+

Search Tips   |   Advanced Search

Secure Web services using policy sets


Policy sets are assertions about how services are defined. They are used to simplify the quality of service configuration for Web services.

Policy sets combine settings, including those for transport and message level configuration, such as WS-Addressing, WS-ReliableMessaging, and WS-Security. There are two main types of policy sets; application policy sets and system policy sets. Application policy sets are used for business-related assertions. These assertions are related to the business operations defined in the Web Services Description Language (WSDL) file. System policy sets, on the other hand, are used for non-business-related system messages. These messages are not related to the business operations defined in the WSDL, but instead refer to messages defined in other specifications which apply qualities of service (QoS). Such QoS are the request security token (RST) messages defined in WS-Trust, or create sequence messages defined in WS-Reliable Messaging metadata exchange messages of the WS-MetadataExchange.

You can use policy sets only with JAX-WS applications. We cannot use policy sets with JAX-RPC applications.

Policies are defined based on a quality of service. Policy definition is typically based on WS-Policy standard language, for example, the WS-Security policy is based on the current WS-SecurityPolicy from the Organization for the Advancement of Structured Information Standards (OASIS) standards.

Policy sets do not include environment or platform-specific information, such as keys for signing, keystore information, or persistent store information. This type of information is defined in the binding. A policy set attachment defines how a policy set is attached to service resources and bindings. The attachment definition is outside the policy set definition and is defined as meta-data associated with application data.

To secure JAX-WS Web services with message-level security using policy sets, follow these steps:

 

  1. Select, create, or copy and modify a policy set to specify the message-level protection required. The policy specifies what protection will be applied, for example, what message parts to sign or encrypt and the token types and algorithms to use.

    • Select one of the Web services policy sets.

    • Create, copy, modify, import, export or delete a policy set.

      See, read about managing policy sets using the admin console

  2. Attach the policy set to the application.

  3. Create or select the policy set bindings to be used.

    The bindings are then attached to the application along with the policy set. The bindings used can either be general bindings that can be shared among applications or application specific bindings.

    See, read about defining and managing policy set bindings.

  4. If WS-SecureConversation is being used, specify the trust service system policy sets and bindings on the application server.


Example: Set the message-level WS-Security policy set and bindings

 

Related concepts


JAX-WS
Web services policy sets

 

Related tasks


Secure requests to the trust service using system policy sets
Manage policy sets
Attach a policy set to a service artifact
Set policy set bindings
Secure JAX-WS Web services using message-level security