Web Services Policy 1.5 - Attachment
W3C Working Draft 27 September 2006
This version: http://www.w3.org/TR/2006/WD-ws-policy-attach-20060927
Previous version: http://www.w3.org/TR/2006/WD-ws-policy-attach-20060731
Latest version: http://www.w3.org/TR/ws-policy-attach
Editors:
Asir S Vedamuthu, Microsoft Corporation
David Orchard, BEA Systems, Inc.
Maryann Hondo, IBM Corporation
Toufic Boubez, Layer 7 Technologies
Prasad Yendluri, webMethods, Inc.
This specification, Web Services Policy 1.5 - Attachment, defines two
general-purpose mechanisms for associating policies, as
defined in Web Services Policy 1.5 - Framework, with the subjects to which they
apply. This specification also defines how these
general-purpose mechanisms may be used to associate policies
with WSDL and UDDI descriptions.
This section describes the status of this document at the
time of its publication. Other documents may supersede this
document. A list of current W3C publications and the latest revision
of this technical report can be found in the W3C technical reports index at
http://www.w3.org/TR/.
This is an updated Public Working Draft of the Web Services Policy 1.5 - Attachment specification for review
by W3C members and other interested parties. It has been produced by
the Web Services
Policy Working Group, which is part of the W3C Web Services
Activity. A list of changes in this version of the document and a diff-marked version against the previous version of this document are available.
Discussion of this document takes place on the public public-ws-policy@w3.org
mailing list (public
archive) and within Bugzilla.
Comments on this specification should be made following the Description for Issues of the Working Group.
This document was produced by a group operating under the
5
February 2004 W3C Patent Policy. W3C maintains a public
list of any patent disclosures made in connection with the
deliverables of the group; that page also includes instructions
for disclosing a patent. An individual who has actual knowledge
of a patent which the individual believes contains Essential
Claim(s) must disclose the information in accordance with
section
6 of the W3C Patent Policy.
Publication as a Working Draft does not imply endorsement by the W3C
Membership. This is a draft document and may be updated, replaced or
obsoleted by other documents at any time. It is inappropriate to
cite this document as other than work in progress.
Last Modified: $Date: 2006/09/26 13:16:10 $
Introduction
The Web Services Policy 1.5 - Framework []
specification defines an abstract model and an XML-based
language for expressing policies of entities in a Web services-based system.
This specification, Web Services Policy 1.5 - Attachment,
defines two general-purpose mechanisms for associating
policies with the subjects to which they apply; the policies
may be defined as part of existing metadata about the subject
or the policies may be defined independently and associated
through an external binding to the subject.
To enable Web Services Policy to be used with existing Web
service technologies, this specification describes the use of
these general-purpose mechanisms with WSDL [] definitions and UDDI [, ,
]. WSDL [] is
deferred.
Notations and Terminology
This section specifies the notations, namespaces, and
terminology used in this specification.
Notational Conventions
This specification uses the following syntax within normative outlines:
The syntax appears as an XML instance, but values in italics indicate data types instead of literal values.
Characters are appended to elements and attributes to indicate cardinality:
"?" (0 or 1)
"*" (0 or more)
"+" (1 or more)
The character "|" is used to indicate a choice between alternatives.
The characters "(" and ")" are used to indicate that contained items are to be treated as a group with respect to cardinality or choice.
This document relies on the XML Information Set []. Information item properties are
indicated by the style infoset property.
XML namespace prefixes (see ) are used to indicate the namespace of the element or attribute being defined.
The ellipses characters "…" are used to
indicate a point of extensibility that allows other
Element or Attribute Information Items.
Elements and Attributes defined by this specification are referred to in the text of this document using
XPath 1.0 [XPATH 1.0] expressions. Extensibility points are referred to using an extended version of this
syntax:
An element extensibility point is referred to using {any} in place of the element name. This
indicates that any element name can be used, from any namespace other than the http://www.w3.org/2006/07/ws-policy
namespace.
An attribute extensibility point is referred to using @{any} in place of the attribute name. This
indicates that any attribute name can be used, from any namespace.
Normative text within this specification takes precedence over
normative outlines, which in turn take precedence over the XML Schema
[] descriptions.
XML Namespaces
This specification uses a number of namespace prefixes throughout; they are
listed in . Note that the choice of any namespace
prefix is arbitrary and not semantically significant (see []).
Prefixes and Namespaces used in this specification
All information items defined by this specification
are identified by the XML namespace URI [] http://www.w3.org/2006/07/ws-policy. A normative XML
Schema [, ] document can be obtained by
dereferencing the XML namespace URI.
In this document reference is made to the wsu:Id
attribute in a utility schema (http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd). The
wsu:Id attribute was added to the utility schema
with the intent that other specifications requiring such an
Id could reference it (as is done here).
It is the intent of the W3C Web Services Policy Working Group that
the Web Services Policy 1.5 - Framework and Web Services Policy 1.5 - Attachment XML namespace URI will not change
arbitrarily with each subsequent revision of the corresponding
XML Schema documents but rather change only when a subsequent revision,
published as a WD, CR or PR draft results in non-backwardly compatible
changes from a previously published WD, CR or PR draft of the specification.
Under this policy, the following are examples of backwards compatible
changes that would not result in assignment of a new XML namespace URI:
Addition of new global element, attribute, complexType
and simpleType definitions.
Addition of new elements or attributes in locations
covered by a previously specified wildcard.
Modifications to the pattern facet of a type definition for which the
value-space of the previous definition remains valid or for
which the value-space of the preponderance of
instances would remain valid.
Modifications to the cardinality of elements for which the
value-space of possible instance documents conformant to
the previous revision of the schema would still be valid
with regards to the revised cardinality rule.
Terminology
The keywords "MUST", "MUST
NOT", "REQUIRED",
"SHALL", "SHALL
NOT", "SHOULD",
"SHOULD NOT",
"RECOMMENDED",
"MAY", and
"OPTIONAL" in this document are to be
interpreted as described in RFC 2119 [].
We introduce the following terms that are used throughout this document:
The
effective policy, for a given policy subject, is the
combination of relevant policies. The relevant policies are those
attached to policy scopes that
contain the policy subject.
The
element policy is the policy attached to the policy subjects associated with
the element information item that contains it.
A merge
consists of serializing each policy as a
policy expression, replacing their
wsp:Policy element with a
wsp:All element, and placing each as
children of a wrapper wsp:Policy
element.
A policy is a
collection of policy
alternatives.
A
policy alternative is a collection of policy assertions.
A
policy assertion represents an individual requirement,
capability, or other property of a behavior.
A
policy attachment is a mechanism for associating policy with one or more policy scopes.
A
policy expression is an XML Infoset representation of a
policy, either in a normal form or in
an equivalent compact form.
A policy
scope is a collection of policy
subjects to which a policy may apply.
A policy
subject is an entity (e.g., an endpoint, message, resource,
interaction) with which a policy can
be associated.
Example
This specification defines several mechanisms for
associating policies (Web Services Policy 1.5 - Framework, []) with various XML Web service entities. For
brevity, we define two sample policy expressions that the
remainder of this document references.
The example in indicates a policy for reliable messaging []. The example in
is a policy for securing messages using X509 certificates
[].
The document containing both of these policy expressions is
assumed to be located at
http://www.example.com/policies. Per Section
3.2
Policy Identification of Web Services Policy 1.5 - Framework [], the URIs used for these policy expressions
in the remainder of this document are
http://www.example.com/policies#RmPolicy and
http://www.example.com/policies#X509EndpointPolicy,
for the examples in and , respectively.
Policy Attachment
This section defines two general-purpose mechanisms for
associating policies with one or
more policy
subjects. The first allows XML-based descriptions of
resources (represented as XML elements) to associate policy as
part of their intrinsic definition. The second allows policies
to be associated with arbitrary policy subjects independently
from their definition.
In addition it defines the processing rules for scenarios
where multiple policies are attached to a policy subject.
Effective Policy
Policies will often be
associated with a particular policy subject using multiple
policy
attachments. For example, there may be attachments
at different points in a WSDL description that apply to a
subject, and other attachments may be made by UDDI and other
mechanisms.
When multiple attachments are made, the
effective policy, for a given policy subject, is the
combination of relevant policies. The relevant policies are those
attached to policy scopes that
contain the policy subject.
This combination can be achieved by a merge. A merge
consists of serializing each policy as a
policy expression, replacing their
wsp:Policy element with a
wsp:All element, and placing each as
children of a wrapper wsp:Policy
element. The resulting policy expression is considered to
represent the combined policy of all of the attachments to
that subject.
Such calculated policy expressions have no meaningful IRI of their own.
Policy Attachment Mechanisms
This section defines two general-purpose mechanisms for
associating policies [] with one or
more policy
subjects. The first allows XML-based descriptions of
resources to associate policy
as part of their intrinsic definition. The second allows
policies to be associated with arbitrary policy subjects
independently from their definition.
XML Element Attachment
It is often desirable to associate policies with the XML
elements describing a subject; this allows description formats
such as WSDL to be easily used with the Web Services Policy
Framework (see Section for the specific details
of WSDL attachment).
The precise
semantics of how element policy is to be processed once
discovered is domain-specific; however, implementations are
likely to follow the precedent specified in the section below
on WSDL [] and Policy.
This specification defines a global attribute that allows
policy expressions to be attached to an arbitrary XML
element. The following is the schema definition for the
wsp:PolicyURIs attribute:
The namespace URI [] for this attribute is http://www.w3.org/2006/07/ws-policy.
The wsp:PolicyURIs attribute contains a white
space-separated list of one or more IRIs []. When this attribute is used,
each of the values identifies a policy expression as defined by
[]. If more than one IRI is specified, the
individual referenced policies need to be merged together
to form a single element policy expression.
The resultant policy is
then associated with the element information item's element policy
property. The
element policy is the policy attached to the policy subjects associated with
the element information item that contains it.
Note that the policy scope of the attachment is specific to the
policy attachment mechanism using it; accordingly, any policy
attachment mechanism using this attribute MUST
define the policy scope of the attachment.
An example of element policy through the use of this global
attribute is given below using the sample policies stated in Section
.
If the policies referenced by the following XML element
Note that this element policy has no meaningful IRI.
The presence of the wsp:PolicyURIs attribute does not
prohibit implementations from using additional mechanisms for
associating policy expressions with XML-based constructs.
Alternatively, rather than using the global attribute, XML elements
may use the wsp:Policy or wsp:PolicyReference elements directly as
children, in order to support element policy, and the semantics for
this are the same as for the use of the global attribute. For example,
an alternative way of attaching the policies in the above example,
using child elements, would be as follows:
This mechanism allows policies to be associated with a policy
subject independent of that subject's definition and/or representation
through the use of a wsp:PolicyAttachment
element.
This element has three components: the policy scope of the
attachment, the policy expressions being bound, and optional security
information. The policy scope of the attachment is defined using one
or more extensible domain expressions that identify policy subjects,
typically using IRIs.
Domain expressions identify the domain of the association. That is,
the set of policy subjects that will be considered for inclusion in
the scope using an extensible domain expression model. Domain
expressions identify policy subjects to be included within the policy
scope. Domain expressions yield an unordered set of policy subjects
for consideration.
For the purposes of attaching policy to a policy subject through
this mechanism, any policy expression contained inside of the
wsp:AppliesTo element MUST NOT be
considered in scope. For example, an Endpoint Reference may be used as
a domain expression, and it may contain policy expressions within it,
but these policy expressions are not considered in scope with respect
to the wsp:PolicyAttachment element using it.
The following is the pseudo-schema for the wsp:PolicyAttachment element:
The following describes the attributes and elements listed in the pseudo-schema outlined above:
This describes an external policy attachment.
This required element's children describe the policy scope.
These child elements MUST specify and/or
refine the domain expression(s) that define the policy scope. They
MUST NOT contradict the semantics of their root
element; if an element is not recognized, it SHOULD
be ignored. Domain expressions are XML elements that describe policy
subjects within a policy scope. When more than one domain expression
is present, the policy scope contains the union of the policy subjects
identified by each expression.
This element is a policy expression representing a policy that
is attached to the policy subjects within the policy scope.
This element references a policy expression to be attached to
the policy subjects that are in the policy scope. Refer to Web Services Policy 1.5 - Framework []
for additional details.
This optional element allows security information such as
signatures to be included. The syntax of this element is described in
WS-Security [].
Additional attributes MAY be specified but
MUST NOT contradict the semantics of the owner
element; if an attribute is not recognized, it
SHOULD be ignored.
Other child elements for binding constructs
MAY be specified but MUST NOT
contradict the semantics of the parent element; if an element is not
recognized, it SHOULD be ignored.
Domain expressions are used to identify entities such as endpoints, messages
or resources with which a policy can be associated. For example, domain expressions may
be used to refer to WSDL 1.1 definitions, WSDL 2.0 components, endpoint references, etc.
The following example illustrates the use of this mechanism with an
EndpointReference domain expression for a deployed endpoint as defined
in Web Services Addressing []:
In this example, the policy expression at
http://www.example.com/policies#RmPolicy applies to all
interactions with the endpoint at
http://www.example.com/acct.
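The scoping rule for wsp:AppliesTo described above, as an added example that is not part of the specification: it reads an external attachment, takes the policy scope from the domain expressions, and binds only the policy references that are direct children of wsp:PolicyAttachment. The sample document is constructed; the WS-Addressing namespace and the wsa:Metadata wrapper around the nested reference are assumptions about the EndpointReference format.

```python
import xml.etree.ElementTree as ET

WSP = "{http://www.w3.org/2006/07/ws-policy}"
WSA = "{http://www.w3.org/2005/08/addressing}"  # assumed WS-Addressing namespace

# Constructed sample: the endpoint reference used as a domain expression
# carries a policy reference of its own inside wsa:Metadata.
SAMPLE_ATTACHMENT = """\
<wsp:PolicyAttachment
    xmlns:wsp="http://www.w3.org/2006/07/ws-policy"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wsp:AppliesTo>
    <wsa:EndpointReference>
      <wsa:Address>http://www.example.com/acct</wsa:Address>
      <wsa:Metadata>
        <wsp:PolicyReference
            URI="http://www.example.com/policies#X509EndpointPolicy"/>
      </wsa:Metadata>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
  <wsp:PolicyReference URI="http://www.example.com/policies#RmPolicy"/>
</wsp:PolicyAttachment>
"""


def naive_bound_policies(attachment):
    """Flawed reading: a descendant search also returns references that
    are nested inside wsp:AppliesTo, which MUST NOT be considered in scope."""
    return [ref.get("URI") for ref in attachment.iter(WSP + "PolicyReference")]


def read_attachment(attachment):
    """Return the policy scope and the policies bound by one attachment."""
    applies_to = attachment.find(WSP + "AppliesTo")
    if attachment.tag != WSP + "PolicyAttachment" or applies_to is None:
        raise ValueError("not a wsp:PolicyAttachment with wsp:AppliesTo")

    # The scope is the union of the subjects named by each domain expression.
    subjects = set()
    for expression in applies_to:
        if expression.tag == WSA + "EndpointReference":
            address = expression.findtext(WSA + "Address")
            if address and address.strip():
                subjects.add(address.strip())
        # Unrecognized domain expressions are ignored here.

    # Only direct children of wsp:PolicyAttachment are bound to the scope.
    references = [child.get("URI") for child in attachment
                  if child.tag == WSP + "PolicyReference"]
    inline = [child for child in attachment if child.tag == WSP + "Policy"]
    return {"subjects": subjects, "references": references, "inline": inline}


if __name__ == "__main__":
    doc = ET.fromstring(SAMPLE_ATTACHMENT)
    print("naive  :", naive_bound_policies(doc))
    print("scoped :", read_attachment(doc))
```

A consumer that uses the descendant search would apply the X509 policy to http://www.example.com/acct even though this attachment binds only RmPolicy.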
Attaching Policies Using WSDL 1.1
The RECOMMENDED means of associating a policy
with a policy subject that has a WSDL 1.1 []
description is to attach a reference to the policy within the WSDL
component corresponding to the target policy subject.
WSDL 1.1 disallows the use of extensibility elements on certain
elements and the use of extensibility attributes on others. However,
the WS-I Basic Profile 1.1 [] overrules this
restriction and allows element extensibility everywhere. Therefore,
the policy reference SHOULD be attached using
wsp:PolicyReference as child element unless it is
absolutely necessary to maintain the original WSDL 1.1 restriction, in
which case the @wsp:PolicyURIs attribute MAY be used
for the following WSDL elements:
wsdl11:portType
wsdl11:portType/wsdl11:operation/wsdl11:input
wsdl11:portType/wsdl11:operation/wsdl11:output
wsdl11:portType/wsdl11:operation/wsdl11:fault
If it is necessary to include the actual policy expressions within
the WSDL description itself, it is RECOMMENDED that
their wsp:Policy elements be included as children of
the wsdl11:definition element, and referenced using
the mechanisms just described. Alternatively, the policy expressions MAY be made available through some other means,
such as WS-MetadataExchange [].
To ensure that consumers of policy-annotated WSDL elements are
capable of processing such policy attachments, attachments using
wsp:PolicyReference SHOULD be
marked as a mandatory extension (e.g., with a
@wsdl11:required="true" attribute).
The rest of this section defines how to interpret the policy
attachments when they appear within a WSDL description.
Calculating Effective Policy in WSDL 1.1
Policy attachments in WSDL 1.1 can be used to associate policies
with four different types of policy subject, identified as the service
policy subject, the endpoint policy subject, the operation policy
subject, and the message policy subject. These subjects should be
considered as nested, due to the hierarchical nature of WSDL.
When attaching a policy to a WSDL element, a policy scope is
implied for that attachment. The policy scope only contains the policy
subject associated with that element and not those associated with the
children of that element. Therefore, it is
RECOMMENDED that each policy assertion contained
within a WSDL element's element policy should have the correct
semantic such that the subject for that assertion is that WSDL
element. For example, assertions that describe behaviours regarding
the manipulation of messages should only be contained within policies
attached to WSDL message elements.
Figure 1 represents how the effective policies, with regard to
WSDL, are calculated for each of these policy subjects. In the
diagram, the dashed boxes represent policy scopes implied by WSDL
elements. For a particular policy subject, the effective policy MUST merge the element policy of each
element with a policy scope that contains the policy subject.
For abstract WSDL definitions, the element policy is considered an
intrinsic part of the definition and applies to all uses of that
definition. In particular, it MUST be
merged into the effective policy of every implementation
of that abstract WSDL definition.
Policies that are attached to a deployed resource (e.g., services
or ports) are only considered in the effective policy of that deployed
resource itself.
When attaching policies at different levels of the WSDL hierarchy, care must be taken.
A message exchange with an endpoint MAY be described by the
effective policies
in all four subject types simultaneously.
For example, in , for a particular input message to a deployed
endpoint, there are four policy subjects involved, each with their own
effective policy. There is an effective policy for the message, as
well as an effective policy for the parent operation of that message,
an effective policy for the deployed endpoint, and the effective
policy for the service as a whole. All four effective policies are
applicable in relation to that specific input message.
It is RECOMMENDED that, where specific policy
assertions associated with one policy subject are only compatible with
specific policy assertions on another policy subject in the same
hierarchical chain, the policies containing these assertions should be
attached within a single WSDL binding hierarchy.
For any given port, the policy
alternatives for each policy
subject type SHOULD be compatible with
each of the policy
alternatives at each of the policy subject's parent and child
policy subjects, such that
choices between policy
alternatives at each level are independent of each
other.
The rest of this section describes these policy subject types, and
how the effective policy for each policy subject is calculated.
Service Policy Subject
The following WSDL 1.1 element is considered as the service policy subject:
wsdl11:service
This element MAY have element policy as per
Section , and if present
MUST be merged into the effective policy of the
WSDL service policy subject.
A policy associated with a service policy subject applies to any
message exchange using any of the endpoints offered by that service.
Endpoint Policy Subject
The following WSDL 1.1 elements collectively describe an endpoint:
wsdl11:port
wsdl11:portType
wsdl11:binding
These elements MAY have element policy as per Section . The policy scope implied by each of these elements contains the endpoint policy subject representing the deployed endpoint.
Since the wsdl11:portType may be used by more than one
binding, it is RECOMMENDED that only policies
containing abstract (i.e., binding independent) assertions should be
attached to this type of element.
Policies associated with an endpoint
policy subject apply to any message exchange made using that endpoint.
The effective policy for a WSDL endpoint policy subject includes
the element policy of the wsdl11:port element that defines
the endpoint merged with the element policy of the
referenced wsdl11:binding element and the element policy of
the referenced wsdl11:portType element that defines the
interface of the endpoint.
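The endpoint calculation above, together with the merge defined under Effective Policy and the wsp:PolicyURIs and wsp:PolicyReference attachment forms, as an added example that is not part of the specification. The WSDL document is constructed, the ex: assertions are placeholders, and two simplifications are assumed: references are same-document fragments only, and QName prefixes are resolved by local name.

```python
import copy
import xml.etree.ElementTree as ET

WSP = "{http://www.w3.org/2006/07/ws-policy}"
WSU = ("{http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd}")
WSDL11 = "{http://schemas.xmlsoap.org/wsdl/}"

# Constructed sample: both policies are children of wsdl11:definitions.
SAMPLE_WSDL = """\
<wsdl11:definitions name="StockQuote"
    xmlns:wsdl11="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://www.w3.org/2006/07/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:ex="urn:example:assertions"
    xmlns:tns="urn:example:stock">
  <wsp:Policy wsu:Id="RmPolicy"><ex:ReliableMessaging/></wsp:Policy>
  <wsp:Policy wsu:Id="X509EndpointPolicy"><ex:X509Token/></wsp:Policy>
  <wsdl11:portType name="StockQuotePortType" wsp:PolicyURIs="#RmPolicy"/>
  <wsdl11:binding name="StockQuoteSoapBinding" type="tns:StockQuotePortType">
    <wsp:PolicyReference URI="#X509EndpointPolicy" wsdl11:required="true"/>
  </wsdl11:binding>
  <wsdl11:service name="StockQuoteService">
    <wsdl11:port name="StockQuotePort" binding="tns:StockQuoteSoapBinding"/>
  </wsdl11:service>
</wsdl11:definitions>
"""


def index_policies(root):
    """Map '#Id' to every wsp:Policy element that carries a wsu:Id."""
    return {"#" + p.get(WSU + "Id"): p
            for p in root.iter(WSP + "Policy") if p.get(WSU + "Id")}


def element_policies(elem, index):
    """Policies attached to one element through @wsp:PolicyURIs,
    wsp:PolicyReference children or inline wsp:Policy children."""
    iris = elem.get(WSP + "PolicyURIs", "").split()
    iris += [ref.get("URI") for ref in elem.findall(WSP + "PolicyReference")]
    found = []
    for iri in iris:
        if iri not in index:
            # Fail closed: skipping an unresolved reference would silently
            # drop requirements from the effective policy.
            raise LookupError("unresolved policy reference: %r" % (iri,))
        found.append(index[iri])
    return found + elem.findall(WSP + "Policy")


def merge(policies):
    """Replace each wsp:Policy by a wsp:All under one wrapper wsp:Policy."""
    wrapper = ET.Element(WSP + "Policy")  # no wsu:Id: the result has no IRI
    for policy in policies:
        branch = ET.SubElement(wrapper, WSP + "All")
        branch.extend([copy.deepcopy(child) for child in policy])
    return wrapper


def find_named(root, tag, name):
    for elem in root.iter(WSDL11 + tag):
        if elem.get("name") == name:
            return elem
    raise LookupError("no wsdl11:%s named %r" % (tag, name))


def endpoint_effective_policy(root, port_name):
    """Merge the element policies of the port, its binding and its portType."""
    index = index_policies(root)
    port = find_named(root, "port", port_name)
    binding = find_named(root, "binding", port.get("binding").split(":")[-1])
    port_type = find_named(root, "portType", binding.get("type").split(":")[-1])
    parts = []
    for elem in (port, binding, port_type):
        parts += element_policies(elem, index)
    return merge(parts)


def assertion_names(policy):
    """Local names of the assertions in each wsp:All branch, for inspection."""
    return [[child.tag.split("}")[-1] for child in branch] for branch in policy]


if __name__ == "__main__":
    effective = endpoint_effective_policy(ET.fromstring(SAMPLE_WSDL),
                                          "StockQuotePort")
    print(ET.tostring(effective, encoding="unicode"))
```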
Operation Policy Subject
The following WSDL 1.1 elements collectively describe an operation:
wsdl11:portType/wsdl11:operation
wsdl11:binding/wsdl11:operation
These elements MAY have element policy as per Section .
The policy scope implied by each of these elements contains the
operation policy subject representing the specific operation of the
endpoint policy subject.
Since the wsdl11:portType/wsdl11:operation may be used by
more than one binding, it is RECOMMENDED that only
policies containing abstract (i.e., binding independent) assertions
should be attached to this type of element.
Policies associated with an operation policy subject apply to
the message exchange described by that operation.
The effective policy for a WSDL operation policy subject is
calculated in relation to a specific port, and includes the element
policy of the wsdl11:portType/wsdl11:operation element that
defines the operation merged with that of the
corresponding wsdl11:binding/wsdl11:operation element.
Message Policy Subject
The following WSDL 1.1 elements are used to describe messages:
wsdl11:message
wsdl11:portType/wsdl11:operation/wsdl11:input
wsdl11:portType/wsdl11:operation/wsdl11:output
wsdl11:portType/wsdl11:operation/wsdl11:fault
wsdl11:binding/wsdl11:operation/wsdl11:input
wsdl11:binding/wsdl11:operation/wsdl11:output
wsdl11:binding/wsdl11:operation/wsdl11:fault
These elements MAY have element policy as per Section .
The policy scope implied by these elements contains the message
policy subject representing the specific input, output, or fault
message in relation to the operation policy subject.
Policies associated with a message policy subject apply to that
message (i.e. input, output or fault message).
The effective policy for a specific WSDL message (i.e., input,
output, or fault message) is calculated in relation to a specific
port, and includes the element policy of the wsdl11:message
element that defines the message's type merged with the
element policy of the wsdl11:binding and
wsdl11:portType message definitions that describe that
message.
For example, the effective policy of a specific input message for a
specific port would be the merge of the
wsdl11:message element defining the message type, the
wsdl11:portType/wsdl11:operation/wsdl11:input element, and
the corresponding
wsdl11:binding/wsdl11:operation/wsdl11:input element for that
message.
Since a wsdl11:message may be used by more than one
wsdl11:portType, it is RECOMMENDED that
only policies containing abstract (i.e., binding independent)
assertions should be attached to this type of element.
Since wsdl11:input, wsdl11:output, and
wsdl11:fault elements in a
wsdl11:portType/wsdl11:operation may be used by more than
one binding, it is RECOMMENDED that only policies
containing abstract (i.e., binding independent) assertions should be
attached to these types of elements.
Care should be taken when attaching policies to outbound messages
as the result may not be what is expected. For example, expressing a
choice on a service's outbound message without a mechanism for a
requester of that service to communicate its choice to the service
before the outbound message is sent may not result in the desired
behaviours. It is therefore RECOMMENDED that policy
alternatives on outbound messages SHOULD be avoided
without the use of some form of mutual policy exchange between the
parties involved.
Example
As an example of the combination of these policy subjects and
effective policy calculation, consider the WSDL type definition in
that references policies.
For endpoints bound to StockQuoteSoapBinding, the effective policy
of the endpoint is listed in (above). For
the GetLastTradePrice operation, an additional
message-level effective policy is in effect for the input message,
whose XML 1.0 representation is listed in .
This section defines a mechanism for associating policies with
policy subjects through the use of UDDI. It defines a minimum level of
support for associating policy expressions with entities in a UDDI
registry. The calculation of effective policy for UDDI entities is
described in Section . While the general
concept for associating policy expressions with UDDI entities, which
is specified in Sections and , is based on UDDI Version 2 [, ], the necessary
changes with respect to UDDI Version 3 [] are
explained in Section .
There are essentially two approaches for registering policies in
UDDI. One approach is to directly reference remotely accessible policy
expressions in UDDI entities, the other is to register policy
expressions as distinct tModels and then reference these tModels in
each UDDI entity that is using the policy expression. While the former
approach (see Section ) is expected to be used for
policy expressions that are mainly unique for a given Web service, the
latter approach (see Section ) is expected to be used
for more modular and reusable policy expressions.
Calculating Effective Policy and Element Policy in UDDI
When attaching a policy to a UDDI entity a policy scope is implied
for that attachment. The policy scope only contains the policy
subjects associated with that entity, and not those associated with
the children of that entity. This policy is the entity's element
policy.
Each policy assertion contained within a UDDI entity's element
policy should have the correct semantic such that the subject for that
assertion is that UDDI entity. For example, assertions that describe
behaviours regarding a service provider should only be contained
within policies attached to a businessEntity structure.
For UDDI tModels that represent Web service types, the element
policy is considered an intrinsic part of the tModel and applies to
all uses of that tModel. In particular, it MUST be
merged into the effective policy of every bindingTemplate
that references that tModel.
Policies that apply to deployed Web services (bindingTemplates) are
only considered in the effective policy of that deployed resource
itself.
Each of these entities MAY have an element
policy per Section . The remainder of
this section defines how that element policy is interpreted to
calculate the effective policy.
Service Provider Policy Subject
The following UDDI element is considered as the service provider policy subject:
uddi:businessEntity
This element MAY have element policy as per
Section , and if present
MUST be merged into the effective policy of the
UDDI businessEntity Subject.
Policy attached to the service provider policy subject applies to
behaviors or aspects of the service provider as a whole, irrespective
of interactions over any particular service. This includes — but
is not limited to — acting as a service consumer or a service
provider in general.
Service Policy Subject
The following UDDI element is considered as the service policy subject:
uddi:businessService
This element MAY have element policy as per Section , and if present MUST be
merged into the effective
policy of the UDDI businessService Subject.
Policy attached to the service policy subject applies to behaviors
or aspects of the service as a whole, irrespective of interactions
over any particular endpoint. This includes — but is not limited
to — acting as a consumer or a provider of the service.
Endpoint Policy Subject
The following UDDI elements collectively describe an endpoint:
uddi:bindingTemplate
uddi:tModel
These elements MAY have element policy as per
Section . The policy scope implied by
each of these elements contains the endpoint policy subject
representing the deployed endpoint.
An endpoint policy subject applies to behaviours associated with an
entire endpoint of the service, irrespective of any message exchange
made. This includes — but is not limited to — aspects of
communicating with or instantiating the endpoint.
The effective policy for a UDDI endpoint includes the element
policy of the uddi:bindingTemplate element that defines the
endpoint merged with the element policy of those
uddi:tModel elements that are referenced in contained
uddi:tModelInstanceInfo elements.
Referencing Remote Policy Expressions
UDDI tModels provide a generic mechanism for associating arbitrary
metadata with services and other entities in a UDDI registry. To
properly integrate Web Services Policy into the UDDI model, Web Services Policy 1.5 - Attachment
pre-defines one tModel that is used to associate a remotely accessible
policy with an entity in a UDDI registry.
This new tModel is called the remote policy reference category
system and is defined in Appendix .
UDDI registries MUST use the tModelKey uuid:a27078e4-fd38-320a-806f-6749e84f8005 to uniquely identify this
tModel so that UDDI registry users can expect the same behavior across
different UDDI registries.
The tModel's valid values are those IRIs that identify external
policy expressions; that is, when referencing this category system in
a categoryBag, the corresponding keyValue of the keyedReference is the
IRI of the policy expression.
Using the remote policy reference category system, one can then
associate a policy expression with a businessEntity, a
businessService, and a tModel using the entity's categoryBag. For
example, associating the policy expression that is identified by the
IRI http://www.example.com/myservice/policy with a businessService is
done as follows:
<businessService serviceKey="…" >
  <name>…</name>
  <description>…</description>
  <bindingTemplates>…</bindingTemplates>
  <categoryBag>
    <keyedReference
      keyName="Policy Expression for example's Web services"
      keyValue="http://www.example.com/myservice/policy"
      tModelKey="uuid:a27078e4-fd38-320a-806f-6749e84f8005" />
  </categoryBag>
</businessService>
The tModelKey of the keyedReference MUST match
the fixed tModelKey from the remote policy reference category
system. The keyValue MUST be the IRI that
identifies the policy expression.
A different approach has to be taken to associate a policy
expression with a bindingTemplate, since bindingTemplates do not
contain a categoryBag in UDDI Version 2. Therefore, the
bindingTemplate's tModelInstanceInfo and instanceParms MUST be used as follows:
The tModelKey of the tModelInstanceInfo MUST
match the fixed tModelKey from the remote policy reference category
system as defined above. The instanceParms MUST be
the IRI that identifies the policy expression.
Registering Reusable Policy Expressions
In addition to using the approach outlined in the section above,
publishers may register a specific policy expression in a UDDI
registry as a distinct tModel. To properly categorize tModels as
policy expressions, Web Services Policy 1.5 - Attachment pre-defines the Web Services Policy
Types category system as a tModel. This tModel is defined in Appendix
.
The following illustrates a tModel for the policy expression
identified by the IRI
http://www.example.com/myservice/policy.
<tModel tModelKey="uuid:04cfa…">
  <name>…</name>
  <description xml:lang="EN">
    Policy Expression for example's Web services
  </description>
  <overviewDoc>
    <description xml:lang="EN">Web Services Policy Expression</description>
    <overviewURL>http://www.example.com/myservice/policy</overviewURL>
  </overviewDoc>
  <categoryBag>
    <keyedReference
      keyName="Reusable policy Expression"
      keyValue="policy"
      tModelKey="uuid:fa1d77dc-edf0-3a84-a99a-5972e434e993" />
    <keyedReference
      keyName="Policy Expression for example's Web services"
      keyValue="http://www.example.com/myservice/policy"
      tModelKey="uuid:a27078e4-fd38-320a-806f-6749e84f8005" />
  </categoryBag>
</tModel>
The first keyedReference specifies that the tModel represents a
policy expression — rather than only being associated with one
— by using the Web Services Policy Types category system's built-in
category "policy", which is its single valid value. This is necessary
in order to enable UDDI inquiries for policy expressions in
general. The second keyedReference designates the policy expression
the tModel represents by using the approach from the section
above. This is necessary in order to enable UDDI inquiries for
particular policy expressions based on their IRI.
Note that the policy expression IRI is also specified in the
tModel's overview URL to indicate that it is a resolvable URL to
actually retrieve the policy expression.
Web Services Policy 1.5 - Attachment pre-defines another tModel that is used to
associate such pre-registered, locally available policy expressions
with an entity in a UDDI registry.
This new tModel is called the local policy reference category
system and is defined in Appendix .
UDDI registries MUST use the tModelKey uuid:a27f7d45-ec90-31f7-a655-efe91433527c to uniquely identify this
tModel so that UDDI registry users can expect the same behavior across
different UDDI registries.
The local policy reference category system is based on
tModelKeys. The valid values of this category system are those
tModelKeys identifying tModels that
exist in the same UDDI registry
and are categorized as "policy" using the Web Services Policy Types category system.
That is, when referencing this category system in a category bag,
the corresponding keyValue of the keyedReference is the tModelKey of
the tModel that represents the policy expression.
Given the local policy reference category system, one can then
associate a policy expression tModel with a businessEntity, a
businessService, and a tModel using the entity's categoryBag. For
example, associating the policy expression tModel with the tModelKey "uuid:04cfa…" from above with a businessService is done as
follows:
<businessService serviceKey="…" >
  <name>…</name>
  <description>…</description>
  <bindingTemplates>…</bindingTemplates>
  <categoryBag>
    <keyedReference
      keyName="Policy Expression for example's Web services"
      keyValue="uuid:04cfa…"
      tModelKey="uuid:a27f7d45-ec90-31f7-a655-efe91433527c" />
  </categoryBag>
</businessService>
The tModelKey of the keyedReference MUST match
the fixed tModelKey from the local policy reference category
system. The keyValue MUST be the tModelKey of the
policy expression that is registered with the UDDI registry.
A different approach has to be taken to associate a policy
expression with a bindingTemplate, since bindingTemplates do not
contain a categoryBag in UDDI Version 2. Therefore, the
bindingTemplate's tModelInstanceInfo and instanceParms MUST be used as follows:
The tModelKey of the tModelInstanceInfo MUST match the fixed tModelKey from the
local policy reference category system. The instanceParms MUST be the tModelKey of the policy
expression that is registered with the UDDI registry.
Registering Policies in UDDI Version 3
UDDI Version 3 [] provides a number of
enhancements in the areas of modeling and entity keying. Special
considerations for UDDI multi-version support are outlined in chapter
10 of []. The changes with respect to the
previous sections are as follows.
First, the tModelKeys of the pre-defined tModels are migrated to
domain-based keys. The migration is unique since the Version 2 keys
introduced in this specification are already programmatically derived
from the Version 3 keys given below.
The tModelKey for the remote policy reference tModel changes
from
"uuid:a27078e4-fd38-320a-806f-6749e84f8005" to
"uddi:schemas.xmlsoap.org:remotepolicyreference:2003_03".
The tModelKey for the Web Services Policy Types tModel changes from "uuid:fa1d77dc-edf0-3a84-a99a-5972e434e993" to "uddi:schemas.xmlsoap.org:policytypes:2003_03".
The tModelKey for the local policy reference tModel changes from "uuid:a27f7d45-ec90-31f7-a655-efe91433527c" to "uddi:schemas.xmlsoap.org:localpolicyreference:2003_03".
Second, rather than putting policy expression references in a
bindingTemplate's tModelInstanceInfo, they are added to the
bindingTemplate's categoryBag, analogous to the mechanism described
for other UDDI entities. For example, the example bindingTemplate from
section would be
changed as follows:
<bindingTemplate bindingKey="…" >
  <accessPoint>…</accessPoint>
  <tModelInstanceDetails>…</tModelInstanceDetails>
  <categoryBag>
    <keyedReference
      keyName="Policy Expression for example's Web services"
      keyValue="http://www.example.com/myservice/policy"
      tModelKey="uddi:schemas.xmlsoap.org:remotepolicyreference:2003_03"
    />
  </categoryBag>
</bindingTemplate>
Third, inquiries for reusable policy expression tModels and UDDI
entities that are associated with remote policy expressions are enhanced
by the wildcard mechanism for keyValues in keyedReferences. For
example, to search for all policy expression tModels whose IRI starts
with http://www.example.com/, the following find_tModel API call can
be used:
Fourth, all UDDI entities may be digitally signed using XML digital
signatures []. Publishers who want to
digitally sign their policy expression tModels or policy expression
references in UDDI MUST use the Schema-centric
canonicalization algorithm [].
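The attachment forms from the preceding sections (categoryBag references, the UDDI Version 2 bindingTemplate form, and reusable policy expression tModels) can be checked mechanically when a consumer reads entities from a registry. The following Python code is an added example, not part of the specification: the function names and the sample entities, including every key other than the fixed tModelKeys, are constructed for illustration, and the test for an absolute IRI is an added assumption about what a consumer should accept.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Fixed tModelKeys from the specification: UDDI V2 uuid form and V3 domain form.
REMOTE = {"uuid:a27078e4-fd38-320a-806f-6749e84f8005",
          "uddi:schemas.xmlsoap.org:remotepolicyreference:2003_03"}
LOCAL = {"uuid:a27f7d45-ec90-31f7-a655-efe91433527c",
         "uddi:schemas.xmlsoap.org:localpolicyreference:2003_03"}
POLICY_TYPES = {"uuid:fa1d77dc-edf0-3a84-a99a-5972e434e993",
                "uddi:schemas.xmlsoap.org:policytypes:2003_03"}

def _kids(elem, name):
    # Match on local name so documents in the V2 or V3 API namespace both work.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _pairs(root):
    """(tModelKey, value) pairs attached directly to this entity, not to nested ones."""
    pairs = [(kr.get("tModelKey"), kr.get("keyValue", ""))
             for bag in _kids(root, "categoryBag")
             for kr in _kids(bag, "keyedReference")]
    # UDDI V2 bindingTemplate: tModelInstanceInfo holds the key, instanceParms
    # (inside instanceDetails in the V2 data structure) holds the value.
    for details in _kids(root, "tModelInstanceDetails"):
        for info in _kids(details, "tModelInstanceInfo"):
            for inst in _kids(info, "instanceDetails"):
                for parms in _kids(inst, "instanceParms"):
                    pairs.append((info.get("tModelKey"), (parms.text or "").strip()))
    return pairs

def policy_references(entity_xml):
    """Return [("remote"|"local", value)] for the references on one UDDI entity."""
    kinds = ((REMOTE, "remote"), (LOCAL, "local"))
    return [(kind, value) for key, value in _pairs(ET.fromstring(entity_xml))
            for keys, kind in kinds if key in keys]

def policy_tmodel_iri(tmodel_xml):
    """IRI of a reusable policy expression tModel, or None if it is not one."""
    pairs = _pairs(ET.fromstring(tmodel_xml))
    if not any(k in POLICY_TYPES and v == "policy" for k, v in pairs):
        return None
    iris = [v for k, v in pairs if k in REMOTE]
    return iris[0] if len(iris) == 1 else None   # exactly one remote reference

def check(refs, local_policy_keys):
    """Problems found; local_policy_keys = policy tModelKeys known in this registry."""
    problems = []
    for kind, value in refs:
        if kind == "remote" and not urlsplit(value).scheme:
            problems.append("remote value is not an absolute IRI: " + repr(value))
        if kind == "local" and value not in local_policy_keys:
            problems.append("local value is not a policy tModel here: " + repr(value))
    return problems

# Constructed sample entities, trimmed to the elements the checks read.
V2_BINDING = """<bindingTemplate bindingKey="uuid:constructed-binding">
  <tModelInstanceDetails>
    <tModelInstanceInfo tModelKey="uuid:a27078e4-fd38-320a-806f-6749e84f8005">
      <instanceDetails><instanceParms>http://www.example.com/myservice/policy</instanceParms></instanceDetails>
    </tModelInstanceInfo>
  </tModelInstanceDetails>
</bindingTemplate>"""

SERVICE = """<businessService serviceKey="uuid:constructed-service">
  <categoryBag>
    <keyedReference tModelKey="uuid:a27f7d45-ec90-31f7-a655-efe91433527c" keyValue="uuid:constructed-policy-tmodel" />
    <keyedReference tModelKey="uuid:a27078e4-fd38-320a-806f-6749e84f8005" keyValue="myservice/policy" />
  </categoryBag>
</businessService>"""

POLICY_TMODEL = """<tModel tModelKey="uuid:constructed-policy-tmodel">
  <categoryBag>
    <keyedReference tModelKey="uuid:fa1d77dc-edf0-3a84-a99a-5972e434e993" keyValue="policy" />
    <keyedReference tModelKey="uuid:a27078e4-fd38-320a-806f-6749e84f8005" keyValue="http://www.example.com/myservice/policy" />
  </categoryBag>
</tModel>"""
```

These checks cover the structure of policy references only; they do not verify XML signatures on the entities.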
Security Considerations
It is RECOMMENDED that policy attachments be
signed to prevent tampering. This also provides a mechanism for
authenticating policy attachments by determining if the signer has the
right to "speak for" the scope of the policy attachment.
Policies SHOULD NOT be accepted unless they are
signed and have an associated security token to specify the signer has
the right to "speak for" the scope containing the policy.
Conformance
References
Normative References
Basic Profile Version 1.1, K. Ballinger,
et al, Editors. The Web Services-Interoperability
Organization, 24 August 2004. This version of the Basic
Profile Version 1.1 is
http://www.ws-i.org/Profiles/BasicProfile-1.1-2004-08-24.html. The
latest
version of the Basic Profile Version 1.1 is available at
http://www.ws-i.org/Profiles/BasicProfile-1.1.html
Key words for use in RFCs to Indicate Requirement
Levels, S. Bradner, Author. Internet Engineering
Task Force, June 1999. Available at
http://www.ietf.org/rfc/rfc2119.txt.
Internationalized Resource Identifiers (IRIs),
M. Duerst and M. Suignard,
Authors. Internet Engineering Task Force,
January 2005. Available at
http://www.ietf.org/rfc/rfc3987.txt.
UDDI Version 2.04 API, T. Bellwood,
Editor. Organization for the Advancement of Structured
Information Standards, 19 July 2002. This version of UDDI
Version 2.0 API is
http://uddi.org/pubs/ProgrammersAPI-V2.04-Published-20020719.htm. The
latest
version of the UDDI 2.0 API is available at
http://uddi.org/pubs/ProgrammersAPI_v2.htm.
UDDI Version 2.03 Data Structure
Reference, C. von Riegen, Editor. Organization for
the Advancement of Structured Information Standards, 19 July
2002. This version of UDDI Version 2.0 Data Structures is
http://uddi.org/pubs/DataStructure-V2.03-Published-20020719.htm. The
latest
version of the UDDI 2.0 Data Structures is available at
http://uddi.org/pubs/DataStructure_v2.htm.
UDDI Version 3.0.1, L. Clément, et
al, Editors. Organization for the Advancement of Structured Information Standards, 14 October 2003. This version of the UDDI
Version 3.0 is
http://uddi.org/pubs/uddi-v3.0.1-20031014.htm. The latest version of the
UDDI 3.0 specification is available at
http://uddi.org/pubs/uddi_v3.htm.
Web Services Policy 1.5 - Framework, A. S. Vedamuthu, D. Orchard, M. Hondo, T. Boubez and P. Yendluri,
Editors. World Wide Web Consortium, 27 September
2006. This version of the
Web Services Policy 1.5 - Framework specification is
http://www.w3.org/TR/2006/WD-ws-policy-20060927. The latest version
of Web Services Policy 1.5 - Framework is available at
http://www.w3.org/TR/ws-policy.
Web Services Addressing 1.0 - Core,
M. Gudgin, M. Hadley, and T. Rogers, Editors. World Wide Web
Consortium, 9 May 2006. This version of the Web Services
Addressing 1.0 - Core Recommendation is
http://www.w3.org/TR/2006/REC-ws-addr-core-20060509/. The latest version of Web
Services Addressing 1.0 - Core is available at
http://www.w3.org/TR/ws-addr-core.
Web Services Description Language (WSDL)
1.1, E. Christensen, et al, Authors. World Wide Web
Consortium, March 2001. Available at
http://www.w3.org/TR/2001/NOTE-wsdl-20010315.
Web Services Description Language (WSDL) Version 2.0
Part 1: Core Language, R. Chinnici, J. J. Moreau,
A. Ryman, S. Weerawarana, Editors. World Wide Web Consortium,
27 March 2006. This version of the WSDL 2.0 specification is
http://www.w3.org/TR/2006/CR-wsdl20-20060327. The latest version of WSDL
2.0 is available at http://www.w3.org/TR/wsdl20.
Web Services Security: SOAP Message Security 1.0
(WS-Security 2004), A. Nadalin, C. Kaler,
P. Hallam-Baker, and R. Monzillo, Editors. Organization for the Advancement of Structured Information Standards, March
2004. Available at
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf.
XML Information Set (Second Edition),
J. Cowan and R. Tobin, Editors. World Wide Web Consortium, 24
October 2001, revised 4 February 2004. This version of the
XML Information Set Recommendation is
http://www.w3.org/TR/2004/REC-xml-infoset-20040204. The latest version of XML
Information Set is available at
http://www.w3.org/TR/xml-infoset.
Namespaces in XML 1.0, T. Bray, D. Hollander,
A. Layman, and R. Tobin, Editors. World Wide Web Consortium,
14 January 1999, revised 16 August 2006. This version of the
XML Information Set Recommendation is
http://www.w3.org/TR/2006/REC-xml-names-20060816/. The latest version of
Namespaces in XML is available at
http://www.w3.org/TR/REC-xml-names.
XML Schema Part 2: Datatypes Second
Edition, P. Byron and A. Malhotra, Editors. World
Wide Web Consortium, 2 May 2001, revised 28 October 2004. This
version of the XML Schema Part 2 Recommendation is
http://www.w3.org/TR/2004/REC-xmlschema-2-20041028. The latest version of XML
Schema Part 2 is available at
http://www.w3.org/TR/xmlschema-2.
XML Schema Part 1: Structures Second
Edition, H. Thompson, D. Beech, M. Maloney, and
N. Mendelsohn, Editors. World Wide Web Consortium, 2 May 2001,
revised 28 October 2004. This version of the XML Schema Part 1
Recommendation is
http://www.w3.org/TR/2004/REC-xmlschema-1-20041028. The latest version of XML
Schema Part 1 is available at
http://www.w3.org/TR/xmlschema-1.
Other References
Schema Centric XML Canonicalization Version
1.0, S. Aissi, A. Hately, and M. Hondo,
Editors. Organization for the Advancement of Structured
Information Standards, 23 May 2005. This version of the Schema
Centric XML Canonicalization Version 1.0 is
http://uddi.org/pubs/SchemaCentricCanonicalization-20050523.htm. The
latest
version of Schema Centric XML Canonicalization Version
1.0 is available at
http://uddi.org/pubs/SchemaCentricCanonicalization.htm.
Web Services Metadata Exchange
(WS-MetadataExchange), K. Ballinger, et al,
Authors. BEA Systems Inc., Computer Associates International,
Inc., International Business Machines Corporation, Microsoft
Corporation, Inc., SAP AG, Sun Microsystems, and webMethods,
September 2004. Available at
http://schemas.xmlsoap.org/ws/2004/09/mex/
Web Services Reliable Messaging Policy Assertion
(WS-RM Policy), D. David, A. Kamarkar, G. Pilz, and
Ü. Yalçinalp, Editors. Organization for the Advancement of Structured Information Standards, 24 April 2006. Available at
http://www.oasis-open.org/committees/download.php/17838/wsrmp-1.1-spec-wd-08.pdf
WS-SecurityPolicy v1.0, A. Nadalin,
M. Gudgin, A. Barbir, and H. Granqvist, Editors. Organization for the Advancement of Structured Information Standards, 8
December 2005. Available at
http://www.oasis-open.org/committees/download.php/15979/oasis-wssx-ws-securitypolicy-1.0.pdf.
WSDL 1.1 Binding for SOAP 1.2,
D. Angelov, et al, Authors. World Wide Web Consortium, 5 April
2006. Available at
http://www.w3.org/Submission/2006/SUBM-wsdl11soap12-20060405/.
XML-Signature Syntax and Processing,
D. Eastlake, J. Reagle, and D. Solo, Editors. The Internet
Society & World Wide Web Consortium, 12 February
2002. This version of the XML-Signature Syntax and Processing
Recommendation is
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/. The latest version of
XML-Signature Syntax and Processing is available at
http://www.w3.org/TR/xmldsig-core/.
UDDI tModel Definitions
This section contains the UDDI tModel definitions for the canonical
tModels used in Section . The tModelKeys shown in the tModel
structure sections are valid UDDI Version 2 keys. When using UDDI
Version 3, the corresponding derived UDDI Version 2 keys must be
used.
Remote Policy Reference Category System
Design Goals
This tModel is used to attach a policy to a UDDI entity by referencing the policy's IRI.
Category system used for UDDI entities
to point to an external Web services policy attachment policy that
describes their characteristics. See Web Services Policy 1.5 - Attachment specification
for further details.
tModel Structure
<tModel tModelKey="uuid:a27078e4-fd38-320a-806f-6749e84f8005" >
  <name>http://schemas.xmlsoap.org/ws/2003/03/remotepolicyreference</name>
  <description xml:lang="EN">Category system used for UDDI entities to point to an external Web Services Policy Attachment policy expression that describes their characteristics. See Web Services Policy 1.5 - Attachment specification for further details.</description>
  <categoryBag>
    <keyedReference
      keyName="uddi-org:types:categorization"
      keyValue="categorization"
      tModelKey="uuid:c1acf26d-9672-4404-9d70-39b756e62ab4" />
  </categoryBag>
</tModel>
Web Services Policy Types Category System
Design Goals
This tModel is used to categorize tModels as representing policy
expressions. There is only one valid value, namely "policy", that
indicates this very fact. It is RECOMMENDED that tModels categorized as
representing policy expressions reference no more and no less than
this very policy expression using the remote policy reference category
system.
tModel Definition
Name:
http://schemas.xmlsoap.org/ws/2003/03/policytypes
Description:
Web services policy types category system used for UDDI tModels to
characterize them as Web services policy–based policy expressions.
UDDI Key (V3):
uddi:schemas.xmlsoap.org:policytypes:2003_03
UDDI V1,V2 format key:
uuid:fa1d77dc-edf0-3a84-a99a-5972e434e993
Categorization:
categorization
Checked:
No
tModel Structure
<tModel tModelKey="uuid:fa1d77dc-edf0-3a84-a99a-5972e434e993" >
  <name>http://schemas.xmlsoap.org/ws/2003/03/policytypes</name>
  <description xml:lang="EN">Web Services Policy Types category system used for UDDI tModels to characterize them as Web Services Policy – based policy expressions.</description>
  <categoryBag>
    <keyedReference
      keyName="uddi-org:types:categorization"
      keyValue="categorization"
      tModelKey="uuid:c1acf26d-9672-4404-9d70-39b756e62ab4" />
  </categoryBag>
</tModel>
Local Policy Reference Category System
Design Goals
This tModel is used to attach a policy expression to a UDDI entity
by referencing the UDDI entity that represents this policy expression. The local policy
reference category system is based on tModelKeys. It is expected that
referenced tModels are registered with the same UDDI registry and are
categorized as representing policy
expressions using the Web services policy types category
system.
Category system used for UDDI entities to point to a Web services
policy policy expression
tModel that describes their characteristics. See Web Services Policy 1.5 - Attachment
specification for further details.
tModel Structure
<tModel tModelKey="uuid:a27f7d45-ec90-31f7-a655-efe91433527c" >
  <name>http://schemas.xmlsoap.org/ws/2003/03/localpolicyreference</name>
  <description xml:lang="en">Category system used for UDDI entities to point to a Web Services Policy policy expression tModel that describes their characteristics. See Web Services Policy 1.5 - Attachment specification for further details.</description>
  <categoryBag>
    <keyedReference
      keyName="uddi-org:types:categorization"
      keyValue="categorization"
      tModelKey="uuid:c1acf26d-9672-4404-9d70-39b756e62ab4" />
    <keyedReference
      keyName="uddi-org:entityKeyValues"
      keyValue="tModelKey"
      tModelKey="uuid:916b87bf-0756-3919-8eae-97dfa325e5a4" />
  </categoryBag>
</tModel>
Acknowledgements
This document is the work of the W3C Web Services Policy
Working Group.
Members of the Working Group are (at the time of writing, and by
alphabetical order):
Dimitar Angelov (SAP AG), Abbie Barbir (Nortel Networks), Charlton Barreto (Adobe Systems Inc.), Sergey Beryozkin (IONA Technologies, Inc.), Vladislav Bezrukov (SAP AG), Toufic Boubez (Layer 7 Technologies), Paul Cotton (Microsoft Corporation), Jeffrey Crump (Sonic Software), Glen Daniels (Sonic Software), Ruchith Fernando (WSO2), Christopher Ferris (IBM Corporation), William Henry (IONA Technologies, Inc.), Frederick Hirsch (Nokia), Maryann Hondo (IBM Corporation), Tom Jordahl (Adobe Systems Inc.), Philippe Le Hégaret (W3C/MIT), Jong Lee (BEA Systems, Inc.), Mark Little (JBoss Inc.), Ashok Malhotra (Oracle Corporation), Monica Martin (Sun Microsystems, Inc.), Jeff Mischkinsky (Oracle Corporation), Dale Moberg (Cyclone Commerce, Inc.), Anthony Nadalin (IBM Corporation), David Orchard (BEA Systems, Inc.), Bijan Parsia (University of Manchester), Fabian Ritzmann (Sun Microsystems, Inc.), Daniel Roth (Microsoft Corporation), Sanka Samaranayake (WSO2), Felix Sasaki (W3C/Keio), Skip Snow (Citigroup), Yakov Sverdlov (Computer Associates), Mark Temple-Raston (Citigroup), Asir Vedamuthu (Microsoft Corporation), Sanjiva Weerawarana (WSO2), Ümit Yalçinalp (SAP AG), Prasad Yendluri (webMethods, Inc.).
The people who have contributed to discussions
on public-ws-policy@w3.org are also gratefully
acknowledged.
Changes in this Version of the Document
A list of substantive changes since the Working Draft dated 31 July 2006
is below:
Added an empty conformance section.
Replaced URI with IRI.
Web Services Policy 1.5 - Attachment Change Log
Date | Author | Description
20060712 | ASV | Updated the list of editors. Completed action items 20 from the Austin F2F.
20060712 | DBO | Completed action item 12
20060718 | DBO | Completed action items Editors to remove extraneous namespace decl in the example at the end of section 3.4 18, RFC2606 for domain names 09 (note: PLH had already done but it didn't show up in the change log) editors to straighten up Note after example 3-1 11
20060719 | TIB | Completed action item 22: Linked SVG graphic
20060721 | ASV | Completed action items 23, 25 and 26 from the Austin F2F.
20060721 | ASV | Completed action item 29 from the Austin F2F.
20060726 | ASV | Incorporated the XML namespace URI versioning policy adopted by the WG.
20060808 | DBO | Completed action items: 15 as early as possible in the doc, use the definition that are defined in the doc. Issue 3545, use of {any} and {@any} in xpath-like expressions not defined in Notational Conventions section
20060808 | ASV | Implemented the resolution for issue 3543.
20060809 | DBO | Implemented the resolution for issue 3546: wsdl 2.0 status mention.
20060809 | ASV | Implemented the resolution for issue 3556 and the resolution for issue 3558.
20060811 | DBO | Completed action items: 15 remove use of emph/ital terms. Framework: removed emph on conceptually replace and support; attachment: make merge a termdef
20060813 | ASV | Added a new Section (that provides a list of substantive changes since the previous publication).
20060825 | PY | Implemented the resolution for issue 3544.
20060827 | TIB | Completed action item: resolution for adding Conformance section.
20060827 | TIB | Implemented the resolution for issue 3605: typo in example.
20060829 | ASV | Implemented the resolution for issue 3561: replaced URI with IRI.
200609006 | DBO | Completed partial resolution for issue 3590. for adding document attribute extensibility of wsp:Policy/@{any} and wsp:Policy/.../wsp:PolicyReference/@{any}, specifically making attribute extensibility for any namespace.
20060906 | ASV | Implemented the resolution for issue 3557: clarify the use of domain expressions.