WS-SecurityPolicy

WS-SecurityPolicy is a web services specification, created by IBM and 12 co-authors, that has become an OASIS standard as of version 1.2. It extends the fundamental security protocols specified by WS-Security, WS-Trust and WS-SecureConversation by offering mechanisms to represent the capabilities and requirements of web services as policies. Security policy assertions are based on the WS-Policy framework.

Policy assertions can be used to require more generic security attributes like transport layer security, message level security (<AsymmetricBinding>) or timestamps, and specific attributes like token types.

Most policy assertions can be found in the following categories:

* Protection assertions identify the elements of a message that are required to be signed, encrypted or existent.
* Token assertions specify allowed token formats (SAML, X509, Username etc.).
* Security binding assertions control basic security safeguards like transport and message level security, cryptographic algorithm suite and required timestamps.
* Supporting token assertions add functions like user sign-on using a username token.

Policies can be used to drive development tools to generate code with certain capabilities, or may be used at runtime to negotiate the security aspects of web service communication. Policies may be attached to WSDL elements such as service, port, operation and message, as defined in WS-PolicyAttachment.
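As an added example (not part of the original article or of any WS-SecurityPolicy implementation), the following Python script sorts the sp: assertions of a policy into the four categories above and flags gaps a reviewer might check for before deployment. The sample policy, the category table and the audit rules are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  # OASIS WS-SecurityPolicy
WSP = "http://www.w3.org/ns/ws-policy"                            # W3C WS-Policy 1.5
# The four categories listed above, keyed to sp: assertion element names.
CATEGORIES = {
    "protection": {"SignedParts", "SignedElements", "EncryptedParts",
                   "EncryptedElements", "RequiredElements"},
    "token": {"UsernameToken", "X509Token", "SamlToken", "IssuedToken", "HttpsToken"},
    "binding": {"TransportBinding", "SymmetricBinding", "AsymmetricBinding"},
    "supporting": {"SupportingTokens", "SignedSupportingTokens",
                   "EndorsingSupportingTokens", "SignedEndorsingSupportingTokens"},
}
# Constructed, simplified sample policy (not from the page).
SAMPLE = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:InitiatorToken>
    <sp:RecipientToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:RecipientToken>
    <sp:IncludeTimestamp/>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SignedSupportingTokens>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
</wsp:Policy>"""

def classify(policy_xml):
    """Group the sp: assertions in a policy by category, in document order."""
    found = {name: [] for name in CATEGORIES}
    for el in ET.fromstring(policy_xml).iter():
        if not el.tag.startswith("{" + SP + "}"):
            continue  # wsp: operators and foreign-namespace assertions
        local = el.tag.split("}", 1)[1]
        for name, members in CATEGORIES.items():
            if local in members:
                found[name].append(local)
    return found

def audit(policy_xml):
    """Flag gaps a reviewer would raise. Flat scan: wsp:ExactlyOne alternatives
    are not evaluated separately, so normalise the policy first if it has any."""
    root, found, findings = ET.fromstring(policy_xml), classify(policy_xml), []
    if not found["binding"]:
        findings.append("no security binding assertion")
    if root.find(f".//{{{SP}}}IncludeTimestamp") is None:
        findings.append("no timestamp required")
    message_level = {"SymmetricBinding", "AsymmetricBinding"} & set(found["binding"])
    if message_level and root.find(f".//{{{SP}}}SignedParts/{{{SP}}}Body") is None:
        findings.append("message-level binding but body not signed")
    return findings

if __name__ == "__main__":
    print(classify(SAMPLE), audit(SAMPLE))
```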


Sample Policies

Namespaces used by the following XML-snippets:

   ...

Include a timestamp:

Use either transport layer security (HTTPS) or message level security (XML DSig/XML Enc):

  ...
  ...

To define a SAML assertion as security token:

  
    ...#SAMLV2.0
  

Issued token assertion of providers with reference to the STS and required token format:

  
    
      http://sampleorg.com/sts
     
  
  
    
       http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
    
        ...
  
  ...

Specify that message header and body need to be signed, and attachments are left unsigned:

  ?
  *
...



Other WS policy languages

The term "Web Services Security Policy Language" is used for two different XML-based languages:

1. As described above, based on the WS-Policy framework, published as version 1.3 in Feb. 2009
2. WSPL, based on XACML profile for Web-services, but that was not finalized. See: Web-services policy language use cases and requirements (draft), http://www.oasis-open.org/committees/download.php/1608/wd-xacml-wspl-use-cases-04.pdf


See also

* List of Web service specifications



External links


* WS-SecurityPolicy standards at OASIS
* Security in a Web Services World: A Proposed Architecture and Roadmap (IBM/Microsoft Whitepaper, 2002)