Authentication and Authorization for Consumer Web Service Descriptors
When Integration Server acts as the web service consumer, Integration Server authorizes the user by performing ACL checking for the consumer web service descriptor. Integration Server may perform authorization at other points by performing ACL checking for the web service connector and handler services. The following table summarizes the points at which Integration Server performs authorization and indicates when Integration Server executes the services used with a consumer web service descriptor.
Note: On the consumer side, Integration Server performs ACL checking with the credentials used to connect to the Integration Server. The transport and message credentials passed into the web service connector or specified in the consumer web service endpoint alias are used only when sending the SOAP request to the provider.
Step / Description
1. Authorization check for the web service connector.
Integration Server determines whether the user is authorized to invoke the web service connector by checking the user credentials against the execute ACL assigned to the web service connector.
* If the web service connector is the top-level service, Integration Server performs ACL checking for the web service connector.
* If the web service connector is not the top-level service, Integration Server performs ACL checking for the web service connector only if the web service connector permissions specify that the Enforce execute ACL option is set to Always.
If access is denied, Integration Server does not continue to the next steps and the web service connector fails.
2. Authorization check for the consumer web service descriptor.
Integration Server determines whether the user is authorized to access the web service descriptor by checking the user credentials against the execute ACL assigned to the web service descriptor.
If access is denied, Integration Server does not continue to the next steps and the web service connector fails.
3. Authorization check for all handler services.
Integration Server determines whether the user is authorized to access the handler services by performing ACL checking. Integration Server checks the execute ACL for a handler service only if the handler service permissions specify that the Enforce execute ACL option is set to Always. Integration Server does not consider handler services to be top-level services.
If access is denied to any of the handler services, Integration Server does not continue to the next steps and the web service connector fails.
Note: Integration Server performs ACL checking for all request, response, and fault handler services at this point in the process. When non-Anonymous ReplyTo and/or FaultTo addresses are provided, Integration Server performs ACL checking for request handler services only. If ReplyTo is Anonymous and FaultTo is non-Anonymous, then Integration Server performs ACL checking for request and fault handler services.
4. Request handler services execute.
Integration Server executes the request handler services in the handler chain. For more information, see About Request Handler Services.
5. Authorization check for outbound callback service.
Integration Server determines whether the user is authorized to access the outbound callback service by performing ACL checking. Integration Server checks the execute ACL for an outbound callback service only if the service permissions specify that the Enforce execute ACL option is set to Always. Integration Server does not consider outbound callback services to be top-level services.
If access is denied to the outbound callback service, Integration Server logs an access denied error in the error logs and processing continues without interruption. No SOAP fault is added to the SOAP message.
For more information about outbound callback services, see About Outbound Callback Services.
6. Outbound callback service executes.
Integration Server executes the outbound callback service.
7. Send request message.
Integration Server sends the request message to the web service provider. For HTTP/S, Integration Server sends a SOAP message. For JMS, Integration Server sends a JMS message that contains a SOAP message.
8. Response handler services execute.
Integration Server receives the SOAP response and executes the response handler services in the handler chain. For more information, see About Response Handler Services.
9. Authorization check for response services.
Note: Integration Server performs this authorization check only if the web service descriptor is processing asynchronous responses.
Integration Server determines whether the user is authorized to access the response services by performing ACL checking. Integration Server checks the execute ACL for a response service only if the response service permissions specify that the Enforce execute ACL option is set to Always. Integration Server does not consider response services to be top-level services.
If access is denied to any of the response services, Integration Server invokes the generic_FaultResponse service. If access is denied to the generic_FaultResponse service, Integration Server logs an error.
Note: Integration Server performs ACL checking for all response and fault handler services at this point in the process.
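The decision logic of steps 1 through 5, as an added example that is not part of the original guide and is not Integration Server code: a simplified Python model in which an execute ACL is just a set of allowed groups. All service names and group sets are constructed, and the model assumes that the more specific ReplyTo/FaultTo sentence in the step 3 note takes precedence over the general one.

```python
from dataclasses import dataclass

@dataclass
class Service:
    name: str
    execute_acl: frozenset        # groups the execute ACL allows (simplified model)
    enforce_always: bool = False  # "Enforce execute ACL" option set to Always

def acl_checked(svc, top_level=False):
    # The ACL is evaluated for a top-level service, or when Enforce is Always.
    return top_level or svc.enforce_always

def permitted(svc, groups, top_level=False):
    return not acl_checked(svc, top_level) or bool(svc.execute_acl & groups)

def handler_kinds_checked(reply_to_anon=True, fault_to_anon=True):
    # Step 3 note; the more specific ReplyTo/FaultTo sentence is assumed to win.
    if not reply_to_anon:
        return ("request",)
    if not fault_to_anon:
        return ("request", "fault")
    return ("request", "response", "fault")

def preflight(groups, connector, wsd_acl, handlers, callback=None,
              top_level=True, reply_to_anon=True, fault_to_anon=True):
    """Walk steps 1-5 and return (outcome, detail)."""
    if not permitted(connector, groups, top_level):
        return ("fail", "step 1: connector")
    if not (wsd_acl & groups):  # the descriptor ACL is always checked
        return ("fail", "step 2: descriptor")
    for kind in handler_kinds_checked(reply_to_anon, fault_to_anon):
        for h in handlers.get(kind, []):
            if not permitted(h, groups):  # handlers are never top-level
                return ("fail", f"step 3: {kind} handler {h.name}")
    if callback and not permitted(callback, groups):
        return ("continue", "step 5: callback denied, logged only")
    return ("continue", "all checks passed")

def acl_not_enforced(services):
    """Audit helper: non-top-level services whose execute ACL is never evaluated."""
    return [s.name for s in services if not s.enforce_always]

# Constructed sample configuration (all names are hypothetical).
DEV, ADMIN = frozenset({"Developers"}), frozenset({"Administrators"})
connector = Service("demo.consumer:getQuote", DEV)
req = Service("demo.handlers:signRequest", ADMIN)  # Enforce not set to Always
flt = Service("demo.handlers:onFault", ADMIN, enforce_always=True)
cb = Service("demo.callbacks:beforeSend", ADMIN, enforce_always=True)
handlers = {"request": [req], "fault": [flt]}
```

Running acl_not_enforced over the handler, callback, and response services of a descriptor lists those whose execute ACL is assigned but never evaluated in this flow because Enforce execute ACL is not set to Always.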