Enforcing actor or role for WS-Security messages
The DataPower® Gateway can enforce the S11:actor or S12:role attribute on WS-Security messages.
When enforcement is enabled, you must set the actor or role that the AAA policy uses when it processes the WS-Security message. This setting takes effect only when the AAA policy attempts to process the incoming message before making an authorization decision.
Most of the time, a WS-Security message has an S11:actor or S12:role attribute on its wsse:Security header. For example, there should be only one wsse:Security element with the same actor or role, and the AAA policy should process only the wsse:Security header for the designated actor or role identifier.
This setting applies to all AAA phases except postprocessing. In postprocessing, the activity generally generates a new message for the next SOAP node.
The Enforce Actor or Role for WS-Security Message and WS-Security Actor or Role Identifier properties are available on the Main tab of the generic configuration.
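The header selection described above, sketched in Python as an added example (not DataPower code or configuration): it picks the one wsse:Security header addressed to the configured identifier and rejects a message in which two headers carry the same actor or role. The function names, the urn:example identifiers and the sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET

S11 = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 uses S11:actor
S12 = "http://www.w3.org/2003/05/soap-envelope"     # SOAP 1.2 uses S12:role
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

def select_security_header(envelope_xml, identifier):
    """Return the single wsse:Security header addressed to `identifier`.

    identifier=None selects the header that carries no actor/role attribute.
    Returns None when no header matches. Raises ValueError when two headers
    share the same actor/role, because the choice would be ambiguous.
    """
    root = ET.fromstring(envelope_xml)
    if root.tag == f"{{{S11}}}Envelope":
        ns, attr = S11, "actor"
    elif root.tag == f"{{{S12}}}Envelope":
        ns, attr = S12, "role"
    else:
        raise ValueError("not a SOAP 1.1 or SOAP 1.2 envelope")
    header = root.find(f"{{{ns}}}Header")
    blocks = [] if header is None else header.findall(f"{{{WSSE}}}Security")
    targets = [b.get(f"{{{ns}}}{attr}") for b in blocks]
    if len(set(targets)) != len(targets):
        raise ValueError("duplicate actor/role on wsse:Security headers")
    matches = [b for b, t in zip(blocks, targets) if t == identifier]
    return matches[0] if matches else None

def sample_envelope(ns, attr, targets):
    """Constructed sample: one wsse:Security header per entry in targets."""
    blocks = ""
    for i, target in enumerate(targets):
        addressed = "" if target is None else f' S:{attr}="{target}"'
        blocks += (f'<wsse:Security xmlns:wsse="{WSSE}"{addressed}>'
                   f"<wsse:UsernameToken><wsse:Username>user-{i}</wsse:Username>"
                   "</wsse:UsernameToken></wsse:Security>")
    return (f'<S:Envelope xmlns:S="{ns}"><S:Header>{blocks}</S:Header>'
            "<S:Body/></S:Envelope>")

if __name__ == "__main__":
    msg = sample_envelope(S11, "actor", ["urn:example:gateway", None])
    hdr = select_security_header(msg, "urn:example:gateway")
    print(hdr.find(f".//{{{WSSE}}}Username").text)
```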