When you first start working with security policies, it is easy to confuse the server policy with the client policy.
Every policy has a client version and a server version.
Server Policy: This policy does the actual work.
For example, the OWSM policy oracle/wss_http_token_server_policy performs HTTP basic authentication, i.e. it checks the provided userid/pwd against the server's LDAP/IDAM/whatever...
Client Policy: Adds the security information.
The client policy, on the other hand, asserts/includes the required security information in the SOAP HTTP header before sending the request out.
For example, the OWSM policy oracle/wss_http_token_client_policy adds the security header with userid/pwd or csf-key to the outgoing request.
So a service policy is applied to the service provider, whereas the client policy is applied to the service consumer/caller.
Without a client policy on the service caller, the security information cannot be propagated to the service provider, and the service policy on the service therefore rejects the message. So a service caller carries the client version of the policy that is attached to the actual service.
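The split described above can be modelled in a few lines. This is an added example, not OWSM code and not from the original post: client_policy, server_policy, call_service, USER_STORE and the credentials are hypothetical names and constructed values, and an in-memory dictionary stands in for the server's LDAP.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the server's LDAP/identity store: user -> (salt, PBKDF2 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

SALT = b"constructed-salt"
USER_STORE = {"svc_caller": (SALT, _hash("s3cret-example", SALT))}


def client_policy(headers: dict, user: str, password: str) -> dict:
    """Client side: attach credentials to the outgoing request's HTTP headers."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    out = dict(headers)
    out["Authorization"] = f"Basic {token}"  # encoded, not encrypted: send over TLS
    return out


def server_policy(headers: dict, store: dict = USER_STORE) -> int:
    """Server side: do the actual check and return an HTTP status code."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401  # no client policy ran, so there is nothing to authenticate
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # covers bad base64 and undecodable bytes
        return 401
    if not sep or user not in store:
        return 401
    salt, expected = store[user]
    # Constant-time comparison avoids leaking how much of the hash matched.
    return 200 if hmac.compare_digest(_hash(password, salt), expected) else 401


def call_service(attach_client_policy: bool, password: str = "s3cret-example") -> int:
    headers = {"Content-Type": "text/xml", "SOAPAction": '""'}
    if attach_client_policy:
        headers = client_policy(headers, "svc_caller", password)
    return server_policy(headers)


if __name__ == "__main__":
    print(call_service(True))           # caller has the client policy attached
    print(call_service(False))          # caller has no client policy
    print(call_service(True, "wrong"))  # client policy attached, bad password
```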