Introduction
- WS-Policy
- Policies of entities in a Web services-based system
- Service requirements and capabilities
- Specifications
- Latest working drafts (Candidate Recommendation) - 2007 Mar 30
- Core: WS-Policy Framework and Attachment
- WS-Policy Namespace and XML Schema
- WS-Policy Primer and Guidelines
- Originally from IBM, Microsoft and many others
- In W3C since April 2006 - W3C WS-Policy WG
- Last Call in November 2006
- Candidate Recommendation in February 2007
WS-Policy Model
- Policy - a collection of alternatives
- Unordered
- Preferences, selecting an alternative, out of scope
<wsp:Policy>
<wsap:AddressingRequired />
<mtom:OptimizedMimeSerialization wsp:Optional="true" />
<wsp:ExactlyOne>
<sp:TransportBinding>…</sp:TransportBinding>
<sp:AsymmetricBinding>…</sp:AsymmetricBinding>
</wsp:ExactlyOne>
</wsp:Policy>
WS-Policy Model
- Policy alternative - a collection of assertions
- Unordered
- Aggregating related assertions out of scope
<wsp:Policy>
<wsap:AddressingRequired />
<mtom:OptimizedMimeSerialization wsp:Optional="true" />
<wsp:ExactlyOne>
<sp:TransportBinding>…</sp:TransportBinding>
<sp:AsymmetricBinding>…</sp:AsymmetricBinding>
</wsp:ExactlyOne>
</wsp:Policy>
WS-Policy Model
- Policy assertion
- An individual requirement, capability or other property of a behaviour
- Defined outside the framework (domain-specific)
- Examples:
- WS-Addressing
- WS-Security Policy
- WS-Reliable Messaging Policy
- WS-Atomic Transaction
- WS-Business Activity Framework
<wsp:Policy>
<wsap:AddressingRequired />
<mtom:OptimizedMimeSerialization wsp:Optional="true" />
<wsp:ExactlyOne>
<sp:TransportBinding> ... </sp:TransportBinding>
<sp:AsymmetricBinding> ... </sp:AsymmetricBinding>
</wsp:ExactlyOne>
</wsp:Policy>
Definitions
- Policy expression
- An XML representation of a policy
- Policy attachment
- A mechanism for associating policy with one or more policy scopes
- Policy scope
- A collection of policy subjects
- Policy subject
- An entity with which a policy can be associated
- Examples: endpoint, message, resource, interaction
- Policy assertion type
- A class of policy assertions, implies a schema and assertion-specific semantics
- Policy vocabulary
- All policy assertion types used in a policy
- An alternative that omits some types from the vocabulary explicitly prohibits those types
WS-Policy Expression (Normal form)
Direct representation of the data model
<wsp:Policy>
<wsp:ExactlyOne>
(<wsp:All>
(<Assertion...> ... </Assertion>)*
</wsp:All>)*
</wsp:ExactlyOne>
</wsp:Policy>
Example:
<wsp:Policy>
<wsp:ExactlyOne>
<wsp:All>
<wsap:AddressingRequired />
<mtom:OptimizedMimeSerialization />
<sp:TransportBinding> ... </sp:TransportBinding>
</wsp:All>
<wsp:All>
<wsap:AddressingRequired />
<mtom:OptimizedMimeSerialization />
<sp:AsymmetricBinding> ... </sp:AsymmetricBinding>
</wsp:All>
<wsp:All>
<wsap:AddressingRequired />
<sp:TransportBinding> ... </sp:TransportBinding>
</wsp:All>
<wsp:All>
<wsap:AddressingRequired />
<sp:AsymmetricBinding> ... </sp:AsymmetricBinding>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
WS-Policy Data Model
WS-Policy Expression (Compact form)
XML representation for readability and ease of policy creation
- Optional assertions
- Nesting of "and" and "or" operators
- Policy inclusion...
<wsp:Policy>
<ex:RequireDerivedKeys wsp:Optional="true" />
<wsp:ExactlyOne>
<ex:WssUserNameToken10 />
<ex:WssUserNameToken11 />
</wsp:ExactlyOne>
<wsp:PolicyReference URI="Protection.wsp" />
</wsp:Policy>
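How the compact form expands to the normal form, as an added example (not part of the original slides): it takes the compact policy from the WS-Policy Model slides and produces the four alternatives written out in the normal-form example. Assumptions: the `wsap`, `mtom` and `sp` namespace URIs are placeholders, binding contents are left empty, and nested policies and `wsp:PolicyReference` are not handled.

```python
import itertools
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"  # WS-Policy 1.5 namespace

# Compact policy from the WS-Policy Model slides. The wsap/mtom/sp namespace
# URIs are constructed placeholders; binding contents are left empty.
COMPACT = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:wsap="urn:example:wsap"
            xmlns:mtom="urn:example:mtom" xmlns:sp="urn:example:sp">
  <wsap:AddressingRequired />
  <mtom:OptimizedMimeSerialization wsp:Optional="true" />
  <wsp:ExactlyOne>
    <sp:TransportBinding />
    <sp:AsymmetricBinding />
  </wsp:ExactlyOne>
</wsp:Policy>
"""

def alternatives(elem):
    """Return elem's alternatives, each a frozenset of assertion QNames."""
    if elem.tag in (f"{{{WSP}}}Policy", f"{{{WSP}}}All"):
        # "and": one alternative per combination of the children's alternatives
        per_child = [alternatives(child) for child in elem]
        return [frozenset().union(*combo)
                for combo in itertools.product(*per_child)]
    if elem.tag == f"{{{WSP}}}ExactlyOne":
        # "or": the children's alternatives are listed side by side
        return [alt for child in elem for alt in alternatives(child)]
    # Any other element is a domain-specific assertion.
    alts = [frozenset([elem.tag])]
    if elem.get(f"{{{WSP}}}Optional") == "true":
        # Optional = one alternative with the assertion, one without it
        alts.append(frozenset())
    return alts

def normalize(xml_text):
    """Parse a compact policy expression and return its list of alternatives."""
    return alternatives(ET.fromstring(xml_text))

if __name__ == "__main__":
    for number, alt in enumerate(normalize(COMPACT), start=1):
        print(number, sorted(name.split("}")[1] for name in alt))
```

Each printed line corresponds to one `wsp:All` block of the normal form; the alternatives without `OptimizedMimeSerialization` exist only because of `wsp:Optional="true"`.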
Policy intersection
- Checking if two policies have compatible alternatives
- Assertion compatibility
- Involves domain-specific processing
- Alternative compatibility
- Two alternatives are compatible iff every assertion in one is compatible with an assertion in the other
- Intersection of compatible alternatives contains all assertions
- Policy compatibility
- Two policies are compatible iff at least one alternative of one is compatible with an alternative of the other
- Intersection is a set of pair-wise alternative intersections
- Ignorable assertions
- Indicate assertions that may be ignored for policy intersection
<wsp:Policy>
...
<ex:Logging wsp:Ignorable="true" />
...
</wsp:Policy>
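The intersection rules above, as an added example (not part of the original slides): policies are given as lists of alternatives, and each alternative as a list of assertions. Assumptions: assertion compatibility is reduced to "same QName" as a stand-in for the domain-specific processing, and the provider and requester policies are constructed samples using assertion names from the slides.

```python
from typing import NamedTuple

class Assertion(NamedTuple):
    qname: str
    ignorable: bool = False  # mirrors wsp:Ignorable="true"

def compatible(a, b):
    # Stand-in for domain-specific processing: same assertion type.
    return a.qname == b.qname

def intersect_alternatives(alt_a, alt_b):
    """Return the merged alternative, or None if the two are incompatible."""
    def covered(src, dst):
        # Every assertion in src needs a compatible partner in dst,
        # unless it is marked ignorable.
        return all(x.ignorable or any(compatible(x, y) for y in dst)
                   for x in src)
    if covered(alt_a, alt_b) and covered(alt_b, alt_a):
        # The intersection contains all assertions of both alternatives.
        return list(alt_a) + list(alt_b)
    return None

def intersect_policies(policy_a, policy_b):
    """Pair-wise intersection of alternatives; an empty list means incompatible."""
    merged = (intersect_alternatives(a, b) for a in policy_a for b in policy_b)
    return [alt for alt in merged if alt is not None]

# Constructed sample policies in normal form.
ADDR = Assertion("wsap:AddressingRequired")
PROVIDER = [
    [ADDR, Assertion("sp:TransportBinding"), Assertion("ex:Logging", True)],
    [ADDR, Assertion("sp:AsymmetricBinding"), Assertion("ex:Logging", True)],
]
PROVIDER_STRICT = [
    [ADDR, Assertion("sp:AsymmetricBinding"), Assertion("ex:Logging")],
]
REQUESTER = [[ADDR, Assertion("sp:AsymmetricBinding")]]

if __name__ == "__main__":
    for alt in intersect_policies(PROVIDER, REQUESTER):
        print([a.qname for a in alt])
    print(intersect_policies(PROVIDER_STRICT, REQUESTER))
```

With `ex:Logging` marked ignorable, only the `sp:AsymmetricBinding` alternative survives; without the marker, the requester's alternative lacks a `Logging` assertion and the intersection is empty.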
Policy attachment
- Attaching policies to WS entities
- In WSDL, UDDI, WS-Addressing EndpointReferences
- Effective policy
- A merge of applicable policies – putting all in wsp:All
- Effective attachment - in place
- Attribute wsp:PolicyURIs=" … "
- Element <wsp:PolicyReference URI=" … " />
- External attachment
<wsp:PolicyAttachment>
<wsp:AppliesTo>
<x:DomainExpression/>+
</wsp:AppliesTo>
(<wsp:Policy> ... </wsp:Policy> |
<wsp:PolicyReference> ... </wsp:PolicyReference>)+
<wsse:Security> ... </wsse:Security>?
</wsp:PolicyAttachment>
Policy attachment to WSDL
- Service policy
- Endpoint policy
- Operation policy
- Message Policy
WS-Policy @ Adobe
- Adobe Policy Server
- Apply rights management policies directly at the document level
- Control
- Who can open the document?
- What can they do with the document?
- Dynamically manage access
- Set expiration dates
- Instantaneously revoke documents
- Accountability
- What has been done to the document?
- Know when documents have been opened, printed, modified, etc.
- Leverage existing group and authentication information
- Offline, Online Modes
- WS-Policy conformance
Summary
- Important features of WS-Policy
- Two-level model – alternatives and assertions
- Merging policies explicitly defined
- Intersection of policies explicitly defined
- But not compatibility and meaning – that’s domain-specific
- Standardisation began June 2006
- Transitioned to CR in Feb 2007
- Should be Recommendation by summer 2007
- All major industrial players involved
- Next f2f meeting: 23-25 May 2007, Ottawa, ON, Canada
Resources
- WS-Policy
- Specifications
- Core: WS-Policy Framework and Attachment
- WS-Policy Namespace and XML Schema
- WS-Policy Primer and Guidelines