Sunday, September 27, 2009

WS-Policy v/s WS-Security

Posting an article written in Sept 2008 comparing WS-Security and WS-Policy, after going through Policy Driven SOA by Sreedhar Kajeepeta.


WS-Policy - Will describe the capabilities and constraints of the security (and other business) policies on intermediaries and endpoints (e.g. required security tokens, supported encryption algorithms, privacy rules).

WS-Security - Describes how to attach signature and encryption headers to SOAP messages. In addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages.

WS-Policy - WS-Policy will describe how senders and receivers can specify their requirements and capabilities. WS-Policy will be fully extensible and will not place limits on the types of requirements and capabilities that may be described; however, the specification will likely identify several basic service attributes, including privacy attributes, encoding formats, security token requirements, and supported algorithms. This specification will define a generic SOAP policy format, which can support more than just security policies. It will also define a mechanism for attaching service policies to SOAP messages.

WS-Security - WS-Security describes enhancements to SOAP messaging that provide quality of protection through message integrity and message confidentiality. Message integrity is provided by leveraging XML Signature in conjunction with security tokens (which may contain or imply key data) to ensure that messages are transmitted without modification. Similarly, message confidentiality is provided by leveraging XML Encryption in conjunction with security tokens to keep portions of SOAP messages confidential. Finally, WS-Security describes a mechanism for encoding binary security tokens.

3. Defining a Policy

WS-Policy - Policies are formulated using the elements and document-level subjects provided by the various specifications under the WS-Policy framework.

WS-Security - Coded as a message handler using the SAAJ APIs.

4. Integrating policies with services

WS-Policy - Policies may be integrated with services by adding metadata, either directly through WS-PolicyAttachment or indirectly by adding reusable policy definitions to a registry/repository and then referring to them through registry key references in the business service definition.

WS-Security - Message handlers that implement the security are configured in the SOAP message chain via webservices.xml (the web services deployment descriptor).

5. Policy Enforcement Points (PEP)

WS-Policy - A policy enforcement tool references the registry/repository to determine which policies should be enforced for a given service. There are two ways to enforce policies: using agents and using a gateway.

WS-Security - The SOAP message chain enforces the security policy using SOAP headers; no additional tool is required to enforce the policy.

6. Policy-aware clients

WS-Policy - Yes: they can retrieve information about the policies through WS-MetadataExchange and bind dynamically to the endpoints that satisfy the given criteria.

WS-Security - No. Once the contract is defined between service provider and service consumer, SAAJ message handlers have to be coded to enforce the WS-Security specification, but that contract is again not defined in the WSDL or in a repository.

7. Overhead of Frameworks

WS-Policy - Yes. Policy expressions and policy assertions must be understood to define a policy, WS-PolicyAttachment is needed to integrate the policy into the WSDL, WS-MetadataExchange to retrieve information about the policy, and policy enforcement tools to enforce it.

WS-Security - Only SAAJ is required to implement the message handler.

8. Can policies be centrally managed?

WS-Policy - Yes, and this can be implemented using an XML network structure.

WS-Security - No

9. Policy registry/repository

WS-Policy - Policies can be centrally stored in a registry/repository, which policy-aware clients can also use to gather information about the policy.

WS-Security - No. Implemented as part of the web services deployment descriptor.

10. Centralized Management

WS-Policy - Yes, possible using policy management tools.

11. Monitoring and Alerting

WS-Policy - Yes, possible using monitoring tools.

12. Message Validation and Compliance

WS-Policy - Yes, can be done by an XML gateway (hardware) that reads the policies.

WS-Security - A message interceptor gateway can be coded using the message handler.
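The two sides of the comparison meet in a policy enforcement point (items 3, 4, 6 and 12 above): a policy expressed with WS-Policy operators and attached to a WSDL binding through WS-PolicyAttachment, and a SOAP message whose wsse:Security header must satisfy it. The following example is added here and is not code from the original post or from the book it discusses. It normalises a policy into its alternatives (wsp:Policy / wsp:All as every combination of their children, wsp:ExactlyOne as a union, wsp:Optional="true" as "the assertion or nothing", wsp:PolicyReference resolved within the same document) and then reports which alternative, if any, a message satisfies. The `ex:*` assertions and the namespace `urn:example:policy` are hypothetical, chosen for the illustration rather than taken from WS-SecurityPolicy; the WSDL and SOAP messages are constructed; and the checks only test for the presence of the header elements, where a real enforcement point would also verify the signature and decrypt the message.

```python
# Added example: WS-Policy normalisation plus a presence check of a SOAP message against it.
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSP = "http://www.w3.org/ns/ws-policy"  # WS-Policy 1.5
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSU, WSSE = OASIS + "wssecurity-utility-1.0.xsd", OASIS + "wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS, XENC = "http://www.w3.org/2000/09/xmldsig#", "http://www.w3.org/2001/04/xmlenc#"
EX = "urn:example:policy"  # hypothetical namespace for the illustrative ex:* assertions

def q(ns, local):
    return "{%s}%s" % (ns, local)

POLICY, ALL, EXACTLY_ONE, REF = (q(WSP, n) for n in ("Policy", "All", "ExactlyOne", "PolicyReference"))
SEC = q(SOAP, "Header") + "/" + q(WSSE, "Security") + "/"

# Assertion QName -> predicate over the Envelope element. Presence checks only (no crypto).
CHECKS = {
    q(EX, "RequireTimestamp"): lambda env: env.find(SEC + q(WSU, "Timestamp")) is not None,
    q(EX, "RequireSignature"): lambda env: env.find(SEC + q(DS, "Signature")) is not None,
    q(EX, "RequireUsernameToken"): lambda env: env.find(SEC + q(WSSE, "UsernameToken")) is not None,
    q(EX, "RequireX509Token"): lambda env: any(t.get("ValueType", "").endswith("#X509v3")
        for t in env.findall(SEC + q(WSSE, "BinarySecurityToken"))),
    q(EX, "RequireEncryption"): lambda env: env.find(".//" + q(XENC, "EncryptedData")) is not None,
}

def resolve(uri, root):
    """Resolve a same-document wsp:PolicyReference (URI="#id") to its wsp:Policy."""
    if not uri.startswith("#"):
        raise ValueError("only same-document policy references are handled: " + uri)
    for pol in root.iter(POLICY):
        if pol.get(q(WSU, "Id")) == uri[1:]:
            return pol
    raise LookupError(uri)

def alternatives(node, root):
    """Normal form below `node`: a list of alternatives, each a list of assertion QNames.
    Policy/All = every combination of the children; ExactlyOne = union; Optional = assertion or nothing."""
    if node.tag in (POLICY, ALL):
        alts = [[]]
        for child in node:
            alts = [a + b for a in alts for b in alternatives(child, root)]
        return alts
    if node.tag == EXACTLY_ONE:
        return [alt for child in node for alt in alternatives(child, root)]
    if node.tag == REF:
        return alternatives(resolve(node.get("URI"), root), root)
    alts = [[node.tag]]  # any other element is an assertion
    if node.get(q(WSP, "Optional")) == "true":
        alts.append([])
    return alts

def binding_policy(wsdl_xml, binding_name):
    """Effective policy of a wsdl:binding: the merge (All) of its wsp:PolicyReference children."""
    root = ET.fromstring(wsdl_xml)
    for binding in root.iter(q(WSDL_NS, "binding")):
        if binding.get("name") == binding_name:
            alts = [[]]
            for ref in binding.findall(REF):
                alts = [a + b for a in alts for b in alternatives(ref, root)]
            return alts
    raise LookupError(binding_name)

def satisfied_alternative(alts, envelope_xml):
    """First alternative whose every assertion the message meets, else None (unknown assertions fail closed)."""
    env = ET.fromstring(envelope_xml)
    for alt in alts:
        if all(a in CHECKS and CHECKS[a](env) for a in alt):
            return alt
    return None

# Constructed WSDL: the binding picks up the policy by wsu:Id through a wsp:PolicyReference.
WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:ex="urn:example:policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:Policy wsu:Id="OrderSecurity">
    <ex:RequireTimestamp/>
    <wsp:ExactlyOne><wsp:All><ex:RequireSignature/><ex:RequireX509Token/></wsp:All><ex:RequireUsernameToken/></wsp:ExactlyOne>
    <ex:RequireEncryption wsp:Optional="true"/>
  </wsp:Policy>
  <wsdl:binding name="OrderBinding"><wsp:PolicyReference URI="#OrderSecurity"/></wsdl:binding>
</wsdl:definitions>"""

def envelope(security_content):  # constructed SOAP 1.1 message with the given wsse:Security content
    return ('<soap:Envelope xmlns:soap="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">'
            '<soap:Header><wsse:Security>%s</wsse:Security></soap:Header>'
            '<soap:Body><placeOrder/></soap:Body></soap:Envelope>') % (SOAP, WSSE, WSU, DS, security_content)

TIMESTAMP = "<wsu:Timestamp><wsu:Created>2009-09-27T10:00:00Z</wsu:Created></wsu:Timestamp>"
X509_SIGNED = TIMESTAMP + ('<wsse:BinarySecurityToken ValueType="%sx509-token-profile-1.0#X509v3">placeholder'
    '</wsse:BinarySecurityToken><ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>' % OASIS)
USERNAME = TIMESTAMP + "<wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>"

if __name__ == "__main__":
    alts = binding_policy(WSDL, "OrderBinding")
    for name, sec in (("x509+signature", X509_SIGNED), ("username", USERNAME), ("no timestamp", USERNAME[len(TIMESTAMP):])):
        print(name, "->", satisfied_alternative(alts, envelope(sec)))
```

For the constructed policy the normal form has four alternatives (signature plus X.509 token, or a UsernameToken, each with or without encryption, and always with a timestamp), which is what a policy-aware client would compare against its own capabilities. The enforcement side fails closed: a message without a timestamp matches no alternative, and an assertion the enforcement point has no check for can never be satisfied rather than being silently ignored.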

13. Access protection

WS-Policy - As part of the web services infrastructure security, direct access to all service endpoints can be disabled by using an XML firewall or web-proxy infrastructure that masks all the underlying service endpoints and communicates through network address translation (NAT) or URL rewriting.

WS-Security - No

--Amit G --


  1. Though brief, a pretty good article on WS-Security.

  2. The article was more about detailing the differences between WS-Security & WS-Policy....

    But indeed the WS-SecurityPolicy spec is a specialized WS-Policy used for defining policies for WS-Security.