WS-Policy reference

Reference information on WS-Policies.

AsymmetricBinding WS-Policies

AsymmetricBinding with Encrypted UsernameToken: The service exposes an AsymmetricBinding where the client and server use their respective X.509 v3 tokens to sign and encrypt the message. An encrypted UsernameToken with hash password must be included in all messages from the client to the server.

AsymmetricBinding with SAML 1.1 (Sender Vouches) Assertion and Signed Supporting Token: The service is secured with an AsymmetricBinding where the client and server use their respective X.509 v3 certificates to secure the message. The client must include a SAML 1.1 Assertion (sender vouches) in all messages it sends to the service.

AsymmetricBinding with Signed and Encrypted UsernameToken: The service exposes an AsymmetricBinding where the client and server use their respective X.509 v3 tokens to sign and encrypt the message. A signed and encrypted UsernameToken with plaintext password must be included in all messages from the client to the service.

AsymmetricBinding with WSS 1.0 Mutual Authentication with X509 Certificates, Sign, Encrypt: The service exposes an AsymmetricBinding interface where the client and server use their respective X.509 v3 certificates for mutual authentication, signing, and encrypting.

AsymmetricBinding with X509v3 Tokens: The service exposes an AsymmetricBinding where the client and server use their respective X.509 v3 tokens to sign and encrypt the message.

Message-level WS-Policies

Encrypt SOAP Body: The SOAP body must be encrypted.

Sign and Encrypt SOAP Body: The SOAP body must be signed and encrypted.

Sign SOAP Body: The SOAP body must be signed.

Oracle Web Services Manager WS-Policies

WS-Security 1.0 Mutual Auth with Certificates: AsymmetricBinding where the client and server use their respective X.509 v3 certificates to secure the message.

WS-Security 1.0 SAML with Certificates: AsymmetricBinding with SAML assertion as SignedSupportingToken.

WS-Security 1.0 Username with Certificate: AsymmetricBinding with WS-Security UsernameToken as SignedSupportingToken.

WS-Security 1.1 Mutual Auth with Certificates: SymmetricBinding where the same X.509 v3 certificate is used to secure all messages between the client and the service.

WS-Security 1.1 Username with Certificates: SymmetricBinding with a WS-Security UsernameToken as a SignedSupportingToken. The message is endorsed with an asymmetric Signature.

WS-Security SAML Token Over SSL: TransportBinding with a SAML Token as a SupportingToken.

WS-Security UsernameToken Over SSL: TransportBinding with a WS-Security UsernameToken as a SupportingToken.

Simple WS-Policies

SAML 1.1 Bearer: The client must include a SAML 1.1 Assertion (bearer) representing the requestor in all messages from the client to the service.

Username SupportingToken Hash Password: The client must authenticate with a WS-Security UsernameToken with a hashed password.

Username SupportingToken No Password: The client must authenticate with a WS-Security UsernameToken without a password.

Username SupportingToken Plaintext Password: The client must authenticate with a WS-Security UsernameToken with a plaintext password.

SymmetricBinding WS-Policies

SymmetricBinding with SAML 2.0 (Sender Vouches) Assertion and Endorsing Supporting Token: The service exposes a SymmetricBinding that requires the client to send a SAML 2.0 Assertion to the service. An X.509 v3 token is also included in all messages from the client to the service as an EndorsingSupportingToken.

SymmetricBinding with Signed and Encrypted UsernameToken: The service uses a SymmetricBinding where the client and service use the same X.509 v3 token to sign and encrypt the message. A signed and encrypted UsernameToken with plaintext password must be included in all messages from the client to the service. The policy uses WSS SOAP Message Security 1.1 options.

SymmetricBinding with WSS 1.1 Anonymous Authentication with X.509v3, Sign, Encrypt: The service is secured by a SymmetricBinding where the same X.509 v3 certificate is used to secure all messages between the client and the service. Derived keys are used for signing and encrypting and Signature Confirmation is required by the policy.

SymmetricBinding with WSS 1.1 Mutual Authentication with X.509v3, Sign, Encrypt: The service exposes a SymmetricBinding where the same X.509 v3 certificate is used to secure all messages between the client and the service. The client also endorses the primary message signature using another X.509v3 certificate.

TransportBinding WS-Policies

SAML 1.1 Holder-of-Key over SSL: The client includes a SAML 1.1 Assertion (holder-of-key) in all messages from the client to the service. The client provides an endorsing signature to prove that it is the holder of the key. A TransportBinding is used to sign and encrypt the message.

SAML 1.1 Sender-Vouches over SSL: The client includes a SAML 1.1 Assertion (sender vouches) on behalf of the requestor to all messages from the client to the service. The service uses a TransportBinding to ensure that all messages are signed and encrypted.

SAML 2.0 Holder-of-Key over SSL: The client includes a SAML 2.0 Assertion (holder-of-key) in all messages from the client to the service. The client provides an endorsing signature to prove that it is the holder of the key. A TransportBinding is used to sign and encrypt the message.

SAML 2.0 Sender-Vouches over SSL: The client includes a SAML 2.0 Assertion (sender vouches) on behalf of the requestor to all messages from the client to the service. The service uses a TransportBinding to ensure that all messages are signed and encrypted.

SSL Transport Binding: The service is secured by SSL (HTTPS).

Username Token over SSL with no Timestamp: The service is secured over SSL (HTTPS), the client is authenticated with a UsernameToken, and no timestamp should be included in the Security header.

Username Token over SSL with Timestamp: The service is secured over SSL (HTTPS), and the client is authenticated with a UsernameToken. The Security header contains a timestamp.