2-44 Securing WebLogic Web Services for Oracle WebLogic Server
■ Additional WS-SecureConversation 1.3 policy files:
– Wssp1.2-Wssc1.3-Bootstrap-Https-BasicAuth.xml
– Wssp1.2-Wssc1.3-Bootstrap-Https-ClientCertReq.xml
It is recommended that you use the predefined files if you want to configure security contexts, because these security policy files provide most of the required functionality and typical default values. See Section 2.16.5, WS-SecureConversation Policies, for more information about these files.
Code or configure your application to use the policy through policy annotations, a policy attached to the application's WSDL, or runtime policy configuration.
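As an added example (not code from the Oracle documentation), the following JWS class attaches one of the predefined WS-SecureConversation 1.3 policy files listed above with the weblogic.jws.Policy annotation; the policy: prefix tells WebLogic to load the file from its predefined policy store rather than from the application archive. The class, operation, context path and service names are assumptions made for the example, and Wssp1.2-Wssc1.3-Bootstrap-Https-ClientCertReq.xml could be substituted for the BasicAuth file.

```java
package examples.webservices.wssc;

import javax.jws.WebMethod;
import javax.jws.WebService;
import weblogic.jws.Policy;
import weblogic.jws.WLHttpTransport;

// Added example, not Oracle code. The service names below are assumptions.
@WebService(name = "SecureConversationPortType",
            serviceName = "SecureConversationService")
@WLHttpTransport(contextPath = "wssc", serviceUri = "SecureConversationService")
// Predefined WS-SecureConversation 1.3 policy: the security context is
// bootstrapped over HTTPS with HTTP basic authentication.
@Policy(uri = "policy:Wssp1.2-Wssc1.3-Bootstrap-Https-BasicAuth.xml",
        direction = Policy.Direction.both,  // enforce on requests and responses
        attachToWsdl = true)                // publish the policy in the WSDL
public class SecureConversationServiceImpl {

  // Hypothetical operation; every call after the bootstrap exchange is
  // protected by the negotiated security context token.
  @WebMethod
  public String echo(String message) {
    return "echo: " + message;
  }
}
```

Because the policy is attached to the WSDL, a WebLogic client generated from that WSDL negotiates the security context automatically; the client still needs the credentials (here, a username and password) that the bootstrap policy requires.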
2.9.1 Specification Backward Compatibility
WebLogic Web services implement the Web Services Trust (WS-Trust) 1.3 and Web Services Secure Conversation (WS-SecureConversation) 1.3 specifications. Take note of the following differences from the WS-SecureConversation version of 02/2005:
■ The WS-SecureConversation 1.3 specification requires a token service to return wst:RequestedSecurityToken to the initiating party in response to a wst:RequestSecurityToken. One or more wst:RequestSecurityTokenResponse elements are contained within a single wst:RequestSecurityTokenResponseCollection. This differs from the previous version of the specification, in which the token service returned a bare wst:RequestSecurityTokenResponse. The token service can still return wst:RequestSecurityTokenResponse if the service policy specifies SC10SecurityContextToken, as described in the next bullet item.
■ The WS-SecurityPolicy 1.2 Errata document describes the following change to the SecureConversationToken assertion: sp:SC10SecurityContextToken changes to sp:SC13SecurityContextToken. sp:SC10SecurityContextToken continues to be supported only when used with the WS-SecureConversation version of 02/2005.
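The two response shapes contrasted in the first bullet, as an added example that is not part of the Oracle documentation: a small reader that accepts a WS-Trust 1.3 wst:RequestSecurityTokenResponseCollection as well as a bare 02/2005 wst:RequestSecurityTokenResponse and returns the token element carried in each wst:RequestedSecurityToken. The namespace URIs are those of the two specification versions; the sample responses in main are constructed for the example and the token identifiers are made up.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

// Added example, not Oracle code: extracts the token element(s) a security
// token service returned, whether the response uses the WS-Trust 1.3
// collection form or the 02/2005 single-RSTR form.
public class TokenResponseReader {

  // Namespace URIs of the two WS-Trust versions contrasted in the text.
  static final String WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
  static final String WST05 = "http://schemas.xmlsoap.org/ws/2005/02/trust";

  // Returns the element wrapped by each wst:RequestedSecurityToken, in document order.
  public static List<Element> requestedTokens(String responseXml) throws Exception {
    Element root = parse(responseXml).getDocumentElement();
    String ns = root.getNamespaceURI();
    String name = root.getLocalName();
    List<Element> tokens = new ArrayList<>();

    if (WST13.equals(ns) && "RequestSecurityTokenResponseCollection".equals(name)) {
      // WS-Trust 1.3: one or more RSTRs inside a single collection.
      for (Element rstr : children(root, WST13, "RequestSecurityTokenResponse")) {
        tokens.add(requestedToken(rstr, WST13));
      }
    } else if (WST05.equals(ns) && "RequestSecurityTokenResponse".equals(name)) {
      // 02/2005: the token service returns a bare RSTR.
      tokens.add(requestedToken(root, WST05));
    } else {
      throw new IllegalArgumentException("Unexpected top-level element {" + ns + "}" + name);
    }
    if (tokens.isEmpty()) {
      throw new IllegalArgumentException("Collection contains no wst:RequestSecurityTokenResponse");
    }
    return tokens;
  }

  // An RSTR must carry exactly one wst:RequestedSecurityToken wrapping one token element.
  private static Element requestedToken(Element rstr, String ns) {
    List<Element> wrappers = children(rstr, ns, "RequestedSecurityToken");
    if (wrappers.size() != 1) {
      throw new IllegalArgumentException("Expected one wst:RequestedSecurityToken, found " + wrappers.size());
    }
    List<Element> inner = children(wrappers.get(0), null, null);
    if (inner.size() != 1) {
      throw new IllegalArgumentException("wst:RequestedSecurityToken must wrap exactly one element");
    }
    return inner.get(0);
  }

  // Direct child elements of parent; a null namespace or name matches anything.
  private static List<Element> children(Element parent, String ns, String name) {
    List<Element> out = new ArrayList<>();
    NodeList nodes = parent.getChildNodes();
    for (int i = 0; i < nodes.getLength(); i++) {
      Node n = nodes.item(i);
      if (n.getNodeType() != Node.ELEMENT_NODE) continue;
      if (ns != null && !ns.equals(n.getNamespaceURI())) continue;
      if (name != null && !name.equals(n.getLocalName())) continue;
      out.add((Element) n);
    }
    return out;
  }

  // Namespace-aware parser with DTDs disabled so a hostile token service cannot use XXE.
  private static Document parse(String xml) throws Exception {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    return dbf.newDocumentBuilder().parse(
        new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample responses for this example, not captured from a real server.
    String sct = "<wsc:SecurityContextToken xmlns:wsc='%s'><wsc:Identifier>urn:uuid:example-%d"
        + "</wsc:Identifier></wsc:SecurityContextToken>";
    String rstrc = "<wst:RequestSecurityTokenResponseCollection xmlns:wst='" + WST13 + "'>"
        + "<wst:RequestSecurityTokenResponse><wst:RequestedSecurityToken>"
        + String.format(sct, "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512", 1)
        + "</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>"
        + "</wst:RequestSecurityTokenResponseCollection>";
    String rstr = "<wst:RequestSecurityTokenResponse xmlns:wst='" + WST05 + "'>"
        + "<wst:RequestedSecurityToken>"
        + String.format(sct, "http://schemas.xmlsoap.org/ws/2005/02/sc", 2)
        + "</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>";
    for (Element t : requestedTokens(rstrc)) System.out.println("1.3 token: " + t.getLocalName());
    for (Element t : requestedTokens(rstr)) System.out.println("02/2005 token: " + t.getLocalName());
  }
}
```

The reader keys on the namespace URI rather than on the element prefix, so a response that mixes the 1.3 collection wrapper with a 02/2005 RSTR inside it is rejected rather than silently accepted; that is the check to keep if you ever relax the version handling.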
2.9.2 WS-SecureConversation and Clusters
WS-SecureConversation is pinned to a particular WebLogic Server instance in the cluster. If a SecureConversation request lands on the wrong server, it is automatically rerouted to the correct server. If the server instance hosting the WS-SecureConversation fails, the SecureConversation is not available until that server instance is brought up again.
Note: If you deploy a Web service that uses shared security contexts to a cluster, you must also configure cross-cluster session state replication. For details, see Failover and Replication in a Cluster in Using Clusters for Oracle WebLogic Server.
2.9.3 Updating a Client Application to Negotiate Security Contexts