The Web standards bodies W3C and OASIS have created standards that meet the requirement to define the policy applicable to Web services.
policy alternatives.
policy assertions.
policy assertion.
(01) <wsp:Policy
       xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
       xmlns:wsp="http://www.w3.org/ns/ws-policy"
       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
       wsu:Id="SecureMessages"> <!-- policy expression -->
(02)   <wsp:ExactlyOne>
(03)     <wsp:All> <!-- policy alternative #1 -->
(04)       <sp:SignedParts> <!-- policy assertion -->
(05)         <sp:Body/> <!-- policy assertion parameter -->
(06)       </sp:SignedParts>
(07)     </wsp:All>
(08)     <wsp:All> <!-- policy alternative #2 -->
(09)       <sp:EncryptedParts> <!-- policy assertion -->
(10)         <sp:Body/> <!-- policy assertion parameter -->
(11)       </sp:EncryptedParts>
(12)     </wsp:All>
(13)   </wsp:ExactlyOne>
(14) </wsp:Policy>
Lines (03-07) represent one policy alternative for signing a message body.
Lines (08-12) represent a second policy alternative for encrypting a message body.
Lines (02-13) show the ExactlyOne policy operator. Policy operators group policy assertions into policy alternatives. A valid interpretation of the policy above would be that an invocation of a Web service will either sign or encrypt the message body, but not both.
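The following added example (not part of the original article) parses the policy expression above, lists its policy alternatives, and checks a set of applied protections against the "sign or encrypt, but not both" interpretation. The function names `alternatives`, `matching_alternatives` and `complies` are hypothetical, and only the normal form shown in the listing (Policy/ExactlyOne/All) is handled.

```python
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# The policy expression from the listing above, without line numbers or comments.
POLICY = f"""
<wsp:Policy xmlns:sp="{SP}" xmlns:wsp="{WSP}" xmlns:wsu="{WSU}"
            wsu:Id="SecureMessages">
  <wsp:ExactlyOne>
    <wsp:All><sp:SignedParts><sp:Body/></sp:SignedParts></wsp:All>
    <wsp:All><sp:EncryptedParts><sp:Body/></sp:EncryptedParts></wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
"""

def alternatives(policy_xml):
    """Return each policy alternative as a frozenset of (assertion, parameter) names."""
    # For policy documents from an untrusted source, use a hardened XML parser.
    root = ET.fromstring(policy_xml)
    if root.tag != f"{{{WSP}}}Policy":
        raise ValueError("not a wsp:Policy expression")
    exactly_one = root.find(f"{{{WSP}}}ExactlyOne")
    if exactly_one is None:
        raise ValueError("only normal form (Policy/ExactlyOne/All) is handled")
    result = []
    for alt in exactly_one.findall(f"{{{WSP}}}All"):
        items = set()
        for assertion in alt:
            name = assertion.tag.split("}")[1]          # strip the {namespace} prefix
            params = [p.tag.split("}")[1] for p in assertion] or [None]
            items.update((name, p) for p in params)
        result.append(frozenset(items))
    return result

def matching_alternatives(policy_xml, applied):
    """1-based indexes of alternatives whose assertions equal the protections applied."""
    applied = frozenset(applied)
    return [i for i, alt in enumerate(alternatives(policy_xml), 1) if alt == applied]

def complies(policy_xml, applied):
    # The interpretation given above: sign or encrypt the body, but not both.
    return len(matching_alternatives(policy_xml, applied)) == 1
```
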
<wsp:PolicyAttachment>
  <wsp:AppliesTo>
  </wsp:AppliesTo>
  <wsp:Policy>
  </wsp:Policy>
</wsp:PolicyAttachment>
WSRR exposes REST interfaces for retrieving the appropriate policy attachments in an SLA model. Information on the consumer-provider pair to which the policy applies is passed to the ESB in WS-PolicyAttachment format. The syntax is defined in the WS-PolicyAttachment: Message Content Filters specification.
The policy can be specified for a provider service only, for a specific consumer-provider pair, or for Anonymous consumers. Anonymous consumers provide a way of defining a default policy that only applies to consumers for which no other policies apply.
In Figure 3, the domain-specific policy subject to which the policy applies (the provider) is contained in the <wsp:AppliesTo> section, followed by the consumer-context filter to which the policy applies (the consumer). Then, in the <wsp:Policy> section, the policy or policies are declared or referenced.