<Claims> Element
Specifies requirements that are specific to a security token type.
Element hierarchy (the two ancestor chains in which <Claims> can appear):

<policyDocument> Element
  <policies> Element
    <Policy> Element (WSE for Microsoft .NET) (1)
      <Confidentiality> Element
        <KeyInfo> Element (WSE for Microsoft .NET) (1)
          <SecurityToken> Element

<policyDocument> Element
  <policies> Element
    <Policy> Element (WSE for Microsoft .NET) (1)
      <Integrity> Element
        <TokenInfo> Element
          <SecurityToken> Element
```xml
<Claims>
  <BaseToken>...</BaseToken>
  <wse:ImpersonationLevel>identification|impersonation</wse:ImpersonationLevel>
  <IssuerToken>...</IssuerToken>
  <Parent>...</Parent>
  <Role value="Tellers"
        xmlns:wse="https://microsoft.com/wse/2002/12/policy"/>
  <ServiceName>Principal name of the target Web service.</ServiceName>
  <SubjectName>SecurityTokenSubjectName</SubjectName>
  <UsePassword Type="wsse:PasswordDigest"
               wsp:Usage="wsp:Required"/>
  <X509Extension>...</X509Extension>
</Claims>
```
Attributes and Elements
Attributes
None
Child Elements
Element | Description
---|---
<BaseToken> | Optional element. Specifies the security token that signs or must have signed security token requests for a SecurityContextToken security token.
<wse:ImpersonationLevel> | Specifies how a recipient of a KerberosToken2 security token can use the identity associated with the security token.
<IssuerToken> | Optional element. Specifies the security token that a SOAP message sender must use to encrypt its entropy value when requesting a security token.
<Parent> | Optional element. Specifies the security token that a DerivedKeyToken was derived from.
<Role> | Optional element. Specifies the role a security token is required to be a member of.
<ServiceName> | Optional element. Specifies the target Web service's principal name for Kerberos security tokens. The names are compared in a case-insensitive manner.
<SubjectName> | Optional element. Specifies the subject name of an X509SecurityToken, a UsernameToken, or a KerberosToken. For Kerberos tokens only, the names are compared in a case-insensitive manner.
<UsePassword> | Optional element. Specifies the requirements for how a password for a UsernameToken is passed in a SOAP message.
<X509Extension> | Optional element. Specifies a claim about an X.509 certificate property.
Parent Elements
Element | Description
---|---
<SecurityToken> | Specifies security token requirements.
Remarks
Use the <Claims> element to implement role-based authorization based on policy. For more details about authorization, see Authorizing Access to a Web Service.
Example
The following code example defines a policy assertion named signed-body-username that requires the <Body> element, the timestamp header, and all addressing headers to be digitally signed by a UsernameToken, and requires that the user be a member of the Tellers role. SOAP messages sent to the http://www.cohowinery.com/usernamesigning.asmx endpoint must adhere to the policy assertion.
Note
This code example is designed to demonstrate WSE features and is not intended for production use.
```xml
<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="https://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings>
    <endpoint uri="http://www.cohowinery.com/usernamesigning.asmx">
      <defaultOperation>
        <request policy="#signed-body-username" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </endpoint>
  </mappings>
  <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wse="https://schemas.microsoft.com/wse/2003/06/Policy"
            xmlns:wsa="https://schemas.xmlsoap.org/ws/2004/03/addressing"
            xmlns:wssp="https://schemas.xmlsoap.org/ws/2002/12/secext"
            xmlns:wsp="https://schemas.xmlsoap.org/ws/2002/12/policy"
            xmlns:wssc="https://schemas.xmlsoap.org/ws/2004/04/sc"
            xmlns:rp="https://schemas.xmlsoap.org/rp">
    <!-- This policy ensures that the message is digitally signed with
         a UsernameToken. -->
    <wsp:Policy wsu:Id="signed-body-username">
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
            <wssp:Claims>
              <wse:Role value="Tellers" xmlns:wse="https://schemas.microsoft.com/wse/2003/06/Policy" />
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts xmlns:rp="https://schemas.xmlsoap.org/rp" Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wse:Timestamp() wse:Addressing()</wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
  </policies>
</policyDocument>
```
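As an added example (not part of the WSE documentation or its code), the following Python script parses a policy document in the format shown above and reports, per endpoint, what the mapped request policy demands of the signer: the token type, the roles required through <Claims>/<Role>, and the message parts that must be signed. The audit rules (flagging an endpoint with no request policy, a dangling policy reference, an Integrity assertion without a <Role> claim, or a MessageParts list that omits wsp:Body() or wse:Timestamp()) and the second, weakened policy document are this example's own assumptions; the first document reproduces the requirements of the page's example.

```python
"""Added example, not part of the WSE documentation: audit a WSE 2.0 policy
document and report what each endpoint's request policy demands of a signer."""
import xml.etree.ElementTree as ET

# Namespace URIs as used in the policy document on this page.
NS = {
    "pol": "https://schemas.microsoft.com/wse/2003/06/Policy",
    "wsp": "https://schemas.xmlsoap.org/ws/2002/12/policy",
    "wssp": "https://schemas.xmlsoap.org/ws/2002/12/secext",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wse": "https://schemas.microsoft.com/wse/2003/06/Policy",
}
WSU_ID = "{%s}Id" % NS["wsu"]
WSP_USAGE = "{%s}Usage" % NS["wsp"]
TOKEN = "wssp:TokenInfo/wssp:SecurityToken"

# Constructed skeleton mirroring the example on this page; endpoint, <Claims>
# content and signed parts are filled in per case below.
POLICY_TEMPLATE = """<policyDocument xmlns="https://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings><endpoint uri="{uri}"><defaultOperation>
    <request policy="{ref}" /><response policy="" /><fault policy="" />
  </defaultOperation></endpoint></mappings>
  <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wse="https://schemas.microsoft.com/wse/2003/06/Policy"
            xmlns:wssp="https://schemas.xmlsoap.org/ws/2002/12/secext"
            xmlns:wsp="https://schemas.xmlsoap.org/ws/2002/12/policy">
    <wsp:Policy wsu:Id="signed-body-username">
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo><wssp:SecurityToken>
          <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
          {claims}
        </wssp:SecurityToken></wssp:TokenInfo>
        <wssp:MessageParts Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">{parts}</wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
  </policies>
</policyDocument>"""

ENDPOINT = "http://www.cohowinery.com/usernamesigning.asmx"
# Same requirements as the page's example: Tellers role; Body, Timestamp and Addressing signed.
PAGE_POLICY = POLICY_TEMPLATE.format(
    uri=ENDPOINT, ref="#signed-body-username",
    claims='<wssp:Claims><wse:Role value="Tellers" /></wssp:Claims>',
    parts="wsp:Body() wse:Timestamp() wse:Addressing()")
# Constructed weakened variant: no <Claims> at all, and only the Body is signed.
WEAK_POLICY = POLICY_TEMPLATE.format(
    uri=ENDPOINT, ref="#signed-body-username", claims="", parts="wsp:Body()")


def index_policies(root):
    """Map each wsp:Policy's wsu:Id to its element so '#id' references resolve."""
    return {p.get(WSU_ID): p for p in root.iterfind(".//wsp:Policy", NS) if p.get(WSU_ID)}


def describe_integrity(policy):
    """Summarise every wssp:Integrity assertion: usage, token type, roles, signed parts."""
    out = []
    for integ in policy.iterfind("wssp:Integrity", NS):
        ttype = integ.findtext(TOKEN + "/wssp:TokenType", default="", namespaces=NS)
        out.append({
            "usage": integ.get(WSP_USAGE),
            "token_type": ttype.rsplit("#", 1)[-1],  # e.g. "UsernameToken"
            "roles": [r.get("value") for r in integ.iterfind(TOKEN + "/wssp:Claims/wse:Role", NS)],
            "parts": integ.findtext("wssp:MessageParts", default="", namespaces=NS).split(),
        })
    return out


def audit(policy_xml):
    """Return {endpoint uri: {"policy": id, "integrity": [...], "issues": [...]}}."""
    root = ET.fromstring(policy_xml)
    policies = index_policies(root)
    report = {}
    for ep in root.iterfind("pol:mappings/pol:endpoint", NS):
        req = ep.find("pol:defaultOperation/pol:request", NS)
        ref = (req.get("policy", "") if req is not None else "").lstrip("#")
        entry = {"policy": ref, "integrity": [], "issues": []}
        if not ref:
            entry["issues"].append("no request policy mapped: unsigned requests are accepted")
        elif ref not in policies:
            entry["issues"].append("request policy '#%s' is not defined under <policies>" % ref)
        else:
            entry["integrity"] = describe_integrity(policies[ref])
            if not entry["integrity"]:
                entry["issues"].append("policy has no Integrity assertion: no signature required")
            for integ in entry["integrity"]:
                if integ["usage"] != "wsp:Required":
                    entry["issues"].append("Integrity assertion is not wsp:Required")
                if not integ["roles"]:
                    entry["issues"].append("no <Claims>/<Role>: any %s holder is accepted" % integ["token_type"])
                for part in ("wsp:Body()", "wse:Timestamp()"):
                    if part not in integ["parts"]:
                        entry["issues"].append("%s is not among the signed MessageParts" % part)
        report[ep.get("uri")] = entry
    return report


if __name__ == "__main__":
    for label, doc in (("page example", PAGE_POLICY), ("weakened variant", WEAK_POLICY)):
        for uri, entry in audit(doc).items():
            print(label, uri, entry["issues"] or "OK")
```

Run stand-alone, the script reports the page's policy as clean and lists two findings for the weakened variant (no <Role> claim, and wse:Timestamp() absent from the signed parts). Because WSE resolves `policy="#id"` against `wsu:Id` on `<wsp:Policy>`, the audit resolves references the same way, which is also how a missing or misspelled id shows up as an endpoint with no effective signing requirement.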