2-26 Securing WebLogic Web Services for Oracle WebLogic Server if debug { e.printStackTrace; } } } }

2.7 Creating and Using a Custom Policy File

Although WebLogic Server includes a number of predefined Web services security policy files that typically satisfy the security needs of most programmers, you can also create and use your own WS-SecurityPolicy file if you need additional configuration. See Section 2.3, Using Policy Files for Message-Level Security Configuration for general information about security policy files and how they are used for message-level security configuration. When you create a custom policy file, you can separate out the three main security categories authentication, encryption, and signing into three separate policy files, as do the predefined files, or create a single policy file that contains all three categories. You can also create a custom policy file that changes just one category such as authentication and use the predefined files for the other categories Wssp1.2-2007-SignBody.xml, Wssp1.2-SignBody.xml and Wssp1.2-2007-EncryptBody, Wssp1.2-EncryptBody. In other words, you can mix and match the number and content of the policy files that you associate with a Web service. In this case, however, you must always ensure yourself that the multiple files do not contradict each other. Your custom policy file needs to comply with the standard format and assertions defined in WS-SecurityPolicy 1.2. Note, however, that this release of WebLogic Server does not completely implement WS-SecurityPolicy 1.2. For more information, see Section 2.18, Unsupported WS-SecurityPolicy 1.2 Assertions . The root element of your WS-SecurityPolicy file must be Policy. The following namespace declaration is recommended in this release: wsp:Policy xmlns:wsp=http:schemas.xmlsoap.orgws200409policy xmlns:sp=http:docs.oasis-open.orgws-sxws-securitypolicy200702 . . . wsp:Policy WLS also supports other namespaces for Security Policy. For example, the following two namespaces are also supported: wsp:Policy xmlns:wsp=http:schemas.xmlsoap.orgws200409policy xmlns:sp=http:docs.oasis-open.orgws-sxws-securitypolicy200512 . . . wsp:Policy Note: Use of element-level security always requires one or more custom policy files to specify the particular element path and name to be secured. Configuring Message-Level Security 2-27 or wsp:Policy xmlns:wsp=http:www.w3.orgnsws-policy xmlns:sp=http:docs.oasis-open.orgws-sxws-securitypolicy200702 . . . wsp:Policy You can also use the predefined WS-SecurityPolicy files as templates to create your own custom files. See Section 2.16, Using WS-SecurityPolicy 1.2 Policy Files .

2.8 Configuring the WS-Trust Client