+

Search Tips   |   Advanced Search

Web service clients and policy configuration using the service provider policy


If a service provider publishes its policy in its WSDL, the policy configuration of a WAS service client can be configured dynamically, based on the policies supported by its service provider.

The service provider must publish its policy in WS-PolicyAttachment format in its WSDL and the client must be able to support those provider policies. The client can base its policy configuration entirely on the policy of the provider, or partly on the policy of the provider with restrictions defined by the policy set configuration of the client.

A client acquires the provider policy by using either an HTTP Get request or the Web Services Metadata Exchange (WS-MetadataExchange) protocol to obtain the WSDL of the provider. Configure how the client obtains the provider policy, and the endpoint at which the policy is acquired, by using the admin console or wsadmin commands. If we use the WS-MetadataExhange protocol to obtain the policy of the provider, this has the advantage that we can secure WS-MetadataExchange GetMetadata requests by using a suitable system policy set.

If the provider policy uses multipart WSDL, we can use an HTTP Get request to obtain the policy of the provider, but we cannot use the WS-MetadataExhange protocol.

See about multipart WSDL, see the topic about WSDL.

The Web app client-side policy is calculated and cached as a runtime configuration. This calculated policy is known as the effective policy and is used for subsequent outbound Web service requests to the endpoint or operation for which the calculation was performed. The original policy set configuration of the client does not change.

For a specific set of WSDL, dynamic policy configuration occurs once, and it is assumed that this configuration is the same for all endpoints that implement a service, because they have the same WSDL. The policy calculations that are based on this WSDL are cached in the client runtime (they are not persisted) and shared with each target service.

For example, in a cluster environment, this means that the client does not obtain the provider policy again for each endpoint instance of a Web service.

If we require a different policy configuration for each endpoint implementation, create a new port for each endpoint. Then we can specify a different policy configuration for each endpoint.

Transport policies such as HTTP, SSL, and JMS, cannot be expressed in WS-PolicyAttachment format, so the client cannot acquire the transport policies of the service provider. If the client requires transport policies, configure these policies as part of the policy set configuration of the client.

 

Policy in a registry

A client can obtain the policy configuration of a Web service provider from a registry, such as WebSphere Service Registry and Repository (WSRR), using an HTTP Get request.

The WSDL for the policy of the service provider, and its corresponding policies and policy attachments, are stored in a registry such as WSRR. That policy must contain its policy configuration in WS-PolicyAttachments format. The client must be able to support those provider policies.

The registry must support the use of HTTP Get requests to publish WSDL that contains WS-Policy attachments, for example WSRR V6.2 or later.

We can apply the provider policy that the client obtains from a registry at the service level, but not at the application level.

If there is a secure connection between the client and the registry, ensure that trust is established between the appserver and the registry server.

If the registry requires authentication, you also have to configure a policy to authenticate outbound service requests to the registry. The HTTP and HTTPS credentials are used for both the Web service endpoint and the registry. Therefore, it is advisable to secure any authorization credentials and ensure that those credentials are not sent to an unauthorized endpoint.

 

Policy inheritance

The provider policy can be attached at the application or service level. Endpoints and operations inherit their policy configuration from the relevant service.

 

Calculating policy

Policy intersection is the comparison of a client.policy and a provider policy to determine whether they are compatible, and the calculation of a new policy that complies with both their requirements and capabilities. When you obtain the policy of a service provider, we can choose to use the provider policy only, or to use the client and the provider policy. The outcome of policy intersection is as follows:

The WS-Policy language provides a way to express multiple policy choices, so the policy calculation might produce more than one result. For example, the service provider might support both WS-ReliableMessaging 1.0 and WS-ReliableMessaging 1.1. If the client also supports both versions, the client could use either version in its Web service requests to the provider. In this situation, where more than one spec version is acceptable to both the client and the provider, the effective policy is calculated using the most recent version.

 

Policy intersection in the JAX-WS dispatch client

Invocations that use the JAX-WS dispatch client (javax.xml.ws.Dispatch) use provider policy in their configuration if this is the administered behavior for the service. If the operation for the invocation is unknown, the client behaves as follows:

 

Refreshing the provider policy held by the client

The provider policy that the client holds for a service is refreshed the first time that the Web service is invoked after the application is loaded. After that, the provider policy is refreshed when the application restarts, or when you explicitly invoke an update of the provider policy. When the provider policy is refreshed, the effective policy is recalculated.

We can invoke an update of the provider policy in the application code. This might be useful if a JAX-WS invocation fails; in the exception handling, we can force a retry with refreshed policy. We can set the following property (available in the WSPConstants class of the API) on the JAX-WS client proxy, then reissue the JAX-WS request: com.ibm.wsspi.wspolicy.refreshProviderPolicy.

When the com.ibm.wsspi.wspolicy.refreshProviderPolicy property is set, the provider policy that the client holds for a service is refreshed, and the effective policy is recalculated at the next request. After the refresh and recalculation have occurred, the com.ibm.wsspi.wspolicy.refreshProviderPolicy property is unset.

After an update of the policy provider is invoked, the next time that the Web service that is associated with the endpoint you selected is invoked, the policy of the service provider is obtained and the policy intersection is recalculated.

The following example of code for a dispatch client shows the identification of an exception that might be resolved by refreshing the provider policy, followed by the invocation of the refresh.

try 
{  
    dispatch.invoke(params); 
}  catch (javax.xml.ws.WebServiceException e) 
{  
  Throwable cause = e.getCause();
  if ((cause instanceof NullPolicyException) || (cause instanceof PolicyException) ) 
{

// The exception might be because the policy of the provider is not up to date.

//

// There is also a message on the console that starts with the characters CWPOL, 

// which helps to decipher and debug the cause of the error.

// This message is also available by using

// 

String nlsedMessage = cause.getMessage();
  Map<String, Object>
 requestContext = dispatch.getRequestContext();
  requestContext.put(WSPConstants.REFRESH_PROVIDER_POLICY, Boolean.TRUE);


// The following method might cause another jax-ws invocation exception.

// The cause might still be policy, in which case, a message is written to the 

// console.  
dispatch.invoke(params);
 
}

// For all other exceptions, use the normal exception handling for the 

// application. In this case, assume there are no other exceptions and rethrow the 

// initial exception. Remember that the WebServiceException might be caused by a

// WSPolicyAdministrationException. In this situation, a message is written to the 

// console, but forcing a refresh in the application cannot resolve the problem. 
throw e; 
} 




 

Related concepts


WSDL

 

Related tasks


Set the client.policy using a service provider policy
Set the client.policy using a service provider policy from a registry
Set security for a WS-MetadataExchange request
Set the client.policy based on a service provider policy using wsadmin
Learn about WS-Policy

 

Related


Additional Application Programming Interfaces (APIs)
Policies applied settings
Policy set bindings settings