WS-Security 1.0 Username and X509 Token Policies

2-74 Securing WebLogic Web Services for Oracle WebLogic Server

Table 2–6 (Cont.) Protection Assertion Policies

| Policy File | Description |
|---|---|
| Wssp1.2-2007-Sign-Wsa-Headers.xml | WS-Addressing headers are signed. |
| Wssp1.2-SignBody.xml | All message body parts are signed. |
| Wssp1.2-EncryptBody.xml | All message body parts are encrypted. |
| Wssp1.2-Sign-Wsa-Headers.xml | WS-Addressing headers are signed. |
| Wssp1.2-2007-SignAndEncryptWSATHeaders.xml | WS-AtomicTransaction headers are signed and encrypted. |
| Wssp1.2-2007-Wsp1.5-SignAndEncryptWSATHeaders.xml | WS-AtomicTransaction headers are signed and encrypted. Web Services Policy 1.5 is used. |

2.16.3 WS-Security 1.0 Username and X509 Token Policies

The following policies support the Username Token or X.509 Token specifications of WS-Security 1.0:

Table 2–7 WS-Security 1.0 Policies

| Policy File | Description |
|---|---|
| Wssp1.2-2007-Wss1.0-X509-Basic256.xml | Mutual authentication with X.509 certificates. The message is signed and encrypted on both request and response. The Basic256 algorithm should be used on both sides. |
| Wssp1.2-2007-Wss1.0-UsernameToken-Digest-X509-Basic256.xml | A username token with a digested password is sent in the request for authentication. The encryption method is Basic256. |
| Wssp1.2-2007-Wss1.0-UsernameToken-Plain-X509-Basic256.xml | A username token with a plain text password is sent in the request for authentication, signed with the client's private key and encrypted with the server's public key. The client also signs the request body and includes its public certificate, protected by the signature in the message. The server signs the response body with its private key and sends its public certificate in the message. Both request and response messages include signed timestamps. The encryption method is Basic256. |
| Wssp1.2-Wss1.0-UsernameToken-Plain-X509-Basic256.xml | A username token with a plain text password is sent in the request for authentication, signed with the client's private key and encrypted with the server's public key. The client also signs the request body and includes its public certificate, protected by the signature in the message. The server signs the response body with its private key and sends its public certificate in the message. Both request and response messages include signed timestamps. The encryption method is Basic256. |
| Wssp1.2-Wss1.0-UsernameToken-Plain-X509-TripleDesRsa15.xml | A username token with a plain text password is sent in the request for authentication, signed with the client's private key and encrypted with the server's public key. The client also signs the request body and includes its public certificate, protected by the signature in the message. The server signs the response body with its private key and sends its public certificate in the message. Both request and response messages include signed timestamps. The encryption method is TripleDes. |

Configuring Message-Level Security 2-75

2.16.4 WS-Security 1.1 Username and X509 Token Policies