Securing a Web Service
In most cases, Web services are secured with the Web Services Enhancements for .NET (WSE) by declaratively stating the security requirements for incoming and outgoing SOAP messages in an XML file. These requirements, collectively known as a policy, are defined either by (a) using the Policy tab of the WSE Settings 3.0 Tool from within Visual Studio 2005 or (b) manually adding a <policy> element to the XML file. Whether or not the tool is used, each <policy> element has a name attribute that uniquely names the policy. Once the policy is declared in the XML file, which is known as a policy file, it is applied to a Web service method by applying a PolicyAttribute attribute with the policy name to the class that implements the Web service method.
Alternatively, the policy for a Web service can be specified in code when the deployment environment is known ahead of time and is not likely to change. Typically, it is more flexible to allow an administrator to define the policy for an application when it is deployed using a policy file, but WSE does allow you to specify the policy in code. To specify the policy in code, a PolicyAttribute attribute is still applied to the class that is implementing the Web service method, but a type is provided instead of a policy name. That type must derive from Policy, and in its constructor the security requirements are specified. For more details, see How to: Secure a Web Service Without Using a Policy File.
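The two ways of attaching a policy described above, side by side. This is an added example, not code from the original documentation; the policy name ServerPolicy, the class names, and the example.com namespace are assumptions chosen for illustration.

```csharp
// Added illustration. Names marked "hypothetical" are assumptions, not WSE names.
using System.Web.Services;
using Microsoft.Web.Services3;          // PolicyAttribute
using Microsoft.Web.Services3.Design;   // Policy and the turnkey assertions

// Option 1: policy by name. WSE resolves "ServerPolicy" (hypothetical name)
// against the <policy> element with the same name attribute in the policy file:
//
//   <policy name="ServerPolicy">
//     <usernameOverTransportSecurity />
//     <requireActionHeader />
//   </policy>
//
// An administrator can change the assertions at deployment without a rebuild.
[WebService(Namespace = "http://example.com/orders")]   // hypothetical namespace
[Policy("ServerPolicy")]
public class OrderService : WebService                   // hypothetical service
{
    [WebMethod]
    public string GetStatus(int orderId)
    {
        return "Shipped";   // constructed sample value
    }
}

// Option 2: policy in code. The type derives from Policy and states the
// security requirements in its constructor, so changing them means a rebuild.
public class ServerPolicyInCode : Policy                 // hypothetical type
{
    public ServerPolicyInCode()
    {
        // Same requirements as the XML above. The username-over-transport
        // assertion adds no message-level protection of its own: it relies
        // on the transport (for example SSL) for confidentiality.
        this.Assertions.Add(new UsernameOverTransportAssertion());
        this.Assertions.Add(new RequireActionHeaderAssertion());
    }
}

[WebService(Namespace = "http://example.com/orders")]
[Policy(typeof(ServerPolicyInCode))]                     // a type, not a name
public class OrderServiceWithCodePolicy : WebService     // hypothetical service
{
    [WebMethod]
    public string GetStatus(int orderId)
    {
        return "Shipped";
    }
}
```

In both forms the attribute sits on the class, so every Web service method the class exposes is covered by the same policy.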
The following sections describe in more detail how to create a policy file when you are not using the WSE Settings 3.0 Tool, or when you are modifying the contents of a policy file that the tool generated.
In This Section
Topic | Description |
---|---|
 | Describes what a policy file is and its basic XML structure. |
 | Describes how a policy assertion is used to describe the requirements for a SOAP message exchange. |
 | Describes the extensibility points in the policy framework. |
 | Details the turnkey security assertions that ship with WSE. |
Reference
Related Sections
- Custom Policy Assertions
Describes what a custom policy assertion is. A custom policy assertion is used when turnkey security assertions do not meet an application's requirements.
- How to: Secure a Web Service Using a Policy File
Details how to use a turnkey security assertion to secure a Web service.
- Patterns & Practices: Web Service Security Patterns
The Web Service Security Patterns guidance helps you make the most appropriate security decisions in the context of your requirements.