The SOA Agent for Web Servers and the Policy Server
To enforce Web service access control, the SOA Agent for Web Servers interacts with the Policy Server, where all authentication and authorization decisions are made.
The SOA Agent for Web Servers intercepts XML messages posted to a Web server and checks with the Policy Server to see if the requested resource is protected. If the resource is unprotected, the access request proceeds directly to the Web server. If the resource is protected, the following occurs:
- The SOA Agent for Web Servers checks which authentication method is required for this resource. Typical credentials are a name and password, but other credentials, such as a certificate or SAML assertion, may be required.
- The SOA Agent for Web Servers obtains credentials from the transport, header, or body of the XML message.
- The SOA Agent for Web Servers passes the credentials to the Policy Server, which determines if the credentials are sufficient for the authentication method.
- If the posted XML message passes the authentication phase, the Policy Server determines if the message is authorized to access the resource. If a policy uses policy expressions as part of the authorization process, the SOA Agent for Web Servers may need to resolve the variables used in these expressions if the Policy Server cannot resolve them.
- Once the Policy Server grants access, the SOA Agent for Web Servers allows the access request to proceed to the Web service.
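The sequence in the list above can be modeled in a few lines. This is an added illustration, not product code: the `PROTECTED` and `USERS` tables, the function names, and the choice of HTTP Basic and a WS-Security UsernameToken as credential carriers are assumptions, and the Policy Server is modeled in-process.

```python
import base64, hmac
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/", "wsse": "http://docs.oasis-open.org/"
      "wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"}
# Constructed stand-ins for Policy Server data (hypothetical, not product configuration):
# resource -> (where the authentication method expects credentials, authorized users)
PROTECTED = {"/ws/orders": ("header", {"alice"}), "/ws/quotes": ("transport", {"bob"})}
USERS = {"alice": "a-pass", "bob": "b-pass"}

def extract_credentials(location, http_headers, envelope):
    """Agent side: read name/password from the place the authentication method names."""
    if location == "transport":                      # HTTP Basic on the transport
        scheme, _, blob = http_headers.get("Authorization", "").partition(" ")
        try:
            user, sep, pw = base64.b64decode(blob, validate=True).decode().partition(":")
        except ValueError:                           # bad base64 or bad UTF-8
            return None
        return (user, pw) if scheme == "Basic" and sep else None
    path = {"header": "s:Header/wsse:Security/wsse:UsernameToken",
            "body": "s:Body//wsse:UsernameToken"}[location]
    token = envelope.find(path, NS)
    return None if token is None else tuple(
        token.findtext(f"wsse:{f}", None, NS) for f in ("Username", "Password"))

def policy_server_authenticate(user, pw):            # Policy Server, modeled in-process
    expected = USERS.get(user)
    return bool(expected and pw) and hmac.compare_digest(expected.encode(), pw.encode())

def handle(resource, http_headers, xml_bytes):
    """Return 'forward' or 'deny' for one posted XML message."""
    rule = PROTECTED.get(resource)
    if rule is None:
        return "forward"                             # unprotected: straight to the Web server
    location, authorized_users = rule
    try:
        envelope = ET.fromstring(xml_bytes)          # use a hardened XML parser in production
    except ET.ParseError:
        return "deny"                                # fail closed on unparseable input
    creds = extract_credentials(location, http_headers, envelope)
    if creds is None or not policy_server_authenticate(*creds):
        return "deny"                                # authentication phase failed
    return "forward" if creds[0] in authorized_users else "deny"   # authorization phase

def sample_envelope(user, pw):                       # constructed sample message
    return (f'<s:Envelope xmlns:s="{NS["s"]}" xmlns:wsse="{NS["wsse"]}"><s:Header>'
            f'<wsse:Security><wsse:UsernameToken><wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password>{pw}</wsse:Password></wsse:UsernameToken></wsse:Security>'
            f'</s:Header><s:Body><getOrder/></s:Body></s:Envelope>').encode()
```

Credentials presented in a location other than the one the authentication method names are ignored, so a valid Basic header does not satisfy a resource that requires a header token.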
The SOA Agent for Web Servers can also receive message-specific attributes, in the form of responses, to be passed on to the Web service. A response is a personalized message or other message-specific information returned to the SOA Agent for Web Servers from the Policy Server after authorizing the message. A response consists of name-value attribute pairs that instruct the SOA Agent for Web Servers to generate SAML Session Tickets and WS-Security tokens.