Why WS-Policy Alternatives?

• Exploring expressivity of WS-Policy
• Implementing WS-Policy with other (current) languages
• Studying some limitations of those other languages
• Does WS-Policy make sense?

Web Services Policy 101

Web Services Policy

… general purpose model and corresponding syntax to describe the policies of entities in a Web services-based system

Used in:

• WSDL 1.1/2.0: service, endpoint, binding, operation, input, output, fault.
• UDDI 2.0/3.0: businessEntity, businessService, tModel, bindingTemplate, etc.
• External attachments: using URIs

Possible Uses of WS-Policy

• Requirements
  • if you want to use CheckClearingService, you'd better…
• Capabitilities
  • my librairies can…
• Logging
  • bank X used CheckClearingService…

WS-Policy Expression 101

Example:

<Policy>
  <wsap:AddressingRequired />
  <mtom:OptimizedMimeSerialization />
</Policy>

WS-Policy Assertion

… represents an individual requirement, capability, or other property of a behavior.

<wsap:AddressingRequired />

Nested Policy Expression

<Policy>
  <sp:TransportBinding>
      <Policy>
        <sp:TransportToken>
          <Policy>
            <sp:HttpsToken>
              <Policy>
                 <sp:HttpDigestAuthentication />                  
              </Policy>
            </sp:HttpsToken>
          </Policy>
        </sp:TransportToken>
        <sp:AlgorithmSuite>
          <Policy>
            <sp:Basic256Rsa15/>
          </Policy>
        </sp:AlgorithmSuite>
      </Policy>
  </sp:TransportBinding>
</Policy>

WS-Policy Assertion (second try)

… represents an individual requirement, capability, or other property of a behavior.

<sp:HttpDigestAuthentication />

… could be context dependent.

WS-Policy Alternatives

Example:

<wsp:Policy>
  <wsap:AddressingRequired />
  <mtom:OptimizedMimeSerialization
          wsp:Optional="true"/>
  <wsp:ExactlyOne>
    <sp:TransportBinding>…</sp:TransportBinding>
    <sp:AsymmetricBinding>…</sp:AsymmetricBinding>
  </wsp:ExactlyOne>
</wsp:Policy>

Normal form

<Policy>
 <ExactlyOne>
    <All>
      <wsap:AddressingRequired />
      <mtom:OptimizedMimeSerialization />
      <sp:TransportBinding>…</sp:TransportBinding>
    </All>
    <All>
      <wsap:AddressingRequired />
      <mtom:OptimizedMimeSerialization />
      <sp:AsymmetricBinding>…</sp:AsymmetricBinding>
    </All>
    <All>
      <wsap:AddressingRequired />
      <sp:TransportBinding>…</sp:TransportBinding>
    </All>
    <All>
      <wsap:AddressingRequired />
      <sp:AsymmetricBinding>…</sp:AsymmetricBinding>
    </All>
  </ExactlyOne>
</Policy>

Nested Policy Expression

<Policy>
  <sp:TransportBinding>
    <Policy>
      <sp:TransportToken>
        <Policy>
          <sp:HttpsToken>
            <Policy>
              <ExactlyOne>
                <sp:HttpDigestAuthentication />   
                <sp:HttpBasicAuthentication />               
              <ExactlyOne>
            </Policy>
          </sp:HttpsToken>
        </Policy>
      </sp:TransportToken>
    </Policy>
  </sp:TransportBinding>
</Policy>

Normal Nested Policy Expression

<Policy>
 <ExactlyOne>
   <All>
     <sp:TransportBinding>
       <Policy>
         <sp:TransportToken>
           <Policy>
             <sp:HttpsToken>
               <Policy>
                 <sp:HttpDigestAuthentication />   
               </Policy>
             </sp:HttpsToken>
           </Policy>
         </sp:TransportToken>
       </Policy>
     </sp:TransportBinding>
   </All>
   <All>
     <sp:TransportBinding>
       <Policy>
         <sp:TransportToken>
           <Policy>
             <sp:HttpsToken>
               <Policy>
                 <sp:HttpBasicAuthentication />   
               </Policy>
             </sp:HttpsToken>
           </Policy>
         </sp:TransportToken>
       </Policy>
     </sp:TransportBinding>
   </All>
 </ExactlyOne>
</Policy>

WS-Policy as Regexps

WS-Policy Written in XML

<wsp:Policy>
  <wsap:AddressingRequired />
  <mtom:OptimizedMimeSerialization
          wsp:Optional="true"/>
  <wsp:ExactlyOne>
    <sp:TransportBinding>…</sp:TransportBinding>
    <sp:AsymmetricBinding>…</sp:AsymmetricBinding>
  </wsp:ExactlyOne>
</wsp:Policy>

A Name is Just a Name

<wsp:Policy>
  <A />
  <B wsp:Optional="true"/>
  <wsp:ExactlyOne>
    <C/>
    <D/>
  </wsp:ExactlyOne>
</wsp:Policy>

WS-Policy Written in Regexps

A B? ( C | D )

mtom:OptimizedMimeSerialization
wsap:AddressingRequired?
( sp:TransportBinding | 
  sp:AsymmetricBinding )

"Canonicalized" Regexp

( A B C ) | ( A B D ) | ( B C ) | ( B D )

( AddressingRequired AsymmetricBinding ) |
( AddressingRequired TransportBinding ) |
( AddressingRequired AsymmetricBinding OptimizedMimeSerialization ) |
( AddressingRequired TransportBinding OptimizedMimeSerialization )

String match of

( AddressingRequired TransportBinding )

looks for policy intersections.

Hard to "Canonicalize"

<sp:SignedParts>
  <sp:Body />
</sp:SignedParts>

SignedParts and Body become one opaque identifier.

Secret knowledge allows me to know that really means:

<sp:SignedParts>
  <Policy>
    <sp:Body/>
  </Policy>
</sp:SignedParts>

or

<SignedParts-Body/>

Nested Policies

From the surface syntax,

<wsap:AddressingRequired/>

≠

<wsap:AddressingRequired>
  <Policy>
    <wsap:AnonymousResponses/>
  </Policy>
</wsap:AddressingRequired>

New Regexp Convention

A<B>

wsap:AddressingRequired<wsap:AnonymousResponses>

What Were We Doing Again?

• Requirements
• Capabitilities
• Logging

Requirement: X and Y

… do X and Y.

<wsp:Policy>
  <X/>
  <Y/>
</wsp:Policy>

Requirement: X xor Y

… do X or Y, but not both.

<wsp:Policy>
  <wsp:ExactlyOne>
    <X/>
    <Y/>
  </wsp:ExactlyOne>
</wsp:Policy>

Requirement: X and maybe Y

… do X and maybe Y.

<wsp:Policy>
  <X/>
  <Y wsp:Optional="true"/>
</wsp:Policy>

Requirement: X and maybe Y

<wsp:Policy>
  <wsp:ExactlyOne>
    <wsp:All>
      <X/>
    </wsp:All>
    <wsp:All>
      <X/>
      <Y/>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

Requirement: X iff Y

… do X if and only if you do Y.

<wsp:Policy wsp:Optional="true">
  <X/>
  <Y/>
</wsp:Policy>

Requirement: X iff Y

<wsp:Policy>
  <wsp:ExactlyOne>
    <wsp:All></wsp:All>
    <wsp:All>
      <X/>
      <Y/>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

What Else Can We Express?

• Requirements
• Capabilities
• Logging

Capability: X iff Y

… do X and Y (together).

<wsp:Policy>
  <All wsp:Optional="true">
    <X/>
    <Y/>
  </All>
</wsp:Policy>

(Of course, you need to use the expanded form.)

Capability: X iff Y matches what?

Some requirements that match the capability X iff Y:

<wsp:Policy>
  <X/>
  <Y/>
</wsp:Policy>

<wsp:Policy>
</wsp:Policy>

<wsp:Policy>
  <X/>
  <Y wsp:Optional="true"/>
</wsp:Policy>

What Tools Solve This Problem?

Off-the-shelf query tools:

• XPath requirements testing WS-Policy (XML) capabilities.
• SPARQL requirements testing RDF capability expressions.

XQuery

for $pol in fn:doc("libs.xml")/Policy/All/
where $pol/wsap:AddressingRequired
      and $pol/mtom:OptimizedMimeSerialization
      and count($pol/*[not(wsap:AddressingRequired)
                       and not(mtom:OptimizedMimeSerialization)]) = 0
return $pol

returns a node if libs.xml expresses that capability.

SPARQL

ASK { ?pol rdfp:requires (
    [ rdfp:policyName mtom:OptimizedMimeSerialization ]
    [ rdfp:policyName wsap:AddressingRequired ] ) }

Wait, What Data Did That Query?

The RDF (Turtle) representation looks very much like this query.

_:somePolicy rdfp:requires (
    [ rdfp:policyName mtom:OptimizedMimeSerialization ]
    [ rdfp:policyName wsap:AddressingRequired ] ) }

Using XML Schema

Using XML Schema

1. to represent policy assertions
2. to check Infoset artifacts

<Policy>
  <wsap:AddressingRequired />
</Policy>

XML Schema for Addressing

<xs:element name="soap12:Headers">
  <xs:complexType>
    <xs:all>
      <xs:element ref='wsa:To'/>
      <xs:element ref='wsa:Action'/>
      <xs:element ref='wsa:MessageId' minOccurs='0'/>
      <xs:element ref='wsa:From' minOccurs='0'/>
      <xs:element ref='wsa:ReplyTo' minOccurs='0'/>
      <xs:element ref='wsa:FaultTo' minOccurs='0'/>
    </xs:all>
  </xs:complexType>
</xs:element>

XML Schema for Addressing extended

<xs:element name="soap12:Headers">
  <xs:complexType>
    <xs:all>
      <xs:element ref='wsa:To'/>
      <xs:element ref='wsa:Action'/>
      <xs:element ref='wsa:MessageId' minOccurs='1'/>
      <xs:element ref='wsa:From' minOccurs='1'/>
      <xs:element ref='wsa:ReplyTo' minOccurs='0'/>
    </xs:all>
  </xs:complexType>
</xs:element>

Addressing assertion extended

<wsp:Policy>
  <wsap:AddressingRequired>
    <Policy>
      <myns:MessageIdRequired/>
      <myns:FromRequired/>
      <myns:FaultToProhibited/>
    </Policy>
  </wsap:AddressingRequired>
</wsp:Policy>

More complex wire expressions

<Policy>
  <wsap:AddressingRequired />
  <mtom:OptimizedMimeSerialization />
</Policy>

MTOM Envelope

MIME-Version: 1.0
Content-Type: Multipart/Related;boundary=MIME_boundary;
    type="application/xop+xml";
    start="<mymessage.xml@example.org>";
    startinfo="application/soap+xml"

--MIME_boundary
Content-Type: application/xop+xml; type="application/soap+xml"
Content-Transfer-Encoding: 8bit
Content-ID: <mymessage.xml@example.org>

<soap:Envelope
    xmlns:soap='http://www.w3.org/2003/05/soap-envelope'
    xmlns:xmlmime='http://www.w3.org/2004/11/xmlmime'>
  <soap:Body>
    <soap:Headers>
      <wsa:To>http://www.example.org/</wsa:To>
      <wsa:Action>http://www.example.org/ProcessData</wsa:Action>
    </soap:Headers>
    <m:data xmlns:m='http://example.org/stuff'>
      <m:photo 
  xmlmime:contentType='image/png'><xop:Include 
    xmlns:xop='http://www.w3.org/2004/08/xop/include' 
    href='cid:http://example.org/me.png'/></m:photo>
    </m:data>
  </soap:Body>
</soap:Envelope>

--MIME_boundary
Content-Type: image/png
Content-Transfer-Encoding: binary
Content-ID: <http://example.org/me.png>

// binary octets for png

--MIME_boundary--

Message Envelope

<message optimizedMimeSerialization='true'>
  <httpHeaders>
    <method>POST</method>
    <contentType>application/soap+xml</contentType>
  </httpHeaders>
  <soap:Envelope
    xmlns:soap='http://www.w3.org/2003/05/soap-envelope'
    xmlns:xmlmime='http://www.w3.org/2004/11/xmlmime'>
    <soap:Body>
      <soap:Headers>
        <wsa:To>http://www.example.org/</wsa:To>
        <wsa:Action>http://www.example.org/ProcessData</wsa:Action>
      </soap:Headers>
      <m:data xmlns:m='http://example.org/stuff'>
        <m:photo 
    xmlmime:contentType='image/png'>6834BA74FE…</m:photo>
      </m:data>
    </soap:Body>
  </soap:Envelope>
</message>

XML Schema for Addressing+MTOM

<xs:element name="message">
  <xs:complexType>
   <xs:all>
    <xs:element ref="httpHeaders" />
    <xs:element ref="soap12:Envelop">
      <xs:complexType>
	<xs:sequence>
	  <xs:element name="soap12:Headers">
	    <xs:complexType>
	      <xs:all>
		<xs:element ref='wsa:To'/>
		<xs:element ref='wsa:Action'/>
		<xs:element ref='wsa:MessageId' minOccurs='0'/>
		<xs:element ref='wsa:From' minOccurs='0'/>
		<xs:element ref='wsa:ReplyTo' minOccurs='0'/>
		<xs:element ref='wsa:FaultTo' minOccurs='0'/>
	      </xs:all>
	    </xs:complexType>
	  </xs:element>
	  <xs:element ref="soap12:Body" />
	</xs:sequence>
      </xs:complexType>
    </xs:element>
   </xs:all>
  </xs:complexType>
  <xs:attribute name="optimizedMimeSerialization"
      xsi:type="xsd:boolean" fixed='true'/>
</xs:element>

Another example

<Policy>
  <wsap:AddressingRequired />
  <sp:SignedParts wsp:Optional="true">
    <sp:Body />
  </sp:SignedParts> 
</Policy>

Using XML Schema

<xs:complexType>
  <xs:all>
    <xs:element ref='wsa:To'/>
    <xs:element ref='wsa:Action'/>
    …
    <xs:element name='wsse:Security' minOccurs='0'/>
      <xs:element ref='ds:Signature'>
        …
      </xs:element>
    </xs:element>
  </xs:all>
</xs:complexType>

Another Example (2)

<Policy>
  <ExactlyOne>
    <All>
      <wsap:AddressingRequired />
      <sp:SignedParts>
        <sp:Body />
      </sp:SignedParts>
    </All>
    <All>
      <wsap:AddressingRequired />
    </All>
  </ExactlyOne> 
</Policy>

Welcome to UPA Hell!

<xs:complexType>
  <xs:choice>
    <xs:all>
      <xs:element ref='wsa:To'/>
      <xs:element ref='wsa:Action'/>
      …
      <xs:element name='wsse:Security'/>
        <xs:element ref='ds:Signature'>
          …
        </xs:element>
      </xs:element>
    </xs:all>
    <xs:all>
      <xs:element ref='wsa:To'/>
      <xs:element ref='wsa:Action'/>
      …
    </xs:all>
  <xs:choice>
</xs:complexType>

So, using XML Schema

Pros

• Direct reuse of Schema processors
• Finer control over the messages
• No need to invent a new assertion for known SOAP Headers

Cons

• Everything you test must be an infoset artifact but not restricted to the SOAP Envelope (can't express logging)
• May necessitate some transformations to avoid UPA Hell

And what about capabilities vs requirements?

So, Does WS-Policy make sense?

• Yes, as a set of assertions (language is consistent)
• Reduced expressivity makes equivalence and intersection easier (possible?)

Minor proposal: add support for wsp:Optional on Policy/All and ExactlyOne

Stronger proposal: don't allow arbitrary elements in a policy assertion!

Questions?

Slides at:
http://www.w3.org/2006/Talks/1205-ws-policy-alts/