Network Deployment (Distributed operating systems), v8.0 > End-to-end paths > Web services - Policy (WS-Policy) > Use WS-Policy to exchange policies in a standard format > WS-Policy


Web service clients and policy configuration to use the service provider policy

If a service provider publishes its policy in its Web Services Description Language (WSDL), the policy configuration of a WAS service client can be configured dynamically, based on the policies supported by its service provider.

The service provider must publish its policy in WS-PolicyAttachment format in its WSDL and the client must be able to support those provider policies. The client can base its policy configuration entirely on the policy of the provider, or partly on the policy of the provider with restrictions that are defined by the policy set configuration of the client.

A client acquires the provider policy by using either an HTTP GET request or the Web Services Metadata Exchange (WS-MetadataExchange) protocol to obtain the WSDL of the provider. We can configure how the client obtains the provider policy, and the endpoint at which the policy is acquired, by using the admin console or wsadmin commands. If you use the WS-MetadataExchange protocol to obtain the policy of the provider, this has the advantage that you can secure WS-MetadataExchange GetMetadata requests by using a suitable system policy set.
If the provider policy uses multipart WSDL, you can use an HTTP GET request to obtain the policy of the provider, but you cannot use the WS-MetadataExchange protocol. For more information about multipart WSDL, see the topic about WSDL.

The web application client-side policy is calculated and cached as a runtime configuration. This calculated policy is known as the effective policy and is used for subsequent outbound web service requests to the endpoint or operation for which the calculation was performed. The original policy set configuration of the client does not change.

For a specific service, dynamic policy configuration occurs once by default, and it is assumed that this configuration is the same for all endpoints that implement a service, because they have the same WSDL. The policy calculations that are based on this WSDL are cached in the client runtime (they are not persisted) and shared with each target service.

In a cluster environment, this means that the client does not obtain the provider policy again for each endpoint instance of a web service.

New feature: New feature:

In WAS v8.0, a service reference can be configured to use a different WSDL document to the WSDL configured for the client service. By default, service references inherit their policy set and WS-Policy configuration from their parent service, however, if desired, the policy set and WS-Policy configuration can be overwritten. See the Use WS-Policy to exchange policies in a standard format topic and its child topics for further details. New feature:

If you require a different policy configuration for each endpoint implementation, create a new port for each endpoint. Then you can specify a different policy configuration for each endpoint.

Transport policies such as HTTP, SSL, and JMS, cannot be expressed in WS-PolicyAttachment format, so the client cannot acquire the transport policies of the service provider. If the client requires transport policies, configure these policies as part of the policy set configuration of the client.

For an HTTP GET request, when the request is targeted at the same location as the endpoint, the request uses the same HTTP and SSL transport policies as the application. When the HTTP GET request is targeted at a different endpoint, you can also attach a system policy set to specify different HTTP and SSL transport policies.

For a WS-MetadataExchange GetMetadata request, the WS-Security configuration in the specified system policy set is used. The HTTP transport properties are inherited from the application.

A client that is configured to use Security Assertion Markup Language (SAML) can use dynamic policy configuration. However, the client must be configured to use general bindings.


Policy in a registry

A client can obtain the policy configuration of a web service provider from a registry, such as WebSphere Service Registry and Repository (WSRR), by using an HTTP GET request.

The WSDL for the policy of the service provider, and its corresponding policies and policy attachments, are stored in a registry such as WSRR. That policy must contain its policy configuration in WS-PolicyAttachments format. The client must be able to support those provider policies.

The registry must support the use of HTTP GET requests to publish WSDL that contains WS-Policy attachments, for example WSRR v6.2 or later.

You can apply the provider policy that the client obtains from a registry at the service or service reference level, but not at the application level.

If there is a secure connection between the client and the registry, ensure that trust is established between the application server and the registry server.

If the registry requires authentication, you also have to configure a policy to authenticate outbound service requests to the registry. By default, the HTTP and HTTPS credentials are used for both the web service endpoint and the registry. Therefore, it is advisable to secure any authorization credentials and ensure that these credentials are not sent to an unauthorized endpoint. We can also attach a system policy set to specify different HTTP and SSL transport policies.


Policy inheritance

The provider policy can be attached at the application or service level. Endpoints and operations inherit their policy configuration from the relevant service.


Calculate policy

Policy intersection is the comparison of a client.policy and a provider policy to determine whether they are compatible, and the calculation of a new policy that complies with both their requirements and capabilities. When you obtain the policy of a service provider, you can choose to use the provider policy only, or to use the client and the provider policy. The outcome of policy intersection is as follows:

The WS-Policy language provides a way to express multiple policy choices, so the policy calculation might produce more than one result. For example, the service provider might support both WS-ReliableMessaging 1.0 and WS-ReliableMessaging 1.1. If the client also supports both versions, the client can use either version in its web service requests to the provider. In this situation, where more than one specification version is acceptable to both the client and the provider, the effective policy is calculated by using the most recent version.


Policy intersection in the JAX-WS dispatch client

Invocations that use the JAX-WS dispatch client (javax.xml.ws.Dispatch) use provider policy in their configuration if this is the administered behavior for the service. If the operation for the invocation is unknown, the client behaves as follows:


Refresh the provider policy held by the client

The provider policy that the client holds for a service is refreshed the first time that the web service is invoked after the application is started. After that, the provider policy is refreshed when the application restarts, or when you explicitly invoke an update of the provider policy. When the provider policy is refreshed, the effective policy is recalculated.

You can invoke an update of the provider policy in the application code. This might be useful if a JAX-WS invocation fails; in the exception handling, you can force a retry with refreshed policy. We can set the following property (available in the WSPConstants class of the API) on the JAX-WS client proxy, then reissue the JAX-WS request: com.ibm.websphere.wspolicy.refreshProviderPolicy.

When the com.ibm.websphere.wspolicy.refreshProviderPolicy property is set, the provider policy that the client holds for a service is refreshed, and the effective policy is recalculated at the next request. After the refresh and recalculation have occurred, the com.ibm.websphere.wspolicy.refreshProviderPolicy property is unset.

The following example of code for a dispatch client shows the identification of an exception that might be resolved by refreshing the provider policy, followed by the invocation of the refresh.

try
{
dispatch.invoke(params);

catch (javax.xml.ws.WebServiceException e)
{
Throwable cause = e.getCause();
if ((cause instanceof NullPolicyException) || (cause instanceof PolicyException) )
{
// The exception might be because the policy of the provider is not up to date.
//
// There is also a message on the console that starts with the characters CWPOL, // which helps to decipher and debug the cause of the error.
// This message is also available by using // String nlsedMessage = cause.getMessage();
Map
<String, Object> requestContext = dispatch.getRequestContext();
requestContext.put(WSPConstants.REFRESH_PROVIDER_POLICY, Boolean.TRUE);
// The following method might cause another jax-ws invocation exception.
// The cause might still be policy, in which case, a message is written to the // console.
dispatch.invoke(params);
}
// For all other exceptions, use the normal exception handling for the // application. In this case, assume there are no other exceptions and rethrow the // initial exception. Remember that the WebServiceException might be caused by a // WSPolicyAdministrationException. In this situation, a message is written to the // console, but forcing a refresh in the application cannot resolve the problem.
throw e;


WSDL
SAML concepts
WS-Policy
Configure the client.policy to use a service provider policy
Configure the client.policy to use a service provider policy from a registry
Configure security for a WS-MetadataExchange request
Configure the client.policy to use a service provider policy using wsadmin.sh


Related


Additional Application Programming Interfaces (APIs)
Policies applied settings
Policy set bindings settings

+

Search Tips   |   Advanced Search