cxf-users mailing list archives

From COURTAULT Francois <Francois.COURTA...@gemalto.com>
Subject RE: Regression with UT over HTTPS on 2.6.1
Date Thu, 11 Oct 2012 09:27:57 GMT
Hello,

Any answer regarding this topic ?

Best Regards.

-----Original Message-----
From: COURTAULT Francois [mailto:Francois.COURTAULT@gemalto.com] 
Sent: Wednesday 10 October 2012 17:20
To: users@cxf.apache.org; coheigea@apache.org
Subject: RE: Regression with UT over HTTPS on 2.6.1

Hello,

Regarding the spec errata, this is also my understanding (e.g. the HttpsToken must have a Policy
child).
But what about the WS-SecurityPolicy schema? Is this schema compliant with the spec?
One simple test is to check whether the policy which causes the issue with CXF 2.6.1
is valid against this schema: what do you think?
In fact, I have checked with Eclipse. It seems that the policy file with the following section:
  <sp:TransportBinding>
  	<wsp:Policy>
  		<sp:TransportToken>
  			<wsp:Policy>
  				<sp:HttpsToken/>
  			</wsp:Policy>
  		</sp:TransportToken>
  		<sp:AlgorithmSuite>
  			<wsp:Policy>
  				<sp:Basic256/>
  			</wsp:Policy>
  		</sp:AlgorithmSuite>
  		<sp:Layout>
  			<wsp:Policy>
  				<sp:Lax/>
  			</wsp:Policy>
  		</sp:Layout>
  		<sp:IncludeTimestamp/>
  	</wsp:Policy>
  </sp:TransportBinding>

is well formed and valid against the ws security policy schema available at http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd
which seems to be in contradiction with the spec :-( ?????  BUG in the schema ?

Regarding the interop topic, this is an issue between an application server using Metro and a
CXF client (2.6.1).

Best Regards.

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Wednesday 10 October 2012 16:01
To: COURTAULT Francois
Cc: users@cxf.apache.org
Subject: Re: Regression with UT over HTTPS on 2.6.1

Hi,

My interpretation is that the comment associated with TokenAssertionType defined in the schema
does not trump the specification requirements. The errata for WS-SecurityPolicy 1.2 still
requires that a HttpsToken have a Policy child:

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/errata01/os/ws-securitypolicy-1.2-errata01-os-complete.pdf

Having said that, if this is causing interop problems with WCF I'm willing to reconsider.
Does anyone else have an opinion on this?

Colm.

On Wed, Oct 10, 2012 at 2:41 PM, COURTAULT Francois <Francois.COURTAULT@gemalto.com> wrote:

> Hello,
>
> It is an old topic but Company X people claim that they are right (meaning
> that they are compliant with the spec).
> They said that if you look at the WSS security schema located at:
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd
>      - At one point, we have:
>         <xs:element name="HttpsToken" type="tns:TokenAssertionType">
>             <xs:annotation>
>                 <xs:documentation xml:lang="en">5.4.10 HttpsToken Assertion</xs:documentation>
>             </xs:annotation>
>         </xs:element>
>      - At another location, we have:
>         <xs:complexType name="TokenAssertionType">
>             <xs:sequence>
>                 <xs:choice minOccurs="0">
>                     <xs:element name="Issuer" type="wsa:EndpointReferenceType"/>
>                     <xs:element name="IssuerName" type="xs:anyURI"/>
>                 </xs:choice>
>                 <!--
>                 Actual content model is non-deterministic, hence wildcard.
>                 The following shows intended content model:
>                 <xs:element ref="wsp:Policy" minOccurs="0" />
>                 -->
>                 <xs:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax"/>
>             </xs:sequence>
>             <xs:attribute ref="tns:IncludeToken" use="optional"/>
>             <xs:anyAttribute namespace="##any" processContents="lax"/>
>         </xs:complexType>
>
>
> According to the comment above, <xs:element ref="wsp:Policy" minOccurs="0" />, they said that:
>         <sp:TransportToken>
>           <wsp:Policy>
>             <sp:HttpsToken/>
>           </wsp:Policy>
>         </sp:TransportToken>
>
> is valid and compliant with the ws security policy schema!
>
> What should I believe? The spec? The schema? Who is wrong?
>
> Best Regards.
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Wednesday 30 May 2012 09:56
> To: users@cxf.apache.org
> Subject: Re: Regression with UT over HTTPS on 2.6.1
>
> Yes that looks right.
>
> Colm.
>
> On Wed, May 30, 2012 at 8:12 AM, COURTAULT Francois <Francois.COURTAULT@gemalto.com> wrote:
>
> > Hello everyone,
> >
> > You are right, I made a mistake in the extract policy I have sent.
> > So could you confirm that the right section is:
> >         <sp:TransportToken>
> >          <wsp:Policy>
> >            <sp:HttpsToken>
> >                <wsp:Policy/>
> >            </sp:HttpsToken>
> >           </wsp:Policy>
> >        </sp:TransportToken>
> >
> > Instead of:
> >        <sp:TransportToken>
> >          <wsp:Policy>
> >            <sp:HttpsToken/>
> >          </wsp:Policy>
> >        </sp:TransportToken>
> > ?
> >
> > Best Regards.
> >
> > -----Original Message-----
> > From: Glen Mazza [mailto:gmazza@talend.com]
> > Sent: Tuesday 29 May 2012 20:33
> > To: users@cxf.apache.org
> > Subject: Re: Regression with UT over HTTPS on 2.6.1
> >
> > No, I believe Colm was rather clear that a new ws:Policy element
> > needs to be added as a child element of the sp:HttpsToken (if you
> > break it up into two parts: <sp:HttpsToken> and </sp:HttpsToken> it
> > might be clearer for you.)   Not as a sibling element to the <sp:HttpsToken/> as you have
> > it below.
> >
> > Glen
> >
> >
> > On 05/29/2012 12:46 PM, COURTAULT Francois wrote:
> > > Resending ...
> > >
> > > -----Original Message-----
> > > From: COURTAULT Francois [mailto:Francois.COURTAULT@gemalto.com]
> > > Sent: Monday 28 May 2012 19:36
> > > To: coheigea@apache.org
> > > Cc: users@cxf.apache.org
> > > Subject: RE: Regression with UT over HTTPS on 2.6.1
> > >
> > > Hello,
> > >
> > > Sorry, you mean that in the policy file, I should have
> > >        <sp:TransportToken>
> > >          <wsp:Policy>
> > >            <sp:HttpsToken/>
> > >               <wsp:Policy/>
> > >          </wsp:Policy>
> > >        </sp:TransportToken>
> > >
> > > Instead of:
> > >        <sp:TransportToken>
> > >          <wsp:Policy>
> > >            <sp:HttpsToken/>
> > >          </wsp:Policy>
> > >        </sp:TransportToken>
> > >
> > > Right ?
> > >
> > > Best Regards.
> > >
> > > From: COURTAULT Francois
> > > Sent: Monday 28 May 2012 17:25
> > > To: 'coheigea@apache.org'
> > > Cc: users@cxf.apache.org
> > > Subject: RE: Regression with UT over HTTPS on 2.6.1
> > >
> > > Hello,
> > >
> > > But there is one in the policy I have sent to you.
> > > Extract:
> > >       <sp:TransportToken>
> > >          <wsp:Policy>
> > >            <sp:HttpsToken/>
> > >            </wsp:Policy>
> > >        </sp:TransportToken>
> > >
> > > So what's wrong ?
> > >
> > > Best Regards.
> > >
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: Monday 28 May 2012 17:19
> > > To: COURTAULT Francois
> > > Cc: users@cxf.apache.org<mailto:users@cxf.apache.org>
> > > Subject: Re: Regression with UT over HTTPS on 2.6.1
> > >
> > > wsp:Policy is still required by the following fragment:
> > >
> > > <wsp:Policy xmlns:wsp="...">
> > >     (
> > >       <sp:HttpBasicAuthentication />  |
> > >       <sp:HttpDigestAuthentication />  |
> > >       <sp:RequireClientCertificate />  |
> > >       ...
> > >     )?
> > >
> > > the "?" refers to the children of the Policy. So HttpsToken must
> > > still have a <wsp:Policy> child element; the fact that the children are
> > > all optional is irrelevant.
> > >
> > > Colm.
> > > On Mon, May 28, 2012 at 3:32 PM, COURTAULT Francois <Francois.COURTAULT@gemalto.com> wrote:
> > > Hello,
> > >
> > > I don't read the spec the same way as you, sorry.
> > >
> > > The spec says:
> > > <sp:HttpsToken xmlns:sp="..." ...>
> > >   (
> > >
> > >     <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>  |
> > >
> > >     <sp:IssuerName>xs:anyURI</sp:IssuerName>
> > >
> > >   ) ?
> > >
> > >   <wst:Claims Dialect="...">  ...</wst:Claims>  ?
> > >
> > >   <wsp:Policy xmlns:wsp="...">
> > >     (
> > >       <sp:HttpBasicAuthentication />  |
> > >       <sp:HttpDigestAuthentication />  |
> > >       <sp:RequireClientCertificate />  |
> > >       ...
> > >     )?
> > >     ...
> > >   </wsp:Policy>
> > >   ...
> > > </sp:HttpsToken>
> > >
> > > And "?" means 0 or 1
> > > So, according to me, you can have <sp:HttpsToken ...> with an
> > > empty <wsp:Policy /> policy.
> > > Moreover, the spec says that:
> > >     - /sp:HttpsToken/wsp:Policy/sp:HttpBasicAuthentication is OPTIONAL
> > >     - /sp:HttpsToken/wsp:Policy/sp:HttpDigestAuthentication is OPTIONAL
> > >     - /sp:HttpsToken/wsp:Policy/sp:RequireClientCertificate is OPTIONAL
> > > Which is coherent with the "?".
> > >
> > > So ??????
> > >
> > > Best Regards.
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh
> > > [mailto:coheigea@apache.org<mailto:coheigea@apache.org>]
> > > Sent: Monday 28 May 2012 15:39
> > > To: COURTAULT Francois
> > > Cc: users@cxf.apache.org<mailto:users@cxf.apache.org>
> > > Subject: Re: Regression with UT over HTTPS on 2.6.1
> > >
> > > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html
> > >
> > > "sp:HttpsToken/wsp:Policy
> > >
> > > This REQUIRED element identifies additional requirements for use
> > > of the sp:HttpsToken assertion."
> > >
> > > Colm.
> > >
> > >
> > > On Mon, May 28, 2012 at 2:33 PM, COURTAULT Francois <Francois.COURTAULT@gemalto.com> wrote:
> > >
> > >> Hello,
> > >>
> > >> This means that the policy I have attached is not compliant: right?
> > >> Could you give me please a pointer or the spec paragraph which 
> > >> specifies this ?
> > >>
> > >> Best Regards.
> > >>
> > >> -----Original Message-----
> > >> From: Colm O hEigeartaigh
> > >> [mailto:coheigea@apache.org<mailto:coheigea@apache.org>]
> > >> Sent: Monday 28 May 2012 15:18
> > >> To: users@cxf.apache.org<mailto:users@cxf.apache.org>
> > >> Subject: Re: Regression with UT over HTTPS on 2.6.1
> > >>
> > >> It's not a regression, but a stricter enforcement of the 
> > >> WS-SecurityPolicy spec. You need to add a "<wsp:Policy/>" child 
> > >> to the sp:HttpsToken element to be compliant.
> > >>
> > >> Colm.
> > >>
> > >> On Mon, May 28, 2012 at 1:12 PM, COURTAULT Francois <Francois.COURTAULT@gemalto.com> wrote:
> > >>
> > >>> Hello,
> > >>>
> > >>> With the same WSS policy used, attached, at server side, I got
> > >>> this error:
> > >>>
> > >>> 28 mai 2012 14:08:43 org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
> > >>>
> > >>> ATTENTION: Failed to build the policy 'Wssp1.2-2007-Https-UsernameToken-Plain.xml':sp:HttpsToken/wsp:Policy must have a value
> > >>>
> > >>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: sp:HttpsToken/wsp:Policy must have a value
> > >>>
> > >>> whereas I didn't get any error on 2.5.4.
> > >>>
> > >>> Do I have to enter an issue in CXF 2.6.1?
> > >>>
> > >>> Best Regards.
> > >>>
> > >>
> > >>
> > >> --
> > >> Colm O hEigeartaigh
> > >>
> > >> Talend Community Coder
> > >> http://coders.talend.com
> > >>
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> > >
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> >
> >
> > --
> > Glen Mazza
> > Talend Community Coders
> > coders.talend.com
> > blog: www.jroller.com/gmazza
> >
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
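The whole thread turns on one structural rule: under the WS-SecurityPolicy 1.2 errata, sp:HttpsToken must carry a wsp:Policy child, which may be empty, and CXF 2.6.1 rejects policies that omit it with "sp:HttpsToken/wsp:Policy must have a value". The script below is an added example, not code from CXF or from anyone in the thread: it lints a policy file for exactly that rule before an upgrade, flags the sibling-instead-of-child layout from the 28 May message as well as the bare <sp:HttpsToken/>, and can insert the empty child that Colm confirmed. The sample policy is constructed from the TransportBinding quoted above; the namespace URIs are the standard WS-SecurityPolicy 1.2 and WS-Policy 1.2/1.5 ones; the function names are mine.

```python
# Added example (not CXF's own code): lint a WS-SecurityPolicy 1.2 policy for the
# rule the thread settles on (sp:HttpsToken MUST have a wsp:Policy child, which may
# be empty) and optionally repair it.  Function names are this example's own.
import xml.etree.ElementTree as ET

SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP_NAMESPACES = (
    "http://www.w3.org/ns/ws-policy",                # WS-Policy 1.5
    "http://schemas.xmlsoap.org/ws/2004/09/policy",  # WS-Policy 1.2
)
HTTPS_TOKEN = "{%s}HttpsToken" % SP_NS


def _is_wsp_policy(element):
    """True if element is a wsp:Policy in either WS-Policy namespace."""
    return any(element.tag == "{%s}Policy" % ns for ns in WSP_NAMESPACES)


def httpstoken_violations(policy_xml):
    """Return one message per sp:HttpsToken that lacks a wsp:Policy *child*.

    A wsp:Policy that is a sibling of HttpsToken does not count: the spec path
    is sp:HttpsToken/wsp:Policy, so the check only looks at direct children.
    """
    root = ET.fromstring(policy_xml)
    problems = []
    for index, token in enumerate(root.iter(HTTPS_TOKEN)):
        if not any(_is_wsp_policy(child) for child in token):
            problems.append(
                "sp:HttpsToken #%d: sp:HttpsToken/wsp:Policy must have a value" % index
            )
    return problems


def add_empty_policy_child(policy_xml):
    """Return the policy with an empty <wsp:Policy/> under every bare HttpsToken.

    The WS-Policy namespace already used in the document is reused so the output
    stays on one WS-Policy version; WS-Policy 1.5 is assumed if none is present.
    """
    root = ET.fromstring(policy_xml)
    wsp_ns = WSP_NAMESPACES[0]
    for ns in WSP_NAMESPACES:
        if next(root.iter("{%s}Policy" % ns), None) is not None:
            wsp_ns = ns
            break
    ET.register_namespace("sp", SP_NS)
    ET.register_namespace("wsp", wsp_ns)
    # Materialise the token list first so the tree is not modified mid-iteration.
    for token in list(root.iter(HTTPS_TOKEN)):
        if not any(_is_wsp_policy(child) for child in token):
            ET.SubElement(token, "{%s}Policy" % wsp_ns)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: the TransportBinding from the thread with a bare
# <sp:HttpsToken/>, i.e. the layout CXF 2.6.1 rejects.
BROKEN_POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:TransportBinding>
    <wsp:Policy>
      <sp:TransportToken>
        <wsp:Policy>
          <sp:HttpsToken/>
        </wsp:Policy>
      </sp:TransportToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy>
  </sp:TransportBinding>
</wsp:Policy>"""

# Constructed: wsp:Policy placed as a *sibling* of HttpsToken (the first attempt
# in the thread); still a violation because the required element is not a child.
SIBLING_POLICY = BROKEN_POLICY.replace(
    "<sp:HttpsToken/>", "<sp:HttpsToken/>\n          <wsp:Policy/>"
)

# Constructed: the layout Colm confirmed, an empty wsp:Policy *child*.
FIXED_POLICY = BROKEN_POLICY.replace(
    "<sp:HttpsToken/>", "<sp:HttpsToken><wsp:Policy/></sp:HttpsToken>"
)

if __name__ == "__main__":
    for name, policy in (("bare", BROKEN_POLICY), ("sibling", SIBLING_POLICY),
                         ("child", FIXED_POLICY)):
        print(name, httpstoken_violations(policy) or "ok")
    print(add_empty_policy_child(BROKEN_POLICY))
```

Run it against the real policy file (`httpstoken_violations(open(path).read())`) before moving a server or client to 2.6.1; an empty list means the HttpsToken layout will not trip the stricter check, and `add_empty_policy_child` gives a minimal repaired copy to diff against the original.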
