Multiple Security Elements in Requests/Responses
SOAP allows you to send multiple security elements in the SOAP header of a request or response. When CloudStreams receives a message with multiple security elements in the SOAP header, it will process only the first security element listed. It ignores all other security elements in the request.
In order for CloudStreams to process the security element, the virtual service must be configured with the proper policy action to handle the element (for example, "Require WSS Username Token", "Require X.509 Token", etc.). If the proper policy actions are not configured for the virtual service, CloudStreams will not process the security header (even if the mustUnderstand attribute of the security element is set to 1 (true)). In this case, CloudStreams will forward the message to the native service or the consumer unchanged.
If the proper policy actions are configured for the virtual service, CloudStreams processes the requests/responses as follows:
1. CloudStreams processes the first security element found in the message.
2. CloudStreams removes the security element from the message before sending it to the native service or the consumer.
3. If the security policy has been violated, CloudStreams sends a policy violation event notification (assuming that the policy is configured for policy violation event notifications).
4. Processing is complete; CloudStreams ignores all but the first security element.