Understanding Message Security in the Enterprise Server

Glossary of Message Security Terminology

The terminology used in this document is described below. The concepts are also discussed in “Configuring the Enterprise Server for Message Security” on page 133.

Authentication Layer

The authentication layer is the message layer on which authentication processing must be performed. The Enterprise Server enforces web services message security at the SOAP layer.

Authentication Provider

In this release, the Enterprise Server invokes authentication providers to process SOAP message-layer security. A provider is either client-side or server-side, and the two roles mirror each other: whatever one side does to a message when sending it, the other side must undo and verify when receiving it.

A client-side provider establishes the source identity of request messages (by signature or username/password), protects request messages (by encryption) so that only their intended recipients can read them, or does both. On the response path, it establishes its container as an authorized recipient of a received response (by successfully decrypting it) and validates the password or signature in the response to authenticate the source identity associated with that response. Client-side providers configured in the Enterprise Server can also protect the request messages sent, and the response messages received, by server-side components (servlets and EJB components) that act as clients of other services.

A server-side provider establishes its container as an authorized recipient of a received request (by successfully decrypting it) and validates the password or signature in the request to authenticate the source identity associated with that request. On the response path, it establishes the source identity of response messages (by signature or username/password), protects response messages (by encryption) so that only their intended recipients can read them, or does both. Server-side providers are invoked only by server-side containers.

Default Server Provider

The default server provider is the server provider invoked for any application to which a specific server provider has not been bound. It is sometimes referred to simply as the default provider.

Default Client Provider

The default client provider is the client provider invoked for any application to which a specific client provider has not been bound.

Request Policy

The request policy defines the authentication policy requirements that the authentication provider applies when processing requests. Policies are expressed in message sender order: a requirement that encryption occur after content (that is, that the sender sign the content first and then encrypt the message) means that the message receiver must decrypt the message before it can validate the signature. A receiver that applied the steps in the wrong order would be validating a signature over ciphertext and would reject a correctly protected message.
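The following domain.xml fragment is an added example, not text from this manual, showing how the terms defined above map onto the server's message security configuration. It uses the `message-security-config` and `provider-config` elements and the `auth-source`/`auth-recipient` policy attributes of this generation of the server; the provider IDs, the `security.config` file path and the choice of policy values are assumptions made for illustration, and the `class-name` values are the server's bundled SOAP providers as the editor recalls them, so verify them against your own default domain.xml before copying.

```xml
<!-- Added example (not from the manual): one SOAP authentication layer with a
     default client provider and a default server provider. -->
<security-service>
  <!-- auth-layer: the message layer at which authentication is enforced.
       default-provider / default-client-provider: the providers used for any
       application to which no specific provider has been bound. -->
  <message-security-config auth-layer="SOAP"
                           default-provider="ServerProvider"
                           default-client-provider="ClientProvider">

    <!-- Server-side provider: invoked only by server-side containers. -->
    <provider-config provider-id="ServerProvider"
                     provider-type="server"
                     class-name="com.sun.xml.wss.provider.ServerSecurityAuthModule">
      <!-- Request policy, written in sender order:
           auth-source="content"            -> the sender signs the message content
           auth-recipient="after-content"   -> the sender then encrypts the message
           so this server must decrypt first and validate the signature second. -->
      <request-policy auth-source="content" auth-recipient="after-content"/>
      <!-- Response policy: this server signs and encrypts what it sends back. -->
      <response-policy auth-source="content" auth-recipient="after-content"/>
      <!-- Assumed location of the provider's keystore/truststore settings. -->
      <property name="security.config"
                value="${com.sun.aas.instanceRoot}/config/wss-server-config-1.0.xml"/>
    </provider-config>

    <!-- Client-side provider: also used by servlets and EJB components that
         act as clients of other services. Its policies must be the mirror image
         of the server provider's, otherwise requests are rejected on receipt. -->
    <provider-config provider-id="ClientProvider"
                     provider-type="client"
                     class-name="com.sun.xml.wss.provider.ClientSecurityAuthModule">
      <request-policy auth-source="content" auth-recipient="after-content"/>
      <response-policy auth-source="content" auth-recipient="after-content"/>
      <property name="security.config"
                value="${com.sun.aas.instanceRoot}/config/wss-server-config-1.0.xml"/>
    </provider-config>

  </message-security-config>
</security-service>
```

The practical check when editing this fragment is that every policy attribute on one side has its counterpart on the other: a server `request-policy` must match the client `request-policy`, and a server `response-policy` must match the client `response-policy`, because the receiving provider derives its decrypt-then-verify (or verify-then-decrypt) order from the same sender-order attributes.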

Response Policy

Chapter 10 • Configuring Message Security

Sun Microsystems 820433510 manual Glossary of Message Security Terminology, Response Policy