Listing 1: WS Security achieved through DerivedKeyTokens

(some namespaces have been truncated to fit this page)

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/...wssecurity-secext-1.0.xsd"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
  xmlns:wsu="http://docs.oasis-open.org/...wssecurity-utility-1.0.xsd">
  <soap:Header>
    <wsse:Security xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc">
      <wssc:SecurityContextToken wsu:Id="scContext">
        <wssc:Identifier>uuid:5e78f6fc-bf05</wssc:Identifier>
      </wssc:SecurityContextToken>
      <wssc:DerivedKeyToken wsu:Id="signingkey">
        <wsse:SecurityTokenReference>
          <wsse:Reference URI="#scContext"/>
        </wsse:SecurityTokenReference>
        <wssc:Length>16</wssc:Length>
        <wssc:Label>WS-SecureConversation</wssc:Label>
        <wssc:Nonce>5zIc5sVkvSzZgDcB98G9qg==</wssc:Nonce>
      </wssc:DerivedKeyToken>
      <wssc:DerivedKeyToken wsu:Id="encryptingKey">
        <wsse:SecurityTokenReference>
          <wsse:Reference URI="#scContext"/>
        </wsse:SecurityTokenReference>
        <wssc:Length>16</wssc:Length>
        <wssc:Label>WS-SecureConversation</wssc:Label>
        <wssc:Nonce>mh9fNSRNMT6QTlyW7ovZnQ==</wssc:Nonce>
      </wssc:DerivedKeyToken>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#encryptedContent"/>
      </xenc:ReferenceList>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <!-- ... -->
        </SignedInfo>
        <SignatureValue>R1bt...tB9RI.M=</SignatureValue>
        <KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#signingkey"
              ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk"/>
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData Id="encryptedContent"
      Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod
        Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference>
          <wsse:Reference URI="#encryptingKey"
            ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk"/>
        </wsse:SecurityTokenReference>
      </KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>Hqjdc...+LEV51oMqtg=</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>

Listing 2: WS Security achieved through X509 Certificate Profile

(some namespaces have been truncated to fit this page)

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
  xmlns:wsu="http://docs.oasis-open.org/...utility-1.0.xsd">
  <soap:Header>
    <wsse:Security
      xmlns:wsse="http://docs.oasis-open.org/...secext-1.0.xsd"
      soap:mustUnderstand="1">
      <wsse:BinarySecurityToken
        EncodingType="..."
        ValueType="http://...x509-token-profile-1.0#X509v3"
        wsu:Id="x509bst">
          MIICLj...=
      </wsse:BinarySecurityToken>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod
          Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier
              EncodingType="..."
              ValueType="http://...#X509SubjectKeyIdentifier">
              tVuqKSO89...Mw=
            </wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </dsig:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>OjGpFrTg...4MQ=</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#bodyencdata"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <!-- ... -->
        </ds:SignedInfo>
        <ds:SignatureValue>tbDUa...kqio=</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#x509bst"
              ValueType="http://...-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData Id="bodyencdata"
      Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod
        Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <xenc:CipherData>
        <xenc:CipherValue>mrsIN...WQ==</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>