
2-72 Securing WebLogic Web Services for Oracle WebLogic Server

2.16 Using WS-SecurityPolicy 1.2 Policy Files

WebLogic Server includes a number of WS-SecurityPolicy files you can use in most Web services applications. The policy files are located in MW_HOME/WL_HOME/server/lib/weblogic.jar. Within weblogic.jar, the policy files are located in weblogic/wsee/policy/runtime. There are two sets of these policies. In most cases they perform identical functions, but the policies use different namespaces.

The first set has a prefix of Wssp1.2-2007-. These security policy files conform to the OASIS WS-SecurityPolicy 1.2 specification and have the following namespace:

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

The second set carries over from WebLogic Server version 10.0 and has the prefix Wssp1.2-:

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512">

Oracle recommends that you use the new policy namespace, because these are the official namespaces from the OASIS standards and they will perform better when interoperating with other vendors. The old policies with the prefix Wssp1.2- are mainly for users who want to interoperate with existing applications that already use this version of the policies.

The following sections describe the available WS-SecurityPolicy 1.2 policy files:

■ Section 2.16.1, Transport-Level Policies
■ Section 2.16.2, Protection Assertion Policies
■ Section 2.16.3, WS-Security 1.0 Username and X509 Token Policies
■ Section 2.16.4, WS-Security 1.1 Username and X509 Token Policies
■ Section 2.16.5, WS-SecureConversation Policies
■ Section 2.16.6, SAML Token Profile Policies

In addition, see Section 2.17, Choosing a Policy, and Section 2.21.2, Configuring Smart Policy Selection, for information about how to choose the best security policy approach for your Web services implementation and for information about WS-SecurityPolicy 1.2 elements that are not supported in this release of WebLogic Server.

2.16.1 Transport-Level Policies

These policies require use of the https protocol to access WSDL and invoke Web services operations:

Note: If you specify a transport-level security policy for your Web service, it must be at the class level. In addition, the transport-level security policy must apply to both the inbound and outbound directions. That is, you cannot have HTTPS for inbound and HTTP for outbound.

Table 2–5 Transport Level Policies

Policy File                                   Description
Wssp1.2-2007-Https.xml                        One way SSL.
Wssp1.2-2007-Https-BasicAuth.xml              One way SSL with Basic Authentication. A 401 challenge occurs if the Authorization header is not present in the request.
Wssp1.2-2007-Https-ClientCertReq.xml          Two way SSL. The recipient checks for the initiator's public certificate. Note that the client certificate can be used for authentication. Set Two Way Client Cert Behavior to "Client Certs Requested But Not Enforced". See "Configure two-way SSL" in Oracle WebLogic Server Administration Console Help for information on how to do this.
Wssp1.2-2007-Https-UsernameToken-Digest.xml   One way SSL with digest Username Token.
Wssp1.2-2007-Https-UsernameToken-Plain.xml    One way SSL with plain text Username Token.
Wssp1.2-Https.xml                             One way SSL.
Wssp1.2-Https-BasicAuth.xml                   One way SSL with Basic Authentication. A 401 challenge occurs if the Authorization header is not present in the request.
Wssp1.2-Https-UsernameToken-Digest.xml        One way SSL with digest Username Token.
Wssp1.2-Https-UsernameToken-Plain.xml         One way SSL with plain text Username Token.
Wssp1.2-Https-ClientCertReq.xml               Two way SSL. The recipient checks for the initiator's public certificate. Note that the client certificate can be used for authentication.

2.16.2 Protection Assertion Policies

Protection assertions are used to identify what is being protected and the level of protection provided. Protection assertion policies cannot be used alone; they should be used only in combination with X.509 Token Policies. For example, you might use Wssp1.2-2007-Wss1.1-X509-Basic256.xml together with Wssp1.2-2007-SignBody.xml. The following policy files provide for the protection of message parts by signing or encryption:

Table 2–6 Protection Assertion Policies

Policy File                      Description
Wssp1.2-2007-SignBody.xml        All message body parts are signed.
Wssp1.2-2007-EncryptBody.xml     All message body parts are encrypted.
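The following is an added example, not Oracle's code and not the contents of the policy files shipped in weblogic.jar. It shows two checks a practitioner might script before attaching policies to a service: classifying a wsp:Policy document by the WS-SecurityPolicy namespace it uses (the 200702 namespace of the Wssp1.2-2007- set versus the 200512 namespace of the Wssp1.2- set) and summarising which protection it asserts, and then, by file name alone, flagging a SignBody or EncryptBody policy attached without an X.509 token policy, or a mix of the two policy sets. The three policy snippets are constructed, minimal stand-ins that use the standard sp:SignedParts, sp:EncryptedParts and sp:TransportBinding assertions; the name-prefix rule and the "X509 in the file name" heuristic are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy"
# Namespace used by the Wssp1.2-2007-* files (OASIS WS-SecurityPolicy 1.2)
SP_2007_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
# Namespace used by the older Wssp1.2-* files carried over from WebLogic Server 10.0
SP_2005_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512"

# Constructed, minimal stand-ins for policy documents. They are NOT the files
# shipped in weblogic.jar, only the shape of a wsp:Policy with one sp:* assertion.
SIGN_BODY_2007 = """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s">
  <sp:SignedParts><sp:Body/></sp:SignedParts>
</wsp:Policy>""" % (WSP_NS, SP_2007_NS)

ENCRYPT_BODY_2005 = """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s">
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
</wsp:Policy>""" % (WSP_NS, SP_2005_NS)

HTTPS_2007 = """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s">
  <sp:TransportBinding><wsp:Policy>
    <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
  </wsp:Policy></sp:TransportBinding>
</wsp:Policy>""" % (WSP_NS, SP_2007_NS)


def sp_namespace(policy_xml):
    """Return the WS-SecurityPolicy namespace used by the document's sp:* assertions.

    Raises ValueError if the root is not wsp:Policy or no sp:* assertion is present.
    """
    root = ET.fromstring(policy_xml)
    if root.tag != "{%s}Policy" % WSP_NS:
        raise ValueError("root element is not wsp:Policy")
    for el in root.iter():
        for ns in (SP_2007_NS, SP_2005_NS):
            if el.tag.startswith("{%s}" % ns):
                return ns
    raise ValueError("no WS-SecurityPolicy assertion found")


def describe_protection(policy_xml):
    """Summarise what a policy protects: the message body (signed/encrypted) or the transport."""
    root = ET.fromstring(policy_xml)
    ns = sp_namespace(policy_xml)
    q = lambda local: "{%s}%s" % (ns, local)   # qualify a local name in the detected namespace
    return {
        "namespace": "2007" if ns == SP_2007_NS else "2005",
        "signed_body": root.find(".//%s/%s" % (q("SignedParts"), q("Body"))) is not None,
        "encrypted_body": root.find(".//%s/%s" % (q("EncryptedParts"), q("Body"))) is not None,
        "transport": root.find(".//%s" % q("TransportBinding")) is not None,
    }


# Protection assertion policies from Table 2-6; they must be paired with an X.509 token policy.
PROTECTION_ONLY = {"SignBody.xml", "EncryptBody.xml"}


def policy_set(name):
    """Classify a policy file name by its prefix (assumed rule): ('2007' | '2005' | None, remainder)."""
    if name.startswith("Wssp1.2-2007-"):          # check the longer prefix first
        return "2007", name[len("Wssp1.2-2007-"):]
    if name.startswith("Wssp1.2-"):
        return "2005", name[len("Wssp1.2-"):]
    return None, name


def check_attached_policies(names):
    """Return warnings for the list of policy file names attached to one Web service."""
    warnings = []
    sets = set()
    has_x509 = False
    has_protection = False
    for name in names:
        which, rest = policy_set(name)
        if which is None:
            warnings.append("%s is not a Wssp1.2 policy file" % name)
            continue
        sets.add(which)
        if "X509" in rest:                       # heuristic: X.509 token policies carry X509 in the name
            has_x509 = True
        if rest in PROTECTION_ONLY:
            has_protection = True
    if has_protection and not has_x509:
        warnings.append("SignBody/EncryptBody used without an X.509 token policy")
    if len(sets) > 1:
        warnings.append("policies from both the Wssp1.2-2007- and Wssp1.2- sets are mixed")
    return warnings


if __name__ == "__main__":
    for doc in (SIGN_BODY_2007, ENCRYPT_BODY_2005, HTTPS_2007):
        print(describe_protection(doc))
    print(check_attached_policies(["Wssp1.2-2007-SignBody.xml"]))
    print(check_attached_policies(["Wssp1.2-2007-Wss1.1-X509-Basic256.xml",
                                   "Wssp1.2-2007-SignBody.xml"]))
```

The namespace check is the more robust of the two, because it inspects the policy document itself rather than trusting a file name; the name-based check is only a quick guard for the pairing rule stated above and for accidentally mixing the two policy sets.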

2.16.3 WS-Security 1.0 Username and X509 Token Policies