Security statement for ResponseReceiverPaths of long-running services #941

Open
kmohr-soprasteria opened this issue Jan 22, 2024 · 0 comments
Labels
documentation Improvements or additions to documentation

kmohr-soprasteria commented Jan 22, 2024

Task:
Add a new section for this in ConceptOfAuthenticationAuthorization for the special handling of ResponseReceiverPaths of callbacks where the answer cannot be sent immediately due to long execution time.


Problem description:

  • When a consuming application calls a service with a longer processing time, the result cannot be returned in the ResponseBody.
  • In this case, the consuming application must pass the TCP address and ResponseReceiverPath (OperationName) in the RequestBody.
  • The serving application must respond with a case identifier.
  • The serving application later sends the result along with the case identifier to the ResponseReceiverPath of the consuming application.
  • Because the consuming application's ResponseReceiverPath is sent with each call, no ClientStack (HttpClient etc.) is created in the serving application.
  • Because there is no OperationClient in the serving application, OperationKeyManagement cannot store an OperationKey for calling the ResponseReceiverPath.

Regulation:

  • ResponseReceiverPaths must not be protected by an OperationKey; they shall not contain any security statement.
  • Existing specifications that have not yet been fully implemented must be corrected accordingly as part of a BugFix release.

It is assumed that this regulation will make life easier for the implementers and therefore will not cause any commercial consequences.
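
The exchange described in this issue, simulated in-process as an added example that is not part of the original issue or the project's code. The field names, the sample address and path, the 204/404 status codes, and the consumer's rejection of unknown case identifiers are assumptions made for illustration.

```python
import uuid

class ServingApplication:
    """Long-running service: acknowledges with a case identifier, answers later."""
    def __init__(self):
        self.queue = []  # accepted cases whose result is still being computed

    def handle_request(self, body):
        # The callback target arrives in every RequestBody, so no ClientStack
        # exists for it and no OperationKey is stored for calling it.
        case_id = str(uuid.uuid4())
        self.queue.append((case_id, body["tcp-address"],
                           body["response-receiver-path"], body["input"]))
        return {"case-identifier": case_id}

    def finish_cases(self, network):
        """Send each result to its ResponseReceiverPath; return the status codes."""
        statuses = []
        while self.queue:
            case_id, address, path, value = self.queue.pop(0)
            callback = {"headers": {},  # no OperationKey, no security statement
                        "body": {"case-identifier": case_id, "result": value.upper()}}
            statuses.append(network[address].receive(path, callback))
        return statuses

class ConsumingApplication:
    def __init__(self, address, receiver_path):
        self.address, self.receiver_path = address, receiver_path
        self.pending, self.results = set(), {}

    def call(self, serving, value):
        ack = serving.handle_request({"tcp-address": self.address,
                                      "response-receiver-path": self.receiver_path,
                                      "input": value})
        self.pending.add(ack["case-identifier"])
        return ack["case-identifier"]

    def receive(self, path, callback):
        # Assumed check: the path carries no OperationKey, so the case
        # identifier is the only link between a callback and a request.
        case_id = callback["body"].get("case-identifier")
        if path != self.receiver_path or case_id not in self.pending:
            return 404
        self.pending.discard(case_id)
        self.results[case_id] = callback["body"]["result"]
        return 204
```
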
