Companies worldwide are actively deploying service-oriented architecture (SOA) infrastructures using web services, both in intranet and extranet environments. While web services offer many advantages over traditional alternatives (e.g., distributed objects or custom software), deploying large networks of interconnected web services can still present several challenges, particularly with respect to security and management.
Some existing SOA middleware solutions have addressed these challenges via the implementation of a policy-based security/management model. For example, Oracle Corporation's Oracle Web Services Manager (OWSM) enables companies to centrally define and store declarative policy documents (referred to herein as web service policies or policies) that describe security and/or management-related behaviors for web service clients and services in an SOA infrastructure. Each policy can be attached to one or more web service client/service endpoints (referred to herein as policy subjects) hosted by one or more SOA applications. The attached policies can then be enforced at the client/service endpoints through configurable agents. With this model, security/management logic does not need to be hardcoded into an SOA application. Rather, such logic can be externalized in the form of a declarative web service policy, which can then be attached to an endpoint/application as needed by modifying metadata (referred to herein as policy attachment metadata) associated with the endpoint/application.
In certain implementations, policies can be attached to specific client/service endpoints via “local” policy attachment metadata, and/or to all endpoints that fall within a predefined scope (e.g., domain, server, application, etc.) of an SOA deployment via “global” policy attachment metadata. The latter approach can be useful in large deployments, since it enables a policy to be attached to a multitude of policy subjects in an efficient and consistent manner. Additional information regarding global policy attachments can be found in U.S. patent application Ser. No. 13/118,947, filed May 31, 2011, and entitled “ATTACHING WEB SERVICE POLICIES TO A GROUP OF POLICY SUBJECTS,” which is incorporated herein by reference in its entirety for all purposes.
One shortcoming with existing policy-based SOA solutions is that there is no way to conditionally attach policies to a particular policy subject at runtime. Instead, all valid policies that are associated with the policy subject via local or global policy attachment metadata will be considered attached (and thus will be enforced) at subject runtime, regardless of the context in which the policy subject is invoked/executed. This can be limiting in several scenarios.
By way of example, consider an application server hosting a web service that is reachable by a first set of clients residing on an internal, secure network and by a second set of clients residing on an external, insecure network, where access from the external network passes through a firewall. Because physical access to the internal network is highly restricted, it may be desirable for the web service to enforce a weaker security policy (e.g., authentication and authorization required, but no message protection) for requests originating from the internal clients; omitting message protection avoids signing and encrypting every message, which reduces load on the server and improves performance. At the same time, it may be desirable for the web service to enforce a stronger security policy (e.g., authentication, authorization, and message protection required) for requests originating from the external clients. Such a scheme is only sound if the service can reliably determine, for each request, which network it arrived from; but even granting that, this type of per-request, conditional processing cannot be achieved with existing SOA solutions. At best, a system administrator could manually modify the policy attachment metadata for the web service to attach one policy or the other in anticipation of receiving requests from internal or external clients. This manual approach is cumbersome, and it is not feasible where a large number of internal and external clients access the service at substantially the same time.
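To make the local/global attachment model and the internal-versus-external scenario above concrete, the following Python module is an added example written for this page; it is not OWSM code and does not reproduce Oracle's metadata format. It models policy documents as declarative behaviour sets, attachment metadata as scopes (a full domain/server/application/endpoint path is a local attachment, a shorter path is a global one), and adds an assumed per-request constraint, a required request origin, that existing solutions lack according to the text. The policy names, the internal address ranges, the `origin` field and the source-IP-based classification are all constructed for the example. The resolver fails closed: any request whose source address cannot be parsed or is not in a known internal range is treated as external and gets the stronger policy.

```python
"""Toy web-service policy resolver with per-request conditional attachment.

Added example, not OWSM code. Policy names, scopes, address ranges and the
`origin` constraint are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Declarative policy documents (constructed): name -> behaviours the
# enforcement agent must apply to each message.
POLICIES = {
    "logging": frozenset({"logging"}),
    "auth_authz": frozenset({"authentication", "authorization"}),
    "auth_authz_msgprot": frozenset({"authentication", "authorization",
                                     "message_protection"}),
}

# Internal address ranges (constructed). Anything else, including an
# unparsable or IPv6 source address, is classified as external.
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16"))


@dataclass(frozen=True)
class Subject:
    """A policy subject located by its position in the deployment."""
    domain: str
    server: str
    application: str
    endpoint: str

    def path(self) -> Tuple[str, ...]:
        return (self.domain, self.server, self.application, self.endpoint)


@dataclass(frozen=True)
class Attachment:
    """Policy attachment metadata. A 4-element scope is a local attachment
    to one endpoint; a shorter scope is a global attachment covering every
    subject under that domain/server/application prefix. `origin` is the
    assumed per-request constraint; None means unconditional."""
    policy: str
    scope: Tuple[str, ...]
    origin: Optional[str] = None   # "internal", "external" or None


def classify_origin(source_ip: str) -> str:
    """Map a request's source address to 'internal' or 'external'.
    Fails closed: unparsable addresses and addresses outside the internal
    ranges are external. Assumes the server sees the real client address
    (i.e. no intermediary rewrites it)."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return "external"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def attached_policies(subject: Subject, attachments: List[Attachment],
                      source_ip: str) -> List[str]:
    """Names of the policies attached to `subject` for this request.
    Unconditional attachments always apply (the union semantics the text
    describes for local plus global metadata); conditional attachments
    apply only when the request origin matches their constraint."""
    origin = classify_origin(source_ip)
    path = subject.path()
    chosen = set()
    for a in attachments:
        if path[:len(a.scope)] != a.scope:          # scope does not cover subject
            continue
        if a.origin is not None and a.origin != origin:
            continue                                  # condition not met
        if a.policy not in POLICIES:
            raise ValueError(f"unknown policy {a.policy!r}")
        chosen.add(a.policy)
    return sorted(chosen)


def required_behaviours(subject: Subject, attachments: List[Attachment],
                        source_ip: str) -> List[str]:
    """Union of the behaviours the agent must enforce for this request."""
    out = set()
    for name in attached_policies(subject, attachments, source_ip):
        out |= POLICIES[name]
    return sorted(out)


# Constructed deployment: a domain-wide management policy plus two
# conditional local attachments on one service endpoint.
ORDER_SERVICE = Subject("domain1", "server1", "orders_app", "OrderService")
ATTACHMENTS = [
    Attachment("logging", ("domain1",)),                                  # global
    Attachment("auth_authz", ORDER_SERVICE.path(), origin="internal"),    # local
    Attachment("auth_authz_msgprot", ORDER_SERVICE.path(), origin="external"),
]

if __name__ == "__main__":
    for src in ("10.1.2.3", "203.0.113.7", "not-an-address"):
        print(src, "->", required_behaviours(ORDER_SERVICE, ATTACHMENTS, src))
```

The deliberate asymmetry is that only a positive match against the internal ranges relaxes the policy; every other outcome, including a parse failure, yields the external policy. In a real deployment the origin check is only as trustworthy as the address the server observes, so a reverse proxy or load balancer in front of the service must be accounted for before network position is used as a trust signal.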