It's explained in section 6.6 - "[Entire Header and Body Signatures] Property".
Your interpretation is not correct. Essentially what it means is that only the SOAP Body, a SOAP Header, and/or a direct child of the security header can be signed, nothing else. It doesn't actually require that any of them actually be signed though.

Colm.

On Tue, Nov 5, 2013 at 9:32 AM, COURTAULT Francois <[email protected]> wrote:

> Hello everyone,
>
> What is the meaning of OnlySignEntireHeadersAndBody policy assertion ?
>
> I looked at
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html
> .
>
> As we are using asymmetric binding, the only description I got in this
> spec is :
>
> “/sp:AsymmetricBinding/wsp:Policy/sp:OnlySignEntireHeadersAndBody
>
> This optional element is a policy assertion that indicates that the
> [Entire Header And Body Signatures] property is set to 'true'.”
>
> My interpretation of the sentence above is that, if this assertion is used
> for a web service endpoint it means that the client has to generate a
> signature for all SOAP headers and the body of the SOAP request he has to
> send: am I right or wrong ?
>
> Best Regards.
>
> ------------------------------
> This message and any attachments are intended solely for the addressees
> and may contain confidential information. Any unauthorized use or
> disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable for
> the message if altered, changed or falsified. If you are not the intended
> recipient of this message, please delete it and notify the sender.
> Although all reasonable efforts have been made to keep this transmission
> free from viruses, the sender will not be liable for damages caused by a
> transmitted virus

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
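Added example, not part of the original thread and not code from CXF or WSS4J: a receiver-side check of the rule described in the reply, which resolves each `ds:Reference` and accepts it only when it targets the whole SOAP Body, a whole SOAP header, or a direct child of `wsse:Security`. The function names, the sample message and the SOAP 1.1 / WSS 1.0 namespaces are assumptions.

```python
import xml.etree.ElementTree as ET  # use a hardened parser (e.g. defusedxml) for untrusted input

# Assumption: SOAP 1.1 envelope and the WSS 1.0 namespaces.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

def signature_scope_violations(envelope_xml):
    """List every ds:Reference whose target is not the Body, a header, or a child of wsse:Security."""
    root = ET.fromstring(envelope_xml)
    parent = {child: p for p in root.iter() for child in p}
    by_id = {}
    for el in root.iter():
        for attr in (f"{{{WSU}}}Id", "Id"):
            if el.get(attr):
                by_id[el.get(attr)] = el
    violations = []
    for ref in root.iterfind(f".//{{{DS}}}SignedInfo/{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        if target is None:
            violations.append(f"{uri}: does not resolve to an element in the message")
            continue
        up = parent.get(target)
        up_tag = up.tag if up is not None else None
        entire_body = target.tag == f"{{{SOAP}}}Body" and up is root
        entire_header = up_tag == f"{{{SOAP}}}Header"
        security_child = up_tag == f"{{{WSSE}}}Security"
        if not (entire_body or entire_header or security_child):
            violations.append(f"{uri}: signs only part of a header or body")
    return violations

def constructed_envelope(signed_ids):
    """Constructed sample message; signed_ids are the wsu:Id values the signature references."""
    refs = "".join(f'<ds:Reference URI="#{i}"/>' for i in signed_ids)
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">'
            f'<s:Header><To wsu:Id="to">urn:svc</To><wsse:Security>'
            f'<wsu:Timestamp wsu:Id="ts"/><ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo>'
            f'</ds:Signature></wsse:Security></s:Header>'
            f'<s:Body wsu:Id="body"><pay><amount wsu:Id="amt">10</amount></pay></s:Body>'
            f'</s:Envelope>')

if __name__ == "__main__":
    for ids in (["body", "to", "ts"], [], ["amt"]):
        print(ids, signature_scope_violations(constructed_envelope(ids)))
```

The empty reference list passes because the assertion restricts what a signature may cover without requiring coverage; mandatory coverage is expressed separately (for example with `sp:SignedParts`).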
