Hi, Sometimes we may not need this change and have to move the security phase > after dispatching. Please see the possible two security attacks I have > mentioned here.
I think we have to have the operation dispatched before the security phase in all cases. Otherwise there will be no way of doing a proper security validation because we can't get the operation level ( and also message level ) security constraints and requirements. But then, something like body based dispatching will not be possible in some scenarios when security is engaged, because the body may still not be decrypted when it comes to dispatching. will this be a problem ? IFAIK, According to the soap spec "An HTTP client MUST use SOAPAction header field when issuing a SOAP HTTP Request." Regards, Nandana
