Applying policies at binding hierarchy in Apache Axis2 1.4

One of the new features introduced in Apache Axis2 1.4 is the ability to apply policies at the binding hierarchy. Prior to Axis2 1.4, we were only able to apply policies at server level, operation level and message level, and those policies were applied to all the SOAP bindings. With Axis2 1.4, we can apply policies at different policy subjects in the binding hierarchy using the new policy configuration. In this Knowledge Base item, we will look at how to apply policies at the different policy subjects (binding, binding operation and binding message) in the binding hierarchy using the new policy configuration in Axis2 1.4.

Applies To

Apache Axis2/Java 1.4.x

What are the different levels of the binding hierarchy?

You can apply policies at three different policy subjects in the binding hierarchy.

  • Binding level
  • Binding operation level
  • Binding message level

How to apply policies at binding level?

Say you want a policy to be added to both the SOAP 1.1 binding and the SOAP 1.2 binding at binding level. You can define that in services.xml with the following configuration.

<service>
       ...
   <wsp:PolicyAttachment xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:AppliesTo>
        <policy-subject identifier="binding:soap11" />
        <policy-subject identifier="binding:soap12" />
      </wsp:AppliesTo>
        <wsp:Policy wsu:Id="binding_level_policy"
         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">  
           ... policy assertions ...
       </wsp:Policy> 
    </wsp:PolicyAttachment>
</service>


How to apply policies at binding operation level?

This configuration is very similar to the earlier one and uses the <wsp:AppliesTo> element to define the scope of the policy. In this example the operation name is "secureEcho".

<service>
       ...
   <wsp:PolicyAttachment xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:AppliesTo>
        <policy-subject identifier="binding:soap11/operation:secureEcho" />
        <policy-subject identifier="binding:soap12/operation:secureEcho" />
      </wsp:AppliesTo>
        <wsp:Policy wsu:Id="operation_level_policy"
         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">  
           ... policy assertions ...
       </wsp:Policy> 
    </wsp:PolicyAttachment>
</service>


How to apply policies at binding message level?

The following configuration is used to attach a policy to the in message. For the out message, the configuration is similar, and the identifier attribute of the <policy-subject/> element in <wsp:AppliesTo> changes to "binding:soap11/operation:echo/out". In this example the operation name is "secureEcho".

<service>
       ...
   <wsp:PolicyAttachment xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:AppliesTo>
        <policy-subject identifier="binding:soap11/operation:secureEcho/in" />
        <policy-subject identifier="binding:soap12/operation:secureEcho/in" />
      </wsp:AppliesTo>
        <wsp:Policy wsu:Id="message_level_policy"
         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">  
           ... policy assertions ...
       </wsp:Policy> 
    </wsp:PolicyAttachment>
</service>

You can see a sample services.xml which has all three configurations here.

How are policies attached to the bindings in the generated WSDL?

You can find the WSDL generated for the service defined in the above services.xml here. If we take a look at the binding section of the WSDL, we can see how policies are attached to the correct attachment points.

    <wsdl:binding name="SecureServiceSoap12Binding" type="ns:SecureServicePortType">
        <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#binding_level_policy"/>
        <soap12:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
        <wsdl:operation name="secureEcho">
            <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#operation_level_policy"/>
            <soap12:operation soapAction="urn:secureEcho" style="document"/>
            <wsdl:input>
                <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#message_level_policy"/>
                <soap12:body use="literal"/>
            </wsdl:input>
            <wsdl:output>
                <soap12:body use="literal"/>
            </wsdl:output>
        </wsdl:operation>
        <wsdl:operation name="echo">
            <soap12:operation soapAction="urn:echo" style="document"/>
            <wsdl:input>
                <soap12:body use="literal"/>
            </wsdl:input>
            <wsdl:output>
                <soap12:body use="literal"/>
            </wsdl:output>
        </wsdl:operation>
    </wsdl:binding>

Policies are attached to the correct attachment points using <wsp:PolicyReference/> elements, and each <wsp:PolicyReference/> element refers to its policy by the policy's "wsu:Id" attribute. So if you look carefully at the WSDL, you can see the policies with those "wsu:Id" values defined within the <wsdl:definitions> element:

<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
        ...
    <wsp:Policy wsu:Id="binding_level_policy" 
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" >
        <wsp:ExactlyOne>
            <wsp:All>
                ... policy assertions ... 
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
    <wsp:Policy wsu:Id="operation_level_policy" 
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" >
        <wsp:ExactlyOne>
            <wsp:All>
                ... policy assertions ... 
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
    <wsp:Policy wsu:Id="message_level_policy" 
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" >
        <wsp:ExactlyOne>
            <wsp:All>
                ... policy assertions ... 
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
        ...
</wsdl:definitions>


Should I use this configuration in Axis2 1.4 / Rampart 1.4 to configure security?

Unfortunately, you can't use this configuration in Axis2 1.4 to configure security, for the reason mentioned in the tutorial "Security vulnerabilities in Apache Axis2 1.4 / Rampart 1.4 and how to avoid them". But you will be able to get the full benefit of this feature in upcoming versions of Axis2, starting from the 1.4.1 patch release.

Author

Nandana Mihindukulasooriya, Software Engineer, WSO2 Inc. nandana AT wso2 DOT com
