WAS v8.5 > End-to-end paths > Web services - Policy (WS-Policy) > Use WS-Policy to exchange policies in a standard format > WS-Policy

WS-MetadataExchange requests

We can use the Web Services Metadata Exchange (WS-MetadataExchange) GetMetadata request to exchange Web Services Description Language (WSDL) that is annotated with WS-Policy information. A service provider can use a WS-MetadataExchange request to share its policies, and a service client can use a WS-MetadataExchange request to apply the policies of a provider. We can secure WS-MetadataExchange requests using transport-level or message-level security.

The WS-MetadataExchange specification defines a mechanism to retrieve metadata from an endpoint. WebSphere Application Server supports the use of the WS-MetadataExchange 1.1 GetMetadata request to return metadata in a response. A service provider can use this mechanism to make WSDL that is annotated with WS-Policy information available, that is, the service provider can share its policies. A service client can use this mechanism to obtain WSDL that is annotated with WS-Policy information from a service provider and then apply those policies. The policy configuration must be in WS-PolicyAttachments format in the WSDL of the service provider.

We can use a WS-MetadataExchange request as an alternative to using an HTTP GET request.

By default, a service provider or a service client does not use WS-MetadataExchange to share or obtain WS-Policy information. You must configure the service provider to share its policies, or configure the service client to apply the policies of a service provider, and specify that a WS-MetadataExchange request is used to share or obtain the policy configuration. WS-Policy information can be shared or obtained at the application or service level. We can configure the service provider or service client using the dmgr console or using wsadmin commands.

Application developers can configure the service provider or service client using Rational Application Developer tools when a Web service is generated. For more information, see the Rational Application Developer documentation.

When a service provider is configured to share its policies through WS-MetadataExchange, the service supports incoming WS-MetadataExchange GetMetadata requests that are limited to the WSDL dialect. When the service receives such a request, the WSDL of the service is returned inline through a conformant WS-MetadataExchange response. The WSDL of the service contains WS-PolicyAttachments annotations that represent the current policy configuration. The policy configuration is in WS-PolicyAttachments format in the WSDL so that it is then available to other clients, service registries or services that support the Web Services Policy (WS-Policy) specification and the WS-MetadataExchange GetMetadata request.

When a service client is configured to use WS-MetadataExchange to obtain the policy of a service provider, the service client sends a WS-MetadataExchange GetMetadata request that specifies the WSDL dialect whenever it needs to obtain or refresh the policy of the provider.


WS-MetadataExchange security

You must ensure the GetMetadata request is secured so there is effective authentication, authorization, integrity, and confidentiality. End-to-end authentication is particularly important for the exchange of security metadata (SecurityPolicy), because if an unauthorized party could access this information, security credentials could be sent to non-trusted endpoints.

The GetMetadata request is targeted at the same port as the application endpoint, so if the application uses transport-level security, the GetMetadata request is also targeted at the secure port and, by default, uses the same transport-level security configuration as the application.

Additionally, we can apply message-level security (WS-Security) to the metadata exchange. You might want to apply message-level security if transport-level security is not available on the application endpoint, or if transport-level security is not adequate for the requirements. An advantage of message-level security is that it provides end-to-end security by incorporating security features in the header of the SOAP message.

To provide message-level security, you attach system policy sets and general (named) bindings to the endpoint when you configure the service provider or service client to exchange policy configurations. System policy sets are used for system messages that are not business-related, whereas application policy sets specify policy assertions for business-related messages. For example, system policy sets are used for messages that apply qualities of service (QoS), which include the messages defined in the WS-MetadataExchange protocol. To provide message-level security for a GetMetadata request, attach a system policy set containing only WS-Security or Web Services Addressing (WS-Addressing) policies. We can specify general bindings scoped either to the global domain or to the security domain of the service.

When you apply message-level security, the transport policy of the application still applies as well.
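The following Python example is added here to illustrate both the GetMetadata exchange described above and the security requirements on it; it is not code from WebSphere Application Server or from this page. It builds a WS-MetadataExchange 1.1 GetMetadata request limited to the WSDL dialect, parses a constructed GetMetadata response whose inline WSDL carries WS-PolicyAttachments, and, before a request is sent, checks that the exchange is protected either by transport-level security (an https endpoint) or by a system policy set that contains only WS-Security or WS-Addressing policies. The sample response, the policy names EchoBindingPolicy and MissingPolicy, and the policy type names WSSecurity and WSAddressing used in the policy-set check are assumptions constructed for the example.

```python
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSA_NS = "http://www.w3.org/2005/08/addressing"
MEX_NS = "http://schemas.xmlsoap.org/ws/2004/09/mex"
WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSDL_DIALECT = "http://schemas.xmlsoap.org/wsdl/"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# A provider may annotate its WSDL with WS-Policy 1.5 or the older 1.2 namespace.
WSP_NAMESPACES = ("http://www.w3.org/ns/ws-policy",
                  "http://schemas.xmlsoap.org/ws/2004/09/policy")
GET_METADATA_ACTION = MEX_NS + "/GetMetadata/Request"

# Policy types a system policy set for GetMetadata may contain (assumed names).
ALLOWED_SYSTEM_POLICY_TYPES = {"WSSecurity", "WSAddressing"}


def check_mex_security(endpoint_url, system_policy_set=None):
    """Decide whether a GetMetadata request to endpoint_url is adequately protected.
    Returns (ok, reasons): transport-level security (https) suffices on its own;
    otherwise a message-level system policy set containing only WS-Security or
    WS-Addressing policies is required."""
    reasons = []
    if urlparse(endpoint_url).scheme == "https":
        return True, ["transport-level security on the application endpoint"]
    if not system_policy_set:
        return False, ["plain http endpoint and no system policy set attached"]
    types = set(system_policy_set.get("policies", []))
    unsupported = types - ALLOWED_SYSTEM_POLICY_TYPES
    if unsupported:
        reasons.append("system policy set contains unsupported types: " + ", ".join(sorted(unsupported)))
    if "WSSecurity" not in types:
        reasons.append("system policy set has no WS-Security policy, so the request is not signed or encrypted")
    return (not reasons), reasons or ["message-level security via system policy set " + system_policy_set.get("name", "?")]


def build_get_metadata_request(endpoint_url, message_id=None):
    """Return a SOAP 1.2 WS-MetadataExchange 1.1 GetMetadata request that asks
    the endpoint only for its WSDL (Dialect limited to WSDL)."""
    message_id = message_id or "urn:uuid:" + str(uuid.uuid4())
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsa="{WSA_NS}" xmlns:mex="{MEX_NS}">'
        "<s:Header>"
        f'<wsa:Action s:mustUnderstand="true">{GET_METADATA_ACTION}</wsa:Action>'
        f"<wsa:To>{escape(endpoint_url)}</wsa:To>"
        f"<wsa:MessageID>{escape(message_id)}</wsa:MessageID>"
        f"<wsa:ReplyTo><wsa:Address>{WSA_NS}/anonymous</wsa:Address></wsa:ReplyTo>"
        "</s:Header><s:Body><mex:GetMetadata>"
        f"<mex:Dialect>{WSDL_DIALECT}</mex:Dialect>"
        "</mex:GetMetadata></s:Body></s:Envelope>"
    )


def extract_policy_attachments(response_xml):
    """Parse a GetMetadata response, find the inline WSDL section and map each WSDL
    element carrying a wsp:PolicyReference to (URI, resolved) pairs, where resolved
    tells whether the referenced policy is declared inline in the same WSDL."""
    root = ET.fromstring(response_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    attachments = {}
    for section in root.iter(f"{{{MEX_NS}}}MetadataSection"):
        if section.get("Dialect") != WSDL_DIALECT:
            continue  # only the WSDL dialect carries WS-PolicyAttachments
        definitions = section.find(f"{{{WSDL_NS}}}definitions")
        if definitions is None:
            continue
        policy_ids = {pol.get(f"{{{WSU_NS}}}Id")
                      for wsp in WSP_NAMESPACES
                      for pol in definitions.iter(f"{{{wsp}}}Policy")
                      if pol.get(f"{{{WSU_NS}}}Id")}
        for wsp in WSP_NAMESPACES:
            for ref in definitions.iter(f"{{{wsp}}}PolicyReference"):
                owner = parent_of[ref]
                subject = owner.tag.split("}")[-1] + ":" + owner.get("name", "")
                uri = ref.get("URI", "")
                resolved = uri.startswith("#") and uri[1:] in policy_ids
                attachments.setdefault(subject, []).append((uri, resolved))
    return attachments


# Constructed sample GetMetadata response: one WSDL section with one inline policy
# (an HTTPS transport binding), one resolved reference and one dangling reference.
SAMPLE_RESPONSE = f"""<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsa="{WSA_NS}">
 <s:Header><wsa:Action>{MEX_NS}/GetMetadata/Response</wsa:Action></s:Header>
 <s:Body><mex:Metadata xmlns:mex="{MEX_NS}">
  <mex:MetadataSection Dialect="{WSDL_DIALECT}">
   <wsdl:definitions xmlns:wsdl="{WSDL_NS}" xmlns:wsp="{WSP_NAMESPACES[0]}"
      xmlns:wsu="{WSU_NS}" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
      xmlns:tns="urn:example:echo" targetNamespace="urn:example:echo">
    <wsp:Policy wsu:Id="EchoBindingPolicy"><sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
    </wsp:Policy></sp:TransportBinding></wsp:Policy>
    <wsdl:binding name="EchoBinding" type="tns:Echo"><wsp:PolicyReference URI="#EchoBindingPolicy"/></wsdl:binding>
    <wsdl:service name="EchoService"><wsdl:port name="EchoPort" binding="tns:EchoBinding">
      <wsp:PolicyReference URI="#MissingPolicy"/></wsdl:port></wsdl:service>
   </wsdl:definitions>
  </mex:MetadataSection></mex:Metadata></s:Body></s:Envelope>"""

if __name__ == "__main__":
    print(build_get_metadata_request("https://provider.example/EchoService"))
    print(extract_policy_attachments(SAMPLE_RESPONSE))
    print(check_mex_security("http://provider.example/EchoService", {"name": "MexSecurity", "policies": ["WSSecurity", "WSAddressing"]}))
```

A client would run check_mex_security before sending the request and treat an unresolved PolicyReference in the returned WSDL as a reason not to apply the provider's policy rather than silently continuing without it.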


Related concepts:

System policy sets


Related tasks:


Configure security for a WS-MetadataExchange request
Configure a service provider to share its policy configuration
Configure the client policy to use a service provider policy


Reference:

WS-Policy commands for AdminTask
Policies applied settings
Policy sharing settings
Policy set bindings settings

