Component/s: Core Spec
When sending a UserMessage, the following parameter configures the use of X.509 or Username tokens on that message:
This applies to the user message. So if the user message is pulled, it applies to the pulled user message, not to the pull request.
Section 7.10 describes that Pull requests can be authorized using a secondary WS-Security header targeting the "ebms" role. This is configured using the following parameters:
This option is supported in AS4 (section 2.1.1) ebHandler as Authorization option 1.
Section 7.11.2 states that PullRequests can also be secured using WS-Security tokens targeting the default "role". Section 7.10 actually has an example that contains two WS-Security headers, targeting different roles. AS4 ebHandler refers to this as Authorization Option 2. In the Core Specification it is not clear how this header is configured.
See the next separate issue on AS4 and securing pull requests.