
2-66 Securing WebLogic Web Services for Oracle WebLogic Server

Example 2–17 shows the SAMLAttributeStatementDataHelper class, a helper class whose methods get the SAMLAttributeStatementData object.

Example 2–17 SAMLAttributeStatementDataHelper Helper Function

    package weblogic.wsee.security.saml;

    import weblogic.wsee.jaxws.framework.jaxrpc.SOAPMessageContext;
    import weblogic.wsee.jaxrpc.WLStub;
    import weblogic.wsee.jws.JwsContext;
    import weblogic.xml.crypto.wss.WSSecurityContext;
    import com.sun.xml.ws.api.message.Message;
    import com.sun.xml.ws.api.message.Packet;
    import com.sun.xml.ws.api.server.WSWebServiceContext;

    import javax.xml.ws.WebServiceContext;
    import javax.xml.rpc.handler.MessageContext;

    /**
     * Helper function to get the SAMLAttributeStatementData object
     */
    public class SAMLAttributeStatementDataHelper {

        // JAX-WS: read the attributes from the WS-Security context of the request packet.
        public static SAMLAttributeStatementData getSAMLAttributeStatementData(WebServiceContext context) {
            final Packet request = ((WSWebServiceContext) context).getRequestPacket();
            WSSecurityContext securityCtx = (WSSecurityContext) request.invocationProperties
                    .get(WSSecurityContext.WS_SECURITY_CONTEXT);
            SAMLAttributeStatementData samlAttributes = null;
            // Returns null when the request carries no WS-Security context.
            if ((securityCtx != null) && (securityCtx.getMessageContext() != null)) {
                samlAttributes = (SAMLAttributeStatementData) securityCtx.getMessageContext()
                        .getProperty(WLStub.SAML_ATTRIBUTES);
            }
            return samlAttributes;
        }

        public static SAMLAttributeStatementData getSAMLAttributeStatementData(JwsContext context) {
            MessageContext msgCtx = context.getMessageContext(); // this is for JAX-RPC
            SAMLAttributeStatementData attributes = (SAMLAttributeStatementData)
                    msgCtx.getProperty(WLStub.SAML_ATTRIBUTES);
            return attributes;
        }
    }

2.12 Associating a Web Service with a Security Configuration Other Than the Default

Many use cases previously discussed require you to use the Administration Console to create the default Web service security configuration called default_wss. After you create this configuration, it is applied to all Web services that either do not use the weblogic.jws.security.WssConfiguration JWS annotation or specify the annotation with no attribute.

There are some cases, however, in which you might want to associate a Web service with a security configuration other than the default; such use cases include specifying different timestamp values for different services.

To associate a Web service with a security configuration other than the default:

1. Create a Web service security configuration with a name that is not default_wss. See Create a Web Service Security Configuration in the Oracle WebLogic Server Administration Console Help.

2. Update your JWS file, adding the WssConfiguration annotation to specify the name of this security configuration. See weblogic.jws.security.WssConfiguration in the WebLogic Web Services Reference for Oracle WebLogic Server for additional information and an example.

3. Recompile and redeploy your Web service as part of the normal iterative development process. See Invoking Web Services in Getting Started With JAX-WS Web Services for Oracle WebLogic Server and Developing WebLogic Web Services in Getting Started With JAX-RPC Web Services for Oracle WebLogic Server.

2.13 Valid Class Names and Token Types for Credential Provider

When you create a security configuration, you need to supply the class name of the credential provider for this configuration. The valid class names and token types you can use are as follows:

■ weblogic.wsee.security.bst.ClientBSTCredentialProvider. The token type is x509.

■ weblogic.wsee.security.unt.ClientUNTCredentialProvider. The token type is ut.

■ weblogic.wsee.security.wssc.v13.sct.ClientSCCredentialProvider. The token type is sct.

■ weblogic.wsee.security.wssc.v200502.sct.ClientSCCredentialProvider. The token type is sct.

■ weblogic.wsee.security.saml.SAMLTrustCredentialProvider. The token type is saml.

Note: If you are going to package additional Web services in the same Web application, and these Web services also use the WssConfiguration annotation, then you must specify the same security configuration for each Web service. See weblogic.jws.security.WssConfiguration in the WebLogic Web Services Reference for Oracle WebLogic Server for more details.

Note: All Web services security configurations are required to specify the same password digest use. Inconsistent password digest use in different Web service security configurations will result in a runtime error.
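The following build-time check is an added example, not part of the Oracle documentation or of WebLogic Server. It reports which security configuration each JWS file in one Web application resolves to under the rules in section 2.12, and flags annotated services that disagree, as the first note above prohibits. The function names, file names and configuration names are assumptions made for illustration, and counting a bare annotation as default_wss when comparing is this example's interpretation.

```python
import re

DEFAULT_CONFIG = "default_wss"  # default configuration name, per section 2.12

# @WssConfiguration, @WssConfiguration("x") or @WssConfiguration(value="x"),
# optionally written with its weblogic.jws.security. package prefix.
ANNOTATION = re.compile(
    r'@(?:weblogic\.jws\.security\.)?WssConfiguration\b'
    r'(?:\s*\(\s*(?:value\s*=\s*)?(?:"(?P<name>[^"]*)")?\s*\))?')
# Naive comment stripping; enough when annotations sit on their own lines.
COMMENTS = re.compile(r'//[^\n]*|/\*.*?\*/', re.DOTALL)


def effective_config(jws_source):
    """Return (annotated, configuration name) for one JWS source text."""
    match = ANNOTATION.search(COMMENTS.sub("", jws_source))
    if match is None:
        return False, DEFAULT_CONFIG  # no annotation: default_wss applies
    # Annotation with no attribute also resolves to default_wss.
    return True, match.group("name") or DEFAULT_CONFIG


def check_web_app(sources):
    """sources maps file name -> JWS source for ONE Web application.

    Returns (configs, conflict). conflict maps each configuration name to the
    annotated files using it, and is empty unless those files disagree.
    """
    configs, by_name = {}, {}
    for path, text in sources.items():
        annotated, name = effective_config(text)
        configs[path] = name
        if annotated:
            by_name.setdefault(name, []).append(path)
    return configs, (by_name if len(by_name) > 1 else {})


# Constructed sample: three JWS files packaged in the same Web application.
SAMPLE_WEB_APP = {
    "OrdersImpl.java": '@WssConfiguration(value="short_timestamp_wss")\n'
                       'public class OrdersImpl {}',
    "BillingImpl.java": '@WssConfiguration\npublic class BillingImpl {}',
    "PingImpl.java": '// @WssConfiguration(value="old_wss")\n'
                     'public class PingImpl {}',
}

if __name__ == "__main__":
    configs, conflict = check_web_app(SAMPLE_WEB_APP)
    print(configs)
    print("conflict:", conflict or "none")
```

Run it once per Web application (one WAR), because the note's constraint applies to services packaged together.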

2.14 Using System Properties to Debug Message-Level Security