WSSecurityPolicy

WSSecurityPolicy, commonly referred to as WS-SecurityPolicy, is an OASIS standard that defines a policy language for expressing the security requirements of SOAP-based web services. It provides a set of XML policy assertions that describe the security guarantees a message must satisfy, including token types, signing and encryption requirements, timestamps, and other constraints. The policy language is built on WS-Policy, enabling statements to be organized into alternatives to express different acceptable security configurations.

Key concepts include assertions that specify authentication tokens (such as UsernameToken, X509Token, and SAMLToken), token protection options, algorithm suites, and constraints on which message parts must be signed or encrypted. The specifications also cover timing requirements and various binding preferences that influence how security is applied to messages. Policies are expressed as XML documents and can be attached to WSDL or directly incorporated into service metadata.

In practice, WSSecurityPolicy is used to implement security in a declarative way within web service toolchains. Frameworks and platforms such as Apache WSS4J, Metro, Axis2, and Microsoft WCF consume WS-SecurityPolicy assertions to enforce or negotiate security during message processing. The standard aims to promote interoperability by providing a common vocabulary for describing security capabilities and requirements across service boundaries.

See also WS-Security, WS-Policy, and OASIS WS-SecurityPolicy.
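The assertions and alternatives described above can be reviewed mechanically. The following added example (not part of the original page or of any framework named on it) parses a constructed two-alternative policy and reports, per alternative, which message-level guarantees it does not require. It assumes a normal-form policy (`wsp:Policy/wsp:ExactlyOne/wsp:All`) and the WS-SecurityPolicy 1.2 namespace; `sp_name`, `summarize` and `audit` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
WSP = "http://www.w3.org/ns/ws-policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
TOKENS = {"UsernameToken", "X509Token", "SamlToken"}
# Constructed sample policy in normal form (not taken from a real service).
POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}"><wsp:ExactlyOne>
 <wsp:All><sp:AsymmetricBinding><wsp:Policy>
   <sp:InitiatorToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:InitiatorToken>
   <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256/></wsp:Policy></sp:AlgorithmSuite>
   <sp:IncludeTimestamp/>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts></wsp:All>
 <wsp:All><sp:TransportBinding><wsp:Policy>
   <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy></sp:TransportBinding>
  <sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SignedSupportingTokens></wsp:All>
</wsp:ExactlyOne></wsp:Policy>"""

def sp_name(el):  # local name if el is in the WS-SecurityPolicy namespace, else ""
    uri, _, name = el.tag[1:].partition("}")
    return name if uri == SP else ""

def summarize(alt):
    """Collect the assertions required by one wsp:All alternative."""
    s = {"binding": None, "tokens": [], "suite": None, "parts": {}, "timestamp": False}
    for el in alt.iter():
        name = sp_name(el)
        if name in TOKENS:
            s["tokens"].append(name)
        elif name in ("SignedParts", "EncryptedParts"):
            s["parts"][name] = [sp_name(c) for c in el]
        elif name == "IncludeTimestamp":
            s["timestamp"] = True
        elif name == "AlgorithmSuite":  # suite is the sp: element inside the nested wsp:Policy
            s["suite"] = next((sp_name(e) for e in el.iter() if e is not el and sp_name(e)), None)
        elif name.endswith("Binding"):
            s["binding"] = name
    return s

def audit(policy_xml):
    """Per alternative: (summary, message-level guarantees it does not require)."""
    checks = {"timestamp": lambda s: s["timestamp"],
              "signed body": lambda s: "Body" in s["parts"].get("SignedParts", []),
              "encrypted body": lambda s: "Body" in s["parts"].get("EncryptedParts", [])}
    alts = ET.fromstring(policy_xml).findall(f"{{{WSP}}}ExactlyOne/{{{WSP}}}All")
    return [(s, [k for k, ok in checks.items() if not ok(s)]) for s in map(summarize, alts)]

for summary, missing in audit(POLICY):
    print(summary["binding"], summary["tokens"], summary["suite"], "missing:", missing)
```

A requester may satisfy any one alternative, so each must be reviewed on its own. The second alternative here uses a transport binding, so the gaps reported for it are message-level only.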