8-10 Oracle Fusion Middleware Security and Administrators Guide for Web Services Figure 8–7 Attachment Summary Page

9. Click Back to make any changes, or click Attach to complete the bulk attachment.

10. For ADF and WebCenter applications, restart the Web service application. You do not need to restart a SOA composite or a WebLogic Java EE Web service application. Validating Policy Subjects The type and number of assertions within a policy may be valid and, therefore, a policy may be internally consistent and valid. However, when more than one policy is attached to a policy subject, the combination of policies must also be valid. Specifically, the following must be true: ■ Only one MTOM policy can be attached to a policy subject. ■ Only one Reliable Messaging policy can be attached to a policy subject. ■ Only one WS-Addressing policy can be attached to a policy subject. ■ Only one Security policy with subtype authentication can be attached to a subject. ■ Only one Security policy with subtype sts-config can be attached to a subject. ■ Only one security policy with subtype authorization can be attached to a subject. Note: You need to wait approximately 30 seconds or the equivalent of the configured Graceful Shutdown Timeout time between stopping and restarting the application. During this time, the server is allowing all global transactions to complete before shutting down the application. If you do not wait the configured Graceful Shutdown Timeout time, then the application will not be restarted appropriately and you will not be able to access it. To avoid waiting the graceful shutdown timeout period, you can restart the application twice. Note: When you view a policy, only the major category, such as security, is displayed. To see the subtype such as authorization, see the Assertion Details section of the assertion template on which the policy is based. Note: There may be either one or two security policies attached to a policy subject. A security policy can contain an assertion that belongs to the authentication or message protection subtype categories, or an assertion that belongs to both subtype categories. The second security policy contains an assertion that belongs to the authorization subtype. Attaching Policies to Web Services 8-11 ■ If an authentication policy and an authorization policy are both attached to a policy subject, the authentication policy must precede the authorization policy. ■ If the policy requires a particular transport protocol for example, HTTP or HTTPS, it checks to see that the Web service uses the expected transport protocol. The check is done at run time. The run time automatically enforce STS-Trust configuration policies first and authorization policies last You cannot use policy subject validation to check the validity of multiple policy subjects when you use the bulk attachment feature. After you attach the policies to your subjects with this feature, you must validate each subject individually. To check for policy subject validation: 1. From the navigator pane, click the plus sign + for the Application Deployments folder to expose the applications in the farm, and select the application. The Application Deployment home page is displayed.

2. Using Fusion Middleware Control, click Application Deployment, then click Web

Services . This takes you to the Web Services summary page for your application. 3. In the Web Service Details section of the page, click on the plus + for the Web service to display the Web service ports if they are not already displayed. 4. Click the name of the port to navigate to the Web Service Endpoints page.

5. Click the Policies tab.

6. Click AttachDetach.

7. Click Validate.

If there is a validation error, a dialog box appears describing the error. Fix the error and do a policy subject validation again. Attaching Policies to Web Service Clients This section describes how to attach a policy to a Web service client, including SOA reference, ADF Data Control DC, and asynchronous Web service Callback clients. When using WLST to attach policies to a Web service client, the steps that you follow are the same for all Web service client types. The argument settings specify the type of client to which you are attaching the policy. Attaching Policies to Web Service Clients Using Fusion Middleware Control In Fusion Middleware Control, the steps you follow to attach a policy to a Web service client are the same for all Web service client types. However, how you navigate to the Note: The policy subject validation does not validate the XML schema of the policy. Therefore, if you manually edit the policy file, you must use another tool to check that the XML is valid. Note: Attaching Oracle WSM policies to WebLogic Java EE Web service clients is not supported.