Configuring Message-Level Security 2-9

2.4.3 Updating the JWS File with Policy and Policies Annotations

Use the Policy and Policies annotations in your JWS file to specify that the Web service has one or more policy files attached to it. You can use these annotations at either the class or method level. See Section 2.4.3.4, Loading a Policy From the CLASSPATH for an additional policy option. This release also support the SecurityPolicy annotation that is used for integrating Oracle Web Services Manager WSM WS-Security policies into the WebLogic Server environment, as described in Appendix A, Using Oracle Web Services Manager Security Policies . The Policies annotation simply groups two or more Policy annotations together. Use the Policies annotation if you want to attach two or more policy files to the class or method. If you want to attach just one policy file, you can use Policy on its own. The Policy annotation specifies a single policy file, where it is located, whether the policy applies to the request or response SOAP message or both, and whether to attach the policy file to the public WSDL of the service.

2.4.3.1 Setting the uri Attribute

Use the uri attribute to specify the location of the policy file, as described below: ■ To specify one of the predefined security policy files that are installed with WebLogic Server, use the policy: prefix and the name of one of the policy files, as shown in the following example: Policyuri=policy:Wssp1.2-2007-Https-BasicAuth.xml If you use the predefined policy files, you do not have to create one yourself or package it in an accessible location. For this reason, Oracle recommends that you use the predefined policy files whenever you can. See Section 2.3, Using Policy Files for Message-Level Security Configuration for information on the various types of message-level security provided by the predefined policy files. ■ To specify a user-created policy file, specify the path relative to the location of the JWS file along with its name, as shown in the following example: Policyuri=..policiesMyPolicy.xml In the example, the MyPolicy.xml file is located in the policies sibling directory of the one that contains the JWS file. ■ You can also specify a policy file that is located in a shared J2EE library; this method is useful if you want to share the file amongst multiple Web services packaged in different J2EE archives. Note: If you specify a transport-level security policy for your Web service, it must be at the class level. In addition, the transport-level security policy must apply to both the inbound and outbound directions. That is, you cannot have HTTPS for inbound and HTTP for outbound. 2-10 Securing WebLogic Web Services for Oracle WebLogic Server To specify a policy file in a shared J2EE library, use the policy prefix and then the name of the policy file, as shown in the following example: Policyuri=policy:MySharedPolicy.xml See Creating Shared Java EE Libraries and Optional Packages in Developing Applications for Oracle WebLogic Server for information on creating shared libraries and setting up your environment so the Web service can find the shared policy files.

2.4.3.2 Setting Additional Attributes