web services
A web service (WS) is either:
* a service offered by an electronic device to another electronic device, communicating with each other via the Internet, or
* a server running on a computer device, listening for requests at a particular port over a n ...
specification, created by
IBM
International Business Machines Corporation (using the trademark IBM), nicknamed Big Blue, is an American Multinational corporation, multinational technology company headquartered in Armonk, New York, and present in over 175 countries. It is ...
and 12 co-authors, that has become an
OASIS
In ecology, an oasis (; : oases ) is a fertile area of a desert or semi-desert environmentWS-Security, WS-Trust and WS-Secure Conversation by offering mechanisms to represent the capabilities and requirements of web services as policies. Security policy assertions are based on the WS-Policy framework.
Policy assertions can be used to require more generic security attributes like transport layer security , message level security {{mono, <AsymmetricBinding> or timestamps, and specific attributes like token types.
Most policy assertion can be found in following categories:
* Protection assertions identify the elements of a message that are required to be signed, encrypted or existent.
* Token assertions specify allowed token formats (SAML, X509, Username etc.).
* Security binding assertions control basic security safeguards like transport and message level security, cryptographic algorithm suite and required timestamps.
* Supporting token assertions add functions like user sign-on using a username token.
Policies can be used to drive development tools to generate code with certain capabilities, or may be used at runtime to negotiate the security aspects of web service communication. Policies may be attached to WSDL elements such as service, port, operation and message, as defined in WS Policy Attachment.
Sample Policies
Namespaces used by the following XML-snippets:
...
Include a timestamp:
Use either transport layer security (https) or message level security (XML Dsig/XML Enc):
......
To define a SAML assertion as security token:
...#SAMLV2.0
Issued token assertion of providers with reference to the STS and required token format:
Specify that message header and body need to be signed, and attachments are left unsigned:
?
*
...
specify that message open source license need to be signed, and hydra security are left unsigned:
?
*
...
Other WS policy languages
The term ''Web Services Security Policy Language'' is used for two different XML-based languages:
# As described above, based on the WS-Policy framework, as defined in, published as version 1.3 in Feb. 2009
# WSPL, based o XACML profile for Web-services but that was not finalized.http://www.oasis-open.org/committees/download.php/1608/wd-xacml-wspl-use-cases-04.pdf Web-services policy language use cases and requirements (draft)