1 of 58

WS-*

Web Services��Jakub Klímek

This work is licensed under a Creative Commons Attribution 4.0 International License.

2 of 58

SOAP reminder

2

<?xml version="1.0" encoding="utf-8" ?>�<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">� <soap:Header>� <RequesterCredentials xmlns="urn:ebay:api:PayPalAPI">� <Credentials xmlns="urn:ebay:apis:eBLBaseComponents">� <Username>paypal_1206382697_biz_api1.paypal.com</Username>� <Password>5CX9UDFSF2ZK7UYW</Password>� <Signature>AFcWxV3C7fdsdfsSFDS2342l31ApeELK3f4pOMPrCWOWerIYKvXni9</Signature>� </Credentials>� </RequesterCredentials>� </soap:Header>

<soap:Body>� <DoDirectPaymentReq xmlns="urn:ebay:api:PayPalAPI">� <DoDirectPaymentRequest>� <Version xmlns="urn:ebay:apis:eBLBaseComponents">57.0</Version>� <DoDirectPaymentRequestDetails xmlns="urn:ebay:apis:eBLBaseComponents">� <PaymentAction>Sale</PaymentAction>� <PaymentDetails>� <OrderTotal currencyID="USD">212.07</OrderTotal>� <ItemTotal currencyID="USD">198.39</ItemTotal>

3 of 58

WSDL 1.1 reminder

3

<?xml version="1.0" encoding="utf-8" ?>

� <types> ... </types>

� <message> ... </message>

� <portType> ... </portType>

� <binding> ... </binding>

� <service> ... </service>

</definitions>

4 of 58

WS: This semester...

4

Subpart of Technical Contract	W3C (+OASIS)	REST	Open Data Protocol	Google Data Protocol	Semantic Web Services	Linked Data Services
Message Format	XML	XML, JSON	AtomPub, JSON	AtomPub, JSON	XML, RDF	SPARQL, RDF
Message Transfer	SOAP, HTTP	HTTP	HTTP	HTTP	SOAP, HTTP	HTTP, SPARQL Graph Store Protocol, SPARQL Protocol
Message Type Definition	XSD	XSD, JSON Schema	CSDL		RDF Schema, OWL	RDF Schema, OWL
Interface Definition	WSDL	WADL, GraphQL			SAWSDL, WSML	SPARQL Service Description
Other technical documents	WS-*					SPARQL Query Results

5 of 58

WS-Addressing

5

6 of 58

WS-Addressing

W3C Recommendation

2006
Microsoft, IBM, SAP, Sun Microsystems, BEA
xmlns:wsa="http://www.w3.org/2005/08/addressing"

Transport-neutral mechanisms to address Web services and messages

SOAP over HTTP, SOAP over SMTP, …

2 constructs

Endpoint references (EPRs)
Message Addressing Properties

6

7 of 58

WS-Addressing - message example

7

<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"� xmlns:wsa="http://www.w3.org/2005/08/addressing">� <S:Header>� <wsa:MessageID>� http://example.com/6B29FC40-CA47-1067-B31D-00DD010662DA� </wsa:MessageID>� <wsa:ReplyTo>� <wsa:Address>http://example.com/business/client1</wsa:Address>� </wsa:ReplyTo>� <wsa:To>http://example.com/fabrikam/Purchasing</wsa:To>� <wsa:Action>http://example.com/fabrikam/SubmitPO</wsa:Action>� </S:Header>�� <S:Body>

...

</S:Body>�</S:Envelope>

Expected semantics

endpoint reference (EPR)

Ultimate receiver

8 of 58

WS-Addressing - Message Addressing Properties

wsa:To

IRI, intended (ultimate) receiver of the message

wsa:From, wsa:ReplyTo, wsa:FaultTo

EPR

wsa:Action

Required, Expected semantics
preferably IRI of Input, Output or Fault message in WSDL interface

wsa:MessageID

IRI uniquely identifying the message

wsa:RelatesTo, @wsa:RelationshipType

Related message ID
Default type is wsa:reply

wsa:ReferenceParameters

copied from the EPR wsa:ReferenceParameters

8

9 of 58

WS-Addressing example 2

9

<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"� xmlns:wsa="http://www.w3.org/2005/08/addressing">� <S:Header>� <wsa:MessageID>http://example.com/someuniquestring</wsa:MessageID>� <wsa:ReplyTo>� <wsa:Address>http://example.com/business/client1</wsa:Address>� </wsa:ReplyTo>� <wsa:To>mailto:fabrikam@example.com</wsa:To>� <wsa:Action>http://example.com/fabrikam/mail/Delete</wsa:Action>� </S:Header>�� <S:Body>� <f:Delete xmlns:f="http://example.com/fabrikam">� <maxCount>42</maxCount>� </f:Delete>� </S:Body>�</S:Envelope>

10 of 58

WS-Addressing - Endpoint Reference (EPR)

Endpoint References usage scenarios

Dynamic generation and customization of service endpoint descriptions

WSDL description is static!

Referencing service instances created as result of interactions

i.e. created at runtime

Flexible exchange of endpoint information

in tightly coupled environments

10

11 of 58

WS-Addressing - Endpoint Reference

wsa:Address

Absolute IRI - address of the endpoint
wsa:anonymous

For endpoints which cannot be located with a meaningful IRI

wsa:none

Messages to EPRs with this address must not be sent
Typically for reply or fault endpoint => no reply/fault

wsa:ReferenceParameters

opaque to users, copied to messages as-is

wsa:Metadata

behavior, policies, capabilities

11

12 of 58

WS-Addressing SOAP 1.2 Binding

12

<wsa:EndpointReference� xmlns:wsa="http://www.w3.org/2005/08/addressing"� xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"� xmlns:fabrikam="http://example.com/fabrikam">�� <wsa:Address>� http://example.com/fabrikam/acct� </wsa:Address>�� <wsa:Metadata� xmlns:wsdli="http://www.w3.org/ns/wsdl-instance"� wsdli:wsdlLocation="http://example.com/fabrikam� http://example.com/fabrikam/fabrikam.wsdl">�� <wsam:InterfaceName>� fabrikam:Inventory� </wsam:InterfaceName>� </wsa:Metadata>�� <wsa:ReferenceParameters>� <fabrikam:CustomerKey>� 123456789� </fabrikam:CustomerKey>� <fabrikam:ShoppingCart>� ABCDEFG� </fabrikam:ShoppingCart>� </wsa:ReferenceParameters>��</wsa:EndpointReference>

<S:Envelope � xmlns:S="http://www.w3.org/2003/05/soap-envelope"� xmlns:wsa="http://www.w3.org/2005/08/addressing"� xmlns:fabrikam="http://example.com/fabrikam">�� <S:Header>� …� <wsa:To>� http://example.com/fabrikam/acct� </wsa:To>� <wsa:Action>...</wsa:Action>� <fabrikam:CustomerKey� wsa:IsReferenceParameter="true">� 123456789� </fabrikam:CustomerKey>� <fabrikam:ShoppingCart� wsa:IsReferenceParameter="true">� ABCDEFG� </fabrikam:ShoppingCart>� …� </S:Header>��</S:Envelope>

Link to WSDL

Identifies the WS-Addressing reference parameter

13 of 58

WS-Addressing EPR in WSDL

13

<wsa:EndpointReference� xmlns:wsa="http://www.w3.org/2005/08/addressing">�� <wsa:Address>� http://yoursite.com/MyService� </wsa:Address>�� </wsa:EndpointReference>

</service>

14 of 58

WS-Addressing Action in WSDL

14

<description targetNamespace="http://greath.example.com/2004/schemas/resSvc" ...>� ...

</operation>

</interface>

…�</description>

15 of 58

WS-Security

15

16 of 58

WS-Security - Why?

Authentication

Who is the caller?
How does he prove his identity?

Confidentiality

Making sure no one can read the message in transit

Integrity

Detecting / Preventing changes to the message in transit

SSL (HTTPS)?

Provides: Point to point security
We need: End to end security

e.g. when passing through Intermediaries

16

17 of 58

WS-Security

Set of OASIS Standard Specifications (2006)

17

18 of 58

WS-Security - SOAP Security Header - Example

18

<SOAP:Envelope xmlns:SOAP="...">� <SOAP:Header>�� <wsse:Security SOAP:role="..." SOAP:mustUnderstand="...">� <wsse:UsernameToken>� …� </wsse:UsernameToken>� …� </wsse:Security>�� </SOAP:Header>�� <SOAP:Body Id="MsgBody">� � </SOAP:Body>��</SOAP:Envelope>

There may be multiple Security headers, e.g. targeting different roles

19 of 58

WS-Security - Security tokens

e.g. for authentication

Username/Password
Binary

Kerberos tickets
X.509 certificates
Custom

19

20 of 58

WS-Security - Security tokens: Username/Password

20

<wsse:UsernameToken>

<wsse:Username>MyName</wsse:Username>

<wsse:Password Type="PasswordText">MyPass</wsse:Password>

</wsse:UsernameToken>

Visible password!�Usable only when SSL is enough.

21 of 58

WS-Security - Security tokens: Username/Password

21

<wsse:UsernameToken>

<wsse:Username>MyName</wsse:Username>

<wsse:Password Type="PasswordDigest">� fm6SuM0RpIIhBQFgmESjdim/yj0=� </wsse:Password>

</wsse:UsernameToken>

SHA-1. Password no longer visible, but the hash is enough to fake the sender.

22 of 58

WS-Security - Security tokens: Username/Password

22

<wsse:UsernameToken>

<wsse:Username>MyName</wsse:Username>

<wsse:Password Type="PasswordDigest">� fm6SuM0RpIIhBQFgmESjdim/yj0=� </wsse:Password>

<wsse:Nonce>Pj+EzE2y5ckMDx5ovEvzWw==</wsse:Nonce>

<wsse:Created>2004-05-11T12:05:16Z</wsse:Created>

</wsse:UsernameToken>

Unique

Attacker could still copy the whole token�=> Unique Nonce, keeping of Nonce history

Password_Digest = Base64(SHA-1(Nonce + Created + Password))

23 of 58

WS-Security - Security tokens: Binary token

23

<wsse:BinarySecurityToken� xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

ValueType="...#X509v3"

EncodingType="...#Base64Binary"

wsu:Id="X509Token">

MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...

</wsse:BinarySecurityToken>

Used in <wsse:SecurityTokenReference>

Base64 encoding: each character represents 6 bits of data

24 of 58

WS-Security - Security Token Reference

Direct Reference (URI)

<wsse:SecurityTokenReference � wsu:Id="...">�� <wsse:Reference � URI="..."� ValueType="..."/>��</wsse:SecurityTokenReference>

Key Identifier

<wsse:SecurityTokenReference>� � <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbPrintSHA1" >� LKiQ/CmFrJDJqCLFcjlhIsmZ/+0=� </wsse:KeyIdentifier>��</wsse:SecurityTokenReference>

24

Can be anywhere on the Web, not only in the message

Both sides have a pre-shared key identified by this

25 of 58

WS-Security - Signature

XML Signature

W3C Recommendation 2013

Uses also

Exclusive XML Canonicalization

W3C Recommendation 2002

Deals with Integrity

i.e. ensures the message was not tempered with

25

Why do we need to canonicalize XML anyway?

Problem: There are different ways of how to textually represent the same XML document (with the same meaning from XML point of view)

especially in presence of XML namespaces

Those different ways of representation would produce different hashes - different digital signatures - even if the meaning of the XML file is actually the same
This can be caused, for example, by

changing the XML namespace prefix name

which does not change the meaning - the meaning is defined by the namespace URI

defining namespaces in different order

they are defined by XML attributes, which are not ordered

or on different levels of nesting

as in the slide

defining additional, unused namespaces

XML Canonicalization is a transformation, which should produce the same XML document representation from its various possibilities
Exclusive XML Canonicalization extends XML Canonicalization with handling of namespaces

26 of 58

Detour: Exclusive XML Canonicalization: Problem

26

<n1:elem1 xmlns:n1="http://b.example">� content�</n1:elem1>

Original subdocument

Enveloped (e.g. SOAP)

Extracted (e.g. XPath) and�Applied Canonical XML��Meaning unchanged, but it generates a different signature

<n1:elem1 xmlns:n0="http://a.example"� xmlns:n1="http://b.example">� content�</n1:elem1>

<n0:pdu xmlns:n0="http://a.example">� <n1:elem1 xmlns:n1="http://b.example">� content� </n1:elem1>�</n0:pdu>

Why do we need to canonicalize XML anyway?

Problem: There are different ways of how to textually represent the same XML document (with the same meaning from XML point of view)

especially in presence of XML namespaces

Those different ways of representation would produce different hashes - different digital signatures - even if the meaning of the XML file is actually the same
This can be caused, for example, by

changing the XML namespace prefix name

which does not change the meaning - the meaning is defined by the namespace URI

defining namespaces in different order

they are defined by XML attributes, which are not ordered

or on different levels of nesting

as in the slide

defining additional, unused namespaces

XML Canonicalization is a transformation, which should produce the same XML document representation from its various possibilities
Exclusive XML Canonicalization extends XML Canonicalization with handling of namespaces

27 of 58

Detour: Exclusive XML Canonicalization

Extends Canonical XML with namespace handling
Canonical XML

W3C Recommendation 2008
a method for determining whether two documents are identical

attribute ordering
whitespaces (\n \t spaces)
DTD declarations
UTF-8 encoding (
 => 
)
...

27

28 of 58

WS-Security - Signature

28

<?xml version="1.0" encoding="utf-8"?>�<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="...">� <S11:Header>� <wsse:Security>� <wsse:BinarySecurityToken ValueType="...#X509v3" � EncodingType="...#Base64Binary" � wsu:Id="X509Token">� MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i…� </wsse:BinarySecurityToken>� <ds:Signature>� …� </ds:Signature>� </wsse:Security>� </S11:Header>� <S11:Body wsu:Id="myBody">� <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads">� QQQ� </tru:StockSymbol>� </S11:Body>�</S11:Envelope>

29 of 58

WS-Security - Signature

29

<ds:Signature>� <ds:SignedInfo>� <ds:CanonicalizationMethod � Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>� <ds:SignatureMethod� Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>� <ds:Reference URI="#myBody">� <ds:Transforms>� <ds:Transform � Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>� </ds:Transforms>� <ds:DigestMethod� Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>� <ds:DigestValue>EULddytSo1...</ds:DigestValue>� </ds:Reference>� </ds:SignedInfo>� <ds:SignatureValue>� BL8jdfToEb1l/vXcMZNNjPOV…� </ds:SignatureValue>� <ds:KeyInfo>� <wsse:SecurityTokenReference>� <wsse:Reference URI="#X509Token"/>� </wsse:SecurityTokenReference>� </ds:KeyInfo>� </ds:Signature>

<S11:Body wsu:Id="myBody">� <tru:StockSymbol � xmlns:tru="http://www.fabrikam123.com/">� QQQ� </tru:StockSymbol>� </S11:Body>

3. Exclusive XML Canonicalization used on ds:SignedInfo

4. RSA with SHA1 used for signing ds:SignedInfo with key located by ds:KeyInfo

1. Exclusive XML Canonicalization used on #myBody

2. SHA-1 hash used on canonicalized #myBody

We (sender) want to sign the SOAP Body

so that the receiver can make sure that it was not tempered with

We start with ds:Reference, which points to the XML element we want to sign (#myBody)
First, we need to canonicalize it. The method is specified in ds:Transforms (there can be multiple transforms applied to #myBody).
Second, we want to create a hash (or digest) of the canonicalized element. We specify the hash function in ds:DigestMethod. The result is in ds:DigestValue.
Now, the reference is complete. But we need to make sure that noone changes the reference (and hash) itself.

we need to sign this reference, and the specification of the methods used to sign it

Therefore, we are now signing the whole ds:SignedInfo element
It is an XML element, so again, it needs to be canonicalized, and signed using SHA1 hash and RSA encryption, for which the key is referenced in ds:KeyInfo.
The resulting signature is in ds:SignatureValue.
Now, the recipient, using his RSA key (asymmetric encryption) can verify, that ds:SignedInfo was not tempered with, compute the hash in ds:DigestValue and know that #myBody was not tempered with.

30 of 58

WS-Security in the wild: EET

Electronic Registration of Sales

Using SOAP, WSDL, WS-Security for signatures
Technical specification mostly in Czech, but the main documentation also in English
Sample message:

http://www.etrzby.cz/assets/cs/prilohy/CZ1212121218.valid.v3.1.xml

30

31 of 58

31

<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"� xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" � soap:mustUnderstand="1">

<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" � ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"� wsu:Id="X509-AB79979F3364F5119A14761286403811">MIIEm…4w==

</wsse:BinarySecurityToken>

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-AB79979F3364F5119A14761286404065">

<ds:SignedInfo>

<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">

<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>

</ds:CanonicalizationMethod>

<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>

<ds:Reference URI="#id-AB79979F3364F5119A14761286403964">

<ds:Transforms>

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">

<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>

</ds:Transform>

</ds:Transforms>

<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>

<ds:DigestValue>TWpSLQpOXSUe8k6Q8lAd7DyMhWkTIcbHNifrPnWDG/M=</ds:DigestValue>

</ds:Reference>

</ds:SignedInfo>

<ds:SignatureValue>SX8rt…w==</ds:SignatureValue>

<ds:KeyInfo Id="KI-AB79979F3364F5119A14761286403862">

<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"� xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"� wsu:Id="STR-AB79979F3364F5119A14761286403893">

<wsse:Reference URI="#X509-AB79979F3364F5119A14761286403811"� ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>

</wsse:SecurityTokenReference>

</ds:KeyInfo>

</ds:Signature>

</wsse:Security>

</SOAP-ENV:Header>� <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-AB79979F3364F5119A14761286403964">

32 of 58

WS-Security - Encryption - pre-shared key

32

<S11:Envelope xmlns:S11="..." � xmlns:wsse="..." � xmlns:wsu="..." � xmlns:ds="..." � xmlns:xenc="...">� <S11:Header>� <wsse:Security>� <xenc:ReferenceList>� <xenc:DataReference URI="#bodyID"/>� </xenc:ReferenceList>� </wsse:Security>� </S11:Header>� <S11:Body>� <xenc:EncryptedData Id="bodyID">� <ds:KeyInfo>� <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName>� </ds:KeyInfo>� <xenc:CipherData>� <xenc:CipherValue>...</xenc:CipherValue>� </xenc:CipherData>� </xenc:EncryptedData>� </S11:Body>�</S11:Envelope>

Shared symmetric key ID

Data encrypted using shared key

Deals with Confidentiality

33 of 58

WS-Security - Encryption - encrypted key

33

<S11:Envelope xmlns:S11="..."� xmlns:wsse="..."� xmlns:wsu="..."� xmlns:ds="..."� xmlns:xenc="...">�<S11:Header>�<wsse:Security>� <xenc:EncryptedKey>� <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>� <ds:KeyInfo>� <wsse:SecurityTokenReference>� <wsse:KeyIdentifier EncodingType="...#Base64Binary" ValueType="...#X509v3">� MIGfMa0GCSq…� </wsse:KeyIdentifier>� </wsse:SecurityTokenReference>� </ds:KeyInfo>� <xenc:CipherData>� <xenc:CipherValue>� d2FpbmdvbGRfE0lm4byV0…� </xenc:CipherValue>� </xenc:CipherData>� <xenc:ReferenceList>� <xenc:DataReference URI="#bodyID"/>� </xenc:ReferenceList>� </xenc:EncryptedKey>�</wsse:Security>�</S11:Header>

Encrypted shared key

Receiver’s public key ID

<S11:Body>�<xenc:EncryptedData Id="bodyID">� <xenc:CipherData>� <xenc:CipherValue>...</xenc:CipherValue>� </xenc:CipherData>�</xenc:EncryptedData>�</S11:Body>�</S11:Envelope>

Data encrypted using shared key

34 of 58

WS-Security - Encryption - Encrypted header

same mechanism as with body parts
<wsse11:EncryptedHeader> SOAP Header block

34

<S11:Envelope>� <S11:Header>� <wsse11:EncryptedHeader>� <xenc:EncryptedData Id="headerID">� <xenc:CipherData>� <xenc:CipherValue>...</xenc:CipherValue>� </xenc:CipherData>� </xenc:EncryptedData>� </wsse11:EncryptedHeader>� </S11:Header>�</S11:Envelope>

35 of 58

WS-Security - Timestamps

To indicate freshness of the message
Recommended to be signed

<wsu:Timestamp wsu:Id="...">

<wsu:Created ValueType="...">...</wsu:Created>

<wsu:Expires ValueType="...">...</wsu:Expires>

...

</wsu:Timestamp>

35

36 of 58

WS-Policy

36

37 of 58

WS-Policy

Web Services Policy 1.5 - Framework

W3C Recommendation 2007

Standard way of specification of

Requirements
Capabilities
General characteristics

37

38 of 58

WS-Policy - terminology

Policy subject

endpoint, message, resource, interaction
policy can be associated with it

Policy scope

collection of policy subjects to which policy applies

Policy attachment

mechanism for associating policy to scopes

Policy expression

representation of Policy in XML

38

39 of 58

WS-Policy - concepts

39

Policy

Policy�alternative

Policy�assertion

40 of 58

WS-Policy - example (WS-SecurityPolicy)

40

<wsp:Policy� xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"� xmlns:wsp="http://www.w3.org/ns/ws-policy">�� <wsp:ExactlyOne>�� <wsp:All>� <sp:SignedParts>� <sp:Body/>� </sp:SignedParts>� </wsp:All>�� <wsp:All>� <sp:EncryptedParts>� <sp:Body/>� </sp:EncryptedParts>� </wsp:All>�� </wsp:ExactlyOne>��</wsp:Policy>

Policy alternative

Policy operator

Policy assertion

41 of 58

WS-Policy - compact form - optional assertions

Assertion having wsp:Optional attribute

is equivalent to:

41

<wsp:Policy� xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"� xmlns:wsp="http://www.w3.org/ns/ws-policy">� <sp:IncludeTimestamp wsp:Optional="true" />�</wsp:Policy>

<wsp:Policy� xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"� xmlns:wsp="http://www.w3.org/ns/ws-policy" >� <wsp:ExactlyOne>� <wsp:All>� <sp:IncludeTimestamp />� </wsp:All>� <wsp:All />� </wsp:ExactlyOne>�</wsp:Policy>

42 of 58

Subject supports WS-Addressing

42

<wsp:Policy>

<wsam:Addressing wsp:Optional="true">

<wsp:Policy/>

</wsam:Addressing>

</wsp:Policy>

If policy assertion allows nesting, but no nested policy is required, empty <wsp:Policy/> element is mandatory

43 of 58

WS-Policy - compact form - nested policies

43

<wsp:Policy� xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"� xmlns:wsp="http://www.w3.org/ns/ws-policy" >� <sp:TransportBinding>� <wsp:Policy>� <sp:AlgorithmSuite>� <wsp:Policy>� <wsp:ExactlyOne>� <sp:Basic256Rsa15 />� <sp:TripleDesRsa15 />� </wsp:ExactlyOne>� </wsp:Policy>� </sp:AlgorithmSuite>� <sp:TransportToken>� <wsp:Policy>� <sp:HttpsToken>� <wsp:Policy/>� </sp:HttpsToken>� </wsp:Policy>� </sp:TransportToken>� � </wsp:Policy>� </sp:TransportBinding>�</wsp:Policy>

2 Policy alternatives but Normal form only allows 1�=>�the whole sp:TransportBinding would have to be duplicated. This is a shortcut.

44 of 58

WS-Policy - compact form - equivalence

<wsp:All>� � �</wsp:All>

<wsp:ExactlyOne>� <wsp:All>� � � </wsp:All>�</wsp:ExactlyOne>

44

45 of 58

WS-Policy - compact form - commutativity

<wsp:All> �  �  �</wsp:All>

<wsp:All> �  �  �</wsp:All>

45

46 of 58

WS-Policy - compact form - associativity

<wsp:All>� � <wsp:All>� � </wsp:All>�</wsp:All>

<wsp:All>� � �</wsp:All>

46

47 of 58

WS-Policy - compact form - idempotency

<wsp:All>� <wsp:All>� � � </wsp:All>�</wsp:All>

<wsp:All>� � �</wsp:All>

47

48 of 58

WS-Policy - compact form - distributiveness

<wsp:All>� <wsp:ExactlyOne>� � � </wsp:ExactlyOne>�</wsp:All>

<wsp:ExactlyOne>� <wsp:All>� � </wsp:All>� <wsp:All>� � </wsp:All>�</wsp:ExactlyOne>

48

49 of 58

WS-Policy - identification

Identification of policy using Absolute IRI

Identification of policy using IRI-reference

49

<wsp:Policy� Name="http://www.example.com/policies/P1"� xmlns:wsp="http://www.w3.org/ns/ws-policy" >� �</wsp:Policy>

<wsp:Policy� wsu:Id="P1"� xmlns:wsp="http://www.w3.org/ns/ws-policy"�xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" >� �</wsp:Policy>

50 of 58

WS-Policy - Policy reference and inclusion

50

<wsp:Policy� xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"� xmlns:wsp="http://www.w3.org/ns/ws-policy"� xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"� wsu:Id="Protection" >� <sp:EncryptSignature wsp:Optional="true" />� <sp:ProtectTokens wsp:Optional="true" />�</wsp:Policy>�

<wsp:Policy� xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"� xmlns:wsp="http://www.w3.org/ns/ws-policy" >� <wsp:PolicyReference URI="#Protection" />� <sp:OnlySignEntireHeadersAndBody />�</wsp:Policy>�

<wsp:Policy� xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"� xmlns:wsp="http://www.w3.org/ns/ws-policy" >� <sp:IncludeTimestamp />� <wsp:PolicyReference URI="#Protection" />� <sp:OnlySignEntireHeadersAndBody />�</wsp:Policy>

Reference

wsu:Id

51 of 58

WS-Policy - Attachment

Web Services Policy 1.5 - Attachment

W3C Recommendation 2007

Description of how to attach policies to

WSDL 1.1
WSDL 2.0
UDDI

… and how to compute effective policies

51

52 of 58

WS-Policy - XML attachment�attribute wsp:PolicyURIs

52

Reference to a list of policies identified by URIs

Resulting merged policy identified by the 2 Policy URIs

53 of 58

WS-Policy - XML attachment - reference

53

54 of 58

WS-Policy - External attachment

54

<wsp:PolicyAttachment>� <wsp:AppliesTo>� <wsa:EndpointReference>� <wsa:Address>http://www.example.com/acct</wsa:Address>� </wsa:EndpointReference>� </wsp:AppliesTo>� <wsp:PolicyReference� URI="http://www.example.com/policies#RmPolicy" />�</wsp:PolicyAttachment>

WS-Addressing EPR

55 of 58

WS-Policy - WSDL 2.0 attachment example

55

<wsdl20:description>�…� <wsp:Policy wsu:Id="common">� <mtom:OptimizedMimeSerialization wsp:Optional="true"/>� <wsam:Addressing>…</wsam:Addressing>� </wsp:Policy>�� <wsp:Policy wsu:Id="secure">� <wsp:ExactlyOne>� <sp:TransportBinding>…</sp:TransportBinding>� <sp:AsymmetricBinding>…</sp:AsymmetricBinding >� </wsp:ExactlyOne>� </wsp:Policy>�� <wsdl20:binding name="SecureBinding" interface="tns:RealTimeDataInterface" >� <wsp:PolicyReference URI="#secure" />� <wsdl20:operation name="GetRealQuote" >…</wsdl20:operation>� …� </wsdl20:binding>�� <wsdl20:service name="RealTimeDataService" interface="tns:RealTimeDataInterface" >� <wsdl20:endpoint name="RealTimeDataPort" binding="tns:SecureBinding">� <wsp:PolicyReference URI="#common" />� …� </wsdl20:endpoint>� </wsdl20:service>� …�</wsdl20:description>

Policy definition

Policy reference on binding

Policy reference on endpoint

56 of 58

WS-Policy - WSDL 2.0 attachment example - endpoint effective policy

56

<wsp:Policy>� <wsp:All>� <wsp:Policy>� <mtom:OptimizedMimeSerialization wsp:Optional="true"/>� <wsam:Addressing>…</wsam:Addressing>� </wsp:Policy>� <wsp:Policy>� <wsp:ExactlyOne>� <sp:TransportBinding>…</sp:TransportBinding>� <sp:AsymmetricBinding>…</sp:AsymmetricBinding >� </wsp:ExactlyOne>� </wsp:Policy>� </wsp:All>�</wsp:Policy>

Policy from endpoint

Policy from binding

57 of 58

WS-Policy�WSDL 2.0 Effective Policy

Merging of policies

service
endpoint
operation
message

e.g. Endpoint effective policy is merge of

Endpoint policies
Binding policies
Interface policies

57

58 of 58

More WS-*

WS-Discovery

discovery protocol to locate WS on local network

WS-MetadataExchange

e.g. for exchanging PolicyAttachments

WS-ReliableMessaging

reliable delivery in presence of failures

WS-SecureConversation

security contexts for multiple SOAP message exchanges

WS-SecurityPolicy

WS-Policy assertions applicable to WS-Security

WS-Trust

Requesting and issuing security tokens for WS-Security

58