WS-Policy is used for configuring WS-Security, WS-Reliable Messaging, caching, and throttling. The WS-Policy Attachment specification defines a set of policy subjects that can be used to attach or apply security policies. You can apply WS-Policy to your services at different levels such as service, service operation, service operation message, binding, binding operation, binding operation message, etc.
To apply a security policy, when viewing the service details in the management console, click Policies, and then apply policies at the service or binding level. The rest of this page describes how to define policies in more detail.
Defining Policies At Service Level
WSO2 Carbon can apply policies within the service hierarchy. You can apply policies at three different policy subjects in the service hierarchy. They are:
- Service Level
- Service Operation Level
- Service Message Level
Service Level
A security policy defined at the service level is applicable to both in and out messages generated by all the operations of the selected service.
Service Operation Level
A security policy defined at the service operation level is applicable to both in and out messages generated by a specific operation of the selected service.
Service Operation Message Level
A service policy defined at the service operation message level is applicable to either in or out messages generated by a specific operation of the selected service.
In Message should be selected if you want the security policy to be applicable only for the incoming messages of the ESB relating to the selected service.
Out Message should be selected if you want the security policy to be applicable only for the outgoing messages of the ESB relating to the selected service.
Defining Policies At Bindings
WSO2 Carbon can apply policies within the binding hierarchy. You can apply policies at three different policy subjects in the binding hierarchy. They are:
- Binding level
- Binding operation level
- Binding message level
Binding Level
A security policy defined at the binding level is applicable to both in and out messages generated by all the operations connected to the selected binding.
Binding Operation Level
A security policy defined at the binding operation level is applicable to both in and out messages generated by a specific operation connected to the selected binding.
Binding Operation Message Level
A security policy defined at the binding operation message level is applicable to either in or out messages generated by a specific operation connected to the selected binding.
In Message should be selected if you want the security policy to be applicable only for the incoming messages of the ESB relating to the selected binding.
Out Message should be selected if you want the security policy to be applicable only for the outgoing messages of the ESB relating to the selected binding.
A policy can be attached to the SOAP 1.1 and SOAP 1.2 bindings at the Binding level by adding the following code to the services.xml file (see also The WS-Policy Editor):
<wsp:PolicyAttachment xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:AppliesTo>
    <policy-subject identifier="binding:soap11" />
    <policy-subject identifier="binding:soap12" />
  </wsp:AppliesTo>
  <wsp:Policy wsu:Id="binding_level_policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  </wsp:Policy>
</wsp:PolicyAttachment>
For the Binding Operation level, the <wsp:AppliesTo> element is used to define the scope of the policy.
The XML snippet is as follows:
<wsp:PolicyAttachment xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:AppliesTo>
    <policy-subject identifier="binding:soap11/operation:Echo" />
    <policy-subject identifier="binding:soap12/operation:Echo" />
  </wsp:AppliesTo>
  <wsp:Policy wsu:Id="binding_level_policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  </wsp:Policy>
</wsp:PolicyAttachment>
The configuration is similar for the Binding Message level for the out message. The identifier attribute of the <policy-subject/> element in <wsp:AppliesTo> changes to binding:soap11/operation:echo/out.
The XML snippet is as follows:
<wsp:PolicyAttachment xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:AppliesTo>
    <policy-subject identifier="binding:soap11/operation:secureEcho/in" />
    <policy-subject identifier="binding:soap12/operation:secureEcho/in" />
  </wsp:AppliesTo>
  <wsp:Policy wsu:Id="binding_level_policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  </wsp:Policy>
</wsp:PolicyAttachment>
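Because the identifier fixes the scope of an attachment, a services.xml file can be checked for attachments that reach only one SOAP binding (leaving messages on the other binding outside the policy) or that carry a wsp:Policy element with no assertions. The following Python script is an added example, not WSO2 code; the function names, the assumption that the service exposes exactly the soap11 and soap12 bindings, the un-namespaced policy-subject element, and the sample document are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

WSP = "{http://schemas.xmlsoap.org/ws/2004/09/policy}"
# Identifier shapes used on this page: binding:<b>[/operation:<op>[/in|out]]
SUBJECT = re.compile(r"binding:([^/]+)(?:/operation:([^/]+)(?:/(in|out))?)?")

def classify(identifier):
    """Map a policy-subject identifier to (level, binding, operation, direction)."""
    m = SUBJECT.fullmatch(identifier)
    if not m:
        return None
    binding, op, direction = m.groups()
    level = "binding message" if direction else "binding operation" if op else "binding"
    return level, binding, op, direction

def audit(xml_text, expected=("soap11", "soap12")):
    """Return findings for every wsp:PolicyAttachment in a services.xml string."""
    findings = []
    for att in ET.fromstring(xml_text).iter(WSP + "PolicyAttachment"):
        policy = att.find(WSP + "Policy")
        if policy is None or len(policy) == 0:
            findings.append("empty policy: no assertions are attached")
        covered = {}  # (operation, direction) -> bindings that carry the policy
        for subj in att.iter("policy-subject"):
            ident = subj.get("identifier", "")
            parsed = classify(ident)
            if parsed is None:
                findings.append(f"unrecognised identifier: {ident}")
                continue
            _, binding, op, direction = parsed
            covered.setdefault((op, direction), set()).add(binding)
        for (op, direction), bindings in covered.items():
            for missing in sorted(set(expected) - bindings):
                scope = "/".join(p for p in (op and f"operation:{op}", direction) if p)
                findings.append(f"binding:{missing} not covered for scope '{scope or 'all'}'")
    return findings

# Constructed sample: policy attached to the SOAP 1.1 binding only, with an empty body.
SAMPLE = """<service name="echo">
 <wsp:PolicyAttachment xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:AppliesTo>
   <policy-subject identifier="binding:soap11/operation:secureEcho/in" />
  </wsp:AppliesTo>
  <wsp:Policy />
 </wsp:PolicyAttachment>
</service>"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```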
Policy Selection
When you click Policies in the management console, the following will be displayed.
- To apply a security policy at service level, click Edit Policy in the Service StockQuoteProxy row under Service Hierarchy.
- To apply a security policy at the service operation level, select the required operation in the first Operation row under Service Hierarchy. Then click Edit Policy in the same row.
- To apply a security policy at the service operation message level, select the required operation in the second Operation row under Service Hierarchy. Select In Message or Out Message depending on whether the policy should be applicable to incoming messages or outgoing messages. Then click Edit Policy in the same row.
- To apply a security policy at binding level, click Edit Policy in the Binding echoSoap11Binding row or the Binding echoSoap12Binding row (depending on your requirement) under Binding Hierarchy.
- To apply a security policy at binding operation level, select the required operation in the first Operation row under Binding echoSoap11Binding or Binding echoSoap12Binding. Then click Edit Policy in the same row.
- To apply a security policy at binding operation message level, select the required operation in the second Operation row under Binding echoSoap11Binding or Binding echoSoap12Binding. Select In Message or Out Message depending on whether the policy should be applicable to incoming messages or outgoing messages. Then click Edit Policy in the same row.
The WS-Policy Editor
The WS-Policy Editor allows you to edit WS-Policy documents using either a graphical editor or a plain text editor. Given a Service or a Module, it will generate a graphical tree view (the "Policy" tree) representing the document along with the plain text (Raw Policy) representation. The default view presented is the source view or the raw policy.
The WS-Policy Editor also contains "Design View," which provides a graphical representation of the WS-Policy in question.
Using the Policy Editor
- Right-click on any node in the "Policy" tree - A shortcut menu appears. You can add new elements and delete existing ones. The plain text representation will be kept in sync with the changes done using the "Policy" tree, and vice versa.
- Selecting an element in the "Policy" tree - Allows you to edit the attributes of that policy element. Similarly, when adding an element, you will be prompted to add data to the attributes relevant to that particular element.
- Save Policy - Once you have finished editing your policy document, click "Save Policy."
- Go Back - Click "Go Back" to go back to the previous page.