NEW ISSUE: Clarify the policy model for Web Services




I suggest that the policy model in section 3.4 of the Framework
specification be described in a slightly more generic form. The main
reason is to enhance the policy model so it'll better fit with the
potential Framework use cases.




Yakov Sverdlov





Clarify the policy model for Web Services



I think it makes sense to decouple the policy model for web services in
section 3.4 from the requester/provider paradigm and to describe the
model in terms of entities in a Web services-based system. Let's look at
the traditional stock trading use case for the authorization domain,
i.e. a client application sends a trade request to a web service.


There may be the following entities (with associated distinct
policies/subjects) involved in this interaction: requester application;
requester device (wireless PDA, cell phone), on which the application is
running; and web service provider (application). Any component of Web
infrastructure (WAP gateway, web server, application server, etc) may
also be considered an entity in this interaction and may have an
authorization policy - for example, "Do not accept a trade order with
the amount of more than $1M if the order comes through WAP". The same
may apply to the policy processor itself with the policy specifying
something like "Only policies starting from the WS-Policy version 1.6
are accepted..."


It is my understanding that, in this particular example, at least five
policies for the same policy domain will have to be evaluated. It is
also my understanding that these policies may be attached to different
policy subjects: requester app or message; requester device; message;
Web infrastructure component; and WS-Policy version; respectively.


In my opinion, the policy model in section 3.4 should describe such
actions as conveying the conditions, using the policy, choosing an
alternative, policy assertion support, etc., in regard to an entity in a
Web services-based system instead of binding these actions to a
requester or provider.




The proposal is intended to address the following discrepancies/issues:

1. The title does not correctly reflect the content of the section.

2. The model should be presented in a slightly more abstract form
to better fit with the potential Framework use cases.

3. The use case, which is described in the section, should not be
presented as typical.



WS-Policy Framework, 3.4 Web Services



The proposal includes the following changes:


1. Change the section 3.4 title from "Web Services" to "Policies of
Entities in a Web services-based system"


2. Modify the text of section 3.4. 


I don't have the actual text for the proposed change. 


The first paragraph may begin as:


 "Applied in the Web services model, policy is used to convey conditions
on an interaction between entities in a Web services-based system
(requester, provider, Web infrastructure component, etc). Typically, an
entity in a Web services-based system exposes a policy to convey
conditions under which it functions..."


The requester/provider scenario should be present in the section almost
"as is" to illustrate one of the possible use cases.


Received on Friday, 8 September 2006 01:07:40 UTC