developerWorks

AIX and UNIX
Information Mgmt
Lotus
Rational
Tivoli
WebSphere

Architecture
Autonomic computing
Java™ technology
Linux
Multicore acceleration
Open source
SOA and Web services
	New to SOA and Web services
	Downloads & products
	Open source projects
	Standards
	Technical library
	Training
	Forums
	Events
Web development
XML

About dW
Submit content
Feedback

Related links
	ISV resources
	alphaWorks (emerging technologies)
	IBM Academic Initiative
	IBM Redbooks
	IBM Press books
	IBM communities

Local sites
	developerWorks 中国
	developerWorks Japan
	developerWorks 한국
	developerWorks Россия

developerWorks > SOA and Web services >

Updated: Web Services Security Policy Language

Level: Advanced

Contributors: IBM, Microsoft, RSA Security, VeriSign

18 Dec 2002
Updated 13 Jul 2005

The recently updated Web Services Security Policy Language (WS-SecurityPolicy) specification indicates the policy assertions which apply to Web Services Security: SOAP Message Security, WS-Trust, and WS-SecureConversation.

With the re-publication of the WS-SecurityPolicy specification, IBM, Microsoft, and 12 co-authors are committing to submit it and two other security specifications to a worldwide standards body in September. The commitment is a key action on completing the Web Services Security framework and Web Services Security roadmap that IBM and Microsoft created in 2002 to help the industry produce and implement a standards-based architecture that is comprehensive, yet flexible enough to meet the Web services security needs of businesses (see Resources).

Web services are a loosely-coupled, language-neutral, platform-independent way of linking applications within organizations, across enterprises, and across the Internet. A key benefit of the emerging Web services architecture is the ability to deliver integrated, interoperable solutions -- which makes it critical to ensure the integrity, confidentiality, and overall security of these services.

The recently updated Web Services Security Policy Language (WS-SecurityPolicy) specification defines a set of security policy assertions which apply to Web Services Security: SOAP Message Security, WS-Trust, and WS-SecureConversation. This document takes the approach of defining a base set of assertions that describe how messages are to be secured. Flexibility with respect to token types, cryptographic algorithms, and mechanisms used, including using transport-level security, is part of the design and allows for evolution over time. The intent is to provide enough information for compatibility and interoperability to be determined by Web services participants, along with all information necessary to actually enable a participant to engage in a secure exchange of messages.

Get the specification and related material

Description	Date	Access method
Web Services Security Policy Language V1.1 specification (PDF, 755 KB)	July, 2005	HTTP download
WS-SecurityPolicy XSD	July 2005	HTTP Web page

If you would like to contribute technical comments on this specification, please do so through our Feedback page.

The following three specifications will be submitted to OASIS (Organization for the Advancement of Structured Information Standards):

WS-SecurityPolicy: Defines general security policy assertions which apply to Web Services Security: SOAP Message Security, WS-Trust, and WS-SecureConversation.
WS-Trust: Defines extensions that build on WS-Security to both provide a framework for requesting and issuing security tokens and broker trust relationships.
WS-SecureConversation: Defines extensions that build on WS-Security and WS-Trust to provide secure communication across one or more messages. Specifically, this specification defines mechanisms for establishing and sharing security contexts and for deriving keys from established security contexts (or any shared secret).

If you would like to view the earlier version of this specification, click on the following link:

WS-SecurityPolicy specification draft (December, 2002)

Resources

"Security in a Web Services World: A Proposed Architecture and Roadmap" defines a comprehensive Web services security model that supports, integrates, and unifies several popular security models, mechanisms, and technologies in a way that enables a variety of systems to securely interoperate in a platform- and language-neutral manner.
Read the related Web Services Trust specification that explains how trust relationships are defined between Web services.
WS-SecureConversation defines extensions that build on WS-Security to provide secure communication.
Web Services Addressing defines how to identify services across a network.
Web Services Policy Framework defines how to apply policies to control individual services behavior.
Web Services Security describes enhancements to SOAP to provide quality of protection through message integrity, confidentiality, and authentication.

Back to top

Document options

Document options requiring JavaScript are not displayed