Claim Selection Priority

[schmidtw]

The claims can come from a few different sources:

• The remote business logic service
• The HTTP request itself (as part of the payload submitted by the client)
• Configuration of Themis
• Time based claims

With the way Themis is assembled today there is a priority ordering as below:

1. Time based claims (applied last, not overwritten)
2. Configuration based claims
3. HTTP request based claims
4. Claims from the remote business logic service

Since the remote business logic service is given the HTTP request claims, it should be allowed to adjust/overwrite claims since it (in theory) will know better that the requesting agent.

I'll propose we change the processing order to be as follows:

1. Time based claims (applied last, not overwritten)
2. Configuration based claims
3. Claims from the remote business logic service
4. HTTP request based claims