In 0.6, we only support confidentiality and clientAuthentication. We do not yet support authorization.

We should be able to:
1) Set rolesAllowed and runAs on the security configuration.
2) Add roles to the Subject (after successful authentication).
3) Verify the Subject has the roles required before invoking a service.

Much of the above is already in the code for 0.6, but commented out. This is because it was forecast as a future requirement for SwitchYard, after having looked at the JBossESB Security implementation.