Hi Glen, - Let's aim to get 1.4.1 out the door at the end of next week, i.e. July > 18th (is that enough time, Nandana?).
I think we have to check Sanka's input on this. He will be fixing the major issue in policy. - As always it's good to go through at least one RC so people can kick the > tires, check the artifacts, etc. So let's aim to get the RC out by Tuesday > the 15th. +1 for the RC. thanks, nandana Davanum Srinivas wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Exactly what i was afraid of :( Sigh! this is a *very* slippery slope. >> >> - -- dims >> >> Amila Suriarachchi wrote: >> | On Mon, Jul 7, 2008 at 6:03 PM, Davanum Srinivas <[EMAIL PROTECTED]> >> wrote: >> | >> |> Nandana, >> |> >> |> +1 from me for you to be the Release Manager for 1.4.1 >> | >> | >> | + 1 from me. >> | >> |> >> |> IMHO, we should use 1.4 branch. The *ONLY* change should be the >> |> security change. Nothing more. >> | >> | I think we need to fix any possible other critical issues as well. >> | eg. https://issues.apache.org/jira/browse/AXIS2-3870 >> | This is a memory leak and we need to fix this. >> | >> | thanks, >> | Amila. >> | >> | >> | >> |> >> |> thanks, >> |> dims >> |> >> |> On Mon, Jul 7, 2008 at 6:50 AM, Nandana Mihindukulasooriya >> |> <[EMAIL PROTECTED]> wrote: >> |>> I would like to volunteer to be the release manager for Axis2 1.4.1. >> |>> >> |>> I think we can fix the critical issues in the 1.4 branch (or a 1.4.1 >> |> branch >> |>> ) and do the 1.4.1 release. I don't think doing 1.4.1 from the trunk >> is >> |> the >> |>> appropriate way as trunk is now java 1.5 and has lot of major changes >> |> after >> |>> Axis2 1.4 . However we can fix any issues that are not already fixed >> in >> |> the >> |>> trunk at the same time when we fix those in the branch. >> |>> >> |>> Hope this is oky with Axis2 release guidelines. >> |>> >> |>> thanks, >> |>> nandana >> |>> >> |>> On Tue, Jul 1, 2008 at 6:39 PM, Davanum Srinivas <[EMAIL PROTECTED]> >> |> wrote: >> |>>> IMHO, The logic is the same as for blockers. If there is a work >> |>>> around, it's not a blocker. So i am +0 on a 1.4.1 since there is a >> |>>> work around that can be documented. >> |>>> >> |>>> That said, If someone is willing to drive a 1.4.1 as the release >> |>>> manager, please do go ahead. >> |>>> >> |>>> thanks, >> |>>> dims >> |>>> >> |>>> On Tue, Jul 1, 2008 at 2:48 AM, Sanka Samaranayake <[EMAIL PROTECTED] >> > >> |>>> wrote: >> |>>>> Hi, >> |>>>> >> |>>>> For the users who is already using 1.4 version, the workaround would >> |> be >> |>>>> to >> |>>>> define policies in services.xml without using >> <wsa:PolicyAttachment>. >> |>>>> Then >> |>>>> the problem is that those policies will appear in <wsdl:PortType> >> |> which >> |>>>> is >> |>>>> not correct but security will apply for both format of service URLs. >> |>>>> >> |>>>> Hence +1 for fixing that issue and do 1.4.1 release. >> |>>>> >> |>>>> Thanks, >> |>>>> Sanka >> |>>>> >> |>>>> >> |>>>> On Mon, Jun 30, 2008 at 8:59 PM, Nandana Mihindukulasooriya >> |>>>> <[EMAIL PROTECTED]> wrote: >> |>>>>> Hi, >> |>>>>> There are few issues with Axis2 1.4 / Rampart 1.4 with the new >> |>>>>> policy >> |>>>>> configuration. The new policy configuration which allows us to >> apply >> |>>>>> policies to binding hierarchy is a great feature when in comes to >> ws >> |>>>>> security policy configuration. It allows security policies to be >> |>>>>> attached to >> |>>>>> the correct attachment points. But there are few issues that need >> to >> |> be >> |>>>>> fixed in Axis2 1.4. I will list them below. >> |>>>>> 1.) If we configure security using new configuration, service >> can >> |>>>>> be >> |>>>>> accessed without security. >> |>>>>> In Axis2 1.4, a service is exposed in two EPRs (consider >> |> SOAP >> |>>>>> 1.1 >> |>>>>> binding). >> |>>>>> eg. >> |>>>>> >> |>>>>> >> |>>>>> >> |> >> http://localhost:8080/axis2/services/SecureService.SecureServiceHttpSoap11Endpoint >> |>>>>> http://localhost:8080/axis2/services/SecureService >> |>>>>> But if we you set the policies using the new >> configuration, >> |>>>>> if >> |>>>>> you do a web service call to the older EPR, you can access the >> |> service >> |>>>>> without any security even though it is secured using the binding >> |>>>>> hierarchy. >> |>>>>> This happens because if we call the old EPR, it is not dispatched >> to >> |> a >> |>>>>> binding. But this leaves the service vulnerable. I think we should >> |>>>>> dispatch >> |>>>>> to one of the bindings may be using soap envelope version if we >> have >> |>>>>> only >> |>>>>> one binding with that soap version. We should have a way to >> dispatch >> |>>>>> messages which comes to old EPR to one of the bindings else we >> should >> |>>>>> have >> |>>>>> an option to disable that EPR. >> |>>>>> >> |>>>>> 2.) In the out flow, policies are not set correctly in the >> |> binding >> |>>>>> message. >> |>>>>> This is fixed in the trunk but this bug is there in Axis2 >> |>>>>> 1.4. >> |>>>>> >> |>>>>> So the option we have is to configure security using the old >> |>>>>> configuration. But then the problem is policies are attached to the >> |>>>>> port >> |>>>>> type which is the correct way to do if we have policies using >> |>>>>> <service>,<operation><message> tags. But this makes Axis2 not >> |>>>>> interoperable >> |>>>>> as security policies should be attached to binding hierarchy >> |> according >> |>>>>> WS >> |>>>>> Security policy specification. Ideally we should always use the new >> |>>>>> configuration to apply security. And code generation also doesn't >> |> work >> |>>>>> correctly when the policies attached to the port type (polices are >> |> not >> |>>>>> correctly attached to the stub). >> |>>>>> >> |>>>>> So I think it would be great if can consider a Axis2 1.4.1 with >> |>>>>> these >> |>>>>> things fixed. >> |>>>>> >> |>>>>> thanks, >> |>>>>> nandana >> |>>>> >> |>>>> -- >> |>>>> Sanka Samaranayake >> |>>>> WSO2 Inc. >> |>>>> >> |>>>> http://sankas.blogspot.com/ >> |>>>> http://www.wso2.org/ >> |>>> >> |>>> >> |>>> -- >> |>>> Davanum Srinivas :: http://davanum.wordpress.com >> |>>> >> |>>> --------------------------------------------------------------------- >> |>>> To unsubscribe, e-mail: [EMAIL PROTECTED] >> |>>> For additional commands, e-mail: [EMAIL PROTECTED] >> |>>> >> |> >> |> >> |> -- >> |> Davanum Srinivas :: http://davanum.wordpress.com >> |> >> |> --------------------------------------------------------------------- >> |> To unsubscribe, e-mail: [EMAIL PROTECTED] >> |> For additional commands, e-mail: [EMAIL PROTECTED] >> |> >> |> >> | >> | >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.6 (GNU/Linux) >> >> iD8DBQFIchYLgNg6eWEDv1kRAo7lAKDKyTiR50/aWOSuc9d7pVPHQPUoeACgkg+A >> sQpm1+6vbyVf0CMQkT1aYXI= >> =hpVj >> -----END PGP SIGNATURE----- >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> For additional commands, e-mail: [EMAIL PROTECTED] >> >> > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > >
