
2-4 Securing WebLogic Web Services for Oracle WebLogic Server

2.3 Using Policy Files for Message-Level Security Configuration

You specify the details of message-level security for a WebLogic Web service with one or more security policy files. The WS-SecurityPolicy specification provides a general-purpose model and XML syntax to describe and communicate the security policies of a Web service. The security policy files used for message-level security are XML files that describe whether and how the SOAP messages resulting from invoking an operation should be digitally signed or encrypted. They can also specify that a client application authenticate itself using a username, SAML, or X.509 token. You use the Policy and Policies JWS annotations in your JWS file to associate policy files with your Web service. You can associate any number of policy files with a Web service, although it is up to you to ensure that the assertions do not contradict each other. You can specify a policy file at both the class and method level of your JWS file.

2.3.1 Using Policy Files With JAX-WS

For maximum portability, Oracle recommends that you use WS-Policy 1.2 and OASIS WS-SecurityPolicy 1.2 with JAX-WS.

2.3.2 WS-Policy Namespace

WebLogic Server supports WS-Policy 1.2 with the following namespace:

http://schemas.xmlsoap.org/ws/2004/09/policy

Note: Previous releases of WebLogic Server, released before the formulation of the WS-SecurityPolicy specification, used security policy files written under the WS-Policy specification, using a proprietary schema for security policy. This proprietary schema for security policy is deprecated, and it is recommended that you use the WS-SecurityPolicy 1.2 format. This release of WebLogic Server supports either security policy files that conform to the WS-SecurityPolicy 1.2 specification or the Web services security policy schema first included in WebLogic Server 9, but not both in the same Web service. The formats are mutually incompatible. For information about the predefined WS-SecurityPolicy 1.2 security policy files, see Section 2.16, "Using WS-SecurityPolicy 1.2 Policy Files."

Note: If you specify a transport-level security policy for your Web service, it must be at the class level. In addition, the transport-level security policy must apply to both the inbound and outbound directions. That is, you cannot have HTTPS for inbound and HTTP for outbound.

2.3.3 WS-SecurityPolicy Namespace

The following OASIS WS-SX TC Web Services SecurityPolicy namespace is supported:

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702

In addition to this new version of the namespace, WebLogic Server continues to support the following Web Services SecurityPolicy namespace:

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512

In most cases, the policy assertions are identical for either namespace, with the following exceptions:

■ Trust10 and Trust13 assertion. Both Trust10 and Trust13 assertions are supported.
■ SC10SecurityContextToken and SC13SecurityContextToken, as described in Section 2.9.1, "Specification Backward Compatibility."
■ Derived Key using different WSSC versions 200502, 1.3.
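The namespace rules in Sections 2.3.2 and 2.3.3 can be checked before deployment. The following Python script is an added example, not Oracle code: it classifies each policy file attached to one Web service by the namespaces its elements actually use, and flags a service that mixes WS-SecurityPolicy 1.2 files with files written in another schema. The sample documents and the urn:example namespace are constructed, and the check assumes every file passed in is a security policy file.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, parse with defusedxml instead

# Namespaces named in Sections 2.3.2 and 2.3.3.
WS_POLICY_12 = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSSP_NS = {
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702": "200702",
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512": "200512",
}

def classify_policy(xml_text):
    """Return (format, versions) based on the namespaces elements actually use."""
    root = ET.fromstring(xml_text)
    used = {el.tag[1:].split("}", 1)[0] for el in root.iter() if el.tag.startswith("{")}
    versions = sorted(WSSP_NS[ns] for ns in used if ns in WSSP_NS)
    if root.tag != "{%s}Policy" % WS_POLICY_12:
        return "not-a-policy", versions
    return ("wssp-1.2" if versions else "other"), versions

def audit_service(policies):
    """policies maps file name -> XML text for ONE Web service (assumed to be
    security policy files only). Returns a list of findings; empty means clean."""
    formats = {name: classify_policy(text)[0] for name, text in policies.items()}
    findings = [f"{name}: root element is not a WS-Policy 1.2 Policy"
                for name, fmt in sorted(formats.items()) if fmt == "not-a-policy"]
    if {"wssp-1.2", "other"} <= set(formats.values()):
        others = sorted(n for n, f in formats.items() if f == "other")
        findings.append("service mixes WS-SecurityPolicy 1.2 files with another "
                        "policy schema: " + ", ".join(others))
    return findings

# Constructed sample policy files (not taken from WebLogic Server).
SAMPLE_WSSP = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:SignedParts><sp:Body/></sp:SignedParts>
</wsp:Policy>"""
# urn:example:other-policy is a placeholder for a non-WS-SecurityPolicy schema.
SAMPLE_OTHER = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:x="urn:example:other-policy">
  <x:Integrity/>
</wsp:Policy>"""

if __name__ == "__main__":
    print(classify_policy(SAMPLE_WSSP))
    for finding in audit_service({"sign.xml": SAMPLE_WSSP, "legacy.xml": SAMPLE_OTHER}):
        print(finding)
```

A namespace that is declared but never used by an element does not count, so a leftover `xmlns` attribute will not mask a file whose assertions are all in another schema.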

2.3.4 Version-Independent Policy Supported