Hi Karl
>> <wsp:ExactlyOne> >> <wsp:All> >> <SecureConversation> >> <UsernameToken> >> <wsp:All> >> </wsp:ExactlyOne> > > Are you sure, that this is equivalent? In the WS-SecurityPolicy spec are > examples, that imply <wsp:ExactlyOne> choses one of the direct childs, > so <wsp:all> is used to combine multiple policies. But nevertheless, I > wrapped each in a <wsp:all>. > http://www.w3.org/TR/ws-policy/#Normal_Form_Policy_Expression seems to be indicating that wsp:All is needed, it's not used in the examples, but ExactlyOne with direct assertion children seems like a shortcut for ExactlyOne/All...Not really sure 100% though :-) >> Indeed. Sorry if I don't understand, but the way you >> described the flow sounded like the one which would be >> validated by this policy, that is, the first message is >> starting SecConversation flow, no UT, and the subsequent >> messages will be validated by the 2nd alternative where both >> SecConversation and UT assertions are available.... >> >> Your original policy: >> [...] >> >> is actually equivalent to two alternatives (because of embedded >> wsp:Alls) : either SecureConversation only or UT only, it >> does not express the requirement that UT messages should be >> part of the SecConversation flow. > > thats exactly what I'd like to have - SecureConversation only or UT > only. Do you mean you are ok with UT requests which are not part of the SecureConversation flow being accepted as well ? thanks, Sergey > > I hope this makes it clearer :) > > cheers > Karl >
