As discussed in [TAS3ARCH] section 4.1 "Protocol Support for
Conveyance of Sticky Policies", Encapsulating Security Layer (ESL) is
one approach for implementing sticky policies. While total
encapsulation is possible, for already established application
protocols something lighter weight is desired. Most properties of ESL
can also be implemented by a special SOAP header that references all
the elements that would have been contained or referenced by the ESL
approach. The subtle, but salient, difference is that instead of the
intrusive encapsulation layer, all the relevant policy data is carried
in the
The reference is either by XML id attribute (preferred) or a simplified absolute XPath [XPATH99].
Example
<e:Envelope>
  <e:Header>
    <wsse:Security>...(signature here to bind ESLPolicies and Body)...</wsse:Security>
    <tas3:ESLPolicies mustUnderstand="1">
      <tas3:ESLApply>
        <tas3:ESLRef ref="#data1"/>
        <tas3:ESLRef xpath="container/subcontainer"/>
        <xa:Obligation ObligationId="urn:tas3:sol1">
          <xa:AttributeAssignment
              AttributeId="urn:tas3:sol1:require"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            urn:tas3:sol:vers=1
            urn:tas3:sol1:delon=1255555377
          </xa:AttributeAssignment>
        </xa:Obligation>
      </tas3:ESLApply>
      <tas3:ESLApply>
        <tas3:ESLRef ref="#data2"/>
        <xa:Obligation ObligationId="urn:tas3:sol1">
          <xa:AttributeAssignment
              AttributeId="urn:tas3:sol1:require"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            urn:tas3:sol:vers=1
            urn:tas3:sol1:delon=1255566666
          </xa:AttributeAssignment>
        </xa:Obligation>
      </tas3:ESLApply>
    </tas3:ESLPolicies>
  </e:Header>
  <e:Body>
    <data id="data1" value="foo"/>
    <data id="data2" value="bar"/>
    <container>
      <subcontainer value="goo"/>
    </container>
  </e:Body>
</e:Envelope>
In the above example both id based references to
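
The following is an added example, not part of the original specification text or of any TAS3 code: it shows how a receiver could resolve each ESLRef to exactly one Body element and attach the obligations of its ESLApply, rejecting the message when a reference is dangling or ambiguous. Signature verification is out of scope here. Assumptions: the tas3 and xa namespace URIs are placeholders, the simplified XPath is interpreted relative to the Body, and the names resolve and sticky_policies are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# "e" is the SOAP 1.1 envelope namespace; the tas3 and xa URIs are
# placeholders (assumptions), since the excerpt does not declare them.
NS = {"e": "http://schemas.xmlsoap.org/soap/envelope/",
      "tas3": "urn:example:tas3", "xa": "urn:example:xacml"}

# Constructed sample: a cut-down version of the message shown above.
SAMPLE = """<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:tas3="urn:example:tas3" xmlns:xa="urn:example:xacml">
  <e:Header><tas3:ESLPolicies><tas3:ESLApply>
    <tas3:ESLRef ref="#data1"/>
    <tas3:ESLRef xpath="container/subcontainer"/>
    <xa:Obligation ObligationId="urn:tas3:sol1"><xa:AttributeAssignment>
      urn:tas3:sol:vers=1
      urn:tas3:sol1:delon=1255555377
    </xa:AttributeAssignment></xa:Obligation>
  </tas3:ESLApply></tas3:ESLPolicies></e:Header>
  <e:Body>
    <data id="data1" value="foo"/>
    <data id="data2" value="bar"/>
    <container><subcontainer value="goo"/></container>
  </e:Body>
</e:Envelope>"""

STEP = re.compile(r"[A-Za-z_][\w.-]*$")  # plain element names only

def resolve(body, esl_ref):
    """Return the Body elements one ESLRef selects (by id, else by path)."""
    if "ref" in esl_ref.attrib:
        wanted = esl_ref.get("ref").lstrip("#")
        return [el for el in body.iter() if el.get("id") == wanted]
    steps = esl_ref.get("xpath", "").strip("/").split("/")
    if not all(STEP.match(s) for s in steps):
        raise ValueError("unsupported path: %r" % esl_ref.get("xpath"))
    return body.findall("/".join(steps))  # relative to Body (assumption)

def sticky_policies(envelope_xml):
    """List (tag, value, requirements) per referenced element; fail closed."""
    root = ET.fromstring(envelope_xml)
    body, result = root.find("e:Body", NS), []
    for apply in root.iterfind("e:Header/tas3:ESLPolicies/tas3:ESLApply", NS):
        reqs = [r for ob in apply.iterfind("xa:Obligation", NS)
                for r in ob.findtext("xa:AttributeAssignment", "", NS).split()]
        for esl_ref in apply.iterfind("tas3:ESLRef", NS):
            hits = resolve(body, esl_ref)
            if len(hits) != 1:  # dangling or ambiguous reference
                raise ValueError("ESLRef matched %d elements" % len(hits))
            result.append((hits[0].tag, hits[0].get("value"), reqs))
    return result
```

A duplicated id in the Body makes the id-based reference ambiguous, which is why the resolver insists on exactly one match instead of taking the first.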