.198 oracle/binding_oes_authorization_policy
The oracle/binding_oes_authorization_policy sets authorization based on the policy defined in Oracle Entitlements Server (OES). Authorization is based on attributes, the current authenticated subject, and the web service action invoked by the client. This policy is used for fine-grained authorization on any operation on the web service.
Display Name: Fine-grained authorization using Oracle Entitlements Server
Category: Security
Description
This policy should follow an authentication policy where the subject is established. You can attach this policy to any SOAP endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is not advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-107. For more information, see "Overriding Policy Configuration Properties".
17.199 oracle/binding_oes_masking_policy
The oracle/binding_oes_masking_policy does response masking based on the policy defined in OES. Masking is based on attributes, the current authenticated subject, and the web service action invoked by the client. This template is used for fine-grained masking on any operation of a web service.
Display Name: Response masking using Oracle Entitlements Server
Category: Security
Description
This policy should follow an authentication policy where the subject is established. You can attach this policy to any SOAP endpoint.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-107. For more information, see "Overriding Policy Configuration Properties".
17.200 oracle/component_oes_authorization_policy
The oracle/component_oes_authorization_policy does user authorization based on the policy defined in Oracle Entitlements Server (OES).
Display Name: SCA Component fine-grained authorization using Oracle Entitlements Server
Category: Security
Description
This policy does user authorization based on the policy defined in Oracle Entitlements Server (OES).
17.201 oracle/jms_transport_client_policy
The JMS Transport Client Policy enables and configures support for SOAP over JMS transport for web service clients.
Display Name: JMS Transport Client Policy
Category: SOAP Over JMS Transport
Description
Enables and configures support for SOAP over JMS transport for web service clients.
Note:
This policy cannot be duplicated, and the assertion template associated with this policy is not available for generating new policies.
This policy is not supported for Java EE (WebLogic) web services.
Configuration
Table 17-48 lists the configuration properties that you can override for SOAP over JMS transport clients.
Table 17-48 Configuration Properties for oracle/jms_transport_client_policy
| Name | Description | Default | Required? |
|---|---|---|---|
| | JNDI name of the destination queue or topic. | | Required |
| | Destination type. Valid values include: | | Required |
| | JMS header properties. Each property is specified using name-value pairs, separated by semicolons (;). For example: | None | Optional |
| | JMS message properties. Each property is specified using name-value pairs, separated by semicolons (;). For example: | None | Optional |
| | JNDI name of the connection factory that is used to establish a JMS connection. | | Required |
| | JNDI properties. Each property is specified using name-value pairs, separated by semicolons (;). For example: The properties are added to the | None | Optional |
| | Name of the initial context factory class used for JNDI lookup. This value maps to the | | Required |
| | JNDI provider URL. This value maps to the | | Required |
| | Message type to use with the request message. Valid values are For more information, see "Configuring the JMS Message Type" in Developing JAX-WS Web Services for Oracle WebLogic Server. | | Required |
| | JMS priority associated with the request and response message. Specify this value as a positive Integer from 0, the lowest priority, to 9, the highest priority. The default value is | | Required |
| | JNDI name of the JMS destination to which the response message is sent. For a two-way operation, a temporary response queue is generated by default. Using the default temporary response queue minimizes the configuration that is required. However, in the event of a server failure, the response message may be lost. This property enables the client to use a previously defined, "permanent" queue or topic rather than use the default temporary queue or topic, for receiving replies. For more information about configuring the JMS response queue, see "Configuring the Response Queue" in Developing JAX-WS Web Services for Oracle WebLogic Server. The value maps to the | None | Optional |
| | Port component name of the web service. This value is used by the service implementation to dispatch the service request. If not specified, the service name from the WSDL or This value maps to the | None | Optional |
| | Lifetime, in milliseconds, of the request message. A value of 0 indicates an infinite lifetime. On the service side, | | Required |
| | See "reference.priority". | None | Optional |
17.202 oracle/jms_transport_service_policy
The JMS Transport Service Policy overrides configuration properties for SOAP over JMS transport for web services.
Display Name: JMS Transport Service Policy
Category: SOAP Over JMS Transport
Description
Note:
This policy cannot be duplicated, and the assertion template associated with this policy is not available for generating new policies.
This policy is not supported for Java EE (WebLogic) web services.
Configuration
Table 17-49 lists the configuration properties that you can override for SOAP over JMS transport for web services.
Table 17-49 Configuration Properties for oracle/jms_transport_service_policy
| Name | Description | Default | Required? |
|---|---|---|---|
| | Version of the SOAP JMS binding. This value must be set to This value maps to the | | Required |
| | Delivery mode indicating whether the request message is persistent. Valid values are | | Required |
| | Boolean flag that specifies whether to publish the WSDL through HTTP. | | Optional |
| | Principal used to run the listening MDB. | None | Optional |
| | Role used to run the listening MDB. | None | Optional |
| | Boolean flag that specifies whether to create one listening message-driven bean (MDB) for each requested destination. If set to | | Optional |
| | Activation configuration properties passed to the JMS provider. Each property is specified using name-value pairs, separated by semicolons (;). For example: For a list of activation configuration properties that are supported by this property, see "Summary of JMS Transport Configuration Properties" in Developing JAX-WS Web Services for Oracle WebLogic Server. | None | Optional |
| | JNDI name of the destination queue or topic. | | Required |
| | Destination type. Valid values include: | | Required |
| | JMS header properties. Each property is specified using name-value pairs, separated by semicolons (;). For example: | None | Optional |
| | JMS message properties. Each property is specified using name-value pairs, separated by semicolons (;). For example: | None | Optional |
| | JNDI name of the connection factory that is used to establish a JMS connection. | | Required |
| | JNDI properties. Each property is specified using name-value pairs, separated by semicolons (;). For example: The properties are added to the | None | Optional |
| | Name of the initial context factory class used for JNDI lookup. This value maps to the | | Required |
| | JNDI provider URL. This value maps to the | | Required |
17.203 oracle/no_jms_transport_client_policy
The oracle/no_jms_transport_client_policy is a no behavior policy that, when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached SOAP over JMS transport client policy at a higher scope.
Display Name: No Jms Transport Client Policy
Category: SOAP Over JMS Transport
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
-
This no behavior policy cannot be duplicated.
-
The assertion template associated with this no behavior policy is not available for generating new policies.
-
This no behavior policy is not supported for Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-50 lists the configuration property that you can override for the no behavior policy.
Table 17-50 Configuration Property for oracle/no_jms_transport_client_policy
| Name | Description | Default | Required? |
|---|---|---|---|
| | See "reference.priority". | None | Optional |
17.204 oracle/no_jms_transport_service_policy
The oracle/no_jms_transport_service_policy is a no behavior policy that, when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached SOAP over JMS transport service policy at a higher scope.
Display Name: No Jms Transport Client Policy
Category: SOAP Over JMS Transport
Description
For details about using this no behavior policy, see "Disabling a Globally Attached Policy".
Note:
Please note the following:
-
This no behavior policy cannot be duplicated.
-
The assertion template associated with this no behavior policy is not available for generating new policies.
-
This no behavior policy is not supported for Java EE (WebLogic) web services.
Assertion
All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".
Configuration
Table 17-51 lists the configuration property that you can override for the no behavior policy.
Table 17-51 Configuration Property for oracle/no_jms_transport_service_policy
| Name | Description | Default | Required? |
|---|---|---|---|
| | See "reference.priority". | None | Optional |
17.205 oracle/http_oauth2_token_over_ssl_salesforce_jwt_client_policy
You can attach the oracle/http_oauth2_token_over_ssl_salesforce_jwt_client_policy to client applications that need to obtain an Access Token from the Salesforce OAuth2 server in order to access certain resources.
Display Name: HTTP Oauth2 Token Over SSL Salesforce JWT Client Policy
Category: Security
Description
The oracle/http_oauth2_token_over_ssl_salesforce_jwt_client_policy can be attached to client applications that need to obtain an Access Token from the Salesforce OAuth2 server in order to access certain resources. It has been customized with certain properties that OWSM requires to generate a JWT token that the Salesforce OAuth2 server accepts and, in return, issues an Access Token for.
The policy verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, the request is refused. This policy can be attached to any HTTP-based client.
Assertion
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion:
oracle/http_oauth2_token_over_ssl_client_template
See "oracle/http_oauth2_token_over_ssl_client_template" for more information about the assertion.
Configuration
The oracle/http_oauth2_token_over_ssl_salesforce_jwt_client_policy is the same as http_oauth2_token_client_policy, except that the access token (AT) is propagated over one-way SSL to the resource. This policy includes the OAuth2 access token in the HTTP header. The AT is obtained from the Salesforce OAuth2 server.
You can override the following properties when you attach the policy:
-
csf-key
-
oauth2.client.csf.key
-
audience.uri
You must use WLST or edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/http_oauth2_token_over_ssl_client_template" for information about the assertion attributes that you can configure.
See "Overriding Policy Configuration Properties" for a description of the configuration settings you can override.
You attach this policy and the oracle/oauth2_config_client_policy to the client application. The required token.uri property of the oracle/oauth2_config_client_policy policy specifies the OAuth2 server.
Settings
See Table 18-30.
Configuration Properties
See Table 18-27.
17.206 oracle/multi_token_rest_access_service_policy
The oracle/multi_token_rest_access_service_policy allows access to an endpoint with an anonymous subject when there is no security token in the request. It also masks a 403 response from the service if no security token is present in the request.
Display Name: Multi Token RESTful Access Service Policy
Category: Security
Description
This policy enforces exactly one of the following authentication policies based on the token sent by the client:
-
HTTP Basic—Extracts username and password credentials from the HTTP header.
-
SAML v2.0 Bearer token in the HTTP header—Extracts SAML 2.0 Bearer assertion in the HTTP header.
-
JWT token security—Extracts the username from the JWT token in the HTTP header.
-
HTTP OAM security (disabled by default)—Verifies that the OAM agent has authenticated the user and establishes the identity. (Provides non-SSL OAM protection on the server-side only.)
If there is no security token in the request, this policy passes the request through to the service and establishes an anonymous subject in the context, which the service itself can check later.
If there is a security token associated with the request, then the policy establishes a valid non-anonymous subject in the context.
If the service returns a 403 Forbidden response and an anonymous subject was established, OWSM rewrites the response code to 401 Unauthorized and adds a WWW-Authenticate challenge header to the response.
If there is a non-anonymous subject established in the context and the service still returns a 403 Forbidden response, OWSM passes on the 403 Forbidden response.
Assertions (OR Group)
This policy contains assertions that are based on the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:
-
No Behavior Assertion: An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. See Rebuilding the OWSM Repository.
The oracle/http_saml20_token_bearer_service_template
policy assertions are advertised.
The wss_http_token_service_template
assertions are not advertised in the WSDL.
Note:
Advertisement of policy assertions in a WADL file is not supported. The Advertised option has no effect when this policy is attached to a RESTful web service.
Configuration
Table 17-52 lists the configuration property that you can use to configure this policy.
Table 17-52 Configuration Property for oracle/multi_token_rest_access_service_policy
| Name | Description | Default | Required? |
|---|---|---|---|
| | See anonymous.access. | True | Optional |
17.207 oracle/multi_token_rest_access_over_ssl_service_policy
The oracle/multi_token_rest_access_over_ssl_service_policy allows access to an endpoint over SSL with an anonymous subject when there is no security token in the request. It also masks a 403 response from the service if no security token is present in the request.
Display Name: Multi Token RESTful Access Over SSL Service Policy
Category: Security
Description
This policy enforces exactly one of the following authentication policies based on the token sent by the client:
-
HTTP Basic—Extracts username and password credentials from the HTTP header.
-
SAML v2.0 Bearer token in the HTTP header—Extracts SAML 2.0 Bearer assertion in the HTTP header.
-
JWT token security —Extracts username from the JWT token in the HTTP header.
-
HTTP OAM security (disabled by default)—Verifies that the OAM agent has authenticated the user and establishes the identity. (Provides non-SSL OAM protection on the server side only.)
If there is no security token in the request, this policy passes the request through to the service and establishes an anonymous subject in the context, which the service itself can verify later.
If there is a security token associated with the request, then the policy establishes a valid non-anonymous subject in the context.
If the service sends a 403 response and only an anonymous subject was established, OWSM masks the response code to 401 Unauthorized and adds a WWW-Authenticate challenge header to the response.
If there is a non-anonymous subject established in the context and the service still returns a 403 Forbidden response, OWSM passes on the 403 Forbidden response.
This policy expects the service invocation to be done over SSL.
Assertions (OR Group)
This policy contains assertions that are based on the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:
-
No Behavior Assertion: An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. See Rebuilding the OWSM Repository.
The oracle/http_saml20_token_bearer_service_template policy assertions are advertised.
The wss_http_token_service_template assertions are not advertised in the WSDL.
Note:
Advertisement of policy assertions in a WADL file is not supported. The Advertised option has no effect when this policy is attached to a RESTful web service.
Configuration
Table 17-53 lists the configuration properties that you can use to configure this policy.
Table 17-53 Configuration Property for oracle/multi_token_rest_access_over_ssl_service_policy
Name | Description | Default | Required?
---|---|---|---
anonymous.access | See anonymous.access. | True | Optional
17.208 oracle/http_anonymous_rest_service_policy
The oracle/http_anonymous_rest_service_policy allows access to endpoint with anonymous subject in context.
Display Name: Http Anonymous RESTful Service Policy
Category: Security
Description
This policy is an extension of functionality provided by no_authentication_service_policy.
Whether or not there is a security token in the request, this policy passes the request through to the service and establishes an anonymous subject in the context.
Assertions (OR Group)
This policy contains assertions that are based on the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:
-
No Behavior Assertion: An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. See Rebuilding the OWSM Repository.
Note:
Advertisement of policy assertions in a WADL file is not supported. The Advertised option has no effect when this policy is attached to a RESTful web service.
Configuration
Table 17-54 lists the configuration property that you can use to configure this policy.
Table 17-54 Configuration Property for oracle/http_anonymous_rest_service_policy
Name | Description | Default | Required?
---|---|---|---
anonymous.access | See anonymous.access. | True | Optional
17.209 oracle/http_anonymous_rest_over_ssl_service_policy
The oracle/http_anonymous_rest_over_ssl_service_policy allows access to endpoint over SSL with anonymous subject in context.
Display Name: Http Anonymous RESTful Over SSL Service Policy
Category: Security
Description
This policy is an extension of functionality provided by no_authentication_service_policy.
Whether or not there is a security token in the request, this policy passes the request through to the service and establishes an anonymous subject in the context.
This policy expects the service invocation to be done over SSL.
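The following is an added example, not OWSM code, that models the behaviour described for the multi-token RESTful access policies (sections 17.206 and 17.207) and for the http_anonymous_rest policies above: a subject is established from the presence or absence of a token, a 403 produced while only an anonymous subject exists is masked to 401 with a challenge header, and the over-SSL variants refuse a request that is not on SSL. The header layout, principal name, challenge value and the refusal mechanism for non-SSL requests are this example's assumptions.

```python
# Added example (not OWSM code): models the subject-establishment and 403
# masking behaviour the multi-token RESTful access policies describe, and the
# always-anonymous behaviour of the http_anonymous_rest policies, including the
# over-SSL variants. Header names, principal names and the challenge value are
# constructed stand-ins for this illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict

ANONYMOUS = "anonymous"


@dataclass
class Request:
    headers: Dict[str, str]
    https: bool = True


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def token_present(req: Request) -> bool:
    """True when the request carries one of the tokens the multi-token policy
    accepts: HTTP Basic credentials, or a SAML 2.0 Bearer / JWT assertion in
    the Authorization header (assumed header layout)."""
    auth = req.headers.get("Authorization", "")
    return auth.startswith("Basic ") or auth.startswith("Bearer ")


def establish_subject(req: Request, mode: str) -> str:
    """'multi_token': a non-anonymous subject when a token is present, else
    anonymous. 'anonymous': always anonymous, token or not (the
    http_anonymous_rest policies). Token validation itself is not modelled."""
    if mode == "anonymous" or not token_present(req):
        return ANONYMOUS
    return "user-from-token"  # constructed stand-in for the authenticated principal


def enforce(req: Request, service: Callable[[Request, str], Response],
            mode: str = "multi_token", require_ssl: bool = False) -> Response:
    """Run the service behind the policy and post-process its response."""
    if require_ssl and not req.https:
        # The over-SSL variants expect the invocation over SSL; the page does not
        # specify the refusal status, so this example refuses by raising.
        raise PermissionError("request refused: invocation is not over SSL")
    subject = establish_subject(req, mode)
    resp = service(req, subject)
    # Multi-token policy: a 403 produced while only an anonymous subject exists
    # becomes 401 plus a WWW-Authenticate challenge; a 403 for a real subject is
    # passed through unchanged.
    if mode == "multi_token" and resp.status == 403 and subject == ANONYMOUS:
        return Response(401, {"WWW-Authenticate": 'Basic realm="rest-service"'}, resp.body)
    return resp


def sample_service(req: Request, subject: str) -> Response:
    """Constructed service that rejects the anonymous subject itself, which is
    the check the page says the service may perform after the policy lets the
    request through."""
    if subject == ANONYMOUS:
        return Response(403, body="anonymous access denied by service")
    return Response(200, body=f"hello {subject}")


def always_forbidden(req: Request, subject: str) -> Response:
    """Constructed service whose authorization rule rejects every caller."""
    return Response(403, body="forbidden by authorization rule")
```

The 401 masking matters for clients: without it, an unauthenticated caller would see a bare 403 and never receive the challenge that tells it which credential to send, while an authenticated caller that is genuinely not authorized still sees the service's own 403.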
Assertions (OR Group)
This policy contains assertions that are based on the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:
-
No Behavior Assertion: An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. See Rebuilding the OWSM Repository.
Note:
Advertisement of policy assertions in a WADL file is not supported. The Advertised option has no effect when this policy is attached to a RESTful web service.
Configuration
Table 17-55 lists the configuration property that you can use to configure this policy.
Table 17-55 Configuration Property for oracle/http_anonymous_rest_over_ssl_service_policy
Name | Description | Default | Required?
---|---|---|---
anonymous.access | See anonymous.access. | True | Optional
17.210 oracle/http_oauth2_token_over_ssl_google_jwt_client_policy
The oracle/http_oauth2_token_over_ssl_google_jwt_client_policy can be used by clients that need to access Google APIs.
Display Name: HTTP oauth2 token over ssl google jwt client policy
Category: Security
Description
The oracle/http_oauth2_token_over_ssl_google_jwt_client_policy can be attached to client applications that need to access Google APIs. This policy enables a client to obtain the OAuth2 access token from the Google OAUTH2 server. This token is set in the HTTP header of the client request issued to access the corresponding Google API. The policy has been customized with certain properties that OWSM requires to generate a JWT token that is acceptable to the Google OAUTH2 server.
The policy also verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, the request is refused. This policy can be attached to any Http-based client.
Assertion
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion:
oracle/http_oauth2_token_over_ssl_client_template
Configuration
You can attach oracle/http_oauth2_token_over_ssl_google_jwt_client_policy to client applications that need to access Google APIs.
Here is a list of the respective properties to be used:
-
oracle/oauth2_config_client_policy:
-
token.uri = https://accounts.google.com/o/oauth2/token
-
oracle/http_oauth2_token_over_ssl_google_jwt_client_policy:
-
subject.precedence = false (default)
-
oauth2.client.csf.key = google-service-credential (See Adding Keys and User Credentials to Configure the Credential Store)
-
include.client.credentials = false (default)
-
issuer.name = ${client.id} (determined at runtime)
-
audience.uri = https://accounts.google.com/o/oauth2/token
-
keystore.sig.csf.key = privatekey (See Configuring the OWSM Keystore)
-
custom.jwt.claims = scope=api1 api2 apiN (See
OWSM sends the request to the Google OAuth2 server with the JWT token. The request must look like this:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<JWT Token>
Note:
The "audience.uri" and "issuer.name" properties have default values provided in the policy.
Note:
OWSM generates a new JWT token for the outgoing request, requesting a new access token, if the value of custom.jwt.claims changes. In other words, the cached JWT token cannot be used once this value has changed.
OWSM sends a request to the Google OAuth2 server with the JWT generated by the WSM agent for authentication. If the Google server authenticates the JWT successfully, an access token is returned in the response. The default validity of the token is 1 hour.
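The following is an added example, not OWSM's own code, that assembles the JWT-bearer grant request shown above (RFC 7523) from the properties listed for this policy: issuer.name becomes the iss claim (the client ID), audience.uri becomes aud, and custom.jwt.claims supplies the scope claim. It also shows the cache rule from the note: the JWT is reused until custom.jwt.claims changes or the JWT expires. Google requires RS256 with the service account's private key (keystore.sig.csf.key); to run stand-alone, this example signs with HMAC-SHA256 and a constructed key, which is an assumption to replace with an RS256 signer in practice. The comma separator for several custom claims and the client ID value are also constructed.

```python
# Added example, not OWSM's own code: builds the RFC 7523 JWT-bearer grant
# request the Google JWT client policy sends and models the custom.jwt.claims
# cache rule. Signing uses HMAC-SHA256 with a constructed key so the example
# runs without a key file; Google requires RS256 with the service account's
# private key (keystore.sig.csf.key), so swap in an RS256 signer for real use.
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional
from urllib.parse import urlencode

TOKEN_URI = "https://accounts.google.com/o/oauth2/token"  # token.uri and audience.uri
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_custom_claims(spec: str) -> Dict[str, str]:
    """Parse custom.jwt.claims such as 'scope=api1 api2 apiN'. Several claims
    separated by commas is this example's assumption."""
    claims: Dict[str, str] = {}
    for pair in spec.split(","):
        name, _, value = pair.strip().partition("=")
        if name:
            claims[name] = value
    return claims


def build_jwt(client_id: str, key: bytes, custom_claims: str, now: int,
              lifetime: int = 3600) -> str:
    """iss = issuer.name (client ID), aud = audience.uri, plus the custom claims."""
    claims = {"iss": client_id, "aud": TOKEN_URI, "iat": now, "exp": now + lifetime}
    claims.update(parse_custom_claims(custom_claims))
    header = {"alg": "HS256", "typ": "JWT"}  # RS256 in production; see lead-in
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_claims(jwt: str) -> dict:
    """Read the claims back (no signature check; for inspection only)."""
    return json.loads(_b64url_decode(jwt.split(".")[1]))


def token_request(jwt: str) -> str:
    """Render the access-token request in the shape shown above."""
    body = urlencode({"grant_type": JWT_BEARER, "assertion": jwt})
    return ("POST /o/oauth2/token HTTP/1.1\r\n"
            "Host: accounts.google.com\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n" + body)


class JwtCache:
    """Hands out the cached JWT until custom.jwt.claims changes or it expires."""

    def __init__(self, client_id: str, key: bytes):
        self.client_id, self.key = client_id, key
        self._claims: Optional[str] = None
        self._jwt: Optional[str] = None
        self._exp = 0

    def get(self, custom_claims: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        if self._jwt is None or custom_claims != self._claims or now >= self._exp:
            self._jwt = build_jwt(self.client_id, self.key, custom_claims, now)
            self._claims = custom_claims
            self._exp = decode_claims(self._jwt)["exp"]
        return self._jwt
```

Keeping aud bound to the token endpoint is what stops a captured assertion from being replayed against a different authorization server, which is why audience.uri and token.uri carry the same value in the property list above.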
You must use WLST or edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/http_oauth2_token_over_ssl_client_template" for information about the assertion attributes that you can configure.
See "Overriding Policy Configuration Properties" for a description of the configuration settings you can override.
You attach this policy and the oracle/oauth2_config_client_policy to the client application. The required token.uri property of the oracle/oauth2_config_client_policy policy specifies the OAuth2 server.
Settings
See Table 18-30.
Configuration Properties
See Table 18-27.
17.211 oracle/wss_saml20_token_bearer_over_ssl_notimestamp_client_policy
The oracle/wss_saml20_token_bearer_over_ssl_notimestamp_client_policy includes SAML tokens in outbound SOAP request messages, and verifies that the transport protocol provides SSL message protection.
Display Name: Wss SAML V2.0 Token (confirmation method as bearer) Over SSL With No Timestamp Client Policy
Category: Security
Description
The SAML token with confirmation method Bearer is created automatically. This policy can be attached to any SOAP-based client. A timestamp is not added to the message.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-62. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
-
Specify a value for propagate.identity.context on the Configurations page, or override it on a per-client basis using the Security Configuration Details control when you attach the policy. The propagate.identity.context property defaults to a value of blank. See "Propagating Identity Context Using SAML Policies" for additional considerations.
Design Time Considerations
At design time:
-
Override configuration settings, as described in "About Overriding Client Policy Configuration Properties at Design Time".
-
Configure SAML on the client side, as described in "Configuring SAML Web Service Client at Design Time".
17.212 oracle/wss_saml20_token_bearer_over_ssl_notimestamp_service_policy
The oracle/wss_saml20_token_bearer_over_ssl_notimestamp_service_policy authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header, and verifies that the transport protocol provides SSL message protection.
Display Name: Wss SAML V2.0 Token (confirmation method as bearer) Over SSL With No Timestamp Service Policy
Category: Security
Description
The credentials in the SAML token are authenticated against a SAML login module. This policy can be enforced on any SOAP-based endpoint.
The SAML login module extracts the username from the verified token and passes it to the Authentication provider. A timestamp should not be present in the incoming message.
Assertion
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
This assertion is advertised in the WSDL.
Configuration
To configure the policy:
-
Override the configuration properties defined in Table 18-63. For more information, see "Overriding Policy Configuration Properties".
-
Configure one-way or two-way SSL, as described in "Configuring One-Way SSL on WebLogic Server" or "Configuring Two-Way SSL for a Web Service Client", respectively.
-
Specify a value for propagate.identity.context, as described in "Overriding Policy Configuration Properties". The propagate.identity.context property defaults to a value of blank. For additional considerations, see "Propagating Identity Context Using SAML Policies".
-
Add an Authentication provider to the active security realm for the WebLogic domain in which the web service is deployed, as described in "Supported Authentication Providers in WebLogic Server".
-
Configure the saml2.loginmodule login module, as described in "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control". The SAML login module extracts the username from the verified token and passes it to the provider.
-
Configure SAML and set up OPSS, as described in "About SAML Configuration".
17.213 oracle/http_oauth2_token_idcs_client_policy
The oracle/http_oauth2_token_idcs_client_policy includes the OAuth2 access token in the HTTP header. The access token is obtained from the IDCS OAuth Server. It also verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, the request is refused. This policy can be attached to any HTTP-based SOAP or REST client, invoking the service over SSL.
Display Name: HTTP Oauth2 Token IDCS Client Policy
Category: Security
Description
This policy also performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject.
The subject.precedence property is set to true by default. The oracle.oauth2.service property is set to true by default, which ensures that the client ID is used as the issuer for the user and client JWT tokens for the OAuth2 server.
The set.client.id property is set to false by default. If it is set to true, OWSM sends the client ID to the OAuth2 provider in the access token request as a query parameter.
Assertion
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion:
oracle/http_oauth2_token_client_template
See "oracle/http_oauth2_token_client_template" for more information about the assertion.
Configuration
This policy includes the OAuth2 access token in the HTTP header. The access token is obtained from the OAuth Server in the Oracle Cloud.
The property oracle.oauth2.service is set to true by default, which ensures that the client ID is used as the issuer for the user and client JWT tokens for the OAuth2 server. If scope is empty (the default), Oracle WSM automatically gets the service URL and uses the address:port portion as the scope.
It also verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, the request is refused. This policy can be attached to any HTTP-based SOAP or REST client, invoking the service over SSL.
This policy also performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject.
You can override the following properties when you attach the policy:
-
For OAuth2 token request:
-
scope
-
authz.code (Not used in this release.)
-
redirect.uri (Not used in this release.)
-
For local token creation:
-
subject.precedence
-
csf.map
-
csf-key
-
oauth2.client.csf.key
-
federated.client.token
-
user.attributes
-
issuer.name
-
oracle.oauth2.service
-
user.roles.include
-
keystore.sig.csf.key
-
propagate.identity.context
-
user.tenant.name
-
include.certificate
-
General:
-
audience.uri
-
reference.priority
-
time.in.millis
-
set.client.id
You must use WLST or edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/http_oauth2_token_over_ssl_client_template" for information about the assertion attributes that you can configure.
You attach this policy and the oracle/oauth2_config_client_policy to the client application. The token.uri property of the required oracle/oauth2_config_client_policy policy specifies the OAuth2 server. It also has the oauth2.client.csf.key property.
You also attach any of the following Oracle WSM JWT service policies to the web service. The Oracle WSM server-side agent validates the access token (AT).
-
oracle/http_jwt_token_over_ssl_service_policy
-
oracle/multi_token_over_ssl_rest_service_policy (REST)
-
oracle/wss11_saml_or_username_token_with_message_protection_service_policy (SOAP)
subject.precedence is set to true to allow for the use of a client-specified username rather than the authenticated subject. The user name is obtained only from the username property of the csf-key.
If subject.precedence is set to false and csf-key and user name are configured, the web service client application must have the oracle.wsm.security.WSIdentityPermission permission. That is, applications from which Oracle WSM accepts the externally-supplied identity must have the WSIdentityPermission permission. This is to avoid potentially rogue applications from providing an identity to Oracle WSM. See granting WSIdentityPermission permission, as described in "Setting the Permission Using WSIdentityPermission".
By default, the oracle/http_oauth2_token_idcs_client_policy assertion content is defined as follows:
<orasp:http-oauth2-security xmlns:ns0="http://schemas.oracle.com/ws/2006/01/policy" ns0:Silent="true" ns0:name="Http OAuth2 Security" ns0:Enforced="true" ns0:category="security/authentication">
  <orasp:auth-header orasp:mechanism="oauth2"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:name="HttpOAuth2Config" orawsp:configType="declarative">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="subject.precedence">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf.map"/>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf-key">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="oauth2.client.csf.key">
          <orawsp:Value/>
          <orawsp:DefaultValue>NONE</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="federated.client.token">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="set.client.id">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="scope">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="authz.code">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="redirect.uri">
          <orawsp:Value/>
        </orawsp:Property>
        <!-- Begin : properties needed for local token creation for end user-->
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.attributes">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="issuer.name">
          <orawsp:Value/>
          <orawsp:DefaultValue>www.oracle.com</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="oracle.oauth2.service">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="user.roles.include">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="reference.priority">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:name="propagate.identity.context" orawsp:type="string" orawsp:contentType="optional">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.tenant.name">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="audience.uri">
          <orawsp:Value/>
          <orawsp:DefaultValue>NONE</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="include.certificate">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="time.in.millis">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
        <!--End properties for local token creation for end user -->
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-oauth2-security>
Settings
See Table 18-30.
Configuration Properties
See Table 18-27.
17.214 oracle/http_oauth2_token_over_ssl_idcs_client_policy
The oracle/http_oauth2_token_over_ssl_idcs_client_policy includes the OAuth2 access token in the HTTP header. The access token is obtained from the IDCS OAuth Server. It also verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, the request is refused. This policy can be attached to any HTTP-based SOAP or REST client, invoking the service over SSL.
Display Name: HTTP Oauth2 Token Over SSL IDCS Client Policy
Category: Security
Description
This policy also performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject.
The subject.precedence property is set to true by default. The oracle.oauth2.service property is set to true by default, which ensures that the client ID is used as the issuer for the user and client JWT tokens for the OAuth2 server.
The set.client.id property is set to false by default. If it is set to true, OWSM sends the client ID to the OAuth2 provider in the access token request as a query parameter.
Assertion
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion:
oracle/http_oauth2_token_over_ssl_client_template
See "oracle/http_oauth2_token_over_ssl_client_template" for more information about the assertion.
Configuration
This policy includes the OAuth2 access token in the HTTP header. The access token is obtained from the OAuth Server in the Oracle Cloud.
The property oracle.oauth2.service is set to true by default, which ensures that the client ID is used as the issuer for the user and client JWT tokens for the OAuth2 server. If scope is empty (the default), Oracle WSM automatically gets the service URL and uses the address:port portion as the scope.
It also verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, the request is refused. This policy can be attached to any HTTP-based SOAP or REST client, invoking the service over SSL.
This policy also performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject.
You can override the following properties when you attach the policy:
-
For OAuth2 token request:
-
scope
-
authz.code (Not used in this release.)
-
redirect.uri (Not used in this release.)
-
For local token creation:
-
subject.precedence
-
csf.map
-
csf-key
-
oauth2.client.csf.key
-
federated.client.token
-
user.attributes
-
issuer.name
-
oracle.oauth2.service
-
user.roles.include
-
keystore.sig.csf.key
-
propagate.identity.context
-
user.tenant.name
-
include.certificate
-
General:
-
audience.uri
-
reference.priority
-
time.in.millis
-
set.client.id
You must use WLST or edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/http_oauth2_token_over_ssl_client_template" for information about the assertion attributes that you can configure.
You attach this policy and the oracle/oauth2_config_client_policy to the client application. The token.uri property of the required oracle/oauth2_config_client_policy specifies the OAuth2 server. It also has the oauth2.client.csf.key property.
You also attach any of the following Oracle WSM JWT service policies to the web service. The Oracle WSM server-side agent validates the access token (AT).
-
oracle/http_jwt_token_over_ssl_service_policy
-
oracle/multi_token_over_ssl_rest_service_policy (REST)
-
oracle/wss11_saml_or_username_token_with_message_protection_service_policy (SOAP)
subject.precedence is set to true to allow for the use of a client-specified username rather than the authenticated subject. The user name is obtained only from the username property of the csf-key.
If subject.precedence is set to false and csf-key and user name are configured, the web service client application must have the oracle.wsm.security.WSIdentityPermission permission. That is, applications from which Oracle WSM accepts the externally-supplied identity must have the WSIdentityPermission permission. This is to avoid potentially rogue applications from providing an identity to Oracle WSM. See granting WSIdentityPermission permission, as described in "Setting the Permission Using WSIdentityPermission".
By default, the oracle/http_oauth2_token_over_ssl_idcs_client_policy assertion content is defined as follows:
<orasp:http-oauth2-security xmlns:ns0="http://schemas.oracle.com/ws/2006/01/policy" ns0:Silent="true" ns0:name="Http OAuth2 Security" ns0:Enforced="true" ns0:category="security/authentication,security/msg-protection">
  <orasp:auth-header orasp:mechanism="oauth2"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:name="HttpOAuth2Config" orawsp:configType="declarative">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="subject.precedence">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf.map"/>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf-key">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="oauth2.client.csf.key">
          <orawsp:Value/>
          <orawsp:DefaultValue>NONE</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="federated.client.token">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="set.client.id">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="scope">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="authz.code">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="redirect.uri">
          <orawsp:Value/>
        </orawsp:Property>
        <!-- Begin : properties needed for local token creation for end user-->
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.attributes">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="issuer.name">
          <orawsp:Value/>
          <orawsp:DefaultValue>www.oracle.com</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="oracle.oauth2.service">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="user.roles.include">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="reference.priority">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:name="propagate.identity.context" orawsp:type="string" orawsp:contentType="optional">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.tenant.name">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="audience.uri">
          <orawsp:Value/>
          <orawsp:DefaultValue>NONE</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="include.certificate">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="time.in.millis">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
        <!--End properties for local token creation for end user -->
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-oauth2-security>
Settings
See Table 18-30.
Configuration Properties
See Table 18-27.
17.215 oracle/http_oauth2_token_identity_switch_over_ssl_idcs_client_policy
The oracle/http_oauth2_token_identity_switch_over_ssl_idcs_client_policy includes the OAuth2 access token in the HTTP header. The access token is obtained from the IDCS OAuth Server. It also verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, the request is refused. This policy can be attached to any HTTP-based SOAP or REST client, invoking the service over SSL.
Display Name: HTTP Oauth2 Token Identity Switch Over SSL IDCS Client Policy
Category: Security
Description
This policy also performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject.
The subject.precedence property is set to false by default. The oracle.oauth2.service property is set to true by default, which ensures that the client ID is used as the issuer for the user and client JWT tokens for the OAuth2 server.
The set.client.id property is set to false by default. If it is set to true, OWSM sends the client ID to the OAuth2 provider in the access token request as a query parameter.
Assertion
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion:
oracle/http_oauth2_token_over_ssl_client_template
See "oracle/http_oauth2_token_over_ssl_client_template" for more information about the assertion.
Configuration
This policy includes the OAuth2 access token in the HTTP header. The access token is obtained from the OAuth Server in the Oracle Cloud.
The property oracle.oauth2.service is set to true by default, which ensures that the client ID is used as the issuer for the user and client JWT tokens for the OAuth2 server. If scope is empty (the default), Oracle WSM automatically gets the service URL and uses the address:port portion as the scope.
It also verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, the request is refused. This policy can be attached to any HTTP-based SOAP or REST client, invoking the service over SSL.
This policy also performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject.
You can override the following properties when you attach the policy:
-
For OAuth2 token request:
-
scope
-
authz.code (Not used in this release.)
-
redirect.uri (Not used in this release.)
-
For local token creation:
-
subject.precedence (It has a constant value of false)
-
csf.map
-
csf-key
-
oauth2.client.csf.key
-
federated.client.token
-
user.attributes
-
issuer.name
-
oracle.oauth2.service
-
user.roles.include
-
keystore.sig.csf.key
-
propagate.identity.context
-
user.tenant.name
-
include.certificate
-
General:
-
audience.uri
-
reference.priority
-
time.in.millis
-
set.client.id
You must use WLST or edit the policy file manually; you cannot edit the policy using Fusion Middleware Control. See "oracle/http_oauth2_token_over_ssl_client_template" for information about the assertion attributes that you can configure.
You attach this policy and the oracle/oauth2_config_client_policy to the client application. The token.uri property of the required oracle/oauth2_config_client_policy specifies the OAuth2 server. It also has the oauth2.client.csf.key property.
You also attach one of the following Oracle WSM JWT service policies to the web service. The Oracle WSM server-side agent validates the access token (AT).
-
oracle/http_jwt_token_over_ssl_service_policy
-
oracle/multi_token_over_ssl_rest_service_policy (REST)
-
oracle/wss11_saml_or_username_token_with_message_protection_service_policy (SOAP)
subject.precedence is set to false to allow for the use of a client-specified username rather than the authenticated subject. The user name is obtained only from the username property of the csf-key.
If subject.precedence is set to false and csf-key and user name are configured, the web service client application must have the oracle.wsm.security.WSIdentityPermission permission. That is, applications from which Oracle WSM accepts the externally-supplied identity must have the WSIdentityPermission permission. This prevents potentially rogue applications from supplying an identity to Oracle WSM. For information about granting the WSIdentityPermission permission, see "Setting the Permission Using WSIdentityPermission".
By default, the oauth2_token_identity_switch_over_ssl_idcs_client assertion content is defined as follows:
<orasp:http-oauth2-security xmlns:ns0="http://schemas.oracle.com/ws/2006/01/policy" ns0:Silent="true" ns0:name="Http OAuth2 Security" ns0:Enforced="true" ns0:category="security/authentication,security/msg-protection">
  <orasp:auth-header orasp:mechanism="oauth2"/>
  <>
  <orawsp:bindings>
    <orawsp:Config orawsp:name="HttpOAuth2Config" orawsp:configType="declarative">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="subject.precedence">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf.map"/>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf-key">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="oauth2.client.csf.key">
          <orawsp:Value/>
          <orawsp:DefaultValue>NONE</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="federated.client.token">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="set.client.id">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="scope">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="authz.code">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="redirect.uri">
          <orawsp:Value/>
        </orawsp:Property>
        <!-- Begin : properties needed for local token creation for end user-->
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.attributes">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="issuer.name">
          <orawsp:Value/>
          <orawsp:DefaultValue>www.oracle.com</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="oracle.oauth2.service">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="user.roles.include">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="reference.priority">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:name="propagate.identity.context" orawsp:type="string" orawsp:contentType="optional">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="user.tenant.name">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="audience.uri">
          <orawsp:Value/>
          <orawsp:DefaultValue>NONE</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="include.certificate">
          <orawsp:Value/>
          <orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="time.in.millis">
          <orawsp:Value/>
          <orawsp:DefaultValue>true</orawsp:DefaultValue>
        </orawsp:Property>
        <!--End properties for local token creation for end user -->
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-oauth2-security>
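The following Python example is added here to illustrate the rules described in this section; it is not Oracle's code and does not reproduce the OWSM agent. It parses a constructed, shortened http-oauth2-security assertion fragment and resolves each orawsp:Property to its effective value (a blank Value means the DefaultValue applies), derives the default scope from the service URL as address:port when scope is empty, refuses a non-HTTPS outbound transport, appends the client ID to the token request when set.client.id is true, and applies the subject.precedence/WSIdentityPermission rule before propagating a client-supplied user name. The orasp namespace URI, the port 443 fallback, the client_id query-parameter name, and the has_ws_identity_permission flag (standing in for the real permission check) are assumptions, and the sample assertion and URLs are constructed.

```python
# Added example, not Oracle's code: resolve the effective settings of an OWSM
# http-oauth2-security assertion and apply the rules described on this page.
# The assertion fragment is constructed and shortened; marked items are assumptions.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse

# orawsp: namespace as declared (as ns0) in the assertion on this page.
ORAWSP = "http://schemas.oracle.com/ws/2006/01/policy"
# orasp: namespace is an assumption (it is not shown on this page).
ORASP = "http://schemas.oracle.com/ws/2006/01/securitypolicy"
NS = {"orawsp": ORAWSP, "orasp": ORASP}

# Constructed fragment: subject.precedence and set.client.id keep their
# defaults, a csf-key is configured, scope is blank, and oracle.oauth2.service
# carries an explicit override of true.
SAMPLE_ASSERTION = f"""
<orasp:http-oauth2-security xmlns:orasp="{ORASP}" xmlns:orawsp="{ORAWSP}">
  <orasp:auth-header orasp:mechanism="oauth2"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:name="HttpOAuth2Config" orawsp:configType="declarative">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:type="string" orawsp:name="subject.precedence">
          <orawsp:Value/><orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:name="csf-key">
          <orawsp:Value>app-user-csf-key</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:name="set.client.id">
          <orawsp:Value/><orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:type="string" orawsp:name="scope">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:type="boolean" orawsp:name="oracle.oauth2.service">
          <orawsp:Value>true</orawsp:Value><orawsp:DefaultValue>false</orawsp:DefaultValue>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-oauth2-security>
"""


def effective_properties(assertion_xml):
    """Map property name -> effective value: a non-blank Value wins, a blank
    Value falls back to DefaultValue, and neither resolves to None."""
    root = ET.fromstring(assertion_xml)
    props = {}
    for prop in root.iterfind(".//orawsp:Property", NS):
        name = prop.get(f"{{{ORAWSP}}}name")
        value = prop.findtext("orawsp:Value", default="", namespaces=NS)
        default = prop.findtext("orawsp:DefaultValue", default="", namespaces=NS)
        props[name] = value.strip() or default.strip() or None
    return props


def require_https(service_url):
    """The policy refuses any outbound transport other than HTTPS."""
    if urlparse(service_url).scheme.lower() != "https":
        raise ValueError(f"refused: outbound transport must be HTTPS: {service_url}")
    return service_url


def resolve_scope(props, service_url):
    """Empty scope (the default) means the address:port part of the service URL."""
    if props.get("scope"):
        return props["scope"]
    parsed = urlparse(require_https(service_url))
    # Assumption: a URL without an explicit port maps to 443.
    return f"{parsed.hostname}:{parsed.port or 443}"


def token_request_url(token_uri, client_id, props):
    """With set.client.id=true the client ID is also sent as a query parameter
    of the access token request. The parameter name 'client_id' is an assumption."""
    if props.get("set.client.id") != "true":
        return token_uri
    sep = "&" if "?" in token_uri else "?"
    return token_uri + sep + urlencode({"client_id": client_id})


def identity_to_propagate(props, authenticated_subject, csf_username,
                          has_ws_identity_permission):
    """Identity-switch rule: with subject.precedence=false and a csf-key user
    name configured, the client application must hold
    oracle.wsm.security.WSIdentityPermission (modeled here as a boolean) before
    its supplied user name replaces the authenticated subject."""
    if props.get("subject.precedence") != "false" or not csf_username:
        return authenticated_subject
    if not has_ws_identity_permission:
        raise PermissionError("identity switch refused: WSIdentityPermission missing")
    return csf_username
```

The constructed fragment overrides oracle.oauth2.service explicitly, so the resolver does not depend on which default a given copy of the policy file carries; when you copy and edit the predefined policy, run the same resolution over your copy to confirm that subject.precedence still resolves to false and that the csf-key you configured is the only source of the switched user name.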
Settings
See Table 18-30.
Configuration Properties
See Table 18-27.