Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

• Intended Audience
• Documentation Accessibility
• Related Documents
• Conventions

1 Introduction

• Web Service Security Concepts
  • SOAP
  • Security Policies
    • Inbound Policy
    • Outbound Policy
    • Global Level Policy
    • Port-Level Policy
    • Operation-Level Policy
  • The Request Envelope
  • The Response Envelope
  • XML Digital Signatures
  • XML Encryption
  • SAML
  • Message-Level Security
  • Transport-Level Security
  • WS-Security
  • Security Tokens
    • Username Token
    • X.509 Token
    • SAML Token
    • Keystore
• Web Services Security Support in OracleAS Web Services
  • Standards Supported by OracleAS Web Services Security
  • Interceptor Framework
    • Service Security Interceptor
    • Client Security Interceptor
  • Architecture
  • Web Service Security Integration
    • Integration with JAAS
    • Integration with Java Single Sign-On
    • Integration with Oracle Identity Management
    • Integration with External LDAP Servers
    • Integration with Oracle Access Manager
• Tool Support for Web Service Security
  • Application Server Control Support for Web Service Security
    • Global- and Port-Level Keystore and Identity Certificates
    • Port- and Operation-Level Security Configuration
    • Port-Level and Operation-Level Inbound Policy Configuration
    • Port- and Operation-Level Outbound Policy Configuration
    • Web Services Agent
  • Oracle JDeveloper Support for Web Service Security
  • Oracle Web Services Manager
    • When to Use Oracle WSM to Secure Web Services

2 Configuring Web Service Security

• Security Configuration Elements
  • Keystore Elements
  • Signature and Encryption Key Elements
  • Nonce Configuration Elements
  • Security Elements for Inbound Messages
    • Username Token Elements for Inbound Messages
    • X.509 Token Elements for Inbound Messages
    • SAML Token Elements for Inbound Messages
    • Signature Verification Elements for Inbound Messages
    • Decryption Elements for Inbound Messages
  • Security Elements for Outbound Messages
    • Username Token Elements for Outbound Messages
    • X.509 Token Elements for Outbound Messages
    • SAML Token Elements for Outbound Messages
    • Elements for Retrieving SAML Tokens from an External SAML Authority
    • Signature Elements for Outbound Messages
    • Encryption Elements for Outbound Messages

3 Administering Web Services Security

• Using Keystores
  • Creating a Keystore
    • How to Obtain a Trusted Certificate
    • How to Create and Use a Java Key Store
    • How to Create and Use an Oracle Wallet
  • Configuring a Keystore
    • Configuring Instance Keystores and Keys
    • Configuring Application Keystores and Keys
  • Replacing Cleartext Passwords by Using Password Indirection
  • Manually Removing Stale Indirect User Accounts
• Integrating Security Tokens with Security Providers
• Using a Username Token
  • How to Configure the Username Token for the Server Side
    • Configure the <verify-username-token> Element
    • Configure the Service to Not Require a Password
    • Configure the Nonce Cache with a Digest Password
    • Tools for Configuring the Username Token for the Server
  • How to Configure the Username Token for the Client Side
    • Configure the <username-token> Element
    • Pass the Username and Password with a Callback Handler
    • Pass the User Name and Password with Stub Properties
    • Tools for Configuring the Username Token for the Client
  • Integrating Username Token with Security Providers (File-Based XML, LDAP, Custom, Oracle Access Manager)
    • Using Oracle Access Manager as a Security Provider for Username Token Authentication
  • Preventing Replay Attacks with Nonces
• Using an X.509 Token
  • How to Configure an X.509 Token for the Server Side
    • Configure the <verify-x509-token> Element
    • Configure the Keystore
    • Map the X.509 Certificates to Valid Users
    • Tools for Configuring the X.509 Token on the Server
  • How to Configure X.509 Token for the Client Side
    • Configure the <x509-token> Element
    • Configure the Keystore with a Signature Key
    • Authenticate an X.509 Token with a Subject Key Identifier
    • Sign the X.509 Token
    • Tools for Configuring the X.509 Token on the Client
  • Integrating X.509 Token with Security Providers (XML, LDAP, Oracle Access Manager)
    • Using Oracle Access Manager as a Security Provider for X.509 Token Authentication
• Using a SAML Token
  • How to Configure a SAML Token for the Server Side
    • Configure the <verify-saml-token> Element
    • Configure the Keystore
    • Map the SAML Assertion Subject
    • Set Options for the SAMLLoginModule
  • How to Configure a SAML Token for the Client-Side
    • Configure the <saml-token> Element
    • Providing a Static SAML Client Configuration
    • Configuring a SAML Assertion Subject by Using a Stub Property
    • Configuring a SAML Assertion Subject by Identity Propagation
    • Writing a SAML Token Callback Handler
    • Retrieving a SAML Token from an External SAML Authority
    • Configure the Keystore
    • Combining Static and Dynamic SAML Configuration
  • Integrating SAML Token with Security Providers (XML, LDAP, Oracle Access Manager)
    • Using Oracle Access Manager as a Security Provider for SAML Token Authentication
    • Authenticating SAML Tokens with an External LDAP Provider
    • Configuring Single Sign-on Using SAML
• Configuring XML Encryption
  • Configuring Encryption for Outbound Messages
  • Configuring Encryption for Inbound Elements
  • Encrypting the Body of a SOAP Message
  • Decrypting the Body of a SOAP Message
  • Encrypting Elements of a SOAP Message
  • Decrypting Elements of a SOAP Message
  • Encrypting a Message with a Signature Key
  • Accepting Multiple Keys to Decrypt Messages
• Configuring XML Signature
  • Configuring Signature for Outbound Messages
  • Configuring Signature for Inbound Messages
  • Signing the Body of a SOAP Message
  • Signing Elements of a SOAP Message
  • Verifying a Signature on a Specific Element
  • Using the Subject Key Identifier for Signing
  • Preventing Replay Attacks with Timestamps
    • Adding Timestamps
    • Verifying TimeStamps
  • Adjusting the Clock Skew Between a Client and a Web Service Application
• Combining Tokens, Encryption, and Signature in a Configuration

4 Building Secure Web Services

• Assembling a Secure Web Service
  • Assembling Security into a Web Service Top Down
  • Assembling Security into a Web Service Bottom Up
• Creating a Server-Side Security Configuration File
  • Defining a Server-Side, Port Level Security Configuration for Username Token
  • Defining a Server-Side, Operation-Level Security Configuration for Username Token
  • Defining a Server-Side, Port-Level Security Configuration to Verify XML Signature and Decryption
  • Defining a Server-Side, Operation-Level Security Configuration for XML Signature and Decryption
• Creating a Client-Side Security Configuration File
  • Defining a Client-Side, Port Level Security Configuration for Username Token
  • Defining a Client-Side, Port-Level Security Configuration for XML Signature and Encryption
  • Creating Users For Authentication
    • Adding User Entries by Using Application Server Control
• Client JAR Files
• Adding Transport-Level Security to a Web Service
  • Adding Basic Authentication
  • Adding Digest Authentication
  • Adding Client Certification Authentication
  • Adding Transport-Level Security for Web Services Based on EJBs
  • Accessing Web Services That Require a Username and Password
    • HTTP Authentication Properties
    • WS-Security Username Token Authentication Field Values
    • Passing Authentication Information Programatically
    • Passing Authentication Information Statically
  • Propagating Identities from a Web Service to an EJB
• Ant Tasks and WebServicesAssembler
• Getting an Authenticated User Identity in a Web Service Application
  • Getting an Authenticated Subject with the AccessControlContext API
  • Getting an Authenticated Principal with the ServiceLifeCycle API
• Performing JAAS Provider Authorization on a Web Service
• WS-Security and XML APIs
• Development Decisions

5 Secure Web Service Usage Scenarios

• Non-Secured Web Services
  • Basic Web Service
  • Complex Business Process
  • Intermediary
  • Federated
• HTTP-Based Security
  • Secure Sockets Layer
  • HTTP Basic Authentication and Digest Authentication
    • Basic Authentication
    • Digest Authentication
• WS-Security
  • Web Services Security Authentication
    • Username Token Profile
    • X.509 Token Profile
    • SAML Token Profile
• XML Signature
• XML Encryption
• Gateways
• Identity Management
• Interoperability

6 Troubleshooting

• General Errors
• Keystore-Related Errors
• Message Integrity Errors
• Message Confidentiality Errors
• Authentication Errors

A OracleAS Web Services Security Schema

• Hierarchy of a Security Configuration
• Elements and Attributes of the Security Schema
  • <add-timestamp>
  • <attribute>
  • <confirmation-method>
  • <decrypt>
  • <encrypt>
  • <encryption-key>
  • <encryption-method>
  • <encryption-methods>
  • <inbound>
  • <key-store>
  • <keytransport-method>
  • <keytransport-methods>
  • <nonce-config>
  • <outbound>
  • <recipient-key>
  • <saml-authority>
  • <saml-token>
  • <security>
  • <signature>
  • <signature-key>
  • <signature-method>
  • <signature-methods>
  • <subject-confirmation-method>
  • <subject-confirmation-methods>
  • <tbe-element>
  • <tbe-elements>
  • <tbs-element>
  • <tbs-elements>
  • <use-cert-request>
  • <username-token>
  • <verify-saml-token>
  • <verify-signature>
  • <verify-timestamp>
  • <verify-username-token>
  • <verify-x509-token>
  • <x509-token>
• Oracle Web Services Security Schema Listing
• Security Configuration Listing

B Security Threats and Solutions

C Third Party Licenses

• Apache
  • The Apache Software License
• Apache SOAP
  • Apache SOAP License
• JSR 110
• Jaxen
  • The Jaxen License
• SAXPath
  • The SAXPath License
• W3C DOM
  • The W3C License

Index