This documentation is archived and is not being maintained.

Securing a Web Service

For the majority of cases, securing Web services using the Web Services Enhancements for .NET (WSE) is done by declaratively stating the security requirements for incoming and outgoing SOAP messages in an XML file. These requirements, collectively known as a policy, are defined either by (a) using the WSE Settings 3.0 Tool tool and its Policy tab from within Visual Studio 2005 or (b) manually adding a <policy> Element (Policy) to the XML file. Whether the tool is used or not, each <policy> element has a name attribute that uniquely names the policy. Once the policy is declared in the XML file, which is known as a policy file, the policy is applied to a Web service method by applying a PolicyAttribute attribute with a policy name to the class that is implementing the Web service method.

Alternatively, the policy for a Web service can be specified in code when the deployment environment is known ahead of time and is not likely to change. Typically, it is more flexible to allow an administrator to define the policy for an application when it is deployed using a policy file, but WSE does allow you to specify the policy in code. To specify the policy in code, a PolicyAttribute attribute is still applied to the class that is implementing the Web service method, but a type is provided instead of a policy name. That type must derive from Policy, and in its constructor the security requirements are specified. For more details, see How to: Secure a Web Service Without Using a Policy File.

The following sections describe how to create a policy file in more detail when you are not using the WSE Settings 3.0 Tool tool or you are modifying the contents of the policy file that is generated by the tool.

In This Section

Topic Description

Policy Files

Describes what a policy file is and its basic XML structure.

Policy Assertions

Describes how a policy assertion is used to describe the requirements for a SOAP message exchange.

Policy Extensions

Describes the extensibility points in the policy framework.

Turnkey Security Assertions

Details the turnkey security assertions that ship with WSE.


Related Sections

Custom Policy Assertions

Describes what a custom policy assertion is. A custom policy assertion is used when turnkey security assertions do not meet an application's requirements.
How to: Secure a Web Service Using a Policy File

Details how to use a turnkey security assertion to secure a Web service.
Patterns & Practices: Web Service Security Patterns

The Web Service Security Patterns guidance helps you make the most appropriate security decisions in the context of your requirements.