WS-Policy

Web services are composed to create an aggregate web service. A participating web service may need to communicate its policies to other participants. For example, one of the participants (a partner) may require a Kerberos security token for its access. This will be defined as a policy assertion in its policy document. Such policy documents must be shared between partners who wish to access the services provided by this partner site. A policy may consist of multiple assertions. The service provider may require all such assertions be satisfied by the requesting partner, or it may request the partner to satisfy at least one of the assertions. WS-Policy was designed for creating policy documents.

WS-Policy defines a set of constructs for specifying web service policies that can be communicated to others. The specification does not define how to transport or discover a policy. Policies may be associated with various entities and resources. The policy may be associated with arbitrary XML elements, WSDL documents, and UDDI elements. The WS-PolicyAttachment specifications define such mechanisms. The policy, specified in an XML document, is transmitted to the requester using messaging specifications discussed earlier.

Policy Outline

A general outline for defining a policy is as follows:

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
  ...
  Policy Assertions
  ...
</wsp:Policy>

The policy may include multiple policy assertions. The specification defines policy operators that determine how the listed assertions are combined, that is, which of them must be satisfied. The various operators are:

  • <wsp:All>
  • <wsp:ExactlyOne>
  • <wsp:OneOrMore>
  • <wsp:Policy>

The <wsp:All> Operator

The use of the <wsp:All> operator is illustrated in the following example:

<wsp:Policy xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
  <wsp:All>
 Assertion 1
 Assertion 2
    ...
    ...
  </wsp:All>
</wsp:Policy>

A typical policy defines multiple assertions. This example specifies the security assertions, so we have defined the security namespace. <wsp:All> specifies that all listed assertions must be satisfied.

The <wsp:ExactlyOne> Operator

If we use ExactlyOne in place of All in the above code, it indicates that exactly one of the assertions must be satisfied. Typically, this is useful when specifying the alternatives to an assertion. Thus, more than one alternative assertion may be listed in the policy and exactly one of the assertions must be satisfied.

The <wsp:OneOrMore> Operator

OneOrMore specifies that at least one of its child elements must be satisfied. With multiple assertions, it ensures that one or more assertions are satisfied.

The <wsp:Policy> Operator

This is equivalent to <wsp:All>.

Policy Assertions

The assertions within a policy are defined using the following syntax:

<wsp:Policy TargetNamespace="..."? >
  <Assertion wsp:Usage="..."? wsp:Preference="..."? /> *
    ...
</wsp:Policy>

wsp:Usage specifies how the assertion is processed. It supports the following values:

  • wsp:Required: Indicates that this is a required assertion. If this is not satisfied, a fault occurs.
  • wsp:Rejected: Indicates that this assertion is explicitly not supported. If present, it causes a fault to occur.
  • wsp:Optional: Indicates that this is an optional assertion.
  • wsp:Observed: Indicates that the service requesters are informed that the policy is applied. The assertion is applied to all the subjects.
  • wsp:Ignored: Indicates that the assertion is ignored.

The wsp:Preference attribute specifies the preference given to the current assertion. This is specified as a numeric value; the higher the value, the higher the preference.

Example

The following example illustrates how the policy is defined.

<wsp:Policy xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
  <wsse:SecurityToken wsp:Usage="wsp:Required">
    <wsse:TokenType>
      wsse:Kerberosv5TGT 
    </wsse:TokenType>
  </wsse:SecurityToken>
</wsp:Policy>

We have defined two namespaces, one for the policy and the other for security. Policy assertions are usually related to security, so we need to define the security namespace. The policy assertion is the SecurityToken. It is specified as Required. The type of token is Kerberos.

Note that we have not specified the policy operator here. If we had specified more than one assertion, say one more security token of type X.509, we could have specified the operator as ExactlyOne, indicating that only one of the token types is to be used.
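The operator and wsp:Usage semantics described above, as an added example that is not part of the original text: a small evaluator that parses a WS-Policy (2002/12 draft) document and decides whether a requester's offered assertions satisfy it. The policy document, the requester's capability set, and the wsse:X509v3 and wsse:UsernameToken token-type values are constructed for this example; treating a missing wsp:Usage as wsp:Required is an assumption.

```python
# Added example: evaluate WS-Policy operators (Policy/All, ExactlyOne,
# OneOrMore) and wsp:Usage values against a requester's offered assertions.
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2002/12/policy"
WSSE = "http://schemas.xmlsoap.org/ws/2002/12/secext"

# Constructed sample policy: exactly one of Kerberos or X.509 must be used,
# and a username token is explicitly rejected (token-type values assumed).
POLICY_XML = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:wsse="{WSSE}">
  <wsp:ExactlyOne>
    <wsse:SecurityToken wsp:Usage="wsp:Required">
      <wsse:TokenType>wsse:Kerberosv5TGT</wsse:TokenType>
    </wsse:SecurityToken>
    <wsse:SecurityToken wsp:Usage="wsp:Required">
      <wsse:TokenType>wsse:X509v3</wsse:TokenType>
    </wsse:SecurityToken>
  </wsp:ExactlyOne>
  <wsse:SecurityToken wsp:Usage="wsp:Rejected">
    <wsse:TokenType>wsse:UsernameToken</wsse:TokenType>
  </wsse:SecurityToken>
</wsp:Policy>"""


def wsp(name):
    """Clark-notation tag for an element or attribute in the wsp namespace."""
    return "{%s}%s" % (WSP, name)


def key(node):
    """Identify a leaf assertion by local name and text, e.g.
    'SecurityToken=wsse:Kerberosv5TGT'; the requester offers such strings."""
    local = node.tag.split("}")[-1]
    return f"{local}={''.join(node.itertext()).strip()}"


def satisfied(node, offered):
    """Return True when the requester's `offered` set satisfies `node`."""
    if node.tag in (wsp("Policy"), wsp("All")):   # Policy is equivalent to All
        return all(satisfied(c, offered) for c in node)
    if node.tag == wsp("ExactlyOne"):
        return sum(satisfied(c, offered) for c in node) == 1
    if node.tag == wsp("OneOrMore"):
        return any(satisfied(c, offered) for c in node)
    usage = node.get(wsp("Usage"), "wsp:Required")  # assumed default
    present = key(node) in offered
    if usage == "wsp:Rejected":   # offering a rejected assertion is a fault
        return not present
    if usage == "wsp:Required":   # missing a required assertion is a fault
        return present
    return True  # Optional, Observed and Ignored never cause a fault


def check(policy_xml, offered):
    """Parse a policy document and evaluate it against an offered set."""
    return satisfied(ET.fromstring(policy_xml), set(offered))
```

Swapping ExactlyOne for OneOrMore in the same document makes a requester that offers both Kerberos and X.509 acceptable, which is the difference the operator sections above describe.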

Policy Inclusion

The specification allows you to include an already-defined policy expression in another policy expression. The <wsp:PolicyReference> element is used for this purpose. The PolicyReference is specified as follows:

<wsp:Policy>
  ...
  <wsp:PolicyReference URI="..." ?/>
  ...
</wsp:Policy>

The URI specifies the location for the existing policy. The following example illustrates the use of this element:

<wsp:Policy wsu:Id="MyPolicy" xmlns:wsu="..." >
  ...
</wsp:Policy>

<wsp:Policy xmlns:wsse="...">
  <wsp:PolicyReference URI="#MyPolicy" />
  ...
</wsp:Policy>

In this code, the existing policy specified by MyPolicy is included in the new policy definition.