Manage Learn to apply best practices and optimize your operations.

The WS-Policy Story

William Brogden defines WS-Policy and whether it will help developers coordinate all of the various specifications related to Web services.

As the concept of XML-based "Web services" has grown from the simple days of XML-RPC things have gotten a lot more complicated. The pioneering developers communicated service requirements in text documentation, sample code and user mailing lists. Then came SOAP and more formal documentation such as WSDL and UDDI. Now the list of formal specifications related to Web services and generated by a variety of organizations is astonishingly long. Here are some of the most significant:

Name Lead Organization Function.
SOAP W3C Defines the XML message format for Web services.
WSDL W3C XML format description of a Web service suitable for automatically generating client code.
UDDI OASIS Provides a method for publishing the access information for a Web service.
WS-Security OASIS Sign, verify and encrypt SOAP messages.
WS-Addressing W3C Defines transport-neutral mechanisms to address Web services.

As Web services have gotten more complicated, communication between potential client and service has become more difficult and early attempts such as WSDL have not always been up to the task of completely defining the requirements. Typically developers fall back on text documentation, discussions on user mailing lists or calling a more knowledgeable person to resolve a problem.

What is WS-Policy?

The Web Services Policy Framework (or WS-Policy for short) is intended to provide a basic general purpose model and XML syntax for describing policies related to a Web service. Policies can be defined, not only for a given Web service, but also by potential clients of the service. For example, your company might require that developers only access Web services using digital signatures. WS-Policy functions as an addition to WSDL, UDDI and other WS-* specifications.

A WS-Policy document expresses rules that may be as simple as a requirement to use WS-Addressing in SOAP headers or as complex as giving a list of "assertions" about alternate message signing algorithms which the service can recognize. Essentially, WS-Policy attempts to formalize in both machine- and human-readable form aspects of Web service communication that might otherwise require extensive text documentation or direct person to person communication. The examples given by the WS-Policy working group show how to express complex security requirements.

The WS-Policy specification has undergone a series of drafts and is now at the "Last Call Working Draft" stage, but does not yet have official W3C status. You can get a copy of the current working draft documentation from the Web Services Policy Working Group URL given in the resources.

Creators of WS-Policy

The list of participants working on WS-Policy shows that a wide spectrum of industry heavyweights have been contributing to the process of refining the framework. As part of the W3C's recent emphasis on software patent policy, these companies have made licensing commitments to ensure that when WS-Policy reaches Recommendation stage it will be royalty free.

Web Services Policy Attachment

The basic WS-Policy specification does not state how a given policy document gets associated with a specific Web service. That function is being covered in a separate WS-PolicyAttachement specification that defines mechanisms by which a policy gets associated with a Web service entity and with WSDL or UDDI descriptions.


Microsoft provides the Web Services Enhancements add-on for Visual Studio.NET which supports WS-Policy and many other of the latest Web services related specifications.

The Apache "Commons" open source project contains a set of Java classes for reading and manipulating WS-Policy documents. This toolkit is part of the new Apache Axis2 Web services toolkit, but not part of Sun's Java Web Services Developer Package. The Apache API includes the rather elegant capability of automatically combining a WS-Policy document for a service with potential client policy alternatives to reveal the policy or policies where there is mutual agreement.


For me the question is - will WS-policy prove to be the solution to the obvious problem of helping developers coordinate all of the various specifications related to Web services or will it join the ranks of elegant specifications that everybody admires but few people use? Check back again in a year, maybe we will know by then.


The Web Services Policy Working Group status page

A summary list of specifications related to Web Services

A Java toolkit for implementation of WS-Policy in the Apache Commons project

Dig Deeper on Topics Archive

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.