Previous Topic: How to Identify a Web Service Resource by Agent, Realm, and RuleNext Topic: Variables

Web Services Security GuidesCA SiteMinder WSS Policy Configuration GuideConfigure Security Policies Using Domain-based Policy ManagementGuided Example: Create Security Policies from a WSDL File

Guided Example: Create Security Policies from a WSDL File

Deployed web services are typically described in an associated Web Services Description Language (WSDL) file. One way of getting started creating security policies using tradtional policy management, especially in terms of creating realms, rules, and the resource mappings they define, is to work from the WSDL file associated with a deployed web service.

Follow these steps:

  1. Parse the WSDL file for the web service you want to secure. Look for <service> elements. A <service> element contains the web service <port> elements which need to be secured. The name attribute of a <port> element identities the port type (and hence contains a reference to a <portType> element). A <port> element also contains the binding URL which refers to the URL where the web service is located. The web service port is protected by creating a realm whose Resource Filter is the combination of the binding URL and port name.

    In the following snippet from ExampleSearch.wsdl, the web service port to secure is ExampleSearchPort. This port is bound to the URL http://api.example.com/search/beta2. 

     <service name="ExampleSearchService">
    <port name="ExampleSearchPort" binding="typens:ExampleSearchBinding">
      <soap:address location="http://api.example.com/search/beta2"/>
    </port>
  </service>
  2. To protect the ExampleSearchPort web service, create a realm named ExampleSearchRealm whose Resource Filter is /search/beta2/. Choose a SiteMinder WSS Agent and authentication scheme with which to secure this realm as appropriate.
  3. Repeat Step 2 (create a realm) for every <port> element contained within the <service> element in the WSDL file.
  4. Look for all the web service operations that are available under the above web service port by looking for the <portType> element whose name matches the name of the <port> element.

    In the following snippet, the three web service operations to secure are doGetCachedPage, doSpellingSuggestion and doExampleSearch. All these three operations are children of ExampleSearchPort which has been secured by the realm named ExampleSearchRealm.

      <portType name="ExampleSearchPort">
    <operation name="doGetCachedPage">
      <input message="typens:doGetCachedPage"/>
      <output message="typens:doGetCachedPageResponse"/>
    </operation>

    <operation name="doSpellingSuggestion">
      <input message="typens:doSpellingSuggestion"/>
      <output message="typens:doSpellingSuggestionResponse"/>
    </operation>

    <operation name="doExampleSearch">
      <input message="typens:doExampleSearch"/>
      <output message="typens:doExampleSearchResponse"/>
    </operation>

  </portType>
  5. To configure fine-grain authorization policies, you must secure every child <operation> element. Create a rule under the ExampleSearchRealm realm for each operation with the following properties:

    Resource Filter: “/Web Service Operation Name"

    Action: Post, ProcessSOAP and ProcessXML Web Agent actions

  6. Create a policy containing the rules you created for every web service operation in the WSDL; assign users to the policy, as required.