One of the biggest benefits of Web Services is interoperability in a large distributed computing environment. The interoperability of Web Services is achieved by using a Web Services policy to control the message format. Instead of using different applications, the same application can be used along with different Web Services policy configurations to communicate with other parties over the network.
The Web Services policy is expressed in an XML format. Web Service Policy provides a flexible and extensible grammar for expressing the capabilities, requirements, and general characteristics of entities in an XML Web Service-based system. Web Service Policy defines a policy to be a collection of policy alternatives, where each policy alternative is a collection of policy assertions.
Web Service Policy assertions will define the configuration for various WS standards, including the following:
WS Security
WS Security Policy
WS Reliable Messaging
WS Addressing
WS Secure Conversation
WS Trust
SAML (Security Assertion Markup Language)
MTOM (Message Transmission Optimization Mechanism)
Other WS-* standards
Each standard has many options that can be configured for the communication between a Web Services Requester and a Web Services Provider. Because of these different options in defining the Web Services policy, multiple Web Services policy alternatives are available at runtime for each Service Requester and Service Provider pair, whereas only one policy alternative can be selected and used.
As shown in FIG. 1, Web Service messages 101, such as SOAP messages 102, flow between the Web Service initiator (service requester) 104 and the Web Service recipient (service provider) 103. Web Service Policy 105 defines the requirements for achieving reliability and security. The policy also defines how to generate the Web Services messages 101 for request and response, including which elements 205 should be included in the SOAP header 202, which action should be taken for the SOAP body 203 and which attachments 204 should be included in the SOAP envelope 201, as shown in FIG. 2.
The service requester 104 will generate a SOAP message 102 based on the Web Service Policy 105. The service requester 104 will then send the SOAP message 102 to the Web Services provider 103. The message receiver 103 will, in turn, use the policy 105 to validate that the incoming SOAP message 102 is in fact in compliance with the policy 105. The receiver 103 also takes proper actions to process the incoming SOAP message 102 based on the Web Service Policy 105.
The service receiver 103 will also generate a response message, based on the Web Service Policy 105. The receiver 103 will then send the SOAP message 102 back to the requester 104. Upon receiving the response, the requester 104 will validate the incoming response message and perform proper actions, based on the Web Service Policy 105.
For each Web Services request and response, the Web Service standards allow multiple policy alternatives 106. The combination of different Web Service standards and different aspects of the Web Services configurations will create even more policy alternatives.
As shown in FIG. 3, in a large distributed environment, there is a many-to-many relationship between the service provider 104 and the service requester 103. Each service has multiple ports, and each port has a different policy attached to it. Each requester and provider pair may have multiple policy alternatives available at runtime. This makes the selection of a policy alternative even more complicated.
Web Service Security Policy
Web Services security requirements include securing Web Services for authentication, confidentiality, integrity and non-repudiation. For SOAP messages flowing between a Web Service initiator and recipient, Web Services Security Policy defines how to meet these security requirements.
There are many ways to define a security policy. Among them, the OASIS WS-SX TC is an open standards body that defines the Web Services Security Policy standard (WSSP). WSSP defines the policy assertion syntax for how to generate the secure Web Services messages for request and response.
A service requester 104 will generate a SOAP message 102 based on a Web Service security policy 105, and send the message to a Web Services provider 103. The message receiver 103 will then validate the incoming SOAP message 102 against the security policy 105 to determine whether it is in fact in compliance with the security policy 105. The receiver 103 will also generate a response SOAP message 102 based on the security policy 105 and send the response SOAP message 102 back to the requester 104. Upon receiving the response SOAP message 102, the requester 103 will validate the incoming response message based on the security policy 105.
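As an added illustration of both the policy alternative selection described above for FIG. 3 and the receiver-side validation in this section (example code written for this page, not from the patent or any WSSP implementation): a small Python script that enumerates the wsp:ExactlyOne/wsp:All alternatives of a constructed policy and picks the first alternative whose required headers an incoming SOAP message actually carries, rejecting the message when none matches. The assertion-to-header mapping (CHECKS), the policy document and the SOAP message are constructed assumptions; real WSSP nests assertions under binding assertions and verifies signatures and tokens, which is not done here.

```python
# Constructed example: enumerate WS-Policy alternatives (normal form) and pick the
# first one an incoming SOAP message satisfies, or reject it. The assertion->header
# mapping is a hypothetical simplification of real WSSP processing.
import xml.etree.ElementTree as ET

NS = {"wsp": "http://www.w3.org/ns/ws-policy",
      "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
      "wsam": "http://www.w3.org/2007/05/addressing/metadata",
      "soap": "http://www.w3.org/2003/05/soap-envelope",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsa": "http://www.w3.org/2005/08/addressing"}

# Header element that must be present for each assertion; an assertion with no
# known check is treated as unsatisfied, so the message is rejected, not accepted.
CHECKS = {"{%s}IncludeTimestamp" % NS["sp"]: "wsse:Security/wsu:Timestamp",
          "{%s}SignedParts" % NS["sp"]: "wsse:Security/ds:Signature",
          "{%s}UsernameToken" % NS["sp"]: "wsse:Security/wsse:UsernameToken",
          "{%s}Addressing" % NS["wsam"]: "wsa:Action"}

# Constructed policy: two alternatives, a signed+timestamped one and a UsernameToken one.
POLICY = """<wsp:Policy xmlns:wsp="%(wsp)s" xmlns:sp="%(sp)s" xmlns:wsam="%(wsam)s">
  <wsp:ExactlyOne>
    <wsp:All><sp:IncludeTimestamp/><sp:SignedParts/><wsam:Addressing/></wsp:All>
    <wsp:All><sp:UsernameToken/><wsam:Addressing/></wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>""" % NS

# Constructed incoming request: carries wsa:Action and a UsernameToken only.
SOAP = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsa="%(wsa)s">
  <soap:Header>
    <wsa:Action>urn:example:GetQuote</wsa:Action>
    <wsse:Security><wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken></wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>""" % NS

def alternatives(policy_xml):
    """Each wsp:All under wsp:ExactlyOne is one alternative: a set of assertion tags."""
    root = ET.fromstring(policy_xml)
    return [{a.tag for a in alt} for alt in root.findall("wsp:ExactlyOne/wsp:All", NS)]

def select_alternative(policy_xml, soap_xml):
    """Index of the first alternative the message's headers satisfy, else None."""
    header = ET.fromstring(soap_xml).find("soap:Header", NS)
    if header is None:
        return None
    for i, alt in enumerate(alternatives(policy_xml)):
        if all(a in CHECKS and header.find(CHECKS[a], NS) is not None for a in alt):
            return i
    return None
```

With the constructed inputs the second alternative (index 1) is selected; a message whose token does not match any alternative yields None and should be rejected by the receiver.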