Sample Policy File
The following figure shows the contents of a sample WS-Security policy file for a web service consumer. The example outlines the incoming and outgoing message blocks of the policy file, and highlights several sections of code to illustrate policy file set-up and the XML code specifying security components.
* The policy ID attribute highlighted in line 1 is required for every policy you use.
* The policy specifies use of a WS-Security Username token. This means that a token containing the user name and password for the web service is included in the SOAP header of an outbound message to identify the requesting service.
* The policy specifies the use of a digital signature.
* The settings for the <Signature> component in the outbound message section indicate that the certificate to use for authentication is specified by a path location contained in the message header (TokenReferenceType="Direct" and IncludeCertPath="True").
* The settings for the inbound message section indicate that a digital signature is required on the body of incoming messages, that messages signed by an expired certificate will not be accepted by this web service, and that signatures will be validated to make sure that they were signed by a trusted authority or CA.
* The policy also includes a security timestamp component indicating that message expiration will be enforced on incoming messages, and specifying that outgoing messages expire after 300 ms. After 300 ms, messages sent from this consumer can be invalidated by the recipient.