Hi Massimiliano, So the problem is that if the module finds the > securitypolicy > it puts the security header, with mustUnderstand set to true. >
Yes. This is a bug in Rampart. Even if the policy is not a security policy, Rampart puts a security header to the soap message. Other scenario is when there is a transport binding without any supporting tokens,actually no security header is needed but Rampart creates an empty security header here too. We should not create empty security headers in these situations. Can you please raise a JIRA for this ? Thanks, Nandana
