- From: Marc Hadley <Marc.Hadley@Sun.COM>
- Date: Thu, 25 Sep 2003 11:47:05 -0400
- To: Jean-Jacques Moreau <jean-jacques.moreau@crf.canon.fr>
- Cc: xml-dist-app@w3.org
On Thursday, Sep 25, 2003, at 03:57 US/Eastern, Jean-Jacques Moreau wrote: > >> *** 410 "The <wsse:Security> header block without a specified S:role >> MAY be consumed by anyone, but MUST NOT be removed prior to the final >> destination or endpoint." What does 'consumed' mean. SOAP 1.2 makes >> it clear that SOAP headers without a role attribute are equivalent >> to those with a role of >> "http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver". In >> both cases the ultimate receiver of the message is the target of the >> header block. > > An active intermediary could still consume the header block; this is > part of the processing model. So, unless WSS includes a special header > block to implement the above assertion, it cannot be fulfilled, I > think. > I think the problem in the original text is the use of the word 'consumed' which implies removal, a forwarding intermediary should never be playing the ultimateReceiver role so the header block should never be removed until the message reaches the ultimate receiver. Active intermediaries can always change the message "in ways not described in the inbound SOAP message" so its questionable that adding a special header block would help. Marc. -- Marc Hadley <marc.hadley@sun.com> Web Technologies and Standards, Sun Microsystems.
Received on Thursday, 25 September 2003 11:47:11 UTC