Glossary of Message Security Terminology
The terminology used in this document is described below. The concepts are also discussed in
“Configuring the Enterprise Server for Message Security” on page 133.
■ Authentication Layer
The authentication layer is the message layer on which authentication processing must be
performed. The Enterprise Server enforces web services message security at the SOAP layer.
■ Authentication Provider
In this release of the Enterprise Server, the Enterprise Server invokes authentication
providers to process SOAP message layer security.
■ A client-side provider establishes (by signature or username/password) the source
identity of request messages and/or protects (by encryption) request messages such that
they can only be viewed by their intended recipients. A client-side provider also
establishes its container as an authorized recipient of a received response (by successfully
decrypting it) and validates passwords or signatures in the response to authenticate the
source identity associated with the response. Client-side providers configured in the
Enterprise Server can be used to protect the request messages sent and the response
messages received by server-side components (servlets and EJB components) acting as
clients of other services.
■ A server-side provider establishes its container as an authorized recipient of a received
request (by successfully decrypting it) and validates passwords or signatures in the
request to authenticate the source identity associated with the request. A server-side
provider also establishes (by signature or username/password) the source identity of
response messages and/or protects (by encryption) response messages such that they can
only be viewed by their intended recipients. Server-side providers are only invoked by
server-side containers.
■ Default Server Provider
The default server provider is used to identify the server provider to be invoked for any
application for which a specific server provider has not been bound. The default server
provider is sometimes referred to as the default provider.
■ Default Client Provider
The default client provider is used to identify the client provider to be invoked for any
application for which a specific client provider has not been bound.
■ Request Policy
The request policy defines the authentication policy requirements associated with request
processing performed by the authentication provider. Policies are expressed in message
sender order such that a requirement that encryption occur after content would mean that
the message receiver would expect to decrypt the message before validating the signature.
■ Response Policy
Understanding Message Security in the Enterprise Server
Chapter 10 • Configuring Message Security 131