Enforcing actor or role for WS-Security messages

The DataPower® Gateway can enforce the S11:actor or S12:role attribute on WS-Security messages.

When enforcement is enabled, you must set the actor or role that the AAA policy uses when it processes the WS-Security message. This setting takes effect only when the AAA policy attempts to process the incoming message before making an authorization decision.

Most of the time, a WS-Security message has an S11:actor or S12:role attribute on its wsse:Security header. For example, there should be only one wsse:Security element with the same actor or role, and the AAA policy should process only the wsse:Security header for the designated actor or role identifier.

This setting applies to all AAA phases except postprocessing. For postprocessing, the activity generally generates a new message for the next SOAP node.

The Enforce Actor or Role for WS-Security Message and WS-Security Actor or Role Identifier properties are available on the Main tab of the generic configuration.
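
The one-header-per-actor-or-role rule described above, as an added Python example that is not DataPower code and not part of the original page: it selects the single wsse:Security header addressed to a configured identifier and rejects a message that carries two headers with the same actor or role. The function names, the `urn:example:*` identifiers and the sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# SOAP envelope namespace -> name of the targeting attribute on header blocks
SOAP_ATTR = {
    "http://schemas.xmlsoap.org/soap/envelope/": "actor",  # S11:actor
    "http://www.w3.org/2003/05/soap-envelope": "role",     # S12:role
}

class ActorRoleError(ValueError):
    """The message is not SOAP or repeats an actor/role on wsse:Security."""

def select_security_header(envelope_xml, identifier):
    """Return the one wsse:Security block addressed to identifier, or None.
    identifier=None selects the block that carries no actor/role attribute."""
    # Sample input is constructed; parse untrusted XML with a hardened parser.
    root = ET.fromstring(envelope_xml)
    soap_ns = root.tag[1:].partition("}")[0]
    if soap_ns not in SOAP_ATTR or root.tag != f"{{{soap_ns}}}Envelope":
        raise ActorRoleError("not a SOAP 1.1 or SOAP 1.2 envelope")
    attr = f"{{{soap_ns}}}{SOAP_ATTR[soap_ns]}"
    header = root.find(f"{{{soap_ns}}}Header")
    blocks = [] if header is None else header.findall(f"{{{WSSE}}}Security")
    seen = set()
    for block in blocks:
        target = block.get(attr)  # None when the attribute is omitted
        if target in seen:
            raise ActorRoleError(f"duplicate wsse:Security for actor/role {target!r}")
        seen.add(target)
    matches = [b for b in blocks if b.get(attr) == identifier]
    return matches[0] if matches else None

def username_for(envelope_xml, identifier):
    """Read the UsernameToken only from the header for the given identifier."""
    block = select_security_header(envelope_xml, identifier)
    return None if block is None else block.findtext(f".//{{{WSSE}}}Username")

# Constructed SOAP 1.1 message with two differently targeted security headers.
SAMPLE = f"""<S11:Envelope xmlns:S11="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="{WSSE}">
 <S11:Header>
  <wsse:Security S11:actor="urn:example:gateway"><wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken></wsse:Security>
  <wsse:Security S11:actor="urn:example:backend"><wsse:UsernameToken><wsse:Username>svc</wsse:Username></wsse:UsernameToken></wsse:Security>
 </S11:Header><S11:Body/></S11:Envelope>"""
# Constructed invalid variant: both headers now name the same actor.
DUPLICATE = SAMPLE.replace("urn:example:backend", "urn:example:gateway")

if __name__ == "__main__":
    print(username_for(SAMPLE, "urn:example:gateway"))
```
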