WS-SecurityPolicy
WS-SecurityPolicy is a WS-* specification, created by IBM and 12 co-authors, that has become an OASIS standard as of version 1.2. It extends the fundamental security protocols specified by WS-Security, WS-Trust and WS-SecureConversation by offering mechanisms to represent the capabilities and requirements of web services as policies. Security policy assertions are based on the WS-Policy framework.

Policy assertions can be used to require generic security properties such as transport layer security, message level security or timestamps, as well as specific properties such as the accepted token types.

Most policy assertions fall into the following categories:
  • Protection assertions identify the elements of a message that are required to be signed, encrypted, or present.
  • Token assertions specify the allowed token formats (SAML, X.509, Username, etc.).
  • Security binding assertions control the basic security safeguards: transport or message level security, the cryptographic algorithm suite, and whether a timestamp is required.
  • Supporting token assertions add functions such as user sign-on with a username token.

Policies can be used to drive development tools to generate code with certain capabilities, or they may be used at runtime to negotiate the security aspects of web service communication. Policies may be attached to WSDL elements such as service, port, operation and message, as defined in WS-PolicyAttachment.

Sample Policies

Namespaces used by the following XML snippets (wsa and wst are the WS-Addressing and WS-Trust namespaces referenced by the issued-token examples):

<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
            xmlns:wsa="http://www.w3.org/2005/08/addressing"
            xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  ...
</wsp:Policy>

Include a timestamp (placed inside the nested wsp:Policy of a binding assertion; without it a receiver has no freshness information to reject stale or replayed messages):

<sp:IncludeTimestamp />

Use either transport layer security (HTTPS) or message level security (XML Signature/XML Encryption). wsp:ExactlyOne offers alternatives and the client picks one it can satisfy; a cautious client prefers the strongest alternative it supports rather than the first one that matches:

<wsp:ExactlyOne>
  <sp:TransportBinding>...</sp:TransportBinding>
  <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
</wsp:ExactlyOne>


To require a SAML assertion as the security token (the token type is given as the WSS SAML Token Profile identifier in the WS-Trust request template):

<sp:IssuedToken>
  <sp:RequestSecurityTokenTemplate>
    <wst:TokenType>...#SAMLV2.0</wst:TokenType>
  </sp:RequestSecurityTokenTemplate>
</sp:IssuedToken>


Issued token assertion naming the security token service (STS) that issues the token and the required token format:

<sp:IssuedToken>
  <sp:Issuer>
    <wsa:Address>http://sampleorg.com/sts</wsa:Address>
  </sp:Issuer>
  <sp:RequestSecurityTokenTemplate>
    <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID</wst:TokenType>
    ...
  </sp:RequestSecurityTokenTemplate>
  ...
</sp:IssuedToken>


Specify that message headers and the body must be signed while attachments are left unsigned. The snippet uses the specification's pseudo-schema notation: "?" marks an optional element and "*" an element that may occur zero or more times; attachments stay unsigned simply because no sp:Attachments element is listed:

<sp:SignedParts>
  <sp:Body />?
  <sp:Header Name="xs:NCName"? Namespace="xs:anyURI" />*
  ...
</sp:SignedParts>
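The policy fragments above are what a client (or an auditor) has to evaluate before trusting a service's advertised security. As an added example, not code from the OASIS specification, the page, or any WS-* toolkit: the script below normalises a WS-Policy document into its alternatives following the WS-Policy normal-form rules (wsp:Policy and wsp:All are the cross product of their children's alternatives, wsp:ExactlyOne is their union, anything else is an assertion) and then lints each alternative for weak WS-SecurityPolicy settings: a missing binding, a missing sp:IncludeTimestamp, RSA PKCS#1 v1.5 or SHA-1 algorithm suites, a transport binding without sp:HttpsToken, and a message-level binding that does not sign and encrypt the body. The sample policy, including the WS-Addressing header namespace it signs, is constructed for this example.

```python
"""Normalise a WS-Policy document into its alternatives and lint each one.

Added example for this page, not code from the OASIS specification or any
WS-* toolkit. WS-Policy normal form (WS-Policy 1.5, section 4.3): a
wsp:Policy or wsp:All is the cross product of its children's alternatives,
wsp:ExactlyOne is their union, and anything else is an assertion.
"""
import xml.etree.ElementTree as ET
from itertools import product

WSP = "http://www.w3.org/ns/ws-policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"

# Constructed sample (not from the page): the service accepts either HTTPS
# with a SHA-256 suite and a timestamp, or a weak message-level alternative.
# The WS-Addressing header namespace is just an illustrative value.
SAMPLE_POLICY = """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding><wsp:Policy>
        <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
        <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256/></wsp:Policy></sp:AlgorithmSuite>
        <sp:IncludeTimestamp/>
      </wsp:Policy></sp:TransportBinding>
    </wsp:All>
    <wsp:All>
      <sp:AsymmetricBinding><wsp:Policy>
        <sp:AlgorithmSuite><wsp:Policy><sp:Basic128Rsa15/></wsp:Policy></sp:AlgorithmSuite>
      </wsp:Policy></sp:AsymmetricBinding>
      <sp:SignedParts><sp:Header Namespace="http://www.w3.org/2005/08/addressing"/></sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>""" % (WSP, SP)


def q(ns, local):
    """Clark-notation tag name as ElementTree spells it."""
    return "{%s}%s" % (ns, local)


def local_name(elem):
    """Strip the {namespace} part from an ElementTree tag."""
    return elem.tag.rsplit("}", 1)[-1]


def alternatives(elem):
    """Return the policy alternatives of elem as a list of assertion lists.
    An assertion's nested wsp:Policy is kept verbatim for the linter."""
    if elem.tag in (q(WSP, "Policy"), q(WSP, "All")):
        alts = [[]]  # one empty alternative means "no requirements"
        for child in elem:
            alts = [a + b for a, b in product(alts, alternatives(child))]
        return alts
    if elem.tag == q(WSP, "ExactlyOne"):
        return [alt for child in elem for alt in alternatives(child)]
    return [[elem]]


def lint_alternative(assertions):
    """Findings for one alternative; an empty list means nothing weak found."""
    findings = []
    bindings = [a for a in assertions if local_name(a) in
                ("TransportBinding", "SymmetricBinding", "AsymmetricBinding")]
    if not bindings:
        return ["no security binding assertion: messages may travel unprotected"]
    binding = bindings[0]
    kind = local_name(binding)
    if binding.find(".//" + q(SP, "IncludeTimestamp")) is None:
        findings.append(kind + ": no sp:IncludeTimestamp, receivers cannot reject stale or replayed messages")
    suite = binding.find(".//%s/%s/*" % (q(SP, "AlgorithmSuite"), q(WSP, "Policy")))
    if suite is None:
        findings.append(kind + ": no sp:AlgorithmSuite, the toolkit default decides the crypto")
    else:
        name = local_name(suite)
        if "Rsa15" in name:
            findings.append("suite %s uses RSA PKCS#1 v1.5 key transport (Bleichenbacher-style padding oracles); use an OAEP suite" % name)
        if "Sha256" not in name:
            findings.append("suite %s uses SHA-1 digests; prefer a *Sha256 suite" % name)
        if name.startswith("TripleDes"):
            findings.append("suite %s uses 3DES; prefer an AES (Basic128/Basic256) suite" % name)
    if kind == "TransportBinding":
        if binding.find(".//" + q(SP, "HttpsToken")) is None:
            findings.append("TransportBinding without sp:HttpsToken: TLS is not actually required")
        return findings
    # Message-level binding: the body should at least be signed and encrypted.
    for part in ("SignedParts", "EncryptedParts"):
        covered = any(local_name(a) == part and a.find(q(SP, "Body")) is not None
                      for a in assertions)
        if not covered:
            findings.append("%s: sp:Body is not listed in sp:%s" % (kind, part))
    return findings


def lint_policy(xml_text):
    """Return one findings list per policy alternative, in normal-form order."""
    return [lint_alternative(alt) for alt in alternatives(ET.fromstring(xml_text))]


if __name__ == "__main__":
    for i, findings in enumerate(lint_policy(SAMPLE_POLICY)):
        print("alternative %d: %s" % (i, "clean" if not findings else ""))
        for f in findings:
            print("  - " + f)
```

Run against the constructed sample, the first (HTTPS) alternative is clean and the second collects five findings. The normaliser deliberately does not recurse into an assertion's own nested wsp:Policy, which is why the linter searches the binding's descendants with ".//" instead; wsp:PolicyReference is treated as an opaque assertion, so a real tool would have to resolve references before normalising.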


Other WS policy languages

The term Web Services Security Policy Language is used for two different XML-based languages:
  1. The OASIS WS-SecurityPolicy language described above, built on the WS-Policy framework and published as version 1.3 in February 2009.
  2. WSPL (Web Services Policy Language), based on the XACML profile for web services, which was never finalized.

External links

Security in a Web Services World: A Proposed Architecture and Roadmap (IBM/Microsoft Whitepaper, 2002)
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 