
20 Feb 2008, 5:39 p.m.
Authentication and authorization are orthogonal to each other and out of scope of BES.
This is what I was trying to get across earlier. It's a property of the container and the service hosting policy NOT something the service should have to enforce. Only authenticated and authorized requests should make it to the service implementation. That is why there is no NotAuthorizedFault in the BESManagement port type operations. WS-Security just authenticates you. Your container (should) perform an authorization decision before passing your message on to your service.

Steven