WS-Policy is one of the very cool things that you get to leverage with WSE. I kind of love and hate the fact that there’s a lot of “magic” happening here. When you define policies, your application behaves based on those policies. So on the client end if you say “usernametoken needs to be encrypted”, it just happens, you don’t write code to do the encryption. On the receiving end, you can say “I won’t take anything where the usernametoken is not encrypted” and it does the checks for you – no coding involved.
So given that (very light explanation), there is a tool in WSE that helps you build these policies. The output of this tool is a policycache.config file. Since you can edit the config file manually (and do a lot more than the tool will let you do) remember that the tool cannot open a config file back up for editing.
Here’s what’s really important about this, and (I’ve noted this before) but that was before I had worked with this myself. At TechEd, in response to a question I asked, Don Box said that “non-plumbers” can do security with WSE without having to learn the deeper stuff, but you won’t be able to fix problems. This is very true. I am trying to learn WSE well enough so that I won’t be dangerous. You can get away with using the tools, but you should really know what’s going on in the background, even if you are just doing some simplistic stuff.
Another thing that I think is notable about about Policies is this list of Policy Limitations in the WSE documentation. This is not about the limitations of WS-Policy, but of WSE2’s implementation of it. Information like this is your best bet for not being a dangerous programmer. You don’t have to learn WSE inside and out to use it (thank you WSE2) but know where you might get in trouble, know enough to fix problems or do a little tweaking. I am doing a LOT of work to get myself to at least this point. Hopefully I’ll be able to make some of the info more digestable for non-plumbers (like myself) but my message will still be that you have to know what you are working with. Don’t think you can click a few buttons and get away with it.
Sign up for my newsletter so you don't miss my conference & Pluralsight course announcements!