Configure the client policy to use a service provider policy
An application that is a web service client can obtain the policy configuration of a web service provider and use this information to establish a policy configuration that is acceptable to both the client and the service provider.
We have developed a web service client containing all the necessary artifacts, and deployed the web services application into the application server instance. If we require them, we have attached the policy sets and managed the associated bindings.
The service provider must publish its policy in its WSDL and that policy must contain its policy configuration at run time in WS-PolicyAttachments format. The client must be able to support those provider policies.
For a list of WS-Policy assertion specifications and WS-Policy domains supported, see the WS-Policy topic.
We can administer the client to configure itself dynamically at run time, based on the policy of the service provider in the standard WS-PolicyAttachments format. The provider policy can be applied dynamically at the application, service, or service reference level. By default, endpoints and operations inherit their policy configuration from the relevant service. However, a service reference can be configured to override the service, in which case the endpoints and operations inherit their policy configuration from the service reference.
If the provider policy uses multipart WSDL, we can use an HTTP GET request to obtain the policy of the provider, but we cannot use the WS-MetadataExchange protocol. For more information about multipart WSDL, see the topic about WSDL.
Policy intersection is the comparison of a client policy and a provider policy to determine whether they are compatible, and the calculation of a new policy, known as the effective policy, that complies with both their requirements and capabilities.
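The intersection described above, as an added example (not IBM's code and not the application server's implementation): it follows the WS-Policy 1.5 framework's definition, reduced to assertion QNames. The three policies, the `ex:AuditHint` assertion and the strict/lax switch are constructed for illustration; this page does not state which mode the application server uses.

```python
import xml.etree.ElementTree as ET
from itertools import product

WSP = "http://www.w3.org/ns/ws-policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
NS = (f'xmlns:wsp="{WSP}" xmlns:sp="{SP}" xmlns:ex="urn:example:constructed" '
      'xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"')

# Constructed samples in WS-Policy normal form (nested policies omitted for brevity).
# Client policy set: transport security plus addressing.
CLIENT = f"""<wsp:Policy {NS}><wsp:ExactlyOne>
  <wsp:All><sp:TransportBinding/><wsam:Addressing/></wsp:All>
</wsp:ExactlyOne></wsp:Policy>"""
# Provider: a secured alternative carrying an ignorable hint, and an unsecured one.
PROVIDER = f"""<wsp:Policy {NS}><wsp:ExactlyOne>
  <wsp:All><sp:TransportBinding/><wsam:Addressing/><ex:AuditHint wsp:Ignorable="true"/></wsp:All>
  <wsp:All><wsam:Addressing/></wsp:All>
</wsp:ExactlyOne></wsp:Policy>"""
# Provider that publishes only the unsecured alternative.
WEAK_PROVIDER = f"""<wsp:Policy {NS}><wsp:ExactlyOne>
  <wsp:All><wsam:Addressing/></wsp:All>
</wsp:ExactlyOne></wsp:Policy>"""

def alternatives(policy_xml):
    """Parse a normal-form policy into alternatives: lists of (QName, ignorable)."""
    root = ET.fromstring(policy_xml)
    return [[(a.tag, a.get(f"{{{WSP}}}Ignorable") == "true") for a in alt]
            for alt in root.findall(f"{{{WSP}}}ExactlyOne/{{{WSP}}}All")]

def compatible(a, b, lax=False):
    """Every assertion in one alternative needs a same-QName assertion in the
    other; in lax mode, assertions marked wsp:Ignorable are exempt."""
    def covered(src, dst):
        names = {qname for qname, _ in dst}
        return all(qname in names or (lax and ign) for qname, ign in src)
    return covered(a, b) and covered(b, a)

def effective_policy(client_xml, provider_xml, lax=False):
    """Merge each compatible client/provider alternative pair; [] = incompatible.
    Assertions are deduplicated by QName, a simplification of the framework's merge."""
    return [sorted({qname for qname, _ in c + p})
            for c, p in product(alternatives(client_xml), alternatives(provider_xml))
            if compatible(c, p, lax)]
```

With these samples the strict intersection of `CLIENT` and `PROVIDER` is empty because of the provider's extra assertion, while the lax one yields a single secured alternative. The intersection with `WEAK_PROVIDER` is empty in either mode, so no effective policy exists that drops the client's transport-security requirement.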
This topic describes how to configure the client policy to use a service provider policy using the administrative console. We can also configure the client policy to use a service provider policy using wsadmin commands.
Tasks
1. From the navigation panel of the administrative console, click Applications > Application Types > WebSphere enterprise applications > service_client_application_instance > [Web services properties] Service client policy sets and bindings.
2. In the row for the application or service where we want to apply the policy, click the link in the Policies Applied column. The Policies Applied panel is displayed.
3. Select one of the following options from the drop-down list:
   - Provider policy only. Configure the client based solely on the policy of the service provider. This option is available when a client policy set is not attached.
   - Client and provider policy. Configure the client based on both the client policy set and the policy of the service provider. This option is available when a client policy set is attached.

   The other options in the list do not apply to this task.
4. Use the radio buttons to select which method to employ to obtain the provider policy: an HTTP GET request (see step 5) or a WS-MetadataExchange request (see step 6).
5. Optional: To obtain the provider policy using an HTTP GET request, click HTTP GET request. By default, the HTTP GET request is targeted at the URL for the service endpoint followed by ?WSDL. For example:

   http://myhost:9080/WSSampleSei/EchoService?WSDL

   When the policy set attach point is at the application level we cannot change this value.
   - Optional: If we are applying a policy to a service and the provider policy is located at the service endpoint, ensure that Use the default request target is selected.
   - Optional: If we are applying a policy to a service and the provider policy is not located at the service endpoint, click Specify request target, then enter the URL for the location of the provider policy in the field. For example, we might change the target of the HTTP GET request if the provider policy is located in a repository.
   - Optional: If we select HTTP GET request as the method to be used to obtain the provider policy and if we select Specify request target and we want to configure transport-level security, select Attach a system policy set to the HTTP GET request, then select a suitable policy set and binding from the drop-down lists. Select the policy set we require from the Policy set list to provide transport-level security for the HTTP GET request. Select from system policy sets that contain solely HTTP transport policies, solely SSL transport policies, or both; the policy set cannot contain other policy types. Select the binding we require from the Binding list for the HTTP GET request. We can select from general bindings scoped to the global domain or scoped to the security domain of this service.
6. Optional: To obtain the provider policy using a Web Services Metadata Exchange (WS-MetadataExchange) GetMetadata request, click WS-MetadataExchange request.
   - Optional: If we select WS-MetadataExchange request and want to use message-level security, select Attach a system policy set to the WS-MetadataExchange request, then select a suitable policy set and binding from the drop-down lists. See Configure security for a WS-MetadataExchange request.
7. Click OK.
8. Save changes to the master configuration.
The web application client-side policy is calculated when it is required at run time, based either on the policy of the service provider, or on the client policy set and the policy of the service provider, depending on which option we selected. This calculated policy is known as the "effective policy" and is cached as a runtime configuration. The effective policy is used for subsequent outbound web service requests to the endpoint or operation for which the dynamic policy calculation was performed. The policy set configuration of the client does not change.
The provider policy that the client holds for a service is refreshed the first time that the web service is invoked after the application is loaded. After that, the provider policy is refreshed when the application restarts, or if the application explicitly invokes a refresh. When the provider policy is refreshed, the effective policy is recalculated.
Subtopics
- Configure the client policy to use a service provider policy by
  An application that is a web service client can obtain the policy configuration of a web service provider and use this information to establish a policy configuration that is acceptable to both the client and the service provider.
- Configure the client policy to use a service provider policy from a registry
  An application that is a web service client can obtain the policy configuration of a web service provider from a registry, such as WebSphere Service Registry and Repository (WSRR), and use this information to establish a policy configuration that is acceptable to both the client and the service provider.
- Policies applied settings
  Use this panel to view and change whether the policy configuration of a WAS service client is configured dynamically, based on the policies supported by its service provider. We can view or change how the client obtains the policy of the service provider; the client can use an HTTP GET request or a Web Services Metadata Exchange (WS-MetadataExchange) request. We can specify a policy set and binding to provide message-level security for WS-MetadataExchange requests or to specify HTTP transport and SSL transport configuration for HTTP GET requests.
Related:
- WS-Policy
- Web service clients and policy configuration to use the service provider policy
- WSDL
- Deploy web services applications onto application servers
- Manage policy sets and bindings for service clients at the application level
- Configure a service provider to share its policy configuration
- Configure security for a WS-MetadataExchange request