Applying policies at binding hierarchy in Apache Axis2 1.4

  • By Nandana Mihindukulasooriya
  • 3 Jul, 2008

Applies To

Apache Axis2/Java 1.4.x

What are the different levels of the binding hierarchy?

You can apply policies at three different policy subjects in the binding hierarchy.

  • Binding level
  • Binding operation level
  • Binding message level

How to apply policies at binding level?

Say you want a policy to be attached at binding level to both the SOAP 1.1 binding and the SOAP 1.2 binding. You can define that in services.xml with the following configuration.

<service>
       ...
   <wsp:PolicyAttachment xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:AppliesTo>
         <policy-subject identifier="binding:soap11" />
         <policy-subject identifier="binding:soap12" />
      </wsp:AppliesTo>
      <wsp:Policy wsu:Id="binding_level_policy"
       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
           ... policy assertions ...
      </wsp:Policy>
   </wsp:PolicyAttachment>
</service>


How to apply policies at binding operation level?

This configuration is very similar to the earlier one and uses the <wsp:AppliesTo> element to define the scope of the policy. In this example the operation name is "secureEcho".

<service>
       ...
   <wsp:PolicyAttachment xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:AppliesTo>
         <policy-subject identifier="binding:soap11/operation:secureEcho" />
         <policy-subject identifier="binding:soap12/operation:secureEcho" />
      </wsp:AppliesTo>
      <wsp:Policy wsu:Id="operation_level_policy"
       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
           ... policy assertions ...
      </wsp:Policy>
   </wsp:PolicyAttachment>
</service>


How to apply policies at binding message level?

The following configuration attaches a policy to the in message. For the out message the configuration is similar, and the identifier attribute of the <policy-subject/> element in <wsp:AppliesTo> changes to "binding:soap11/operation:echo/out". In this example the operation name is "secureEcho".

<service>
       ...
   <wsp:PolicyAttachment xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:AppliesTo>
         <policy-subject identifier="binding:soap11/operation:secureEcho/in" />
         <policy-subject identifier="binding:soap12/operation:secureEcho/in" />
      </wsp:AppliesTo>
      <wsp:Policy wsu:Id="message_level_policy"
       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
           ... policy assertions ...
      </wsp:Policy>
   </wsp:PolicyAttachment>
</service>

You can see a sample services.xml which has all three configurations here.

How are policies attached to the bindings in the generated WSDL?

You can find the WSDL generated for the service defined in the above services.xml here. If you look at the binding section of the WSDL, you can see how the policies are attached to the correct attachment points.

    <wsdl:binding name="SecureServiceSoap12Binding" type="ns:SecureServicePortType">
        <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#binding_level_policy"/>
        <soap12:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
        <wsdl:operation name="secureEcho">
            <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#operation_level_policy"/>
            <soap12:operation soapAction="urn:secureEcho" style="document"/>
            <wsdl:input>
                <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#message_level_policy"/>
                <soap12:body use="literal"/>
            </wsdl:input>
            <wsdl:output>
                <soap12:body use="literal"/>
            </wsdl:output>
        </wsdl:operation>
        <wsdl:operation name="echo">
            <soap12:operation soapAction="urn:echo" style="document"/>
            <wsdl:input>
                <soap12:body use="literal"/>
            </wsdl:input>
            <wsdl:output>
                <soap12:body use="literal"/>
            </wsdl:output>
        </wsdl:operation>
    </wsdl:binding>

Policies are attached to the correct attachment points using <wsp:PolicyReference/> elements, and each <wsp:PolicyReference/> element refers to its policy by the policy's "wsu:Id" attribute. So if you look carefully at the WSDL, you can see the policies referred to by "wsu:Id" defined within the <wsdl:definitions> element.

<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
        ...
    <wsp:Policy wsu:Id="binding_level_policy"
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsp:ExactlyOne>
            <wsp:All>
                ... policy assertions ... 
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
    <wsp:Policy wsu:Id="operation_level_policy"
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsp:ExactlyOne>
            <wsp:All>
                ... policy assertions ... 
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
    <wsp:Policy wsu:Id="message_level_policy"
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsp:ExactlyOne>
            <wsp:All>
                ... policy assertions ... 
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
        ...
</wsdl:definitions>
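
The attachment points described above can be checked mechanically. The following Python script is an added example, not part of the original article or of Axis2: for every binding message it lists the policy ids referenced at message, operation and binding level, and it reports <wsp:PolicyReference/> URIs that have no matching "wsu:Id". The sample WSDL is constructed from the excerpt above with the operation-level policy definition deliberately left out; the function names and the "binding/operation/direction" key format are assumptions of this example.

```python
import xml.etree.ElementTree as ET

WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
WSP = "{http://schemas.xmlsoap.org/ws/2004/09/policy}"
WSU_ID = ("{http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd}Id")

# Constructed sample modelled on the binding section shown above.
# "operation_level_policy" is referenced but intentionally not defined.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:Policy wsu:Id="binding_level_policy"/>
  <wsp:Policy wsu:Id="message_level_policy"/>
  <wsdl:binding name="SecureServiceSoap12Binding">
    <wsp:PolicyReference URI="#binding_level_policy"/>
    <wsdl:operation name="secureEcho">
      <wsp:PolicyReference URI="#operation_level_policy"/>
      <wsdl:input><wsp:PolicyReference URI="#message_level_policy"/></wsdl:input>
      <wsdl:output/>
    </wsdl:operation>
    <wsdl:operation name="echo"><wsdl:input/><wsdl:output/></wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>"""

def refs(elem):
    """Policy ids referenced by direct PolicyReference children (local '#id' URIs)."""
    return [r.get("URI", "").lstrip("#") for r in elem.findall(WSP + "PolicyReference")]

def audit(wsdl_text):
    """Return (policy ids in scope per binding message, dangling references)."""
    root = ET.fromstring(wsdl_text)
    defined = {p.get(WSU_ID) for p in root.findall(WSP + "Policy")}
    scope, dangling = {}, set()
    for b in root.findall(WSDL + "binding"):
        for op in b.findall(WSDL + "operation"):
            for direction in ("input", "output"):
                msg = op.find(WSDL + direction)
                if msg is None:
                    continue
                # binding-level, then operation-level, then message-level references
                ids = refs(b) + refs(op) + refs(msg)
                dangling.update(i for i in ids if i not in defined)
                scope[f"{b.get('name')}/{op.get('name')}/{direction}"] = ids
    return scope, sorted(dangling)

if __name__ == "__main__":
    scope, dangling = audit(SAMPLE_WSDL)
    for subject, ids in scope.items():
        print(subject, ids or "NO POLICY")
    print("dangling:", dangling)
```

A message that lists fewer policy ids than expected, or any entry under "dangling", means the generated WSDL does not advertise the policy you configured in services.xml.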


Should I use this configuration in Axis2 1.4 / Rampart 1.4 to configure security?

Unfortunately, you can't use this configuration in Axis2 1.4 to configure security, for the reason described in the tutorial "Security vulnerabilities in Apache Axis2 1.4 / Rampart 1.4 and how to avoid them". You will be able to get the full benefit of this feature in upcoming versions of Axis2, starting from the 1.4.1 patch release.

Author

Nandana Mihindukulasooriya, Software Engineer, WSO2 Inc. nandana AT wso2 DOT com