W3C home > Mailing lists > Public > public-ws-policy@w3.org > October 2007

Ordering of Assertions: Comment on WS-Policy Primer LCWD

From: ashok malhotra <ashok.malhotra@oracle.com>
Date: Wed, 10 Oct 2007 09:56:05 -0700
Message-ID: <470D0425.2080102@oracle.com>
To: public-ws-policy@w3.org

  Ordering of Assertions

The Framework document says: “Assertions within an alternative are not 
ordered, and thus aspects such as the order in which behaviors 
(indicated by assertions) are applied to a subject 
<http://www.w3.org/TR/2007/REC-ws-policy-20070904/#policy_subject> are 
beyond the scope of this specification. However, authors can write 
assertions that control the order in which behaviors are applied.”. This 
is a curious head-in-the-sand statement as it admits that the order in 
which assertions within an alternative are applied can be important and 
then refuses to address the problem.

In a note to the WG 
Tony Rogers said:

“While I can appreciate the desire to avoid specifying the order of

applying the behaviors, I think the line has been crossed when

suggesting the possibility of an ordering assertion. By suggesting it, I

believe the WG is obligated to provide an example of a possible form :-)”

That the order in which assertions are applied is important is 
demonstrated by WS-SecurityPolicy which defines the assertions below to 
set the Protection Order Property:

<sp:SignBeforeEncrypting />

and <sp:EncryptBeforeSigning />

The WS-SecurityPolicy spec discusses the order in which assertions 
should be applied in several places, leaving no doubt that the order in 
which things are done is, indeed, important.

So, within a particular Policy domain, if the order of assertions is 
important, the domain can specify ordering assertions as shown in the 
above examples from the security domain. But, what about policy 
assertions from different domains? For example, how do we say that 
Reliable Messaging headers must be added before encryption is performed? 
And, who is to say that? Clearly, some general rules can be established, 
such as encryption is done last and decryption is done first. This seems 
like a sensible rule although WS-SecurityPolicy does not say that.

Into this mix of assertions from different domains add the possibility 
of custom assertions that an installation may want to support, say 
logging or auditing. In many cases the order in which assertions are 
processed may not matter, but where it does matter do we need to specify 
a special assertion for every pair of assertions that need to be 
ordered? Clearly, this is not feasible as the Policy processing engine 
will need to be undated whenever a new ordering assertion is added. So, 
what we need is a general-purpose ordering assertion.

Here is one way of accomplishing this. Create an ordering assertion 
which has a single attribute of type IDREFS, no element children or 
other attributes. Say,

<acme:ordering order = “1 3 2” />

Here the “ordering” assertion has a single attribute called “order” of 
type IDREFS. Use the extensibility mechanism to add an attribute of type 
ID to each assertion within a Policy alternative where ordering is 

Include the ordering assertion within the policy alternative. The order 
in which the assertions in the alternative will be applied is the order 
in which their IDs appear on the order attribute of the ordering assertion.

Consider the following Policy:



<sns:DoThis id=’banana’/>

<sns:DoThat id= ‘orange’/>

<acme:ordering order = ‘orange apple banana’/>

<sns:DoTheOther id=’apple’/>



where the three assertions in the namespace identified by the “sns” 
prefix have an attribute named ‘id’ of type ID. The assertions in this 
Policy would be applied in the order indicated by the ordering assertion.

All the best, Ashok
Received on Wednesday, 10 October 2007 16:57:19 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:38:36 UTC