Attaching Policies to Web Services 8-3 3. Use the listWebServicePorts command to display the port name and endpoint URL for a Web service. listWebServicePortsapplication,moduleOrCompName,moduleType,serviceName For example, to display the port for the WsdlConcreteService: wls:wls-domainserverConfig listWebServicePortswls-domainAdminServerjaxwsejb30ws, jaxwsejb,web,WsdlConcreteService WsdlConcretePort http:host.us.oracle.com:7001jaxwsejbWsdlAbstract 4. Use the listWebServicePolicies command to view the policies that are attached to a Web service port. listWebServicePoliciesapplication,moduleOrCompName,moduleType,serviceName,subj ectName For example, to view the policies attached to the WsdlConcretePort port and any policy override settings: wls:wls_domainserverConfig listWebServicePolicieswls_ domainAdminServerjaxwsejb30ws, jaxwsejb,web,WsdlConcreteService,WsdlConcretePort WsdlConcretePort : addressing : oraclewsaddr_policy , enabled=true management : oraclelog_policy , enabled=true security : oraclewss_username_token_service_policy, enabled=true Attached policy or policies are valid; endpoint is secure. Attaching Policies to Web Services The following sections describe how to attach policies to a single subject, to multiple subjects bulk attachment, and to validate the subject once policies are attached: ■ Attaching a Policy to a Single Subject on page 8-3 ■ Attaching a Policy to Multiple Subjects Bulk Attachment on page 8-8 ■ Validating Policy Subjects on page 8-10 Attaching a Policy to a Single Subject A subject is an entity to which a policy can be associated. You can attach one or more policies to a subject. The order in which policies are attached to a subject or appear in the list of attached polices does not determine the order in which policies are executed. As a message is passed between the client and the Web service, the order of the interceptors in the policy interceptor chain determines the order in which the policies are executed. See How Policies are Executed on page 3-8 for more information. Note: Policy attachment is not synchronized automatically for SOA, ADF, and WebCenter services in a cluster. When using SOA, ADF, and WebCenter services in a cluster, you must attach andor detach policies to each instance of the cluster. This issue does not apply to WebLogic Java EE Web services and SOA composite services. 8-4 Oracle Fusion Middleware Security and Administrators Guide for Web Services Attaching a Policy to a Web Service Using Fusion Middleware Control Follow this procedure to attach a policy to a single Web service endpoint. See Attaching a Policy to Multiple Subjects Bulk Attachment to attach a policy to multiple Web services at the same time. To attach a policy to a Web service:

1. Navigate to the home page for the Web service, as described in

Navigating to the Web Services Summary Page for an Application on page 6-4. 2. In the Web Service Details section of the page, click on the plus + for the Web service to display the Web service endpoints, if they are not already displayed.

3. Click the name of a endpoint to navigate to the Web Service Endpoints page for a

particular Web service.

4. Click the OWSM Policies tab.

The policies that are already globally and directly attached to the endpoint are displayed as shown in Figure 8–1 .

5. Click AttachDetach.

6. Select a policy from the Available Policies list, and click Attach. See

Figure 8–3 . Figure 8–3 Attaching Policies to a Web Service Note: For WebLogic Java EE Web services policy attachment using Fusion Middleware Control: ■ Only Oracle WSM security policies can be attached. ■ Oracle WSM policies and WebLogic Web Service policies cannot be attached to the same endpoint. If a WebLogic Java EE endpoint has WebLogic polices attached, you cannot attach Oracle WSM security policies using Fusion Middleware Control. Note that WebLogic policies can be attached using the WebLogic Server Administration Console. You cannot attach WebLogic policies using Fusion Middleware Control. Attaching Policies to Web Services 8-5

7. To view details about a policy, select the policy and click the View Detail icon. A

pop-up window provides a full read-only description of the policy and lists the assertions that it contains. See Figure 8–4 . Click OK when you are finished reviewing the details of the policy. Figure 8–4 Viewing Details about a Policy

8. Continue selecting and attaching policies. When you are finished, click Validate to

verify that the combination of policies selected are valid.

9. Click OK.

10. The Web Service Endpoint page now displays the attached policy on the OWSM

Policies tab.

11. For ADF and WebCenter applications, restart the Web service application. You do

not need to restart a SOA composite or a WebLogic Java EE Web service application. Attaching a Policy to a Web Service Using WLST Use the following procedure to attach or detach a single policy, or multiple policies, to a single Web service port using WLST. Note: If you directly attach a policy that contains an assertion with the same category as a policy that is attached globally using a policy set, the globally attached policy is overridden by the directly attached policy. In this case, the globally attached policy is no longer in effect, and is not displayed in the list of policies attached to the endpoint. For more information about effective policies, see Calculating the Effective Set of Policies on page 9-22. Note: You need to wait approximately 30 seconds or the equivalent of the configured Graceful Shutdown Timeout time between stopping and restarting the application. During this time, the server is allowing all global transactions to complete before shutting down the application. If you do not wait the configured Graceful Shutdown Timeout time, then the application will not be restarted appropriately and you will not be able to access it. To avoid waiting the graceful shutdown timeout period, you can restart the application twice. 8-6 Oracle Fusion Middleware Security and Administrators Guide for Web Services 1. View the list of policies currently attached to the port as described in Using WLST in Viewing the Policies That are Attached to a Web Service on page 8-1. 2. View the list of available policies as described in Displaying a List of the Available Policies Using WLST on page 7-2. 3. To attach policies, do one of the following: ■ Use the attachWebServicePolicy command to attach a single policy to a Web service port. Specify the policy to be attached using the policyURI argument. If you specify a policy that is already attached or exists, then this command enables the policy if it is disabled. attachWebServicePolicyapplication, moduleOrCompName, moduleType, serviceName, subjectName, policyURI, [subjectType=None] For example, to attach the policy oraclewss_username_token_ service_policy to the WsdlConcretePort of the WsdlConcreteService, use the following command: wls:wls_domainserverConfig attachWebServicePolicywls_ domainAdminServerjaxwsejb30ws, jaxwsejb,web,WsdlConcreteService,WsdlConcretePort, oraclewss_username_token_service_policy ■ Use the attachWebServicePolicies command to attach multiple policies to a Web service port. Specify the policies to be attached using the policyURIs argument. If any of the policies that you specify in this command are already attached, then this command enables the policies that are already attached if they are disabled, and attaches the others. attachWebServicePoliciesapplication, moduleOrCompName, moduleType, serviceName, subjectName, policyURIs, [subjectType=None] For example, to attach the policies oraclewss_username_token_ service_policy and oraclewsrm10_policyto the WsdlConcretePort of the WsdlConcreteService, use the following command: wls:wls_domainserverConfig attachWebServicePolicieswls_ domainAdminServerjaxwsejb30ws, jaxwsejb,web,WsdlConcreteService,WsdlConcretePort, [oraclewss_username_token_service_policy,oraclewsrm10_policy] Please restart application to uptake the policy changes. Note: This procedure applies to Oracle Infrastructure Web services only.