[ http://issues.apache.org/jira/browse/AXIS2-891?page=comments#action_12421124 ]

Brian DePradine commented on AXIS2-891:
---------------------------------------

Hi Eran,

You are correct when you say that the SOAP 1.1 spec requires that every request must have a SOAPAction. In fact, the WS-Addressing 1.0 SOAP Binding spec takes this into account as stated here, http://www.w3.org/TR/ws-addr-soap/#s11extdesc.

The point of this patch is that a user may want to encrypt the SOAP headers on a request without having the value of the WS-Addressing action header leaked in the clear via the SOAPAction header. One alternative is to use transport level security, such as SSL, to encrypt the entire session, but the overhead associated with doing this may be prohibitive. The other alternative, and the one put forward in the WS-Addressing 1.0 SOAP Binding spec, is to allow the SOAPAction to be set to the empty value, "". This means that we will still be compliant with the SOAP 1.1 spec, as the SOAPAction header will be present on the request, and the WS-Addressing action won't be leaked in the clear.

When isUseSoapAction() returns true the request should include the following:

SOAPAction: foo
...
<wsa:action>foo</wsa:action>
...

When isUseSoapAction() returns false the request should include the following:

SOAPAction: ""
...
<wsa:action>foo</wsa:action>
...

You have alerted me to one problem though. It seems that, according to the WS-I Basic Profile version 1.1, when the SOAPAction field is set, the value should always be quoted. This is not happening at the moment, i.e.

SOAPAction: foo

should be,

SOAPAction: "foo"

I will raise a separate JIRA issue to cover this.

> Allow the WS-Addressing action to be set, in the client, without also setting the SOAP action
> ---------------------------------------------------------------------------------------------
>
>          Key: AXIS2-891
>          URL: http://issues.apache.org/jira/browse/AXIS2-891
>      Project: Apache Axis 2.0 (Axis2)
>   Issue Type: Improvement
>   Components: core
>     Reporter: Brian DePradine
>  Attachments: patch.txt
>
>
> Modify the Options class to allow a user to set the WS-Addressing action
> without also setting the soap action. This is important as, according to the
> WS-Addressing 1.0 SOAP Binding Spec, it will allow the ability to obscure the
> action through SOAP-level security mechanisms, without having to resort to
> transport level security mechanisms. Patch to follow.
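
An added example, not part of the original message or of the Axis2 code base: a Python check over a captured SOAP 1.1 request for the two conditions discussed in the comment, a non-empty SOAPAction exposing the action while the SOAP headers are encrypted, and an unquoted SOAPAction value. The finding names, the helper `sample_request` and the sample requests are constructed for illustration, and the check assumes the element is spelled `wsa:Action` as in the WS-Addressing 1.0 namespace.

```python
import xml.etree.ElementTree as ET

NS = {  # namespaces from the SOAP 1.1, WS-Addressing 1.0 and XML Encryption specs
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

def audit_request(raw_http):
    """Return findings (hypothetical names) for one captured SOAP 1.1 request."""
    head, _, body = raw_http.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.splitlines()[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "soapaction" not in headers:
        return ["missing-soapaction"]  # SOAP 1.1 requires the header
    findings = []
    value = headers["soapaction"]
    quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
    if not quoted:
        findings.append("unquoted-soapaction")  # WS-I Basic Profile 1.1
    action = value[1:-1] if quoted else value
    header = ET.fromstring(body).find("soap:Header", NS)
    if action and header is not None:
        encrypted = header.find(".//xenc:EncryptedData", NS) is not None
        cleartext = header.find("wsa:Action", NS) is not None
        if encrypted and not cleartext:
            # Headers are encrypted, yet the action is readable on the wire.
            findings.append("action-leaked-via-soapaction")
    return findings

def sample_request(soap_action_line, header_xml):
    """Build a constructed request; host, path and action "foo" are made up."""
    envelope = (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsa="{NS["wsa"]}" '
        f'xmlns:xenc="{NS["xenc"]}"><soap:Header>{header_xml}</soap:Header>'
        "<soap:Body/></soap:Envelope>"
    )
    return ("POST /services/Demo HTTP/1.1\r\nHost: example.invalid\r\n"
            "Content-Type: text/xml; charset=utf-8\r\n"
            f"{soap_action_line}\r\n\r\n{envelope}")

ENCRYPTED = "<xenc:EncryptedData><xenc:CipherData/></xenc:EncryptedData>"
CLEAR = "<wsa:Action>foo</wsa:Action>"

if __name__ == "__main__":
    for line in ('SOAPAction: "foo"', 'SOAPAction: ""', "SOAPAction: foo"):
        print(line, "->", audit_request(sample_request(line, ENCRYPTED)))
```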
