I should know the answer to this, but it has been a while since I have written SiteMinder policy.
We have an API (one URI) that needs to be accessible anonymously via get, and protected for POST operations.
I have an unprotected realm, and a rule of * with POST.
It appears that this basically protects all methods for *, but only the POST method will be authorized via the attached policy.
Is there any way in policy (without using webappclientresponse) to leave get unprotected, and protect POST only?
If not, I will start looking at webappclient response, it just seems like it should be doable in policy.