Policy Assertions

A policy assertion defines a set of requirements for a SOAP message exchange between a client and a Web service. For example, a policy assertion might specify the security token types that are used to digitally sign or encrypt SOAP messages between the client and Web service. To specify the security requirements, add one or more turnkey or custom security assertions to the policy assertion. Like the policy assertion, the turnkey and custom security assertions are declared using XML elements. For example, the following policy assertion named ServicePolicy uses the <kerberosSecurity> turnkey security assertion. The child elements and attributes of the <kerberosSecurity> element are user-configurable options for this turnkey security assertion.

<policy name="ServicePolicy">
  <kerberosSecurity establishSecurityContext="false" 
    signatureConfirmation="false" 
    protectionOrder="SignBeforeEncrypting" 
    deriveKeys="false">
    <token>
      <kerberos targetPrincipal="host/contoso4"
        impersonationLevel="Identification" />
    </token>
    <protection>
      <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
        encryptBody="false" />
      <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
        encryptBody="false" />
      <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
        encryptBody="false" />
    </protection>
  </kerberosSecurity>
</policy>

Alternatively, the policy for a Web service can be specified in code when the deployment environment is known ahead of time and is not likely to change. Typically, it is more flexible to allow an administrator to define the policy for an application when it is deployed using a policy file, but WSE does allow you to specify the policy in code. To specify the policy in code, a PolicyAttribute attribute is still applied to the class that is implementing the Web service method, but a type is provided instead of a policy name. That type must derive from Policy, and in its constructor one or more instances of policy assertions are created. The policy assertions are classes that derive from PolicyAssertion. For more details, see How to: Secure a Web Service Without Using a Policy File.

For more information on the turnkey security assertions that are shipped by WSE, see Turnkey Security Assertions. Custom security assertions are security assertions that a developer creates when a turnkey security assertion does not meet their exact security needs. For more details about custom security assertions, see Custom Policy Assertions.
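
A review aid for policy files like the ServicePolicy sample above, added here as an example and not part of WSE or the original page: it parses a policy document and lists the protections that are explicitly switched off. The names audit_policy and REQUIRED_SIGNED, and the baseline that the timestamp and SOAP body should be signed, are assumptions of this example; absent attributes are not judged because WSE defaults are not modeled.

```python
import xml.etree.ElementTree as ET

# Constructed input: the page's ServicePolicy sample, embedded so the script runs offline.
SAMPLE = """<policy name="ServicePolicy">
  <kerberosSecurity establishSecurityContext="false" signatureConfirmation="false"
    protectionOrder="SignBeforeEncrypting" deriveKeys="false">
    <token><kerberos targetPrincipal="host/contoso4" impersonationLevel="Identification" /></token>
    <protection>
      <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
    </protection>
  </kerberosSecurity>
</policy>"""

# Review baseline chosen for this example (an assumption, not a WSE default).
REQUIRED_SIGNED = {"IncludeSoapBody", "IncludeTimestamp"}


def local(tag):
    """Drop an XML namespace prefix: '{uri}policy' -> 'policy'."""
    return tag.rsplit("}", 1)[-1]


def audit_policy(xml_text):
    """Return (policy, assertion, message, finding) tuples for explicit weak settings."""
    findings = []
    for policy in (e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "policy"):
        name = policy.get("name", "<unnamed>")
        for assertion in policy:  # each child is one turnkey or custom assertion
            kind = local(assertion.tag)
            if assertion.get("signatureConfirmation", "").lower() == "false":
                findings.append((name, kind, "-", "signature confirmation disabled"))
            for msg in (m for p in assertion if local(p.tag) == "protection" for m in p):
                direction = local(msg.tag)  # request, response or fault
                raw = msg.get("signatureOptions")
                signed = {o.strip() for o in (raw or "").split(",")}
                for part in (sorted(REQUIRED_SIGNED - signed) if raw is not None else ()):
                    findings.append((name, kind, direction, "not signed: " + part))
                if msg.get("encryptBody", "").lower() == "false":
                    findings.append((name, kind, direction, "SOAP body not encrypted"))
    return findings


if __name__ == "__main__":
    for row in audit_policy(SAMPLE):
        print("%s/%s [%s] %s" % row)
```

For the sample policy this reports that signature confirmation is off and that the request, response and fault bodies are signed but sent unencrypted.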

See Also

Reference

<policy> Element (Policy)
<extension> Element

Concepts

Turnkey Security Assertions
Policy Extensions

Other Resources

Custom Policy Assertions