Associating Security Policies with Web Services

The Security Policy Association shared configuration resource allows you to associate a security policy with a web service. A security policy can either be associated with individual SOAP resources (SOAP Event Source, SOAP Request Reply, and so on), or it can be associated with each operation in a Service resource. You must create a Security Policy Association resource for each SOAP resource or Service operation to which you wish to apply a security policy.

Note: Security Policy Association shared configuration resources are not referenced by resources in process definitions. Therefore, they are not automatically included in Enterprise Archive files. You must manually add WS Policy Association resources to the Shared Archive within an Enterprise Archive for the associations to work properly in a deployed project. See the TIBCO Administrator User’s Guide for more information about adding resources to the Shared Archive.

When you associate a policy with a Service operation, the policy applies to all regular or fault inbound and outbound messages for the operation. When you associate a policy with a specific SOAP Resource, the appropriate security policies are applied to the messages sent or received by the resource. For example, a SOAP Event Source can only receive messages, so a security policy can only be applied to incoming messages. A SOAP Request Reply activity can send and receive messages, and it may also receive a fault message. Therefore, you can associate a security policy with the inbound, outbound, and inbound fault messages.

Warning:
  • You can create more than one Security Policy Association resource for the same SOAP or Service resource in your project. This is not recommended because only the first policy association for the resource is used. All other policy associations are ignored.
  • To run a project with security policy associations successfully, ensure that all the policy associations in the project are valid. Any invalid associations must be removed from the project before running the project.