If you require both authentication and message protection, then you need to

11-4 Oracle Fusion Middleware Security and Administrator's Guide for Web Services

Example for Partial Encryption

In this example, a part of the SOAP message is encrypted using Fusion Middleware Control:

1. Create a simple Web service that approves a credit card number cardNr. A sample payload is shown in Example 11–1.

Example 11–1 Example of a Payload

   <soapenv:Body wsu:Id="Body-2grW1pYwjwsoskbLuMJZzg22"
       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
     <aaav:validateTheCard xmlns:aaav="http://aaavalidatecred/">
       <aaav:cardNr>string</aaav:cardNr>
       <aaav:firstName>string</aaav:firstName>
       <aaav:lastName>string</aaav:lastName>
       <aaav:validUntilDate>string</aaav:validUntilDate>
     </aaav:validateTheCard>
   </soapenv:Body>

2. In Fusion Middleware Control, select a message protection policy and click Edit.

3. In the Settings tab, select the Request tab.

4. In the Message Encrypt Setting section, deselect Include Entire Body (Figure 11–1).

5. Expand Body Elements and click Add.

6. Enter the Namespace and the Element Name. In this example, only the card number is encrypted:

   Namespace = http://aaavalidatecred/
   Element Name = aaav:cardNr

   The policy matches an element by its namespace URI and local name; the prefix (aaav) is only a label in the payload, so the saved policy records the name as cardNr. Every other element of the body (firstName, lastName, validUntilDate) stays in cleartext unless you add it as well. For more information on other fields in the Edit Policy page, see Table C–91. Example 11–2 shows what the policy would look like.

Example 11–2 Sample Policy with Partial Encryption

   <orasp:encrypted-elements>
     <orasp:element orasp:namespace="http://aaavalidatecred/" orasp:name="cardNr">n/a</orasp:element>
   </orasp:encrypted-elements>

7. Click Yes to add the Body Elements and Save to save the modified policy.

Figure 11–1 Example of Partial Encryption of Message Protection Policies

Securing SwA Attachments

Packaging data as attachments to SOAP messages has become common for any data that cannot be placed inside the SOAP Envelope. The primary SOAP message can reference additional entities carried as attachments, each with its own MIME headers. Each SwA attachment is a MIME part and contains a MIME header.

Include SwA Attachment signs the attachment content but not the MIME header that corresponds to it. Include MIME Headers signs the corresponding MIME headers as well as the attachment content. Choose Include MIME Headers when a recipient acts on headers such as Content-Type or Content-Disposition: a signature over the content alone does not detect changes to them.

Which Policies Offer Message Protection?

The following policies offer message protection.
The subsequent sections for each of these policies later in this chapter describe how each policy implements message protection.

■ oracle/wss10_message_protection_client_policy
■ oracle/wss10_message_protection_service_policy
■ oracle/wss10_username_id_propagation_with_msg_protection_client_policy
■ oracle/wss10_username_id_propagation_with_msg_protection_service_policy
■ oracle/wss10_username_token_with_message_protection_client_policy
■ oracle/wss10_username_token_with_message_protection_service_policy
■ oracle/wss10_username_token_with_message_protection_ski_basic256_client_policy
■ oracle/wss10_username_token_with_message_protection_ski_basic256_service_policy
■ oracle/wss10_x509_token_with_message_protection_client_policy
■ oracle/wss10_x509_token_with_message_protection_service_policy
■ oracle/wss10_saml_token_with_message_protection_client_policy
■ oracle/wss10_saml_token_with_message_protection_service_policy
■ oracle/wss10_saml20_token_with_message_protection_client_policy
■ oracle/wss10_saml20_token_with_message_protection_service_policy
■ oracle/wss10_saml_hok_token_with_message_protection_client_policy
■ oracle/wss10_saml_hok_token_with_message_protection_service_policy
■ oracle/wss10_saml_token_with_message_protection_ski_basic256_client_policy
■ oracle/wss10_saml_token_with_message_protection_ski_basic256_service_policy
■ oracle/wss11_message_protection_client_policy
■ oracle/wss11_message_protection_service_policy
■ oracle/wss11_kerberos_token_with_message_protection_client_policy
■ oracle/wss11_kerberos_token_with_message_protection_service_policy
■ oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy
■ oracle/wss11_kerberos_token_with_message_protection_basic128_service_policy
■ oracle/wss11_saml_token_with_message_protection_client_policy
■ oracle/wss11_saml_token_with_message_protection_service_policy
■ oracle/wss11_saml20_token_with_message_protection_client_policy
■ oracle/wss11_saml20_token_with_message_protection_service_policy
■ oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy
■ oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy
■ oracle/wss11_sts_issued_saml_with_message_protection_client_policy
■ oracle/wss11_username_token_with_message_protection_client_policy
■ oracle/wss11_username_token_with_message_protection_service_policy
■ oracle/wss11_x509_token_with_message_protection_client_policy
■ oracle/wss11_x509_token_with_message_protection_service_policy

Both the WS-Security 1.0 and WS-Security 1.1 standards are supported. Use the assertion template or predefined policy that supports the standard which the Web service and the client share. If you are starting anew, use WS-Security 1.1, because it provides more options and requires less PKI deployment: its message protection encrypts a symmetric key to the service's certificate, so only the service needs a certificate for message protection.

The assertion templates support partial signing and encryption as well as full signing and encryption of the message body. For those assertion templates or predefined policies that provide SOAP message protection, the default behavior is to protect the entire SOAP body by signing and encrypting it. You can configure the assertions and policies to protect selected elements instead, if you wish.

Authentication-Only Policies and Configuration Steps

Table B–1 in Appendix B, "Predefined Policies," summarizes the security policies that enforce authentication only, and indicates whether the token is inserted at the transport layer or in the SOAP header. This section lists the authentication-only predefined policies, indicates the type of Web service to which they apply, and provides a link to the configuration steps you must perform to use them.
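As an added example (not code from the Oracle guide), the following Python script applies the idea behind Examples 11–1 and 11–2 mechanically: it reads the orasp:encrypted-elements policy fragment, matches body elements by namespace URI and local name, and reports both the listed elements that are still in cleartext and the leaf elements the policy never covered. The ORASP namespace URI, the sample field values and the post-encryption message with its placeholder CipherValue are assumptions constructed for the example; only the element names and namespaces come from the chapter.

```python
"""Check a SOAP body against a partial-encryption policy.

Added example (not Oracle's code). It reads the <orasp:encrypted-elements>
fragment from Example 11-2, then reports which listed elements are still in
cleartext and which unlisted leaf elements stay exposed.
"""
import xml.etree.ElementTree as ET

# Standard SOAP 1.1, WS-Security utility and XML Encryption namespaces.
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
XENC = "http://www.w3.org/2001/04/xmlenc#"
# Assumed: the OWSM security-policy namespace that the orasp prefix maps to.
ORASP = "http://schemas.oracle.com/ws/2006/01/securitypolicy"

# Policy fragment from Example 11-2, with the orasp declaration added so it
# parses on its own.
POLICY_XML = f"""<orasp:encrypted-elements xmlns:orasp="{ORASP}">
  <orasp:element orasp:namespace="http://aaavalidatecred/"
                 orasp:name="cardNr">n/a</orasp:element>
</orasp:encrypted-elements>"""

# Constructed request: the Example 11-1 payload with sample field values,
# before the policy has been applied.
PLAINTEXT_BODY = f"""<soapenv:Body xmlns:soapenv="{SOAPENV}" xmlns:wsu="{WSU}"
    wsu:Id="Body-2grW1pYwjwsoskbLuMJZzg22">
  <aaav:validateTheCard xmlns:aaav="http://aaavalidatecred/">
    <aaav:cardNr>4111111111111111</aaav:cardNr>
    <aaav:firstName>Jane</aaav:firstName>
    <aaav:lastName>Doe</aaav:lastName>
    <aaav:validUntilDate>2030-01</aaav:validUntilDate>
  </aaav:validateTheCard>
</soapenv:Body>"""

# Constructed request after the policy was applied: cardNr is replaced by an
# xenc:EncryptedData element (the CipherValue is a placeholder, not real
# ciphertext); the other fields are untouched.
ENCRYPTED_BODY = f"""<soapenv:Body xmlns:soapenv="{SOAPENV}" xmlns:wsu="{WSU}"
    wsu:Id="Body-2grW1pYwjwsoskbLuMJZzg22">
  <aaav:validateTheCard xmlns:aaav="http://aaavalidatecred/">
    <xenc:EncryptedData xmlns:xenc="{XENC}" Type="{XENC}Element">
      <xenc:CipherData>
        <xenc:CipherValue>MTIzNDU2Nzg5MGFiY2RlZg==</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
    <aaav:firstName>Jane</aaav:firstName>
    <aaav:lastName>Doe</aaav:lastName>
    <aaav:validUntilDate>2030-01</aaav:validUntilDate>
  </aaav:validateTheCard>
</soapenv:Body>"""


def policy_elements(policy_xml):
    """Return the set of (namespace, local name) pairs the policy encrypts.

    Fusion Middleware Control accepts a prefixed name (aaav:cardNr) but the
    saved policy stores the local name, so any prefix is stripped here too.
    """
    root = ET.fromstring(policy_xml)
    wanted = set()
    for el in root.iter(f"{{{ORASP}}}element"):
        ns = el.get(f"{{{ORASP}}}namespace", "")
        name = el.get(f"{{{ORASP}}}name", "").split(":")[-1]
        wanted.add((ns, name))
    return wanted


def split_tag(tag):
    """ElementTree spells tags as '{namespace}local'; return the two parts."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def check_body(body_xml, policy_xml):
    """Return (violations, exposed).

    violations: local names of policy-listed elements still in cleartext.
    exposed:    local names of cleartext leaf elements the policy does not
                cover. xenc:* nodes are skipped because they hold ciphertext.
    """
    wanted = policy_elements(policy_xml)
    violations, exposed = [], []
    for el in ET.fromstring(body_xml).iter():
        ns, local = split_tag(el.tag)
        if ns == XENC:
            continue
        if (ns, local) in wanted:
            violations.append(local)
        elif len(el) == 0 and (el.text or "").strip():
            exposed.append(local)
    return violations, exposed


if __name__ == "__main__":
    for label, body in (("before", PLAINTEXT_BODY), ("after", ENCRYPTED_BODY)):
        violations, exposed = check_body(body, POLICY_XML)
        print(f"{label}: still cleartext={violations} not covered={exposed}")
```

Run against the plaintext body the checker flags cardNr; against the encrypted body it flags nothing, but in both cases it lists firstName, lastName and validUntilDate as uncovered, which is the practical consequence of deselecting Include Entire Body: partial encryption protects exactly the elements you list and nothing else.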
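The SwA option pair described earlier in this chapter (Include SwA Attachment versus Include MIME Headers) is easiest to appreciate with a concrete attachment. The following Python script is an added example, not Oracle's or OASIS's code: it builds a small SOAP-with-Attachments message, hashes one attachment over content only and over headers plus content, then rewrites a MIME header and shows that only the second digest changes. The message, the Content-IDs and the header canonicalization are constructed for the example, and the covered-header list is an assumption.

```python
"""Digest an SwA attachment with and without its MIME headers.

Added example, not Oracle's or OASIS's code. It builds a small
SOAP-with-Attachments message, hashes one attachment the two ways the policy
options differ (content only, or selected MIME headers plus content), then
tampers with a MIME header to show which digest changes. The header
canonicalization here is a simplification, not the WSS SwA Profile's
Attachment-Complete transform.
"""
import hashlib
from email import policy
from email.parser import BytesParser

# Assumed: the MIME headers a headers-plus-content digest covers (chosen to
# match the header set WSS SwA Profile 1.1 uses for its complete transform).
COVERED_HEADERS = ("Content-Description", "Content-Disposition", "Content-ID",
                   "Content-Location", "Content-Type")

# Constructed SwA message: a SOAP root part plus one binary attachment.
SWA_MESSAGE = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="MIME_boundary"; type="text/xml"; start="<soap@example>"

--MIME_boundary
Content-Type: text/xml; charset=UTF-8
Content-ID: <soap@example>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body/></soapenv:Envelope>
--MIME_boundary
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
Content-ID: <scan@example>
Content-Disposition: attachment; filename="claim.pdf"

%PDF-1.4 constructed attachment bytes
--MIME_boundary--
"""


def find_part(raw_message, content_id):
    """Locate the MIME part whose Content-ID matches (raises KeyError)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    for part in msg.walk():
        if part.get("Content-ID") == content_id:
            return part
    raise KeyError(content_id)


def digest_content_only(part):
    """What 'Include SwA Attachment' covers: the decoded attachment bytes."""
    return hashlib.sha256(part.get_payload(decode=True)).hexdigest()


def digest_with_headers(part):
    """What 'Include MIME Headers' adds: covered headers, then the bytes.

    Each present header is lower-cased, whitespace-normalized and
    CRLF-terminated; an empty line separates the headers from the content.
    """
    h = hashlib.sha256()
    for name in COVERED_HEADERS:
        value = part.get(name)
        if value is not None:
            line = f"{name.lower()}:{' '.join(str(value).split())}\r\n"
            h.update(line.encode())
    h.update(b"\r\n")
    h.update(part.get_payload(decode=True))
    return h.hexdigest()


def header_tamper_detected(raw_message, content_id, old_header, new_header):
    """Rewrite one header fragment of the raw message and report which
    attachment digest notices: (content_only_changed, with_headers_changed)."""
    tampered_message = raw_message.replace(old_header, new_header)
    before = find_part(raw_message, content_id)
    after = find_part(tampered_message, content_id)
    return (digest_content_only(before) != digest_content_only(after),
            digest_with_headers(before) != digest_with_headers(after))


if __name__ == "__main__":
    changed = header_tamper_detected(
        SWA_MESSAGE, "<scan@example>",
        b"Content-Type: application/octet-stream", b"Content-Type: text/html")
    print("content-only digest changed:", changed[0])
    print("with-headers digest changed:", changed[1])
```

Swapping the attachment's Content-Type (or the filename in Content-Disposition) leaves the content-only digest untouched, so a signature that covers only the attachment bytes would still verify; the headers-plus-content digest changes. That is the difference between the two check boxes, and the reason to select Include MIME Headers whenever the receiving side trusts those headers.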