Many message-based computing systems include security infrastructure to secure messages (e.g., integrity, confidentiality message authentication, signer authentication, sender authorization, etc.) sent from a sender to a recipient or receiver and to provide access control to resources targeted by the message. In some systems, a message requiring security can be sent to the receiver via one or more intermediate nodes. In a common scenario, an application to be run on a computing platform will have certain security requirements that the application attempts to satisfy via the security infrastructure.
Typical conventional security infrastructures are: (1) implemented either by a developer who writes the application (i.e., by which security is controlled by the code), which typically requires the developer to accurately know the environment in which the application will operate; or (2) configured/managed by an administrator for the computing system (after being installed by a deployer or configurer). Further, in typical conventional systems, the security infrastructure is selectively configured to either secure none of the messages or to secure all of the messages sent by the application. For example, the deployer can define a “policy” that all messages are to be secured using HyperText Transfer Protocol Secure (https).