Export (0) Print
Expand All

<Claims> Element

Specifies requirements that are specific to a security token type.

<policyDocument> Element
  <policies> Element
    <Policy> Element (WSE for Microsoft .NET) (1)
      <Confidentiality> Element
        <KeyInfo> Element (WSE for Microsoft .NET) (1)
          <SecurityToken> Element
            <policyDocument> Element
              <policies> Element
                <Policy> Element (WSE for Microsoft .NET) (1)
                  <Integrity> Element
                    <TokenInfo> Element
                      <SecurityToken> Element

<Claims>
  <BaseToken>
  <wse:ImpersonationLevel>identification|impersonation</wse:ImpersonationLevel>
  <IssuerToken>
  <Parent>
  <Role value="Tellers" 
            wse:xmlns="http://microsoft.com/wse/2002/12/policy"/>
  <ServiceName>Principal name of the target Web service.</ServiceName>
  <SubjectName >SecurityTokenSubjectName</SubjectName>
  <UsePassword Type="wsse:PasswordDigest"
               wsp:Usage="wsp:Required"/>
  <X509Extension>
</Claims>

Attributes

None

Child Elements

Element Description

<BaseToken> Element

Optional element. Specifies the security token that signs or must have signed security token requests for a SecurityContextToken security token.

<ImpersonationLevel> Element

Specifies how a recipient of a KerberosToken2 security token can use the identity associated with the security token.

<IssuerToken> Element

Optional element. Specifies the security token that a SOAP message sender must use to encrypt its entropy value when requesting a security token.

<Parent> Element

Optional element. Specifies the security token that a DerivedKeyToken was derived from.

<Role> Element

Optional element. Specifies the role a security token is required to be a member of.

<ServiceName> Element

Optional element. Specifies the target Web service's principal name for Kerberos security tokens. The names are compared in a case-insensitive manner.

<SubjectName> Element

Optional element. Specifies the subject name of an X509SecurityToken, a UsernameToken, or a KerberosToken. For Kerberos tokens only, the names are compared in a case-insensitive manner.

<UsePassword> Element

Optional element. Specifies the requirements for how a password for a UsernameToken is passed in a SOAP message.

<X509Extension> Element

Optional element. Specifies a claim about an X.509 certificate property.

Parent Elements

Element Description

<SecurityToken> Element

Specifies security token requirements.

Use the <Claims> element to implement role-based authorization based on policy. For more details about authorization, see Authorizing Access to a Web Service.

The following code example defines a policy assertion named signed-body-username that requires the digital signing of the <Body> element, timestamp header, and all addressing headers by a UsernameToken and requires that the user be a member of the Tellers role. SOAP messages sent to the http://www.cohowinery.com/usernamesigning.asmx endpoint must adhere to the policy assertion

Note:
This code example is designed to demonstrate WSE features and is not intended for production use.

<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings>
    <endpoint uri="http://www.cohowinery.com/usernamesigning.asmx">
      <defaultOperation>
        <request policy="#signed-body-username" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </endpoint>
  </mappings>
  <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
            xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
            xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
            xmlns:wssc="http://schemas.xmlsoap.org/ws/2004/04/sc"
            xmlns:rp="http://schemas.xmlsoap.org/rp">
    <!--This policy ensures that the message is digitally signed with
        a UsernameToken.-->
    <wsp:Policy wsu:Id="signed-body-username">
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
            <wssp:Claims>
              <wse:Role value="Tellers" xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy" />
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts xmlns:rp="http://schemas.xmlsoap.org/rp" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wse:Timestamp() wse:Addressing()</wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
  </policies>
</policyDocument>
Show:
© 2015 Microsoft