Server Policy vs Client Policy

When you start working with security policies, it is easy at first to confuse the server policy with the client policy.

Every policy will have a client and a server version.

Server Policy : This policy does the actual work.
For example, the OWSM policy oracle/wss_http_token_server_policy does the HTTP basic authentication, i.e. it checks the provided userid/pwd against the server's LDAP/IDAM/whatever…

Client Policy : Adds the security information.
On the other hand, the client policy appends the required security information to the SOAP HTTP header before sending the request out.
For example, the OWSM policy oracle/wss_http_token_client_policy adds the security header with userid/pwd or csf-key to the outgoing request.

So, a service policy will be applied to the service provider, whereas the client policy will be applied to the service consumer/caller.

Without a client policy on the service caller, the security information cannot be added to the service request, and thus the service policy on the service rejects the message. So, a service caller will carry the client version of the policy that is attached to the actual service.
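
The division of work described above, as a small Python simulation of HTTP basic authentication. This is an added example, not OWSM code or its API: the function names, the credential store and the sample credentials are constructed for illustration.

```python
import base64
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed value for this example

def _digest(pwd):
    return hashlib.pbkdf2_hmac("sha256", pwd.encode("utf-8"), SALT, 100_000)

# Constructed store standing in for the server's LDAP/identity store.
USER_STORE = {"svc_caller": _digest("constructed-password")}

def client_policy(headers, userid, pwd):
    """Client side: add the Basic credentials to the outgoing headers."""
    token = base64.b64encode(f"{userid}:{pwd}".encode("utf-8")).decode("ascii")
    out = dict(headers)
    out["Authorization"] = "Basic " + token
    return out

def server_policy(headers, store=USER_STORE):
    """Server side: return (status, userid); 401 unless credentials verify."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, None  # caller had no client policy: nothing to check
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401, None  # malformed token
    userid, sep, pwd = decoded.partition(":")
    if not sep:
        return 401, None
    expected = store.get(userid, b"")
    # Constant-time comparison; unknown users fail the same way as bad passwords.
    if not hmac.compare_digest(expected, _digest(pwd)):
        return 401, None
    return 200, userid

if __name__ == "__main__":
    plain = {"Content-Type": "text/xml"}
    print(server_policy(plain))
    print(server_policy(client_policy(plain, "svc_caller", "constructed-password")))
```

The token the client side adds is only Base64-encoded, not encrypted, so the header is protected in transit only when the request travels over TLS.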
