There are many potential end-to-end security scenarios, and each might involve different security steps. Several typical scenarios are presented here, with the security options that each one needs.
Inbound Web service request
In this scenario, a Web service client invokes a WebSphere® Process Server component. The request passes through several components in the WebSphere Process Server environment before being passed to an EIS by an adapter.
You can authenticate the Web service client in one of three ways: as an SSL client, with HTTP Basic authentication, or with WS-Security authentication. After the client is authenticated, access control is applied based on the SecurityPermission qualifier. Between the client and the WebSphere Process Server instance, you can secure data integrity and privacy using SSL or WS-Security. SSL secures the entire pipe, whereas with WS-Security you can encrypt or digitally sign parts of the SOAP message. For Web services, WS-Security is the preferred standard.
Outbound Web service request
In this scenario, the inbound request can be from an adapter, a Web service client, or an HTTP client. A component in WebSphere ESB (for example, a mediation flow component) invokes an external Web service.
As with the inbound Web service request, you can authenticate with the external Web service in one of three ways: as an SSL client, with HTTP Basic authentication, or with WS-Security authentication. Use LTPACallBackHandler as the callback mechanism to extract the usernameToken from the current RunAs subject. Between WebSphere Process Server and the target Web service, you can ensure data privacy and integrity using WS-Security.
Web application - HTTP inbound request to WebSphere Process Server