Another quick note on OES, OSDT and OWSM. As I have mentioned in a previous post here, OWSM provides an Extensibility Guide that allows customers to build custom policies and custom assertions.
So the question is: When should one have to build a custom assertion in OWSM 11g?
The short answer is when something is not supported in OWSM directly.
Here are a few scenarios:
a) If you want to build say OES integration for fine grained authorization based on content. OWSM in 11gR1 as of the writing of this post does not provide OES integration, but you can build an OES integration using the custom assertion support in OWSM 11g.
Here is an example that illustrates OWSM-OES integration using the custom assertion support in OWSM 11g. There is another example in the OWSM Extensibility Guide.
b) Another example would be - if you want to build OAuth support to secure your services with OAuth. OWSM 11g currently does not have OAuth support - but if you wanted to secure your services with OAuth - you could build a custom assertion to do the same.
c) Or you want to use a particular canoncalization method (ex:. The OOTB policies, assertion templates do not provide the flexibility of implementing your own canoncalization method) or want to use particular security transformations.
d) You wanted Liberty support in OWSM, etc.
In the rest of the post I will focus on building custom assertions that require a particular type of signing or encryption.
Custom Assertion, Signing, Encryption
Now one of things one has to worry about when building a custom assertion that deals with signing, encryption, etc is what XML security toolkit to use.
As you will notice - the OWSM Extensibility Guide does NOT provide any APIs that you can use for signing, encryption, etc.
The good news is you can use OSDT (Oracle Security Developer Toolkit) that actually exposes a lot of APIs to perform various XML security operations including signing, encryption, decryption, signature validation, etc.
Here are some doc pointers to OSDT:
Here are some OSDT javadocs:
Web Services Security: http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10678/toc.htm
XML Security: http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10680/toc.htm
JCE Crypto APIs: http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10697/toc.htm
SAML related APIs: http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10675/toc.htm
Liberty APIs :http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10670/toc.htm
Note: The combination of OSDT and OWSM Extensibility Guide provides you a really powerful APIs and toolkits to build various types of security policies that deal with either XML security or Web Services (SOAP) security.
WARNING: You really need to know what you are doing when using these APIs. These are fairly low level APIs and the docs expect the developer using these APIs to be extremely knowledgeable about security technologies and concepts and how to use the various low level building blocks.
Hopefully this provides some guidance on how one can use OWSM custom assertion and OSDT to build various types of policies in OWSM.