WebServicePolicyExpressionAlternatives

From W3C Wiki

Web Service Policy Expression Alternatives

Web Services Policy (WS-Policy) is a general purpose framework for expressing requirements, capabilities, and general characteristics of a Web service, such as security or reliability requirements. We will demonstrate how a variety of current schema and query languages can express these policies and how these languages can clarify and extend policy description.

Abstract

The demand for automated or assisted Web service discovery and invocation prompted the development of the Web Services Policy framework (WS-Policy), a general purpose framework for expressing requirements, capabilities, and general characteristics for invoking a particular Web service, such as security or reliability requirements. The WS-Policy language is limited to AND, XOR, and functions named by QNames. Simple boolean logic allows one to discover equivalent policies and to test whether a particular connection conforms to a given policy.

While any language with AND, OR and named functions subsumes WS-Policy's expressivity, the most interesting are those that are intuitive, sound, and extensible. A variety of current schema (W3C XML Schema and OWL) and query languages (XQuery and SPARQL) meet these requirements to varying degrees. This paper will demonstrate and contrast expressions of Web service policies in these languages.

SPARQL and XQuery are query languages for two different data models. The current definition of WS-Policy does not presume any particular expression of service or library capabilities in any data model. All that's required is that some mechanism be able to recognize a policy and verify compliance of the available software modules. For example, this could be hard coded into an agent. Query languages like SPARQL and XQuery are designed to express boolean logic intuitively. Using, for instance, SPARQL to express policies implies a mapping of agent capabilities into an RDF graph. Likewise, expressing agent capabilities in XML allows one to query them with XQuery.

We will describe the ways in which these languages all exceed this simple AND, OR, named function expressivity and discuss the applicability of this extra expressivity to describing Web service policies, or Web services in general. Importing this expertise from other domains informs us about potential policy expressivity. We will identify additional use cases met by adopting this additional expressivity.

Expressions

|     | WS-Policy | RDF | XML Schema | XML Query |
|-----|-----------|-----|------------|-----------|
| X | <X /> | rdf:type rdfp:Policy ; | <xs:element ref='X'/> | X |
|   |  | rdfp:PolicyName X . |  |  |
| XOR | <wsp:ExactlyOne> | A rdf:type rdfp:PolicyAlt ; | <xs:choice> | X |
|   | <X /> | rdfp:hasAlternative X ; | <xs:element ref='X'/> | union |
|   | <Y /> | rdfp:hasAlternative Y . | <xs:element ref='Y'/> | Y |
|   | </wsp:ExactlyOne> |  | </xs:choice> | ?limit? |
| AND | <wsp:All> | A rdf:type rdfp:PolicySet ; | <xs:all> | X |
|   | <X /> | rdf:requires ( X | <xs:element ref='X'/> | and |
|   | <Y /> | Y ) . | <xs:element ref='Y'/> | Y |
|   | </wsp:All> |  | </xs:all> |  |

Expressed in RDF

RDF expresses a conjunction of assertions. A set of policies (say, those policies that are acceptable to a service) can be expressed as a set of graphs that represent each policy. Represented in N3:


my:service1 rdfp:requires (
  [ rdf:type rdfp:Policy ;
    wsp:policyName wsap:UsingAddressing ]
  [ rdf:type rdfp:Policy ;
    wsp:policyName sp:TransportBinding ]
) .


Options in a policy can be expressed in disjunctive normal form, just as they can be in XML. Searching for a policy with certain characteristics can be done with SPARQL (an RDF query language).

Expressing policies with dependent functions requires a little bit of mechanics to make sure that the policy


<wsp:Policy Name='mypolicy1'>
  <sp:httpsToken>
    <wsp:Policy>
      <sp:RequireClientCertificate />
      <sp:HttpDigestAuthentication />
    </wsp:Policy>
  </sp:httpsToken>
</wsp:Policy>


is never confused with


<wsp:Policy Name='mypolicy2'>
  <sp:httpsToken />
</wsp:Policy>


, which appears to have unrelated semantics.


<mypolicy1> rdf:type rdfp:PolicySet ;
            rdfp:requires (
              [ rdf:type rdfp:PolicySet ;
                rdfp:policyName sp:httpsToken ;
                rdfp:requires (
                  [ rdf:type rdfp:Policy ;
                    rdfp:policyName sp:RequireClientCertificate ]
                  [ rdf:type rdfp:Policy ;
                    rdfp:policyName sp:HttpDigestAuthentication ] ) 
              ] ) .


The objective is that no subset of this information can be confused with an expression of the other, simpler policy:


<mypolicy2> rdf:type rdfp:PolicySet ;
            rdfp:requires (
              [ rdf:type rdfp:Policy ;
                rdfp:policyName sp:httpsToken
              ] ) .


Thus, in the RDF world, rdfp:requires and wsp:PolicySet are disjoint, and neither should be considered distinguished without discovering its type.

The following represents the example in 1.5.3:


@prefix rdfp: <http://esw.w3.org/topic/WebServicePolicyExpressionAlternatives/rdfp#> .
@prefix mtom: <http://example.org/ws/2004/09/policy/optimizedmimeserialization> .
@prefix wsap: <http://www.w3.org/2006/05/addressing/wsdl> .
@prefix sp: <http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512> .

<http://example.org/service3> rdfp:hasAlternative
         [ rdfp:requires ( _:addr _:set1 )
         ] .

<http://example.org/service3> rdfp:hasAlternative
         [ rdfp:requires ( _:ser _:addr _:set1 )
         ] .

_:ser rdfp:policyName mtom:OptimizedMimeSerialization .
_:addr rdfp:policyName wsap:UsingAddressing .
_:set1 rdfp:hasAlternative
         [ rdfp:requires (
            [ rdfp:policyName sp:TransportBinding ;
              rdfp:requires ( [ rdfp:policyName sp:TransportToken ;
                                rdfp:requires ( [ rdfp:policyName sp:httpsToken ;
                                                  rdfp:requires ( [ rdfp:policyName sp:HttpDigestAuthentication ] ) ] ) ]
                              [ rdfp:policyName sp:AlgorithmSuite ;
                                rdfp:requires ( [ rdfp:policyName sp:Basic256Rsa15 ] ) ]
              ) ] )
         ] .
_:set1 rdfp:hasAlternative
         [ rdfp:requires (
            [ rdfp:policyName sp:AsymmetricBinding ] )
         ] .


Expressed in XML Schema

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:soap11="http://schemas.xmlsoap.org/wsdl/soap/"
           xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"
           xmlns:wsa="http://www.w3.org/2005/08/addressing"
           targetNamespace="http://example.org/pictureMover"
           elementFormDefault="qualified"
           schemaLocation="http://www.w3.org/2005/08/addressing http://www.w3.org/2005/08/addressing/ws-addr.xsd">
  <!-- test for a SOAP 1.2 envelope with the MTOM flag set
    -->
  <xs:element ref="soap12:Envelope">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="soap12:Headers" minOccurs='0' maxOccurs='1'>
          <xs:complexType>
               <xs:sequence>
                   <xs:element ref='wsa:To'/>
                   <xs:element ref='wsa:Action'/>
                   <xs:element ref='wsa:MessageId' minOccurs='0'/>
                   <xs:element ref='wsa:From' minOccurs='0'/>
                   <xs:element ref='wsa:ReplyTo' minOccurs='0'/>
                   <xs:element ref='wsa:FaultTo' minOccurs='0'/>

                   <xs:any processContents="lax" minOccurs='0' maxOccurs='1' />
               </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="soap12:Body" minOccurs='0' maxOccurs='1'>
          <xs:complexType>
               <xs:sequence minOccurs='0' maxOccurs="unbounded">
                   <xs:any processContents="lax"/>
               </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
      <!-- The MTOM flag is set by the pipeline. -->
      <xs:attribute name="transportedBy" xsi:type="xsd:anyURI" fixed='http://...MTOM' use="optional"/>
      <xs:attribute name="authenticatedBy" xsi:type="xsd:anyURI" fixed='http://...Digest' use="required"/>
      <xs:attribute name="wssep:Dig" xsi:type="xsd:anyURI" fixed='http://www.w3.org/2000/09/xmldsig#sha1' use="required"/>
      <xs:attribute name="wssep:Enc" xsi:type="xsd:anyURI" fixed='http://www.w3.org/2001/04/xmlenc#aes256-cbc' use="required"/>
      <xs:attribute name="wssep:AsymKW" xsi:type="xsd:anyURI" fixed='http://www.w3.org/2001/04/xmlenc#rsa-1_5' use="required"/>
      <xs:attribute name="wssep:EncKD" xsi:type="xsd:anyURI" fixed='http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1' use="required"/>
      <xs:attribute name="wssep:SigKD" xsi:type="xsd:anyURI" fixed='http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1' use="required"/>
      <xs:attribute name="wssep:SKL" xsi:type="xsd:decimal" fixed='256' use="required" />
    </xs:complexType>
  </xs:element>
  <!-- Do the same thing for SOAP 1.1 -->
  <xs:element ref="soap11:Envelope">
    <xs:complexType>
      ...@@@ exercise for the reader
    </xs:complexType>
  </xs:element>
</xs:schema>


Example of SOAP Envelope

<soap:Envelope
    xmlns:soap='http://www.w3.org/2003/05/soap-envelope'
    xmlns:xmlmime='http://www.w3.org/2004/11/xmlmime'
    inout="in"
    transportedBy="http://...MTOM"
    authenticatedBy="http://...Digest"
    wssep:Dig='http://www.w3.org/2000/09/xmldsig#sha1'
    wssep:Enc='http://www.w3.org/2001/04/xmlenc#aes256-cbc'
    wssep:AsymKW='http://www.w3.org/2001/04/xmlenc#rsa-1_5'
    wssep:EncKD='http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1'
    wssep:SigKD='http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1'
    wssep:SKL='256'>
  <soap:Body>
    <m:data xmlns:m='http://example.org/stuff'>
      <m:photo
  xmlmime:contentType='image/png'
  xsi:type="xsd:base64Binary">AB2255E...F76576</m:photo>
      <m:sig
  xmlmime:contentType='application/pkcs7-signature'
  xsi:type="xsd:base64Binary">2413CBAD3...487EC</m:sig>
    </m:data>
  </soap:Body>
</soap:Envelope>


Known Web Services Policy Assertions

Web Services Reliable Messaging Policy Assertion (WS-RM Policy)

WS-SecurityPolicy 1.2

Use cases

Most of the examples included in this section were taken from Web Services Policy 1.5 - Primer.

Secure Message with Addressing

<soap:Envelope>
  <soap:Header>
    <wss:Security soap:mustUnderstand="1" >
      <wsu:Timestamp wsu:Id="_0">
       <wsu:Created>2006-01-19T02:49:53.914Z</wsu:Created>
       <wsu:Expires>2006-01-19T02:54:53.914Z</wsu:Expires>
      </wsu:Timestamp>
    </wss:Security>
   <wsa:To>http://real.contoso.com/quote</wsa:To>
   <wsa:Action>http://real.contoso.com/GetRealQuote</wsa:Action>
  </soap:Header>
  <soap:Body>...</soap:Body>
</soap:Envelope>


corresponds to the following policy:


<Policy>
  <wsap:UsingAddressing />
  <sp:TransportBinding>...</sp:TransportBinding>
</Policy>


MTOM

MIME-Version: 1.0
Content-Type: Multipart/Related;boundary=MIME_boundary;
    type="application/xop+xml";
    start="<mymessage.xml@example.org>";
    startinfo="application/soap+xml; action=\"ProcessData\""
Content-Description: A SOAP message with my pic and sig in it

--MIME_boundary
Content-Type: application/xop+xml; 
    charset=UTF-8; 
    type="application/soap+xml; action=\"ProcessData\""
Content-Transfer-Encoding: 8bit
Content-ID: <mymessage.xml@example.org>

<soap:Envelope
    xmlns:soap='http://www.w3.org/2003/05/soap-envelope'
    xmlns:xmlmime='http://www.w3.org/2004/11/xmlmime'>
  <soap:Body>
    <m:data xmlns:m='http://example.org/stuff'>
      <m:photo 
  xmlmime:contentType='image/png'><xop:Include 
    xmlns:xop='http://www.w3.org/2004/08/xop/include' 
    href='cid:http://example.org/me.png'/></m:photo>
      <m:sig 
  xmlmime:contentType='application/pkcs7-signature'><xop:Include 
    xmlns:xop='http://www.w3.org/2004/08/xop/include' 
    href='cid:http://example.org/my.hsh'/></m:sig>
    </m:data>
  </soap:Body>
</soap:Envelope>

--MIME_boundary
Content-Type: image/png
Content-Transfer-Encoding: binary
Content-ID: <http://example.org/me.png>

// binary octets for png

--MIME_boundary
Content-Type: application/pkcs7-signature
Content-Transfer-Encoding: binary
Content-ID: <http://example.org/my.hsh>

// binary octets for signature

--MIME_boundary--


corresponds to the following policy:


<Policy>
 <mtom:OptimizedMimeSerialization />
</Policy>


WS-Policy 1.5 Complex Example

<Policy Name="http://www.example.com/foo">
  <PolicyReference URI="http://www.example.com/bar"/>
  <mtom:OptimizedMimeSerialization wsp:Optional="true"/>
  <wsap:UsingAddressing />
  <ExactlyOne>
    <sp:TransportBinding>
      <Policy>
        <sp:TransportToken>
          <Policy>
            <sp:HttpsToken>
              <Policy>
                 <sp:HttpDigestAuthentication />                  
              </Policy>
            </sp:HttpsToken>
          </Policy>
        </sp:TransportToken>
        <sp:AlgorithmSuite>
          <Policy>
            <sp:Basic256Rsa15/>
          </Policy>
        </sp:AlgorithmSuite>
      </Policy>
    </sp:TransportBinding>
    <sp:AsymmetricBinding>…</sp:AsymmetricBinding>
  </ExactlyOne>
</Policy>


! plh: provide a normalized version of this example
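
An added example, not part of the original wiki page: Python that normalizes the complex policy above into its set of alternatives (Policy/All as a cross product, ExactlyOne as a union, wsp:Optional as present-or-absent) and tests conformance, keeping nested policies inside each assertion so that mypolicy1 and mypolicy2 from the RDF section stay distinct. It assumes the WS-Policy 1.5 namespace http://www.w3.org/ns/ws-policy, leaves the PolicyReference unresolved, and stands an empty element in for the elided AsymmetricBinding; the function names are illustrative.

```python
import xml.etree.ElementTree as ET

WSP = "{http://www.w3.org/ns/ws-policy}"  # WS-Policy 1.5 namespace (assumed)
SP = "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512}"

def alternatives(node):
    """Set of alternatives; each is a frozenset of (QName, nested alternative or None)."""
    if node.tag in (WSP + "Policy", WSP + "All"):      # AND: cross product
        alts = {frozenset()}
        for child in node:
            alts = {a | b for a in alts for b in alternatives(child)}
        return alts
    if node.tag == WSP + "ExactlyOne":                 # XOR: union of children
        return {a for child in node for a in alternatives(child)}
    if node.tag == WSP + "PolicyReference":            # assumption: not resolved
        return {frozenset()}
    nested = node.find(WSP + "Policy")                 # dependent (nested) policy
    variants = alternatives(nested) if nested is not None else {None}
    alts = {frozenset([(node.tag, v)]) for v in variants}
    if node.get(WSP + "Optional") == "true":           # optional: present or absent
        alts.add(frozenset())
    return alts

def conforms(supported, policy_alts):
    """True if the supported assertions satisfy at least one alternative."""
    return any(alt <= supported for alt in policy_alts)

# Constructed inputs: the page's examples with namespace declarations added.
NS = ('xmlns="http://www.w3.org/ns/ws-policy" xmlns:wsp="http://www.w3.org/ns/ws-policy" '
      'xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512" '
      'xmlns:wsap="http://www.w3.org/2006/05/addressing/wsdl" '
      'xmlns:mtom="http://example.org/ws/2004/09/policy/optimizedmimeserialization"')
COMPLEX = f"""<Policy {NS}>
  <PolicyReference URI="http://www.example.com/bar"/>
  <mtom:OptimizedMimeSerialization wsp:Optional="true"/><wsap:UsingAddressing/>
  <ExactlyOne>
    <sp:TransportBinding><Policy>
      <sp:TransportToken><Policy><sp:HttpsToken><Policy>
        <sp:HttpDigestAuthentication/></Policy></sp:HttpsToken></Policy></sp:TransportToken>
      <sp:AlgorithmSuite><Policy><sp:Basic256Rsa15/></Policy></sp:AlgorithmSuite>
    </Policy></sp:TransportBinding>
    <sp:AsymmetricBinding/>
  </ExactlyOne>
</Policy>"""
POLICY1 = (f"<Policy {NS}><sp:httpsToken><Policy><sp:RequireClientCertificate/>"
           "<sp:HttpDigestAuthentication/></Policy></sp:httpsToken></Policy>")
POLICY2 = f"<Policy {NS}><sp:httpsToken/></Policy>"

if __name__ == "__main__":
    print(len(alternatives(ET.fromstring(COMPLEX))), "alternatives")
```

Two policies are equivalent exactly when their normalized alternative sets compare equal, which is the equivalence test the abstract refers to.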

External Attachment

<wsp:PolicyAttachment … >
  <wsp:AppliesTo>
    <x:wsdlRef ref="http://example.org/TicketAgent.wsdl20#wsdl.interfaceOperation(TicketAgent/reserveFlight)" />
  </wsp:AppliesTo>
  <wsp:Policy>…</wsp:Policy>
</wsp:PolicyAttachment>

