

Policy Overview

The Web Services Enhancements for Microsoft .NET (WSE) provides a mechanism to declaratively state the requirements for incoming and outgoing SOAP messages. For example, a Web service might require that all incoming SOAP messages must be signed by an X.509 certificate from a particular certificate authority (CA).

Setting the Policy for an Application

Policy is defined for an application in an XML document that contains one or more policies. Each policy includes one or more requirements for a SOAP message. Because an application often sends or receives SOAP messages for more than one endpoint, these policies need to be mapped to the endpoints to which you want them to apply.

The conventional name for the XML document containing the policy is policyCache.xml, but the exact name of the file is arbitrary. The policy cache can be publicly accessible, so no confidential information should be stored in this file. The location of this document is defined in a configuration file, such as Web.config. A policy file is used to define both send-side and receive-side policy.

There are four basic steps to configure a Web service's policy:

  1. Create a policy file.
  2. Declare the set of policies for the policy file.
  3. Map the policies to SOAP endpoints.
  4. Configure the policy file.

WSE has built-in support for the following policy assertions:

  • Security token
  • Integrity
  • Confidentiality
  • Message age
  • Message predicate

If additional policy assertions are required, they can be implemented by writing a custom policy assertion. For more information, see Walkthrough: Creating a Policy Assertion.

Default Policy

Default policies that apply to unmapped messages for the entire application can be mapped with the <defaultEndpoint> element, which is a child of the <mappings> element.

Policy Design

WSE policy documents contain a mappings section and a policy section. Policy assertions are mapped to specific endpoints using the <endpoint> element. Each operation within the endpoint is described with the <operation> element. Each request message within an operation is mapped to a policy with the <request> element. Each response message is mapped with the <response> element. Fault messages are mapped with the <fault> element.
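The following check is an added example, not code from WSE or from this documentation: it walks the mappings section described above and reports every request, response or fault message that has no policy mapped, and whether a <defaultEndpoint> is missing. The sample document is constructed, and the attribute names uri, requestAction and policy are assumptions that do not appear on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample; attribute names (uri, requestAction, policy) are assumptions.
SAMPLE = """
<policyDocument>
  <mappings>
    <endpoint uri="http://example.test/Orders.asmx">
      <operation requestAction="urn:example:SubmitOrder">
        <request policy="#signed-x509" />
        <response policy="#signed-x509" />
      </operation>
      <operation requestAction="urn:example:GetStatus">
        <request policy="" />
        <response policy="#signed-x509" />
        <fault policy="" />
      </operation>
    </endpoint>
  </mappings>
</policyDocument>
"""

MESSAGES = ("request", "response", "fault")

def local(tag):
    """Strip any XML namespace so the check also works on namespaced files."""
    return tag.rsplit("}", 1)[-1]

def children(node, name):
    return [c for c in node if local(c.tag) == name]

def audit_mappings(xml_text):
    """Return (endpoint, operation, finding) tuples for messages with no policy."""
    root = ET.fromstring(xml_text)
    findings = []
    for mappings in (n for n in root.iter() if local(n.tag) == "mappings"):
        if not children(mappings, "defaultEndpoint"):
            findings.append(("*", "*", "no <defaultEndpoint>: unmapped messages get no default policy"))
        for ep in children(mappings, "endpoint"):
            for op in children(ep, "operation"):
                for msg in MESSAGES:
                    mapped = children(op, msg)
                    if not mapped or not (mapped[0].get("policy") or "").strip():
                        findings.append((ep.get("uri"), op.get("requestAction"), f"<{msg}> has no policy"))
    return findings

if __name__ == "__main__":
    for finding in audit_mappings(SAMPLE):
        print(*finding, sep=" | ")
```

Fault messages are the mapping most often left out, so the check treats an absent <fault> element the same as one with an empty policy reference.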

See Also

Other Resources

Configuring a Web Service's Policy