WS-SecurityPolicy

WS-SecurityPolicy is a web services specification, created by IBM and 12 co-authors, that has become an OASIS standard as of version 1.2. It extends the fundamental security protocols specified by the WS-Security, WS-Trust and WS-SecureConversation by offering mechanisms to represent the capabilities and requirements of web services as policies. Security policy assertions are based on the WS-Policy framework.

Policy assertions can be used to require more generic security attributes like transport layer security <TransportBinding>, message level security <AsymmetricBinding> or timestamps, and specific attributes like token types.

Most policy assertion can be found in following categories:

Policies can be used to drive development tools to generate code with certain capabilities, or may be used at runtime to negotiate the security aspects of web service communication. Policies may be attached to WSDL elements such as service, port, operation and message, as defined in WS Policy Attachment.[1]

Sample Policies

Namespaces used by the following XML-snippets:

<p:Policy 
   xmlns:p="http://www.w3.org/ns/ws-policy"
   xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802">
   ...
</p:Policy>

Include a timestamp:

<sp:IncludeTimestamp />

Use either transport layer security (https) or message level security (XML Dsig/XML Enc):

<ExactlyOne>
  <sp:TransportBinding>...</sp:TransportBinding>
  <sp:AsymmetricBinding>...</sp:AsymmetricBinding >
</ExactlyOne>

To define a SAML assertion as security token:

<sp:IssuedToken>
  <sp:RequestSecurityTokenTemplate>
    <wst:TokenType>...#SAMLV2.0</wst:TokenType>
  </sp:RequestSecurityTokenTemplate>
</sp:IssuedToken>

Issued token assertion of providers with reference to the STS and required token format:

<sp:IssuedToken>
  <sp:Issuer>
    <wsa:EndpointReference>
      <wsa:Address>http://sampleorg.com/sts</wsa:Address>
     </wsa:EndpointReference>
  </sp:Issuer>
  <sp:RequestSecurityTokenTemplate>
    <wst:TokenType>
       http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
    </wst:TokenType>
        ...
  </sp:RequestSecurityTokenTemplate>
  ...
</sp:IssuedToken>

Specify that message header and body need to be signed, and attachments are left unsigned:

<sp:SignedParts xmlns:sp="..." ... >
  <sp:Body />?
  <sp:Header Name="xs:NCName"? Namespace="xs:anyURI" ... />*
...
</sp:SignedParts>

Other WS policy languages

The term Web Services Security Policy Language is used for two different XML-based languages:

  1. As described above, based on the WS-Policy framework, as defined in,[2] published as version 1.3 in Feb. 2009
  2. WSPL, based on XACML profile for Web-services, but that was not finalized.[3]

See also

References

  1. http://www.w3.org/TR/ws-policy-attach/ WS-Policy - Attachment
  2. http://www.oasis-open.org/specs/index.php#ws-secpol WS-SecurityPolicy
  3. http://www.oasis-open.org/committees/download.php/1608/wd-xacml-wspl-use-cases-04.pdf Web-services policy language use cases and requirements (draft)

External links

This article is issued from Wikipedia - version of the Wednesday, October 15, 2014. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.