<policy> Element (Policy)

  • Article

Specifies one or more SOAP message requirements.

<policies> Element

<policy name="unique policy name">
  <anonymousForCertificateSecurity />
  <mutualCertificate10Security />
  <kerberosSecurity />
  <mutualCertificate11Security />
  <requireActionHeader />
  <requireSoapHeader name namespace actor />
  <usernameForCertificateSecurity />
  <usernameOverTransportSecurity />
</policy>

Attributes and Elements

Attributes

Attribute Description

name

Required attribute. Identifies the policy uniquely within the policy file.

Child Elements

Element Description

<anonymousForCertificateSecurity> Element

Represents a turnkey security assertion that uses an X509SecurityToken security token to protect SOAP messages. The client is not authenticated. WS-Security 1.1 is required for this assertion.

<mutualCertificate10Security> Element

Represents a turnkey security assertion that uses X509SecurityToken security tokens to authenticate the client and protect SOAP messages. WS-Security 1.0 and 1.1 can be used with this assertion.

<kerberosSecurity> Element

Represents a turnkey security assertion that uses a KerberosToken security token to authenticate the client and protect SOAP messages.

<mutualCertificate11Security> Element

Represents a turnkey security assertion that uses X509SecurityToken security tokens to authenticate the client and protect SOAP messages. WS-Security 1.1 is required for this assertion.

<requireActionHeader> Element

Represents a security assertion that requires the presence of the Action header for the ultimate recipient of the SOAP message.

<requireSoapHeader> Element

Represents a security assertion that requires the presence of the specified SOAP header in the SOAP message.

<usernameForCertificateSecurity> Element

Represents a turnkey security assertion that uses a X509SecurityToken security token to protect SOAP messages. The client is authenticated using a UsernameToken security token. WS-Security 1.1 is required for this assertion.

<usernameOverTransportSecurity> Element

Represents a turnkey security assertion that authenticates the client using a UsernameToken security token. The SOAP message is not encrypted or digitally signed, so a secure transport should be used with this assertion. WS-Security 1.1 or 1.0 can be used with this assertion.

Parent Elements

Element Description

<policies> Element

Contains the policies for the policy file.

Remarks

The <policies> Element element can have zero or more policy elements, each of which defines a policy. Each policy element can have one or more child elements. These child elements can be one of the turnkey security assertions (<anonymousForCertificateSecurity> Element, <kerberosSecurity> Element, <mutualCertificate11Security> Element, <usernameOverTransportSecurity> Element, <usernameForCertificateSecurity> Element, <mutualCertificate10Security> Element) or an element defined by a custom policy assertion. For more details about using the turnkey security assertions, see Turnkey Security Assertions. For more details about custom policy assertions, see Custom Policy Assertions.

Example

The following code example demonstrates how to secure a SOAP message exchange using an X509SecurityToken security token for protection and a UsernameToken security token for client authentication. The code example defines a policy named ClientPolicy that specifies that a X509SecurityToken security token is used to digitally sign the SOAP message, and to encrypt the <body> element of the SOAP message. The keys used to generate the digital signature and encrypt the <body> element are not the same keys, but rather are derived from the same key. In the following code example, the user name and password must be added in code.

<policies>
  <extensions>
    <extension name="usernameForCertificateSecurity" type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="ClientPolicy">
    <usernameForCertificateSecurity 
      establishSecurityContext="false" 
      renewExpiredSecurityContext="true" 
      signatureConfirmation="false" 
      protectionOrder="SignBeforeEncrypting" 
      deriveKeys="true" >
      <serviceToken>
        <x509
          storeLocation="CurrentUser"
          storeName="AddressBook"
          findValue="CN=WSE2QuickStartServer"
          findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="true" />
        <response 
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="true" />
        <fault
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="false" />
      </protection>
    </usernameForCertificateSecurity>
    <requireActionHeader />
  </policy>
</policies>

See Also

Reference

<policies> Element
<anonymousForCertificateSecurity> Element
<kerberosSecurity> Element
<mutualCertificate11Security> Element
<usernameOverTransportSecurity> Element
<usernameForCertificateSecurity> Element
<mutualCertificate10Security> Element

Concepts

Policy File Schema