Hi Sergey

> To me this policy reads:
>
> Ensure the message satisfies both SecureConversation and
> UsernameToken policies at the same time, because
>
> <wsp:ExactlyOne>
> <SecureConversation>
> <UsernameToken>
> </wsp:ExactlyOne>
>
> is equivalent to
>
> <wsp:ExactlyOne>
> <wsp:All>
> <SecureConversation>
> <UsernameToken>
> </wsp:All>
> </wsp:ExactlyOne>

Are you sure that this is equivalent? In the WS-SecurityPolicy spec there are examples that imply <wsp:ExactlyOne> chooses one of the direct children, so <wsp:all> is used to combine multiple policies. But nevertheless, I wrapped each in a <wsp:all>.

> Indeed. Sorry if I don't understand, but the way you
> described the flow sounded like the one which would be
> validated by this policy, that is, the first message is
> starting SecConversation flow, no UT, and the subsequent
> messages will be validated by the 2nd alternative where both
> SecConversation and UT assertions are available....
>
> Your original policy:
> [...]
>
> is actually equivalent to two alternatives (because of embedded
> wsp:Alls) : either SecureConversation only or UT only, it
> does not express the requirement that UT messages should be
> part of the SecConversation flow.

That's exactly what I'd like to have - SecureConversation only or UT only. I hope this makes it clearer :)

cheers
Karl
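
Added example, not part of the original message: a simplified WS-Policy normalizer that lists the alternatives each of the three policy shapes discussed in this thread expands to. `SecureConversation` and `UsernameToken` are the thread's placeholder assertion names; the WS-Policy 1.5 namespace and the helper names `alternatives` and `parse` are assumptions of this sketch, and `wsp:Optional` and policies nested inside assertions are ignored.

```python
import xml.etree.ElementTree as ET
from itertools import product

WSP_NS = "http://www.w3.org/ns/ws-policy"  # WS-Policy 1.5 namespace (assumed)
WSP = "{" + WSP_NS + "}"


def alternatives(elem):
    """Return the set of policy alternatives for an operator or assertion.

    Each alternative is a frozenset of assertion names.
    """
    if elem.tag in (WSP + "Policy", WSP + "All"):
        # All: every child must hold, so take one alternative from each
        # child and merge them (cross product).
        children = [alternatives(c) for c in elem]
        return {frozenset().union(*combo) for combo in product(*children)}
    if elem.tag == WSP + "ExactlyOne":
        # ExactlyOne: each direct child contributes its own alternatives.
        return set().union(*(alternatives(c) for c in elem))
    # Anything else is treated as a single opaque assertion.
    return {frozenset([elem.tag])}


def parse(body):
    """Wrap a policy fragment in wsp:Policy and list its alternatives."""
    xml = '<wsp:Policy xmlns:wsp="%s">%s</wsp:Policy>' % (WSP_NS, body)
    return alternatives(ET.fromstring(xml))


# Constructed samples using the placeholder assertions from the thread.
DIRECT = ("<wsp:ExactlyOne><SecureConversation/><UsernameToken/>"
          "</wsp:ExactlyOne>")
WRAPPED_EACH = ("<wsp:ExactlyOne>"
                "<wsp:All><SecureConversation/></wsp:All>"
                "<wsp:All><UsernameToken/></wsp:All>"
                "</wsp:ExactlyOne>")
SINGLE_ALL = ("<wsp:ExactlyOne><wsp:All>"
              "<SecureConversation/><UsernameToken/>"
              "</wsp:All></wsp:ExactlyOne>")

if __name__ == "__main__":
    for name in ("DIRECT", "WRAPPED_EACH", "SINGLE_ALL"):
        alts = parse(globals()[name])
        print(name, sorted(sorted(a) for a in alts))
```
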
