WS Security From Target Policy
General Information
Policy Type
policy-ws-security-from-target
UI Documentation
📖 For detailed information: [UI Documentation Link - Link will be added here]
Description
WS Security From Target policy processes WS-Security headers from SOAP responses received from the backend service. It can decrypt encrypted content and verify signatures according to WS-Security standards.
Endpoints
List Policies
GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/
Add Policy
POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Update Policy
PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Delete Policy
DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
List Policies
Endpoint
GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
Response
Success Response (200 OK)
{
"success": true,
"resultList": [
{
"apiProxy": {
"name": "MyAPI",
"requestPolicyList": [],
"responsePolicyList": [
{
"type": "policy-ws-security-from-target",
"name": "ws-security-from-target-policy",
"description": "Process WS-Security from backend responses",
"active": true,
"decExists": true,
"verExists": true,
"decKeyStoreName": "decryption-keystore",
"verKeyStoreName": "verification-keystore",
"allowCaseInsensitiveId": false
}
],
"errorPolicyList": []
}
}
],
"resultCount": 1
}
cURL Example
curl -X GET \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
-H "Authorization: Bearer YOUR_TOKEN"
Add Policy
Endpoint
POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example - Decryption and Verification
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "RESPONSE",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-from-target",
"description": "Decrypt and verify WS-Security from backend",
"active": true,
"decExists": true,
"verExists": true,
"decKeyStoreName": "decryption-keystore",
"verKeyStoreName": "verification-keystore",
"allowCaseInsensitiveId": false
}
}
Full JSON Body Example - Decryption Only
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "RESPONSE",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-from-target",
"description": "Decrypt WS-Security from backend",
"active": true,
"decExists": true,
"verExists": false,
"decKeyStoreName": "decryption-keystore",
"verKeyStoreName": null,
"allowCaseInsensitiveId": false
}
}
Full JSON Body Example - Verification Only
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "RESPONSE",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-from-target",
"description": "Verify WS-Security signatures from backend",
"active": true,
"decExists": false,
"verExists": true,
"decKeyStoreName": null,
"verKeyStoreName": "verification-keystore",
"allowCaseInsensitiveId": false
}
}
Full JSON Body Example - Case Insensitive ID Matching
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "RESPONSE",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-from-target",
"description": "Process WS-Security with case insensitive ID matching",
"active": true,
"decExists": true,
"verExists": true,
"decKeyStoreName": "decryption-keystore",
"verKeyStoreName": "verification-keystore",
"allowCaseInsensitiveId": true
}
}
Request Body Fields
operationMetadata
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| targetScope | string | Yes | - | Policy scope: ALL or ENDPOINT |
| targetEndpoint | string | No* | - | Endpoint path (required if targetScope=ENDPOINT) |
| targetEndpointHTTPMethod | string | No* | - | HTTP method (required if targetScope=ENDPOINT) |
| targetPipeline | string | Yes | - | Pipeline: REQUEST, RESPONSE, or ERROR |
| deploy | boolean | No | true | Whether to deploy after adding policy |
| deployTargetEnvironmentNameList | array | No | [] | List of environment names to deploy to |
| order | integer | No | null | Policy execution order (starts from 1) |
Enum: targetScope
ALL- Policy applies to all endpointsENDPOINT- Policy applies only to specified endpoint
Enum: targetPipeline
REQUEST- Executes in request pipeline (processes WS-Security from incoming requests)RESPONSE- Executes in response pipeline (processes WS-Security from backend responses)ERROR- Executes in error pipeline
Enum: targetEndpointHTTPMethod
GET,POST,PUT,DELETE,PATCH,OPTIONS,HEAD
policy
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| type | string | Yes | - | Policy type: policy-ws-security-from-target |
| description | string | No | - | Policy description |
| active | boolean | No | true | Whether policy is active |
| decExists | boolean | No* | false | Enable decryption (at least one of decExists or verExists must be true) |
| verExists | boolean | No* | false | Enable signature verification (at least one of decExists or verExists must be true) |
| decKeyStoreName | string | No* | null | Decryption keystore name (required if decExists=true) |
| verKeyStoreName | string | No* | null | Verification keystore name (required if verExists=true) |
| allowCaseInsensitiveId | boolean | No | false | Allow case insensitive ID attribute matching (for cross-platform compatibility) |
Note
- At least one of
decExistsorverExistsmust betrue. - If
decExists: true,decKeyStoreNameis required. - If
verExists: true,verKeyStoreNameis required. allowCaseInsensitiveIdis useful for cross-platform compatibility when ID attributes may have different cases.
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": [
{
"environmentName": "production",
"success": true,
"message": "Deployment successful"
}
]
}
}
cURL Example
curl -X POST \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/ws-security-from-target-policy/" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "RESPONSE",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-from-target",
"description": "Decrypt and verify WS-Security from backend",
"active": true,
"decExists": true,
"verExists": true,
"decKeyStoreName": "decryption-keystore",
"verKeyStoreName": "verification-keystore",
"allowCaseInsensitiveId": false
}
}'
Update Policy
Endpoint
PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "RESPONSE",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-from-target",
"description": "Updated: Enhanced WS-Security processing with production keystores",
"active": true,
"decExists": true,
"verExists": true,
"decKeyStoreName": "test-keystores",
"verKeyStoreName": "test-keystores",
"allowCaseInsensitiveId": true
}
}
Note: Request body structure is the same as Add Policy. All fields should be provided for update.
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": [
{
"environmentName": "production",
"success": true,
"message": "Deployment successful"
}
]
}
}
Delete Policy
Endpoint
DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "RESPONSE",
"deploy": false
}
}
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": []
}
}
Notes and Warnings
- Decryption:
- Decrypts encrypted SOAP content from backend responses
- Requires decryption keystore with appropriate private keys
- Decryption keystore must match encryption keystore used by backend
- Verification:
- Verifies WS-Security signatures from backend responses
- Ensures message integrity and authenticity
- Requires verification keystore with appropriate public keys/certificates
- Case Insensitive ID Matching:
allowCaseInsensitiveId: trueallows matching ID attributes regardless of case- Useful for cross-platform compatibility (e.g., .NET vs Java)
- May be necessary when backend uses different ID attribute casing
- Key Stores:
- Decryption and verification keystores must be configured in Apinizer
- Keystores must contain appropriate keys/certificates
- Keys must match those used by the backend service
- Performance: WS-Security processing adds cryptographic overhead. Use for necessary security only.
- Pipeline:
REQUESTpipeline processes WS-Security from incoming requestsRESPONSEpipeline processes WS-Security from backend responses (most common)
- Error Handling:
- Decryption failure causes policy to fail
- Signature verification failure causes policy to fail
- Invalid keystore or missing keys causes policy to fail
- Deployment: Policy changes require deployment to take effect. Set
deploy: trueor deploy manually.
Related Documentation
- List Policies - List all policies
- Add Policy - General policy addition guide
- Update Policy - General policy update guide
- Delete Policy - General policy deletion guide
- WS Security To Target Policy - Add WS-Security to requests