2-74 Securing WebLogic Web Services for Oracle WebLogic Server
Table 2–6 (Cont.) Protection Assertion Policies

| Policy File | Description |
|---|---|
| Wssp1.2-2007-Sign-Wsa-Headers.xml | WS-Addressing headers are signed. |
| Wssp1.2-SignBody.xml | All message body parts are signed. |
| Wssp1.2-EncryptBody.xml | All message body parts are encrypted. |
| Wssp1.2-Sign-Wsa-Headers.xml | WS-Addressing headers are signed. |
| Wssp1.2-2007-SignAndEncryptWSATHeaders.xml | WS-AtomicTransaction headers are signed and encrypted. |
| Wssp1.2-2007-Wsp1.5-SignAndEncryptWSATHeaders.xml | WS-AtomicTransaction headers are signed and encrypted. Web Services Policy 1.5 is used. |

2.16.3 WS-Security 1.0 Username and X509 Token Policies

The following policies support the Username Token or X.509 Token specifications of WS-Security 1.0:

Table 2–7 WS-Security 1.0 Policies

| Policy File | Description |
|---|---|
| Wssp1.2-2007-Wss1.0-X509-Basic256.xml | Mutual Authentication with X.509 Certificates. The message is signed and encrypted on both request and response. The Basic256 algorithm should be used on both sides. |
| Wssp1.2-2007-Wss1.0-UsernameToken-Digest-X509-Basic256.xml | Username token with digested password is sent in the request for authentication. The encryption method is Basic256. |
| Wssp1.2-2007-Wss1.0-UsernameToken-Plain-X509-Basic256.xml | Username token with plain text password is sent in the request for authentication, signed with the client's private key and encrypted with the server's public key. The client also signs the request body and includes its public certificate, protected by the signature in the message. The server signs the response body with its private key and sends its public certificate in the message. Both request and response messages include signed time stamps. The encryption method is Basic256. |
| Wssp1.2-Wss1.0-UsernameToken-Plain-X509-Basic256.xml | Username token with plain text password is sent in the request for authentication, signed with the client's private key and encrypted with the server's public key. The client also signs the request body and includes its public certificate, protected by the signature in the message. The server signs the response body with its private key and sends its public certificate in the message. Both request and response messages include signed time stamps. The encryption method is Basic256. |
| Wssp1.2-Wss1.0-UsernameToken-Plain-X509-TripleDesRsa15.xml | Username token with plain text password is sent in the request for authentication, signed with the client's private key and encrypted with the server's public key. The client also signs the request body and includes its public certificate, protected by the signature in the message. The server signs the response body with its private key and sends its public certificate in the message. Both request and response messages include signed time stamps. The encryption method is TripleDes. |
Configuring Message-Level Security 2-75
2.16.4 WS-Security 1.1 Username and X509 Token Policies