Question

I would like to implement access control to a Web service (operations, messages, etc.). My findings indicate that this can be done via WS-Policy or XACML. It looked to me like Axis2 has a good implementation of WS-Policy and one can define assertions that regulate access to every operation for example. I have some questions:

1) Assuming I have a WS-Policy XML file in place, how do I include it in the WSDL (using APIs to include it in the generated WSDL, or manually)?

2) Assuming I have an application design where clients discover services through a broker residing in a repository, are the policies integrated within the WSDL in this repository, so that every provider who wants to implement a service follows the WSDL + policies in the broker repo, OR does every provider get the WSDL from the repo and augment it with its own policies? Which approach is correct and feasible in the context of Axis2?

3) Can I limit what services a client can search for in the repo by using WS-Policy with UDDI? Is it supported by Axis2?

Thank you very much !!


Solution

WS-Policy is a very generic policy language that is not particularly aimed at authorization or access control. WS-Policy focuses more on what should happen to the message (e.g. signature, encryption...). WS-Policy policies can be referenced from the WSDL, or you can use XSLT to embed the policy inside the WSDL after you have generated your WSDL from the service stub.

XACML is much more specific to access control. In that sense, it is probably better suited to your use case. There are several open-source and vendor alternatives. Axiomatics, the vendor I work for, has a JAX-WS interceptor which intercepts your web service message and applies fine-grained authorization using XACML.

Regarding your third question:

Can I limit what services a client can search for in the repo by using WS-Policy with UDDI? Is it supported by Axis2?

I don't believe you can do that. Also, UDDI isn't actively developed anymore. The standard is a bit old.

Bottom line: WS-Policy is more about how to expose your service and how to handle operations and messages. XACML is more about the actual business authorization logic.
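One way to express the per-operation authorization the answer recommends, as an added example and not code from the answer or from any vendor product: an XACML 3.0 policy that permits a single Web service operation to callers holding a given role and denies everything else in scope. The operation name, the role attribute id and the policy/rule ids are constructed placeholders; the enforcement point (for instance a JAX-WS interceptor) is assumed to map the invoked operation to the standard action-id attribute and the authenticated caller's role to the subject attribute named here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the answer above). Operation name, role
     attribute id and policy/rule ids are constructed placeholders. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:example:policy:account-service"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>
    Only callers holding the "account-manager" role may invoke the
    getAccountBalance operation; every other request in scope is denied.
  </Description>
  <!-- Policy target: the action-id supplied by the enforcement point
       is assumed to be the invoked SOAP operation name. -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">getAccountBalance</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <!-- Single Permit rule keyed on a role attribute of the access-subject.
       The attribute id urn:example:attribute:role is a placeholder. -->
  <Rule RuleId="urn:example:rule:account-manager-may-read" Effect="Permit">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">account-manager</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                 AttributeId="urn:example:attribute:role"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
  <!-- No explicit Deny rule is needed: deny-unless-permit evaluates to Deny
       whenever the Permit rule does not apply, so a missing or wrong role
       (or a missing role attribute) is rejected rather than left undecided. -->
</Policy>
```

Keeping the operation name in the policy target rather than in the rule means one policy per operation can be selected by the decision point, while the role check stays in a rule that can be duplicated for further roles without touching the target.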

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow