<Policy> Element (WSE for Microsoft .NET)

Specifies a SOAP message requirement.

<policyDocument> Element
  <policies> Element

<wsp:Policy wsu:Id="UniquePolicyIdentifier"
            xmlns:wsp="https://schemas.xmlsoap.org/ws/2002/12/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns="https://schemas.xmlsoap.org/ws/2002/12/secext">
  <Integrity wsp:Usage="wsp:Required" />
  <Confidentiality wsp:Usage="wsp:Required" />
  <MessageAge wsp:Usage="wsp:Required" Age="600" />
</wsp:Policy>

Attributes and Elements

Attributes

Attribute Description

wsu:Id

Required attribute. Identifies the policy assertion uniquely within the policy file.

Child Elements

Element Description

<Integrity> Element

Optional element. Specifies the digital signature requirements for a SOAP message.

<Confidentiality> Element

Optional element. Specifies the encryption requirements for a SOAP message.

<MessageAge> Element

Optional element. Specifies the maximum expiration period for a SOAP message.

Parent Elements

Element Description

<policies> Element

Contains the policy assertions for the policy file.

Remarks

The <policies> element can have zero or more <Policy> elements, each of which defines a policy assertion. After you define a policy assertion, you can map it to a specific endpoint by using the <endpoint> element. Within the <endpoint> element, the policy attribute refers to the wsu:Id attribute of a <Policy> element, prefixed with "#" (for example, policy="#signed-body-x509"). Therefore, each <Policy> element must have a wsu:Id attribute that is unique within the policy file; a reference that does not resolve to a defined wsu:Id cannot be enforced.

Example

The following code example defines four policy assertions: encrypted-body-x509, encrypted-body-x509-specific, signed-body-x509, and signed-body-x509-or-Kerberos. Both the encrypted-body-x509 and encrypted-body-x509-specific policy assertions specify that the <Body> element must be encrypted by using an X509SecurityToken; encrypted-body-x509-specific additionally names, through a SubjectKeyIdentifier, the specific X.509 certificate that must be used. The signed-body-x509 and signed-body-x509-or-Kerberos policy assertions require the <Body> element, the timestamp header, and all addressing headers to be signed; the former specifies that the signature must be made with an X509SecurityToken, and the latter specifies that it can be made with either an X509SecurityToken or a KerberosToken. The <mappings> section then binds these assertions to endpoints and operations: the AddNumbers operation of the first endpoint requires encrypted-body-x509-specific, its remaining requests require signed-body-x509-or-Kerberos, and all other endpoints fall back to signed-body-x509. Note that every <response> and <fault> element is mapped to an empty policy reference, so no signing or encryption requirement is applied to responses or faults in this example.

Note

This code example is designed to demonstrate WSE features and is not intended for production use.

<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="https://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings>
    <endpoint uri="https://localhost/X509AuthenticationCS/Service1.asmx">
      <operation requestAction="http://tempuri.org/AddNumbers" policy="#encrypted-body-x509-specific" />
      <defaultOperation>
        <request policy="#signed-body-x509-or-Kerberos" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </endpoint>
    <endpoint uri="https://localhost/X509AuthenticationCSXX/Service1.asmx">
      <defaultOperation>
        <request policy="#signed-body-x509" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </endpoint>
    <defaultEndpoint>
      <defaultOperation>
        <request policy="#signed-body-x509" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </defaultEndpoint>
  </mappings>
  <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wse="https://schemas.microsoft.com/wse/2003/06/Policy"
            xmlns:wsa="https://schemas.xmlsoap.org/ws/2004/03/addressing"
            xmlns:wssp="https://schemas.xmlsoap.org/ws/2002/12/secext"
            xmlns:wsp="https://schemas.xmlsoap.org/ws/2002/12/policy"
            xmlns:wssc="https://schemas.xmlsoap.org/ws/2004/04/sc"
            xmlns:rp="https://schemas.xmlsoap.org/rp">
    <!--This policy requires that the body be encrypted using an X509
        security token.-->
    <wsp:Policy wsu:Id="encrypted-body-x509">
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:KeyInfo>
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
        <wssp:MessageParts Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part" xmlns:rp="https://schemas.xmlsoap.org/rp">wsp:Body()</wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
    <!--This policy requires that the body be encrypted using a specific
        x509 security token.-->
    <wsp:Policy wsu:Id="encrypted-body-x509-specific">
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:KeyInfo>
          <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ZPGrPnuqATeSgVjLYcmiY/GSWWY=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </wssp:KeyInfo>
        <wssp:MessageParts Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part" xmlns:rp="https://schemas.xmlsoap.org/rp">wsp:Body()</wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
    <!--This policy requires that the body be signed by an X509 security
        token.-->
    <wsp:Policy wsu:Id="signed-body-x509">
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part" xmlns:rp="https://schemas.xmlsoap.org/rp">wsp:Body() wse:Timestamp() wse:Addressing()</wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
    <!--This policy requires that the body be signed either by an X509 or
        a Kerberos security token.-->
    <wsp:Policy wsu:Id="signed-body-x509-or-Kerberos">
      <wssp:Integrity wsp:Usage="wsp:Observed">
        <wssp:TokenInfo>
          <wsp:OneOrMore>
            <wssp:SecurityToken>
              <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            </wssp:SecurityToken>
            <wssp:SecurityToken>
              <wssp:TokenType>https://schemas.xmlsoap.org/ws/2003/12/kerberos/Kerberosv5ST</wssp:TokenType>
            </wssp:SecurityToken>
          </wsp:OneOrMore>
        </wssp:TokenInfo>
        <wssp:MessageParts Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part" xmlns:rp="https://schemas.xmlsoap.org/rp">wsp:Body() wse:Timestamp() wse:Addressing()</wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
  </policies>
</policyDocument>
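The Remarks section states that every policy reference in <mappings> must resolve to a wsu:Id that is unique within the policy file, and the example above leaves responses and faults with an empty policy reference. The following script is an added example, not code from this page or from WSE itself: it lints a policy document offline before deployment, reporting duplicate or missing wsu:Id values, references that do not resolve, and message directions with no policy mapped, and it summarizes which assertions and message parts each policy covers. The embedded document is a constructed, trimmed version of the page's example (with one deliberately dangling reference, #signed-body-missing), and the namespace URIs are taken as they appear on this page.

```python
"""Offline lint for a WSE 2.0 policy file (example, not part of WSE)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace URIs as they appear in the policy document on this page.
WSE = "https://schemas.microsoft.com/wse/2003/06/Policy"
WSP = "https://schemas.xmlsoap.org/ws/2002/12/policy"
WSSP = "https://schemas.xmlsoap.org/ws/2002/12/secext"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"wse": WSE, "wsp": WSP, "wssp": WSSP, "wsu": WSU}

# Constructed sample: a trimmed copy of the page's example, with the
# defaultEndpoint deliberately pointing at a policy that is not defined.
SAMPLE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="https://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings>
    <endpoint uri="https://localhost/X509AuthenticationCS/Service1.asmx">
      <operation requestAction="http://tempuri.org/AddNumbers" policy="#encrypted-body-x509" />
      <defaultOperation>
        <request policy="#signed-body-x509" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </endpoint>
    <defaultEndpoint>
      <defaultOperation>
        <request policy="#signed-body-missing" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </defaultEndpoint>
  </mappings>
  <policies xmlns:wsu="%s" xmlns:wssp="%s" xmlns:wsp="%s">
    <wsp:Policy wsu:Id="encrypted-body-x509">
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:MessageParts Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
    <wsp:Policy wsu:Id="signed-body-x509">
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:MessageParts Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wse:Timestamp() wse:Addressing()</wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
  </policies>
</policyDocument>
""" % (WSU, WSSP, WSP)

# Second constructed input: the same file with a duplicated wsu:Id.
SAMPLE_WITH_DUPLICATE = SAMPLE_POLICY.replace(
    'wsu:Id="signed-body-x509"', 'wsu:Id="encrypted-body-x509"')


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def lint_policy_document(xml_text):
    """Return a list of findings; an empty list means the file is consistent."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []

    # 1. Every <wsp:Policy> needs a wsu:Id, and each Id must be unique.
    ids = [p.get("{%s}Id" % WSU) for p in root.iterfind(".//wsp:Policy", NS)]
    for pid, count in Counter(ids).items():
        if pid is None:
            findings.append("policy without wsu:Id")
        elif count > 1:
            findings.append("duplicate wsu:Id %r" % pid)
    defined = {pid for pid in ids if pid}

    # 2. Every policy="..." in <mappings> must be "#<Id>" of a defined policy.
    #    An empty reference means that message direction gets no policy at all.
    for scope in root.find("wse:mappings", NS):
        where = scope.get("uri", "defaultEndpoint")
        for el in scope.iter():
            ref = el.get("policy")
            if ref is None:
                continue
            tag = _local(el.tag)
            if ref == "":
                findings.append("%s %s: no policy mapped (not signed or encrypted)" % (where, tag))
            elif not ref.startswith("#") or ref[1:] not in defined:
                findings.append("%s %s: unresolved policy reference %r" % (where, tag, ref))
    return findings


def summarize_policies(xml_text):
    """Map each wsu:Id to [(assertion, wsp:Usage, [message parts]), ...]."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    summary = {}
    for policy in root.iterfind(".//wsp:Policy", NS):
        entries = []
        for assertion in policy:
            parts = assertion.findtext("wssp:MessageParts", default="", namespaces=NS)
            entries.append((_local(assertion.tag), assertion.get("{%s}Usage" % WSP), parts.split()))
        summary[policy.get("{%s}Id" % WSU)] = entries
    return summary


if __name__ == "__main__":
    for finding in lint_policy_document(SAMPLE_POLICY):
        print("FINDING:", finding)
    for pid, entries in summarize_policies(SAMPLE_POLICY).items():
        print(pid, entries)
```

Run against the sample, the linter flags the dangling #signed-body-missing reference and the four empty response and fault mappings; the summary shows that signed-body-x509 covers wsp:Body(), wse:Timestamp() and wse:Addressing() while encrypted-body-x509 covers only the body. A file that passes this check can still be rejected by WSE at run time; the script only catches referential mistakes before deployment.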

See Also

Reference

<policies> Element
<Integrity> Element
<Confidentiality> Element
<MessageAge> Element

Concepts

Policy File Schema

Other Resources

Configuring a Web Service's Policy