I should know the answer to this, but it has been a while since I have written SiteMinder policy.
We have an API (one URI) that needs to be accessible anonymously via GET, and protected for POST operations.
I have an unprotected realm, and a rule of * with POST.
It appears that this basically protects all methods for *, but only the POST method will be authorized via the attached policy.
Is there any way in policy (without using webappclientresponse) to leave GET unprotected, and protect POST only?
If not, I will start looking at webappclientresponse; it just seems like it should be doable in policy.
To check if the resource is protected, it is sufficient to just have a rule matching the resource. The web agent action type (GET/POST/PUT etc.) is not checked during IsProtected checking.
So, based on this, it doesn't seem possible to protect only the POST action for the same resource and unprotect GET.
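
A simplified model of the two-phase check described in the answer above, added here as an example; it is not part of the original thread and not SiteMinder code. The names `Rule`, `is_protected`, `is_authorized` and `decide`, the user `alice` and the path `/api/item` are all assumptions made for illustration.

```python
from fnmatch import fnmatch
from typing import NamedTuple


class Rule(NamedTuple):
    resource: str          # resource filter, e.g. "*"
    actions: frozenset     # web agent actions the rule fires on
    users: frozenset       # users bound to the rule by the attached policy


# Constructed sample mirroring the question: an unprotected realm
# containing a single rule of "*" with the POST action.
RULES = [Rule("*", frozenset({"POST"}), frozenset({"alice"}))]


def is_protected(path, rules=RULES):
    # Phase 1: only the resource is matched; the action is not consulted.
    return any(fnmatch(path, r.resource) for r in rules)


def is_authorized(user, path, action, rules=RULES):
    # Phase 2: resource, action and policy membership must all match.
    return any(
        fnmatch(path, r.resource) and action in r.actions and user in r.users
        for r in rules
    )


def decide(path, action, user=None, rules=RULES):
    if not is_protected(path, rules):
        return "allow-anonymous"   # no rule matches the resource
    if user is None:
        return "challenge"         # protected: credentials are required
    return "allow" if is_authorized(user, path, action, rules) else "deny"


if __name__ == "__main__":
    for action, user in [("GET", None), ("POST", None),
                         ("GET", "alice"), ("POST", "alice")]:
        print(action, user, "->", decide("/api/item", action, user))
```

In this model an anonymous GET is challenged just like a POST, because the `*` rule marks the resource as protected before the action is ever looked at.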