cxf-users mailing list archives

From COURTAULT Francois <Francois.COURTA...@gemalto.com>
Subject RE: Regression with UT over HTTPS on 2.6.1
Date Wed, 10 Oct 2012 13:41:37 GMT
Hello,

It is an old topic, but Company X people claim that they are right (meaning that they are compliant
with the spec).
They said if you look at WSS security schema located at: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd
     - At one point, we have:
			<xs:element name="HttpsToken" type="tns:TokenAssertionType">
				<xs:annotation>
					<xs:documentation xml:lang="en">5.4.10 HttpsToken Assertion</xs:documentation>
				</xs:annotation>
			</xs:element>		
     - At another location, we have:
			<xs:complexType name="TokenAssertionType">
				<xs:sequence>
					<xs:choice minOccurs="0">
						<xs:element name="Issuer" type="wsa:EndpointReferenceType"/>
						<xs:element name="IssuerName" type="xs:anyURI"/>
					</xs:choice>
			<!--
			Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
			<xs:element ref="wsp:Policy" minOccurs="0" />
			-->

					<xs:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax"/>
				</xs:sequence>
				<xs:attribute ref="tns:IncludeToken" use="optional"/>
				<xs:anyAttribute namespace="##any" processContents="lax"/>
			</xs:complexType>


According to the comment above <xs:element ref="wsp:Policy" minOccurs="0" />, they said
that:
        <sp:TransportToken>
          <wsp:Policy>
            <sp:HttpsToken/>
          </wsp:Policy>
        </sp:TransportToken>

is valid and compliant with the ws security policy schema!

What should I believe? The spec? The schema? Who is wrong?

Best Regards.

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: mercredi 30 mai 2012 09:56
To: users@cxf.apache.org
Subject: Re: Regression with UT over HTTPS on 2.6.1

Yes that looks right.

Colm.

On Wed, May 30, 2012 at 8:12 AM, COURTAULT Francois <Francois.COURTAULT@gemalto.com> wrote:

> Hello everyone,
>
> You are right, I made a mistake in the extract policy I have sent.
> So could you confirm that the right section is:
>         <sp:TransportToken>
>          <wsp:Policy>
>            <sp:HttpsToken>
>                <wsp:Policy/>
>            </sp:HttpsToken>
>           </wsp:Policy>
>        </sp:TransportToken>
>
> Instead of:
>        <sp:TransportToken>
>          <wsp:Policy>
>            <sp:HttpsToken/>
>          </wsp:Policy>
>        </sp:TransportToken>
> ?
>
> Best Regards.
>
> -----Original Message-----
> From: Glen Mazza [mailto:gmazza@talend.com]
> Sent: mardi 29 mai 2012 20:33
> To: users@cxf.apache.org
> Subject: Re: Regression with UT over HTTPS on 2.6.1
>
> No, I believe Colm was rather clear that a new ws:Policy element needs 
> to be added as a child element of the sp:HttpsToken (if you break it 
> up into two parts: <sp:HttpsToken> and </sp:HttpsToken> it might be clearer
> for you.)   Not as a sibling element to the <sp:HttpsToken/> as you have
> it below.
>
> Glen
>
>
> On 05/29/2012 12:46 PM, COURTAULT Francois wrote:
> > Resending ...
> >
> > -----Original Message-----
> > From: COURTAULT Francois [mailto:Francois.COURTAULT@gemalto.com]
> > Sent: lundi 28 mai 2012 19:36
> > To: coheigea@apache.org
> > Cc: users@cxf.apache.org
> > Subject: RE: Regression with UT over HTTPS on 2.6.1
> >
> > Hello,
> >
> > Sorry, you mean that in the policy file, I should have
> >        <sp:TransportToken>
> >          <wsp:Policy>
> >            <sp:HttpsToken/>
> >               <wsp:Policy/>
> >          </wsp:Policy>
> >        </sp:TransportToken>
> >
> > Instead of:
> >        <sp:TransportToken>
> >          <wsp:Policy>
> >            <sp:HttpsToken/>
> >          </wsp:Policy>
> >        </sp:TransportToken>
> >
> > Right ?
> >
> > Best Regards.
> >
> > From: COURTAULT Francois
> > Sent: lundi 28 mai 2012 17:25
> > To: 'coheigea@apache.org'
> > Cc: users@cxf.apache.org
> > Subject: RE: Regression with UT over HTTPS on 2.6.1
> >
> > Hello,
> >
> > But there is one in the policy I have sent to you.
> > Extract:
> >       <sp:TransportToken>
> >          <wsp:Policy>
> >            <sp:HttpsToken/>
> >            </wsp:Policy>
> >        </sp:TransportToken>
> >
> > So what's wrong ?
> >
> > Best Regards.
> >
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: lundi 28 mai 2012 17:19
> > To: COURTAULT Francois
> > Cc: users@cxf.apache.org
> > Subject: Re: Regression with UT over HTTPS on 2.6.1
> >
> > wsp:Policy is still required by the following fragment:
> >
> > <wsp:Policy xmlns:wsp="...">
> >     (
> >       <sp:HttpBasicAuthentication />  |
> >       <sp:HttpDigestAuthentication />  |
> >       <sp:RequireClientCertificate />  |
> >       ...
> >     )?
> >
> > the "?" refers to the children of the Policy. So HttpsToken must still
> > have a <wsp:Policy> child element, the fact that the children are all
> > optional is irrelevant.
> >
> > Colm.
> > On Mon, May 28, 2012 at 3:32 PM, COURTAULT Francois <Francois.COURTAULT@gemalto.com> wrote:
> > Hello,
> >
> > I don't read the spec the same way as you, sorry.
> >
> > The spec says:
> > <sp:HttpsToken xmlns:sp="..." ...>
> >   (
> >
> >     <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>  |
> >
> >     <sp:IssuerName>xs:anyURI</sp:IssuerName>
> >
> >   ) ?
> >
> >   <wst:Claims Dialect="...">  ...</wst:Claims>  ?
> >
> >   <wsp:Policy xmlns:wsp="...">
> >     (
> >       <sp:HttpBasicAuthentication />  |
> >       <sp:HttpDigestAuthentication />  |
> >       <sp:RequireClientCertificate />  |
> >       ...
> >     )?
> >     ...
> >   </wsp:Policy>
> >   ...
> > </sp:HttpsToken>
> >
> > And "?" means 0 or 1
> > So, according to me, you can have <sp:HttpsToken.... with an empty <wsp:Policy /> policy.
> > More, the spec says that:
> >     - /sp:HttpsToken/wsp:Policy/sp:HttpBasicAuthentication is OPTIONAL
> >     - /sp:HttpsToken/wsp:Policy/sp:HttpDigestAuthentication is OPTIONAL
> >     - /sp:HttpsToken/wsp:Policy/sp:RequireClientCertificate is OPTIONAL
> > Which is coherent with the ?
> >
> > So ??????
> >
> > Best Regards.
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: lundi 28 mai 2012 15:39
> > To: COURTAULT Francois
> > Cc: users@cxf.apache.org
> > Subject: Re: Regression with UT over HTTPS on 2.6.1
> >
> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html
> >
> > "sp:HttpsToken/wsp:Policy
> >
> > This REQUIRED element identifies additional requirements for use of the
> > sp:HttpsToken assertion."
> >
> > Colm.
> >
> >
> > On Mon, May 28, 2012 at 2:33 PM, COURTAULT Francois <Francois.COURTAULT@gemalto.com> wrote:
> >
> >> Hello,
> >>
> >> This means that the policy I have attached is not compliant: right?
> >> Could you give me please a pointer or the spec paragraph which 
> >> specifies this ?
> >>
> >> Best Regards.
> >>
> >> -----Original Message-----
> >> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> >> Sent: lundi 28 mai 2012 15:18
> >> To: users@cxf.apache.org
> >> Subject: Re: Regression with UT over HTTPS on 2.6.1
> >>
> >> It's not a regression, but a stricter enforcement of the 
> >> WS-SecurityPolicy spec. You need to add a "<wsp:Policy/>" child to 
> >> the sp:HttpsToken element to be compliant.
> >>
> >> Colm.
> >>
> >> On Mon, May 28, 2012 at 1:12 PM, COURTAULT Francois <Francois.COURTAULT@gemalto.com> wrote:
> >>
> >>> Hello,
> >>>
> >>> With the same WSS policy used, attached, at server side, I got this error:
> >>>
> >>> 28 mai 2012 14:08:43 org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
> >>> ATTENTION: Failed to build the policy 'Wssp1.2-2007-Https-UsernameToken-Plain.xml':sp:HttpsToken/wsp:Policy must have a value
> >>>
> >>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: sp:HttpsToken/wsp:Policy must have a value
> >>>
> >>> whereas I didn't get any error on 2.5.4.
> >>>
> >>> Do I have to enter an issue in CXF 2.6.1?
> >>>
> >>> Best Regards.
> >>>
> >>
> >>
> >> --
> >> Colm O hEigeartaigh
> >>
> >> Talend Community Coder
> >> http://coders.talend.com
> >>
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>
>
> --
> Glen Mazza
> Talend Community Coders
> coders.talend.com
> blog: www.jroller.com/gmazza
>
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
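
Added example, not part of the original thread and not CXF code: a small lint that classifies each sp:HttpsToken in a policy file the way the replies above distinguish them (wsp:Policy as a child, wsp:Policy misplaced as a sibling, or absent). The function name, the finding labels and the two WS-Policy namespace URIs are assumptions; the thread elides xmlns:wsp as "...".

```python
import xml.etree.ElementTree as ET

# sp namespace as in the ws-securitypolicy-1.2.xsd URL quoted in the thread.
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
# Assumption: accept both the WS-Policy 1.2 and 1.5 namespaces for wsp:Policy.
WSP_NS = ("http://schemas.xmlsoap.org/ws/2004/09/policy",
          "http://www.w3.org/ns/ws-policy")
HTTPS_TOKEN = "{%s}HttpsToken" % SP_NS


def _is_policy(elem):
    return any(elem.tag == "{%s}Policy" % ns for ns in WSP_NS)


def check_https_tokens(policy_xml):
    """Return one finding per sp:HttpsToken, in document order:
    'ok', 'policy-is-sibling' or 'policy-missing'."""
    # Policy files are treated as trusted local configuration here;
    # parse untrusted XML with a hardened parser instead.
    root = ET.fromstring(policy_xml)
    findings = []
    for parent in root.iter():
        children = list(parent)
        for i, child in enumerate(children):
            if child.tag != HTTPS_TOKEN:
                continue
            if any(_is_policy(c) for c in child):
                findings.append("ok")                 # nested <wsp:Policy/> child
            elif any(_is_policy(s) for s in children[i + 1:]):
                findings.append("policy-is-sibling")  # <sp:HttpsToken/><wsp:Policy/>
            else:
                findings.append("policy-missing")     # bare <sp:HttpsToken/>
    return findings


def _wrap(inner):
    # Constructed sample: the sp:TransportToken fragment from the thread.
    return ('<sp:TransportToken xmlns:sp="%s" xmlns:wsp="%s"><wsp:Policy>%s'
            '</wsp:Policy></sp:TransportToken>' % (SP_NS, WSP_NS[0], inner))


SAMPLES = {
    "bare": _wrap("<sp:HttpsToken/>"),
    "sibling": _wrap("<sp:HttpsToken/><wsp:Policy/>"),
    "nested": _wrap("<sp:HttpsToken><wsp:Policy/></sp:HttpsToken>"),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, check_https_tokens(xml_text))
```
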
