Policy sets are assertions about how services are defined. They are used to simplify the
quality of service configuration for web services.
About this task
Policy sets combine configuration settings, including those for transport and message level
configuration, such as WS-Addressing, WS-ReliableMessaging, and WS-Security. There are two main
types of policy sets: application policy sets and system policy sets. Application policy sets are
used for business-related assertions. These assertions are related to the business operations that
are defined in the Web Services Description Language (WSDL) file. System policy sets, on the other
hand, are used for non-business-related system messages. These messages are not related to the
business operations that are defined in the WSDL, but instead refer to messages that are defined in
other specifications that apply qualities of service (QoS). Examples are the request security token
(RST) messages that are defined in WS-Trust, or the create sequence messages that are defined in
WS-ReliableMessaging metadata exchange messages of the WS-MetadataExchange.
Note: You can use policy sets only with Java™ API for XML-Based Web Services (JAX-WS)
applications. You cannot use policy sets with Java™ API for XML-based RPC (JAX-RPC) applications.
Policies are defined based on a quality of service. Policy definition is typically based on the
WS-Policy standard language. For example, the WS-Security policy is based on the current
WS-SecurityPolicy from the Organization for the Advancement of Structured Information Standards
(OASIS) standards.
Policy sets do not include environment or platform-specific information, such as keys for
signing, keystore information, or persistent store information. This type of information is defined
in the binding. A policy set attachment defines how a policy set is attached to service resources
and bindings. The attachment definition is outside the policy set definition and is defined as
metadata associated with application data.
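The following Python code is an added example, not IBM code and not a policy set shipped with the product. It reads a constructed, trimmed WS-SecurityPolicy document, reports which message-level protections the policy requires, and flags environment data (keystore references, passwords) that belongs in the binding rather than in the policy. The sample policy, the function names, and the keyword list are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  # WS-SecurityPolicy 1.2
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"              # WS-Policy

# Constructed sample policy, trimmed for brevity (token assertions omitted).
SAMPLE_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:AsymmetricBinding>
    <wsp:Policy>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256/></wsp:Policy></sp:AlgorithmSuite>
      <sp:IncludeTimestamp/>
    </wsp:Policy>
  </sp:AsymmetricBinding>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
</wsp:Policy>
"""

# Heuristic keywords (an assumption) that suggest binding data leaked into a policy.
BINDING_ONLY_HINTS = ("keystore", "storepass", "keypass", "password", ".jks", ".p12")

def parts(root, assertion):
    """Local names of the message parts listed under sp:SignedParts or sp:EncryptedParts."""
    found = set()
    for node in root.iter(f"{{{SP}}}{assertion}"):
        found.update(child.tag.split("}")[1] for child in node)
    return found

def audit_policy(xml_text):
    """Summarize what the policy requires and list any binding-style data found in it."""
    root = ET.fromstring(xml_text)
    suite = root.find(f".//{{{SP}}}AlgorithmSuite/{{{WSP}}}Policy/*")
    leaked = sorted(h for h in BINDING_ONLY_HINTS if h in xml_text.lower())
    return {
        "signed": parts(root, "SignedParts"),
        "encrypted": parts(root, "EncryptedParts"),
        "timestamp": root.find(f".//{{{SP}}}IncludeTimestamp") is not None,
        "algorithm_suite": suite.tag.split("}")[1] if suite is not None else None,
        "binding_data_in_policy": leaked,
    }

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
```

An empty "encrypted" set or a non-empty "binding_data_in_policy" list is the result to review before the policy set is attached.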
To secure JAX-WS web services with message-level security using policy
sets, follow these steps: