Oracle® Fusion Middleware
Security and Administrator’s Guide for Web Services
11g Release 1 (11.1.1)
B32511-01
May 2009
oracle/wss_username_token_service_policy
This policy uses the credentials in the UsernameToken WS-Security SOAP header to authenticate
users. The plain text mechanism is supported. This policy contains the following policy assertion:
oracle/wss_username_token_service_template. See
"oracle/wss_username_token_service_template" on page C-8 for more information about the
assertion.
Settings You Can Change
See Table C–7.
Properties You Can Configure
See Table C–9.
How to Set Up WebLogic Server
Use the WebLogic Server Administration Console to add an Authentication provider of type
OAM Authenticator or another Authentication provider to the active security realm for the
WebLogic domain in which the Web service is deployed, as described in
"Configuring an Authentication Provider in WebLogic Server" on page 9-15.
Table C–7 wss_username_token_client_template Settings
Name Description Default Value

Password Type
    Type of password required. Valid values are:
    none—No password.
    plaintext—Unencrypted password in clear text.
    digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.
    Note: The plaintext type is not recommended when the token propagation occurs on an unsecure channel. However, if SSL is being used as the transport channel to secure a point-to-point connection between client and server, the plaintext type can be used as the channel takes care of protecting the password.

Nonce Required
    Flag that specifies whether a nonce must be included with the username to prevent replay attacks.
    Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.

Creation Time Required
    Flag that specifies whether a time stamp for the creation of the username token is required.
    Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.
Table C–9 wss_username_token_service_template Configurations
Name Description

role
    SOAP role.
    Specify the following properties:
    Value—Current value.
    Default—Default value. This value is used if the Value field is not set. Defaults to ultimateReceiver.
    Type—Specifies one of the following values:
    - Constant—Property cannot be overridden.
    - Required—Property is required and can be overridden.
    - Optional—Property is optional and can be overridden.
    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides" on page 8-6.
    Description—Description of the property.
<?xml version = '1.0'?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:oralgp="http://schemas.oracle.com/ws/2006/01/loggingpolicy"
    xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" orawsp:status="enabled"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="wss_username_token_service_policy"
    orawsp:displayName="i18n:oracle.wsm.resources.policydescription.PolicyDescriptionBundle_oracle/wss_username_token_service_policy_PolyDispNameKey"
    xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
    orawsp:description="i18n:oracle.wsm.resources.policydescription.PolicyDescriptionBundle_oracle/wss_username_token_service_policy_PolyDescKey"
    orawsp:attachTo="binding.server"
    Name="oracle/wss_username_token_service_policy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    orawsp:category="security" orawsp:local-optimization="check-identity">
  <oralgp:Logging orawsp:Silent="true" orawsp:name="Log Message1" orawsp:Enforced="false"
      orawsp:category="security/logging">
    <oralgp:msg-log>
      <oralgp:request>all</oralgp:request>
      <oralgp:response>all</oralgp:response>
      <oralgp:fault>all</oralgp:fault>
    </oralgp:msg-log>
  </oralgp:Logging>
  <orasp:wss-username-token orawsp:Silent="false" orawsp:name="WSSecurity UserName Token"
      orawsp:Enforced="true" orawsp:category="security/authentication">
    <orasp:username-token orasp:is-encrypted="true" orasp:is-signed="true"
        orasp:password-type="plaintext" orasp:add-created="false" orasp:add-nonce="false"/>
    <orawsp:bindings>
      <orawsp:Config orawsp:name="WssUsernameTokenConfig" orawsp:configType="declarative">
        <orawsp:PropertySet orawsp:name="standard-security-properties">
          <orawsp:Property orawsp:type="string" orawsp:contentType="constant"
              orawsp:name="role">
            <orawsp:Value>ultimateReceiver</orawsp:Value>
          </orawsp:Property>
        </orawsp:PropertySet>
      </orawsp:Config>
    </orawsp:bindings>
  </orasp:wss-username-token>
  <oralgp:Logging orawsp:Silent="true" orawsp:name="Log Message2" orawsp:Enforced="false"
      orawsp:category="security/logging">
    <oralgp:msg-log>
      <oralgp:request>all</oralgp:request>
      <oralgp:response>all</oralgp:response>
      <oralgp:fault>all</oralgp:fault>
    </oralgp:msg-log>
  </oralgp:Logging>
</wsp:Policy>
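The service-side check that the orasp:username-token assertion above describes, written as an added example (not Oracle Web Services Manager code): given a SOAP envelope and the assertion's password-type, add-nonce and add-created settings, it accepts a plaintext UsernameToken, refuses digest as unsupported in this release, and requires Nonce and Created when the policy asks for them, as Table C–7 explains. The namespace URIs are those of the OASIS WS-Security 2004 specifications; the envelope, user name, password and five-minute freshness window are constructed assumptions, and transport protection (SSL) or the is-signed/is-encrypted bindings are assumed to be enforced elsewhere.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
# WS-Security 2004 namespaces and the UsernameToken profile password-type URIs.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT, PASSWORD_DIGEST = UTP + "#PasswordText", UTP + "#PasswordDigest"
# Mirrors the orasp:username-token attributes in the policy XML on this page.
PAGE_POLICY = {"password-type": "plaintext", "add-nonce": False, "add-created": False}

def parse_ts(value):
    """Parse a wsu:Created value such as 2009-05-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_username_token(soap_xml, policy, now=None, max_skew=timedelta(minutes=5)):
    """Return (username, password) if the header satisfies the assertion, else raise ValueError.
    Hypothetical check; SSL or the is-signed/is-encrypted bindings are assumed enforced elsewhere."""
    root = ET.fromstring(soap_xml)
    tokens = root.findall(f".//{{{WSSE}}}UsernameToken")
    if len(tokens) != 1:
        raise ValueError("exactly one wsse:UsernameToken expected")
    tok = tokens[0]
    username = tok.findtext(f"{{{WSSE}}}Username")
    if not username:
        raise ValueError("wsse:Username missing")
    pw = tok.find(f"{{{WSSE}}}Password")
    if policy["password-type"] == "digest":  # Table C-7: digest is not supported in this release
        raise ValueError("digest password type not supported")
    if policy["password-type"] == "plaintext":
        # A missing Type attribute means PasswordText; any other type is refused.
        if pw is None or pw.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
            raise ValueError("plaintext wsse:Password required")
    nonce = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if policy["add-nonce"] and not nonce:
        raise ValueError("wsse:Nonce required for replay protection")
    if policy["add-created"]:
        if not created:
            raise ValueError("wsu:Created required")
        if abs((now or datetime.now(timezone.utc)) - parse_ts(created)) > max_skew:
            raise ValueError("wsu:Created outside the freshness window")
    return username, (pw.text if pw is not None else None)

def soap_with_token(token_fragment):
    """Constructed sample envelope wrapping one UsernameToken fragment in wsse:Security."""
    return (f'<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" '
            f'xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><S:Header><wsse:Security>'
            f"{token_fragment}</wsse:Security></S:Header><S:Body/></S:Envelope>")

# Constructed plaintext token for a made-up user (name and password are assumptions).
PLAIN_TOKEN = ("<wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
               f'<wsse:Password Type="{PASSWORD_TEXT}">s3cret</wsse:Password></wsse:UsernameToken>')
```

A policy with add-nonce and add-created set to true makes the same function demand both elements and reject a Created timestamp outside the skew window, which is the replay protection Table C–7 refers to.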