Configuring Message-Level Security 2-111 print found exsiting bean for: + cpName Create credential provider for DK cpName=default_dk_cp wtm=defaultWss.lookupWebserviceCredentialProvidercpName if wtm == None: wtm = defaultWss.createWebserviceCredentialProvidercpName wtm.setClassNameweblogic.wsee.security.wssc.v13. dk.DKCredentialProvider wtm.setTokenTypedk cpm = wtm.createConfigurationPropertyLabel cpm.setValueWS-SecureConversationWS-SecureConversation cpm = wtm.createConfigurationPropertyLength cpm.setValue16 else: print found exsiting bean for: DK + cpName :

2.23.6 Revised configWss_Service.py

The configWss_Service.py script is similar to configWss.py, but it is used only when the source and destination Web service are hosted in two servers. The configWss_Service.py file is the same as that in WL_ HOME \samples\server\examples\src\examples\webservices\wsrm_ security\configWss_Service.py, with the changes shown in bold. The build.xml file provides the command input. Example 2–32 configWss_Service.py : Create credential provider for SCT cpName=default_sct_cp wtm=defaultWss.lookupWebserviceCredentialProvidercpName if wtm == None: print creating new webservice credential provider : + cpName wtm = defaultWss.createWebserviceCredentialProvidercpName wtm.setClassNameweblogic.wsee.security.wssc. v13.sct.ServerSCCredentialProvider wtm.setTokenTypesct cpm = wtm.createConfigurationPropertyTokenLifeTime cpm.setValue43200000 else: print found exsiting bean for: + cpName Create credential provider for DK cpName=default_dk_cp wtm=defaultWss.lookupWebserviceCredentialProvidercpName if wtm == None: wtm = defaultWss.createWebserviceCredentialProvidercpName wtm.setClassNameweblogic.wsee.security.wssc.v13.dk. DKCredentialProvider wtm.setTokenTypedk cpm = wtm.createConfigurationPropertyLabel cpm.setValueWS-SecureConversationWS-SecureConversation cpm = wtm.createConfigurationPropertyLength Note: Long lines in this script have been formatted for readability. 2-112 Securing WebLogic Web Services for Oracle WebLogic Server cpm.setValue16 else: print found existing bean for: DK + cpName :

2.23.7 Building and Running the Example

After you have changed the example to use the new policy namespace, follow the steps in the WL_ HOME \samples\server\examples\src\examples\webservices\wsrm_ security\instructions.html file to build and run the example. There are no changes needed to these steps.

2.24 Securing Web Services Atomic Transactions

When using Web services atomic transactions, as described in Using Web Services Atomic Transactions in Programming Advanced Features of JAX-WS Web Services for Oracle WebLogic Server, it is recommended that you secure the application message headers that contain the coordination context and IssuedTokens using one of the following predefined policies: ■ Wssp1.2-2007-SignAndEncryptWSATHeaders.xml—Specifies that the WS-AtomicTransaction headers are signed and encrypted. ■ Wssp1.2-2007-Wsp1.5-SignAndEncryptWSATHeaders.xml—Specifies that the WS-AtomicTransaction headers are signed and encrypted. Web Services Policy 1.5 is used. You can attach policies using one of the following methods: ■ At design time, using the Policy and Policies annotations, as described in Section 2.6, Example of Adding Security to a JAX-WS Web Service . ■ At deployment time, using the WebLogic Server Administration Console, as described in Section 2.10, Associating Policy Files at Runtime Using the Administration Console . The following example shows how to secure a Web services atomic transaction programmatically, using the Policy and Policies annotations. Relevant code is shown in bold. package jaxws.interop.rsp; ... import javax.jws.WebService; import javax.xml.ws.BindingType; import weblogic.wsee.wstx.wsat.Transactional; import weblogic.wsee.wstx.wsat.Transactional.TransactionalFlowType; Note: Because header encryption is available as part of the WS-Security 1.1 standard, it is highly recommended that you use only WS-Security 1.1 binding policies in conjunction with the policies listed above to secure the application request messages. WS-Security 1.1 binding policies contain sp:Wss11 assertion in the policy and -Wss1.1 in the predefined policy name. If WS-Security 1.0 policies are used, WebLogic Server encrypts the header into WS-Security 1.0 non-standard format.