As the concept of XML-based "Web services" has grown from the simple days of XML-RPC things have gotten a lot more complicated. The pioneering developers communicated service requirements in text documentation, sample code and user mailing lists. Then came SOAP and more formal documentation such as WSDL and UDDI. Now the list of formal specifications related to Web services and generated by a variety of organizations is astonishingly long. Here are some of the most significant:
|SOAP||W3C||Defines the XML message format for Web services.|
|WSDL||W3C||XML format description of a Web service suitable for automatically generating client code.|
|UDDI||OASIS||Provides a method for publishing the access information for a Web service.|
|WS-Security||OASIS||Sign, verify and encrypt SOAP messages.|
|WS-Addressing||W3C||Defines transport-neutral mechanisms to address Web services.|
As Web services have gotten more complicated, communication between potential client and service has become more difficult and early attempts such as WSDL have not always been up to the task of completely defining the requirements. Typically developers fall back on text documentation, discussions on user mailing lists or calling a more knowledgeable person to resolve a problem.
What is WS-Policy?
The Web Services Policy Framework (or WS-Policy for short) is intended to provide a basic general purpose model and XML syntax for describing policies related to a Web service. Policies can be defined, not only for a given Web service, but also by potential clients of the service. For example, your company might require that developers only access Web services using digital signatures. WS-Policy functions as an addition to WSDL, UDDI and other WS-* specifications.
A WS-Policy document expresses rules that may be as simple as a requirement to use WS-Addressing in SOAP headers or as complex as giving a list of "assertions" about alternate message signing algorithms which the service can recognize. Essentially, WS-Policy attempts to formalize in both machine- and human-readable form aspects of Web service communication that might otherwise require extensive text documentation or direct person to person communication. The examples given by the WS-Policy working group show how to express complex security requirements.
The WS-Policy specification has undergone a series of drafts and is now at the "Last Call Working Draft" stage, but does not yet have official W3C status. You can get a copy of the current working draft documentation from the Web Services Policy Working Group URL given in the resources.
Creators of WS-Policy
The list of participants working on WS-Policy shows that a wide spectrum of industry heavyweights have been contributing to the process of refining the framework. As part of the W3C's recent emphasis on software patent policy, these companies have made licensing commitments to ensure that when WS-Policy reaches Recommendation stage it will be royalty free.
Web Services Policy Attachment
The basic WS-Policy specification does not state how a given policy document gets associated with a specific Web service. That function is being covered in a separate WS-PolicyAttachement specification that defines mechanisms by which a policy gets associated with a Web service entity and with WSDL or UDDI descriptions.
Microsoft provides the Web Services Enhancements add-on for Visual Studio.NET which supports WS-Policy and many other of the latest Web services related specifications.
The Apache "Commons" open source project contains a set of Java classes for reading and manipulating WS-Policy documents. This toolkit is part of the new Apache Axis2 Web services toolkit, but not part of Sun's Java Web Services Developer Package. The Apache API includes the rather elegant capability of automatically combining a WS-Policy document for a service with potential client policy alternatives to reveal the policy or policies where there is mutual agreement.
For me the question is - will WS-policy prove to be the solution to the obvious problem of helping developers coordinate all of the various specifications related to Web services or will it join the ranks of elegant specifications that everybody admires but few people use? Check back again in a year, maybe we will know by then.
A Java toolkit for implementation of WS-Policy in the Apache Commons project