Service composition is a new paradigm for efficient and cost-effective IT service provisioning over the network. To safely and effectively deploy composed services within an organization or among multiple domains, one must be able to specify and enforce a variety of constraints, such as those derived from legal regulations, Quality of Service (QoS) requirements, and privacy and security policies. In this paper, we show through concrete examples that constraints involving topologies are common for composed services but are rarely supported by existing service composition policy languages. We then present a rule-based constraint policy language built on top of a general graph-based service composition model. The language provides a unified treatment of both attribute-based and topology-based constraints. We further design an ontology-based policy framework for effective policy enforcement and analysis. Finally, we implement a prototype policy management system for service composition and conduct extensive experiments to evaluate the effectiveness of the proposed techniques.