2-72 Securing WebLogic Web Services for Oracle WebLogic Server
2.16 Using WS-SecurityPolicy 1.2 Policy Files
WebLogic Server includes a number of WS-SecurityPolicy files you can use in most Web services applications. The policy files are located in MW_HOME/WL_HOME/server/lib/weblogic.jar. Within weblogic.jar, the policy files are located in weblogic/wsee/policy/runtime.

There are two sets of these policies. In most cases they perform identical functions, but the policies use different namespaces. The first set has a prefix of Wssp1.2-2007-. These security policy files conform to the OASIS WS-SecurityPolicy 1.2 specification and have the following namespace:

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

The second set carries over from WebLogic Server version 10.0 and has the prefix Wssp1.2-:

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512">

Oracle recommends that you use the new policy namespace, because those are the official namespaces from the OASIS standard and they interoperate better with other vendors' implementations. The old policies with the Wssp1.2- prefix are mainly for users who want to interoperate with existing applications that already use this version of the policies.
The following sections describe the available WS-SecurityPolicy 1.2 policy files:
■ Section 2.16.1, Transport-Level Policies
■ Section 2.16.2, Protection Assertion Policies
■ Section 2.16.3, WS-Security 1.0 Username and X509 Token Policies
■ Section 2.16.4, WS-Security 1.1 Username and X509 Token Policies
■ Section 2.16.5, WS-SecureConversation Policies
■ Section 2.16.6, SAML Token Profile Policies

In addition, see Section 2.17, Choosing a Policy and Section 2.21.2, Configuring Smart Policy Selection for information about how to choose the best security policy approach for your Web services implementation and for information about WS-SecurityPolicy 1.2 elements that are not supported in this release of WebLogic Server.
2.16.1 Transport-Level Policies
These policies require use of the https protocol to access WSDL and invoke Web services operations:
Note: If you specify a transport-level security policy for your Web service, it must be at the class level. In addition, the transport-level security policy must apply to both the inbound and outbound directions. That is, you cannot have HTTPS for inbound and HTTP for outbound.

Table 2–5 Transport Level Policies

Policy File: Description

Wssp1.2-2007-Https.xml: One way SSL.

Wssp1.2-2007-Https-BasicAuth.xml: One way SSL with Basic Authentication. A 401 challenge occurs if the Authorization header is not present in the request.

Wssp1.2-2007-Https-ClientCertReq.xml: Two way SSL. The recipient checks for the initiator's public certificate. Note that the client certificate can be used for authentication. Set Two Way Client Cert Behavior to Client Certs Requested But Not Enforced. See "Configure two-way SSL" in Oracle WebLogic Server Administration Console Help for information on how to do this.

Wssp1.2-2007-Https-UsernameToken-Digest.xml: One way SSL with digest Username Token.

Wssp1.2-2007-Https-UsernameToken-Plain.xml: One way SSL with plain text Username Token.

Wssp1.2-Https.xml: One way SSL.

Wssp1.2-Https-BasicAuth.xml: One way SSL with Basic Authentication. A 401 challenge occurs if the Authorization header is not present in the request.

Wssp1.2-Https-UsernameToken-Digest.xml: One way SSL with digest Username Token.

Wssp1.2-Https-UsernameToken-Plain.xml: One way SSL with plain text Username Token.

Wssp1.2-Https-ClientCertReq.xml: Two way SSL. The recipient checks for the initiator's public certificate. Note that the client certificate can be used for authentication.

2.16.2 Protection Assertion Policies
Protection assertions are used to identify what is being protected and the level of protection provided. Protection assertion policies cannot be used alone; they should be used only in combination with X.509 Token Policies. For example, you might use Wssp1.2-2007-Wss1.1-X509-Basic256.xml together with Wssp1.2-2007-SignBody.xml. The following policy files provide for the protection of message parts by signing or encryption:

Table 2–6 Protection Assertion Policies

Policy File: Description

Wssp1.2-2007-SignBody.xml: All message body parts are signed.

Wssp1.2-2007-EncryptBody.xml: All message body parts are encrypted.
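As an added example, not taken from the Oracle documentation, the following Python audit applies two points made in this section: it reads the sp namespace a policy document actually declares to tell the Wssp1.2-2007- (OASIS 200702) set from the legacy Wssp1.2- (200512) set, and it flags a protection assertion policy (SignBody/EncryptBody) that is attached without any X509 token policy alongside it. The policy documents embedded below are constructed and heavily abbreviated stand-ins for the real files in weblogic.jar, and policy_set() and audit() are helper names assumed for this example, not WebLogic APIs.

```python
import xml.etree.ElementTree as ET

# Namespaces quoted in the section above.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP_2007 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"   # Wssp1.2-2007-* set
SP_LEGACY = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512"  # Wssp1.2-* set


def _tags(policy_xml):
    """Yield (namespace, local name) for every element of a wsp:Policy document."""
    root = ET.fromstring(policy_xml)
    if root.tag != "{%s}Policy" % WSP:
        raise ValueError("not a wsp:Policy document")
    for elem in root.iter():
        ns, _, local = elem.tag[1:].partition("}") if elem.tag.startswith("{") else ("", "", elem.tag)
        yield ns, local


def policy_set(policy_xml):
    """Classify by the sp namespace that is declared, not by the file name prefix."""
    namespaces = {ns for ns, _ in _tags(policy_xml)}
    if SP_2007 in namespaces:
        return "2007"
    if SP_LEGACY in namespaces:
        return "legacy"
    return "unknown"


def audit(attached):
    """attached maps policy file name -> policy XML for one Web service; returns findings."""
    findings = []
    has_x509 = any(local == "X509Token" for xml in attached.values() for _, local in _tags(xml))
    for name, xml in attached.items():
        local_names = {local for _, local in _tags(xml)}
        if policy_set(xml) == "legacy":
            findings.append(f"{name}: uses the 200512 namespace; prefer the Wssp1.2-2007- policies")
        # SignedParts/EncryptedParts alone say what to protect but not with which token.
        if local_names & {"SignedParts", "EncryptedParts"} and not has_x509:
            findings.append(f"{name}: protection assertion attached without an X509 token policy")
    return findings


# Constructed, abbreviated sample policies (assumptions for this example only).
SIGN_BODY = (f'<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP_2007}">'
             '<sp:SignedParts><sp:Body/></sp:SignedParts></wsp:Policy>')
X509_LEGACY = (f'<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP_LEGACY}">'
               '<sp:AsymmetricBinding><sp:X509Token/></sp:AsymmetricBinding></wsp:Policy>')

if __name__ == "__main__":
    print(audit({"Wssp1.2-2007-SignBody.xml": SIGN_BODY}))
    print(audit({"Wssp1.2-2007-SignBody.xml": SIGN_BODY, "legacy-x509-example.xml": X509_LEGACY}))
```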
2.16.3 WS-Security 1.0 Username and X509 Token Policies