A version 04 draft of the XACML Profile for Web-Services specification has been produced by members of the OASIS Extensible Access Control Markup Language TC. Also referenced as 'WSPL', the specification "defines a profile of XACML that enables it to be used for describing policy associated with Web service end-points and using them in a successful invocation."
Background to the WSPL design is supplied in a Web-Services Policy Language Use Cases and Requirements document, summarized in the version 04 spec: "Access to a standard-conformant Web-service end-point involves a number of aspects, such as: reliable messaging, privacy, authorization, trust, authentication and cryptographic security. Each aspect addresses a number of optional features and parameters, which must be coordinated between communicating end-points if the service invocation is to be successful. The provider and consumer of the service likely have different preferences amongst the available choices of features and parameters. Therefore, a mechanism is required by which end-points may describe the mandatory features of service invocation, optional features that they support and the order of their preference amongst such features. Additionally, a procedure is required for combining and reducing these feature descriptions into a service invocation instance that respects both end-points' requirements. According to the WSPL profile, an XACML <PolicySet> element is associated with a concrete Web-service end-point definition."
Appendix A of the specification provides an example from the realm of data-rate allocation; it illustrates the procedure for combining and reducing XACML policies that conform with the WSPL profile using two simple policy instances.
XACML Profile for Web-Services. Edited by Tim Moses (Entrust). Contributing authors: Anne Anderson (Sun Microsystems), Seth Proctor (Sun Microsystems), and Simon Godik (Overxeer). XACML TC Working draft, Version 04. September 29, 2003. Document identifier: 'draft-xacml-wspl-04]. Comments to firstname.lastname@example.org. 41 pages.
From the WSPL Model Description
In this profile, an XACML <PolicySet> element is associated with a concrete Web-service end-point definition. To that end, its <Target> element must identify the WSDL 1.1 port whose features and parameters it describes. In the case that a policy must be targeted more finely than a port, a second level of <PolicySet> whose <Target> element identifies the port's operations and messages must be inserted. The <PolicySet> elements must contain <Policy> elements that define the objective of each aspect of policy associated with the port.
An XACML <Policy> element is associated with a single aspect of an end-point policy. The <Target> element of a <Policy> must identify the one objective of the end-point policy to which it applies. Developers of Web-service specifications that make use of XACML must define a name and type for its objective. In order for an end-point to be successfully invoked, all of its objectives must be achieved by the service invocation. The <Policy> element must contain <Rule> elements that define acceptable alternative strategies for achieving the objective.
An XACML <Rule> element must describe one alternative strategy for achieving an objective. At least one strategy must be successful if its objective is to be achieved. The lexical order of the strategies in the objective should reflect the policy-writer's preferences. For example, the policy writer's preferred strategy should appear first. The <Rule> element must contain a set of <Apply> elements that define predicates.
An XACML <Apply> element must contain exactly one predicate. All predicates must be satisfied by a service invocation if the associated strategy is to be successful. An <Apply> element shall not contain another <Apply> element..." [adapted from the Version 04 spec]
- Sun XACML reference page:
- XACML Profile for Web-Services. WSPL Draft version 04. [source PDF, posted by Bill Parducci 2003-09-29]
- "Motion to Approve WSPL as OASIS Committee Draft." From Tim Moses (September 29, 2003).
- Web-Services Policy Language Use Cases and Requirements. Version 04. April 16, 2003. [source]
- Previous WSPL versions:
- XACML TC website
- XACML TC FAQ document
- "A Brief Introduction to XACML."
- XACML TC document list
- XACML TC list archives
- Contact: Hal Lockhart and Bill Parducci, TC Chairs.
- See also: "Updated Versions of Web Services Policy (WS-Policy) Specifications."
- "Extensible Access Control Markup Language (XACML)" - Main reference page.