In my case, I have a VirtualHost (login.example.com) already, which is up and running in production. I have a requirement to enable the Authn/Authz web services in the same SPS instance with the same VIP (login.example.com). But I was forced to use a new VH (wslogin.example.com) while enabling the web services.
Is it mandatory to have a dedicated VirtualHost for the web service? Can't I use an existing VH (login.example.com), which was already configured, for my web service?
I think it is correct from a security standpoint to have a different endpoint for web service calls and regular HTTP requests. From the Secure Proxy perspective, it is primarily a proxy. Hence the default VHs would serve only proxy functions. Combining the WS calls in the same VH would create a lot of interference and possible performance issues within the single VH.
From a functional standpoint, as long as the different VHs share the same cookie domain, the SMSESSION cookie is passed to the different VHs. Hence I think this is cleaner, with segregated role functions for each VH. In fact, you'd see that customers want clear segregation of traffic. Check the new SPS ERs that have been raised.
I do agree that from a deployment and operational maintenance perspective this is a tad difficult; however, the wider benefit of segregating traffic does weigh in heavily. Hence the design of running AuthAzWS on a VH of its own.
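The functional point above (a session cookie issued on one VH is presented to another VH only when both sit under the same cookie domain) can be checked with Python's standard cookie jar. This is an added example, not code from the thread or from the SPS product: it assumes the cookie is named SMSESSION with a `Domain=.example.com` attribute, and the hostnames wslogin.example.com and login.example.com come from the thread, while login.example.net is a constructed negative case.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _SetCookieResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()
    to return a message-like object exposing the Set-Cookie headers."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def hosts_receiving_cookie(issuer_url, set_cookie, candidate_urls):
    """Simulate a cookie being set by issuer_url and report, for each
    candidate URL, the Cookie header a browser would attach (or None).

    Domain matching follows the cookie jar's default policy, which is
    the same host-suffix rule browsers apply to the Domain attribute."""
    jar = CookieJar()
    # The login VH sets the session cookie in its response.
    jar.extract_cookies(_SetCookieResponse([set_cookie]), Request(issuer_url))

    result = {}
    for url in candidate_urls:
        req = Request(url)
        # The jar attaches only cookies whose domain matches the request host.
        jar.add_cookie_header(req)
        result[url] = req.get_header("Cookie")
    return result


# Constructed values: the session token is a placeholder, not a real SMSESSION.
SESSION_COOKIE = "SMSESSION=PLACEHOLDER_TOKEN; Domain=.example.com; Path=/; Secure"

if __name__ == "__main__":
    outcome = hosts_receiving_cookie(
        "https://login.example.com/affwebservices/",
        SESSION_COOKIE,
        [
            "https://wslogin.example.com/authazws/",  # same cookie domain
            "https://login.example.com/protected/",   # the issuing VH itself
            "https://login.example.net/authazws/",    # different cookie domain
        ],
    )
    for url, header in outcome.items():
        print(f"{url:45} -> {header}")
```

The third case shows why the two VHs must share the cookie domain: a web-service VH under any other domain would receive no SMSESSION at all and every call would have to authenticate from scratch.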
Thank You Hubert, it helps.