Contents

Title and Copyright Information

Preface

• Documentation Accessibility
• Conventions

1 Overview of Web Services Security

• Overview of Web Services Security
• What Type of Security Should You Configure?

2 Configuring Message-Level Security

• Overview of Message-Level Security
  • Web Services Security Supported Standards
    • Web Services Trust and Secure Conversation
    • Web Services SecurityPolicy 1.2
• Main Use Cases of Message-Level Security
• Using Policy Files for Message-Level Security Configuration
  • Using Policy Files With JAX-WS
  • WS-Policy Namespace
  • WS-SecurityPolicy Namespace
  • Version-Independent Policy Supported
• Configuring Simple Message-Level Security: Main Steps
  • Ensuring That WebLogic Server Can Validate the Client's Certificate
  • Updating the JWS File with @Policy and @Policies Annotations
    • Loading a Policy From the CLASSPATH
  • Using Key Pairs Other Than the Out-Of-The-Box SSL Pair
• Updating a Client Application to Invoke a Message-Secured Web Service
  • Invoking a Web Service From a Client Running in a WebLogic Server Instance
• Example of Adding Security to a JAX-WS Web Service
• Creating and Using a Custom Policy File
• Configuring the WS-Trust Client
  • Supported Token Types
  • Configuring WS-Trust Client Properties
    • Obtaining the URI of the Secure Token Service
    • Configuring STS URI for WS-SecureConversation: Standalone Client
    • Configuring STS URI for SAML: Standalone Client
    • Configuring STS URI Using WLST: Client On Server Side
    • Configuring STS URI Using Console: Client On Server Side
    • Configuring STS Security Policy: Standalone Client
    • Configuring STS Security Policy Using WLST: Client On Server Side
    • Configuring STS Security Policy: Using the Console
    • Configuring the STS SOAP and WS-Trust Version: Standalone Client
    • Configuring the SAML STS Server Certificate: Standalone Client
  • Sample WS-Trust Client for SAML 2.0 Bearer Token over HTTPS
  • Sample WS-Trust Client for SAML 2.0 Bearer Token with WSS 1.1 Message Protections
• Configuring and Using Security Contexts and Derived Keys
  • Specification Backward Compatibility
  • WS-SecureConversation and Clusters
  • Updating a Client Application to Negotiate Security Contexts
• Associating Policy Files at Runtime Using the Administration Console
• Using Security Assertion Markup Language (SAML) Tokens For Identity
  • Using SAML Tokens for Identity: Main Steps
  • Specifying the SAML Confirmation Method
    • Specifying the SAML Confirmation Method (Proprietary Policy Only)
• Associating a Web Service with a Security Configuration Other Than the Default
• Valid Class Names and Token Types for Credential Provider
• Using System Properties to Debug Message-Level Security
• Using a Client-Side Security Policy File
  • Associating a Policy File with a Client Application: Main Steps
  • Updating clientgen to Generate Methods That Load Policy Files
  • Updating a Client Application To Load Policy Files (JAX-RPC Only)
• Using WS-SecurityPolicy 1.2 Policy Files
  • Transport Level Policies
  • Protection Assertion Policies
  • WS-Security 1.0 Username and X509 Token Policies
  • WS-Security 1.1 Username and X509 Token Policies
  • WS-SecureConversation Policies
  • SAML Token Profile Policies
• Choosing a Policy
• Unsupported WS-SecurityPolicy 1.2 Assertions
• Using the Optional Policy Assertion
• Configuring Element-Level Security
  • Define and Use a Custom Element-Level Policy File
    • Adding the Policy Annotation to JWS File
  • Implementation Notes
• Smart Policy Selection
  • Example of Security Policy With Policy Alternatives
  • Configuring Smart Policy Selection
    • How the Policy Preference is Determined
    • Configuring Smart Policy Selection in the Console
    • Understanding Body Encryption in Smart Policy
    • Smart Policy Selection for a Standalone Client
  • Multiple Transport Assertions
• Example of Adding Security to MTOM Web Service
  • Files Used by This Example
  • SecurityMtomService.java
  • MtomClient.java
  • configWss.py Script File
  • Build.xml File
  • Building and Running the Example
  • Deployed WSDL for SecurityMtomService
• Example of Adding Security to Reliable Messaging Web Service
  • Overview of Secure and Reliable SOAP Messaging
  • Overview of the Example
    • How the Example Sets Up WebLogic Security
  • Files Used by This Example
  • Revised ReliableEchoServiceImpl.java
  • Revised configWss.py
  • Revised configWss_Service.py
  • Building and Running the Example
• Securing Web Services Atomic Transactions
• Proprietary Web Services Security Policy Files (JAX-RPC Only)
  • Abstract and Concrete Policy Files
  • Auth.xml
  • Sign.xml
  • Encrypt.xml
  • Wssc-dk.xml
  • Wssc-sct.xml

3 Configuring Transport-Level Security

• Configuring Transport-Level Security Through Policy
  • Configuring Transport-Level Security Through Policy: Main Steps
• Example of Using JWS Annotations in Your JWS File
• Example of Configuring Transport Security for JAX-WS
  • One-Way SSL (HTTPS and HTTP Basic Authentication Example)
• New Two-Way Persistent SSL Client API for JAX-WS
  • Example of Getting SSLSocketFactory From System Properties
• Configuring Transport-Level Security Via UserDataConstraint: Main Steps (JAX-RPC Only)
• Configuring Two-Way SSL for a Client Application
• Using a Custom SSL Adapter with Reliable Messaging

4 Configuring Access Control Security (JAX-RPC Only)

• Configuring Access Control Security: Main Steps
• Updating the JWS File With the Security-Related Annotations
• Updating the JWS File With the @RunAs Annotation
• Setting the Username and Password When Creating the Service Object

A Using Oracle Web Services Manager Security Policies

• Overview
  • When Should You Use Oracle WS-Security Policies?
• What Oracle WSM Security Policies Are Available?
  • Is There Compatibility Between WebLogic Policies and Oracle WSM Policies?
• What Oracle WSM WS-Security Policies Are Not Available?
• Where are the Oracle WSM Policies Documented?
• Adding Oracle WSM WS-Security Policies to a Web Service
  • SecurityPolicy and SecurityPolicies Annotations
  • Configuring Oracle WSM Security Policies in Administration Console
• Adding Oracle WSM WS-Security Policies to Clients
  • Associating a Policy File with a Client Application: Main Steps
• Configuring Permission-Based Authorization Policies
• Configuring the Credential Store Using WLST
  • How to Create and Use a Java Keystore
    • How to Create Private Keys and Load Trusted Certificates
  • Manage the Credential Store Framework
    • How to Update Your Credential Store Using WLST
• Policy Configuration Overrides for the Web Service Client
• Creating Custom Assertions
  • Overview of Custom Assertion Creation
  • Step 1: Create the Custom Policy File
  • Step 2: Add the Custom Policy to the Policy Store
  • Step 3: Create the Custom Assertion Class
  • Step 4: Create the Custom Assertion Class JAR File
  • Step 5: Update Your CLASSPATH
  • Step 6: Develop and Deploy a JAX-WS Web Service
  • Step 7: Attach the Custom Policy to the JAX-WS Web Service
• Monitoring and Testing the Web Service