See responses below. I've removed older discussion to make this easier to follow.
Simon Yang, Gang CTR US USA wrote:
Classification: UNCLASSIFIED Caveats: NONE
> (cut)
GY: The use case applies to SCA well. When a new service is developed referencing other existing services, the authorization is best done in a distributed fashion - the information owning service makes the authorization decision based on its existing policies. This means that when a client accesses this new service with its credential, this credential (in the form of some security token, say SAML) would need to be passed to the other existing services for authorization. Translated to the SCA view, the handler for the service WS binding needs to pass the user credential to the handler for the reference WS binding. Since the two handlers do not have any direct relation, this is done (in other frameworks such as Axis2, JAX-WS and JAX-RPC) through the new service implementation code which connects the service (inbound from the client) to the reference (outbound to other services).
In SCA there's a getSecuritySubject() method on the RequestContext API. This is implemented by putting a Subject header in the ThreadMessageContext. This header is added by the service binding handler and would be available to the reference binding handler. Does this do what you need?

Simon
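
The hand-off described in this reply, sketched as an added example that is not part of the original thread and is not Tuscany code. It models the thread-scoped message context with a plain `ThreadLocal`; every class, method and header name in it is hypothetical, and only `javax.security.auth.Subject` is a real JDK type.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;

// Simplified model of the pattern; all names below are hypothetical.
public class SubjectPropagationDemo {
    // Stand-in for a per-thread message context that carries request headers.
    static final ThreadLocal<Map<String, Object>> CONTEXT =
            ThreadLocal.withInitial(HashMap::new);

    // Inbound (service binding) handler: stores the authenticated caller's Subject.
    static String serviceHandler(String callerName) {
        Subject subject = new Subject();
        subject.getPrincipals().add((Principal) () -> callerName);
        CONTEXT.get().put("Subject", subject);
        try {
            return implementation();
        } finally {
            // Pooled threads are reused: clear the header so the next request
            // on this thread cannot inherit this caller's identity.
            CONTEXT.remove();
        }
    }

    // Business logic: invokes the reference without touching credentials.
    static String implementation() {
        return referenceHandler("getRecord");
    }

    // Outbound (reference binding) handler: reads the Subject from the same
    // thread and attaches it to the outgoing call for downstream authorization.
    static String referenceHandler(String operation) {
        Subject subject = (Subject) CONTEXT.get().get("Subject");
        if (subject == null || subject.getPrincipals().isEmpty()) {
            // Fail closed instead of calling downstream anonymously.
            throw new SecurityException("no caller identity to propagate");
        }
        String name = subject.getPrincipals().iterator().next().getName();
        return operation + " on behalf of " + name;
    }

    public static void main(String[] args) {
        System.out.println(serviceHandler("alice"));
        System.out.println("Subject still set: " + CONTEXT.get().containsKey("Subject"));
    }
}
```

Because the context is bound to the thread, this hand-off only holds when the reference is invoked on the same thread that handled the inbound request.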
