One of the major advantages of Inbound Web Services (IWS) is the support for security based around the WS-Policy standard. By supporting WS-Policy it is now possible to support a wide range of transport and message security standards within each individual web service. It is also possible to support multiple policies. This allows maximum flexibility for interfacing to Oracle Utilities products using the WS-Policy support provided by Oracle WebLogic and IBM WebSphere (for selected products).This means the Web Services client calling our Inbound Web Services must comply with at least one of the WS-Policy directives attached to the service.
The support for WS-Policy is implemented in a number of areas:
- It is possible to attach custom WS-Policy compliant policies directly to the Inbound Web Service as an annotation. The Oracle Utilities product supplies an optional default annotation to implement backward compatibility with XML Application Integration (XAI). This allows customers using XAI to more for Inbound Web Services. Oracle recommends not to attach policies within the Inbound Web Services definition as that can reduce the flexibility of your interfaces.
- It is possible to attach policies within the J2EE Web Application service AFTER deployment to individual web services. This information is retained across deployments using a deployment file that is generated by the container at deployment time. In Oracle WebLogic this is contained in the deployment plan generated by the deployment activity, it will reapply the policies during each redeployment process automatically. For Oracle WebLogic, a large number of WS-Policy files are supported for message and transport.
- For Oracle WebLogic EE customers, it is possible to also use Oracle Web Services Manager to attach additional WS-Policy security policies supported by that product. Again this is done by deployment time. The advantage of Oracle Web Services Manager is that it reuses all of the policies supplied with Oracle WebLogic, adds advanced policies and also adds access control functionality rules you can attach to an Inbound Web Service to control when, who and where it is used.
The bottom line is that you can use any policy (supplied with the J2EE container or custom) that is supported by the J2EE container. You cannot introduce a policy that is not compatible with the container itself as we delegate security to the container.
The only thing we do not support at the present is applying a WS-Policy to part of a message or at the operation level. The WS-Policy is applies across the web service.