WS-SecurityPolicy

Last updated September 13, 2023

WS-Security Policy is a web services specification, created by IBM and 12 co-authors, that has become an OASIS standard as of version 1.2. It extends the fundamental security protocols specified by the WS-Security, WS-Trust and WS-Secure Conversation by offering mechanisms to represent the capabilities and requirements of web services as policies. Security policy assertions are based on the WS-Policy framework.

Protection assertions identify the elements of a message that are required to be signed, encrypted or existent.
Token assertions specify allowed token formats (SAML, X509, Username etc.).
Security binding assertions control basic security safeguards like transport and message level security, cryptographic algorithm suite and required timestamps.
Supporting token assertions add functions like user sign-on using a username token.

Policies can be used to drive development tools to generate code with certain capabilities, or may be used at runtime to negotiate the security aspects of web service communication. Policies may be attached to WSDL elements such as service, port, operation and message, as defined in WS Policy Attachment.^[1]

Sample Policies

Namespaces used by the following XML-snippets:

<p:Policy     xmlns:p="http://www.w3.org/ns/ws-policy"    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802">    ... </p:Policy>

Include a timestamp:

<sp:IncludeTimestamp />

Use either transport layer security (https) or message level security (XML Dsig/XML Enc):

<ExactlyOne>   <sp:TransportBinding>...</sp:TransportBinding>   <sp:AsymmetricBinding>...</sp:AsymmetricBinding > </ExactlyOne>

To define a SAML assertion as security token:

<sp:IssuedToken>   <sp:RequestSecurityTokenTemplate>     <wst:TokenType>...#SAMLV2.0</wst:TokenType>   </sp:RequestSecurityTokenTemplate> </sp:IssuedToken>

Issued token assertion of providers with reference to the STS and required token format:

<sp:IssuedToken>   <sp:Issuer>     <wsa:EndpointReference>       <wsa:Address>http://sampleorg.com/sts</wsa:Address>      </wsa:EndpointReference>   </sp:Issuer>   <sp:RequestSecurityTokenTemplate>     <wst:TokenType>        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID     </wst:TokenType>         ...   </sp:RequestSecurityTokenTemplate>   ... </sp:IssuedToken>

Specify that message header and body need to be signed, and attachments are left unsigned:

<sp:SignedParts xmlns:sp="..." ... >   <sp:Body />?   <sp:Header Name="Dx:NCName"? Namespace="Xd:anyURI" ... />* ... </sp:SignedParts>

specify that message open source license need to be signed, and hydra security are left unsigned:

<sp:signedparts http:np="..."...> <sp:Hydrasecurity />? <sp:Opensourcelicense Name="Hs:NCName"? Namespace="Sh:anyURI" .../>* ... </sp:SignedParts>

Other WS policy languages

The term Web Services Security Policy Language is used for two different XML-based languages:

As described above, based on the WS-Policy framework, as defined in,^[2] published as version 1.3 in Feb. 2009
WSPL, based on XACML profile for Web-services, but that was not finalized.^[3]

Related Research Articles

<span class="mw-page-title-main">SOAP</span> Messaging protocol for web services

SOAP is a messaging protocol specification for exchanging structured information in the implementation of web services in computer networks. It uses XML Information Set for its message format, and relies on application layer protocols, most often Hypertext Transfer Protocol (HTTP), although some legacy systems communicate over Simple Mail Transfer Protocol (SMTP), for message negotiation and transmission.

The Organization for the Advancement of Structured Information Standards is a nonprofit consortium that works on the development, convergence, and adoption of open standards for cybersecurity, blockchain, Internet of things (IoT), emergency management, cloud computing, legal data exchange, energy, content technologies, and other areas.

Web Services Security is an extension to SOAP to apply security to Web services. It is a member of the Web service specifications and was published by OASIS.

XML Signature defines an XML syntax for digital signatures and is defined in the W3C recommendation XML Signature Syntax and Processing. Functionally, it has much in common with PKCS #7 but is more extensible and geared towards signing XML documents. It is used by various Web technologies such as SOAP, SAML, and others.

Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. SAML is also:

Web Services Addressing (WS-Addressing) is a specification of transport-neutral mechanism that allows web services to communicate addressing information. It essentially consists of two parts: a structure for communicating a reference to a Web service endpoint, and a set of message addressing properties which associate addressing information with a particular message.

The eXtensible Access Control Markup Language (XACML) is an XML-based standard markup language for specifying access control policies. The standard, published by OASIS, defines a declarative fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies.

Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between security domains. SAML is a product of the OASIS (organization) Security Services Technical Committee.

Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization identities between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal between a SAML authority, named an Identity Provider, and a SAML consumer, named a Service Provider. SAML 2.0 enables web-based, cross-domain single sign-on (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user. SAML 2.0 was ratified as an OASIS Standard in March 2005, replacing SAML 1.1. The critical aspects of SAML 2.0 are covered in detail in the official documents SAMLCore, SAMLBind, SAMLProf, and SAMLMeta.

PERMIS is a sophisticated policy-based authorization system that implements an enhanced version of the U.S. National Institute of Standards and Technology (NIST) standard Role-Based Access Control (RBAC) model. PERMIS supports the distributed assignment of both roles and attributes to users by multiple distributed attribute authorities, unlike the NIST model which assumes the centralised assignment of roles to users. PERMIS provides a cryptographically secure privilege management infrastructure (PMI) using public key encryption technologies and X.509 Attribute certificates to maintain users' attributes. PERMIS does not provide any authentication mechanism, but leaves it up to the application to determine what to use. PERMIS's strength comes from its ability to be integrated into virtually any application and any authentication scheme like Shibboleth (Internet2), Kerberos, username/passwords, Grid proxy certificates and Public Key Infrastructure (PKI).

Web Services Enhancements (WSE) is an obsolete add-on to the Microsoft .NET Framework, which includes a set of classes that implement additional WS-* web service specifications chiefly in areas such as security, reliable messaging, and sending attachments. Web services are business logic components which provide functionality via the Internet using standard protocols such as HTTP. Web services communicate via either SOAP or REST messages. WSE provides extensions to the SOAP protocol and allows the definition of custom security, reliable messaging, policy, etc. Developers can add these capabilities at design time using code or at deployment time through the use of a policy file.

The Microsoft Open Specification Promise is a promise by Microsoft, published in September 2006, to not assert its patents, in certain conditions, against implementations of a certain list of specifications.

<span class="mw-page-title-main">Web Services Description Language</span> XML-based interface description language

The Web Services Description Language is an XML-based interface description language that is used for describing the functionality offered by a web service. The acronym is also used for any specific WSDL description of a web service, which provides a machine-readable description of how the service can be called, what parameters it expects, and what data structures it returns. Therefore, its purpose is roughly similar to that of a type signature in a programming language.

Security token service (STS) is a cross-platform open standard core component of the OASIS group's WS-Trust web services single sign-on infrastructure framework specification.^cf. Within that claims-based identity framework, a secure token service is responsible for issuing, validating, renewing and cancelling security tokens. The tokens issued by security token services can then be used to identify the holder of the token to services that adhere to the WS-Trust standard. Security token service provides the same functionality as OpenID, but unlike OpenID is not patent encumbered. Together with the rest of the WS-Trust standard, the security token service specification was initially developed by employees of IBM, Microsoft, Nortel and VeriSign.

An Extensible Resource Identifier is a scheme and resolution protocol for abstract identifiers compatible with Uniform Resource Identifiers and Internationalized Resource Identifiers, developed by the XRI Technical Committee at OASIS. The goal of XRI was a standard syntax and discovery format for abstract, structured identifiers that are domain-, location-, application-, and transport-independent, so they can be shared across any number of domains, directories, and interaction protocols.

WS-Security is a flexible and feature-rich extension to SOAP to apply security to web services. It is a member of the WS-* family of web service specifications and was published by OASIS. Closely related to WS-Security is WS-Trust, also a WS-* specification and OASIS standard that provides extensions to WS-Security.

gSOAP is a C and C++ software development toolkit for SOAP/XML web services and generic XML data bindings. Given a set of C/C++ type declarations, the compiler-based gSOAP tools generate serialization routines in source code for efficient XML serialization of the specified C and C++ data structures. Serialization takes zero-copy overhead.

The Abbreviated Language for Authorization (ALFA) is a domain-specific language used in the formulation of access-control policies.

The SAML metadata standard belongs to the family of XML-based standards known as the Security Assertion Markup Language (SAML) published by OASIS in 2005. A SAML metadata document describes a SAML deployment such as a SAML identity provider or a SAML service provider. Deployments share metadata to establish a baseline of trust and interoperability.

References

↑ http://www.w3.org/TR/ws-policy-attach/ WS-Policy - Attachment
↑ http://www.oasis-open.org/specs/index.php#ws-secpol WS-SecurityPolicy
↑ http://www.oasis-open.org/committees/download.php/1608/wd-xacml-wspl-use-cases-04.pdf Web-services policy language use cases and requirements (draft)

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] ttp://www.w3.org/TR/ws-policy-attach/ WS-Policy - Attachment

[2] ttp://www.oasis-open.org/specs/index.php#ws-secpol WS-SecurityPolicy

[3] ttp://www.oasis-open.org/committees/download.php/1608/wd-xacml-wspl-use-cases-04.pdf Web-services policy language use cases and requirements (draft)

[1]

[2]

[3]