Re: Regression with UT over HTTPS on 2.6.1

[Glen Mazza]

No, I believe Colm was rather clear that a new ws:Policy element needs 
to be added as a child element of the sp:HttpsToken (if you break it up 
into two parts: <sp:HttpsToken> and </sp:HttpsToken> it might be clearer 
for you.)   Not as a sibling element to the <sp:HttpsToken/> as you have 
it below.

Glen

On 05/29/2012 12:46 PM, COURTAULT Francois wrote:
Resending ...

-----Original Message-----
From: COURTAULT Francois [mailto:francois.courta...@gemalto.com]
Sent: lundi 28 mai 2012 19:36
To: cohei...@apache.org
Cc: users@cxf.apache.org
Subject: RE: Regression with UT over HTTPS on 2.6.1

Hello,

Sorry, you mean that in the policy file, I should have
       <sp:TransportToken>
         <wsp:Policy>
           <sp:HttpsToken/>
              <wsp:Policy/>
         </wsp:Policy>
       </sp:TransportToken>

Instead of:
       <sp:TransportToken>
         <wsp:Policy>
           <sp:HttpsToken/>
         </wsp:Policy>
       </sp:TransportToken>

Right ?

Best Regards.

From: COURTAULT Francois
Sent: lundi 28 mai 2012 17:25
To: 'cohei...@apache.org'
Cc: users@cxf.apache.org
Subject: RE: Regression with UT over HTTPS on 2.6.1

Hello,

But there is one in the policy I have sent to you.
Extract:
      <sp:TransportToken>
         <wsp:Policy>
           <sp:HttpsToken/>
           </wsp:Policy>
       </sp:TransportToken>

So what's wrong ?

Best Regards.

From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: lundi 28 mai 2012 17:19
To: COURTAULT Francois
Cc: users@cxf.apache.org<mailto:users@cxf.apache.org>
Subject: Re: Regression with UT over HTTPS on 2.6.1

wsp:Policy is still required by the following fragment:

<wsp:Policy xmlns:wsp="...">
    (
      <sp:HttpBasicAuthentication />  |
      <sp:HttpDigestAuthentication />  |
      <sp:RequireClientCertificate />  |
      ...
    )?

the "?" refers to the children of the Policy. So HttpsToken must still have 
a<wsp:Policy>  child element, the fact that the children are all optional is irrelevant.

Colm.
On Mon, May 28, 2012 at 3:32 PM, COURTAULT 
Francois<francois.courta...@gemalto.com<mailto:francois.courta...@gemalto.com>> 
 wrote:
Hello,

I don't read the spec the same way than you, sorry.

The spec says:
<sp:HttpsToken xmlns:sp="..." ...>
  (

    <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>  |

    <sp:IssuerName>xs:anyURI</sp:IssuerName>

  ) ?

  <wst:Claims Dialect="...">  ...</wst:Claims>  ?

  <wsp:Policy xmlns:wsp="...">
    (
      <sp:HttpBasicAuthentication />  |
      <sp:HttpDigestAuthentication />  |
      <sp:RequireClientCertificate />  |
      ...
    )?
    ...
  </wsp:Policy>
  ...
</sp:HttpsToken>

And "?" means 0 or 1
So, according to me, you can have<sp:HttpsToken.... with an empty<wsp:Policy /> 
 policy.
More, the spec that:
    - /sp:HttpsToken/wsp:Policy/sp:HttpBasicAuthentication is OPTIONAL
    - /sp:HttpsToken/wsp:Policy/sp:HttpDigestAuthentication is OPTIONAL
    - /sp:HttpsToken/wsp:Policy/sp:RequireClientCertificate is OPTIONAL Which 
is coherent with the ?

So ??????

Best Regards.

-----Original Message-----
From: Colm O hEigeartaigh 
[mailto:cohei...@apache.org<mailto:cohei...@apache.org>]
Sent: lundi 28 mai 2012 15:39
To: COURTAULT Francois
Cc: users@cxf.apache.org<mailto:users@cxf.apache.org>
Subject: Re: Regression with UT over HTTPS on 2.6.1

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html

"sp:HttpsToken/wsp:Policy

This REQUIRED element identifies additional requirements for use of the 
sp:HttpsToken assertion."

Colm.


On Mon, May 28, 2012 at 2:33 PM, COURTAULT Francois<  
francois.courta...@gemalto.com<mailto:francois.courta...@gemalto.com>>  wrote:

Hello,

This means that the policy I have attached is not compliant: right?
Could you give me please a pointer or the spec paragraph which
specifies this ?

Best Regards.

-----Original Message-----
From: Colm O hEigeartaigh
[mailto:cohei...@apache.org<mailto:cohei...@apache.org>]
Sent: lundi 28 mai 2012 15:18
To: users@cxf.apache.org<mailto:users@cxf.apache.org>
Subject: Re: Regression with UT over HTTPS on 2.6.1

It's not a regression, but a stricter enforcement of the
WS-SecurityPolicy spec. You need to add a "<wsp:Policy/>" child to the
sp:HttpsToken element to be compliant.

Colm.

On Mon, May 28, 2012 at 1:12 PM, COURTAULT Francois<
francois.courta...@gemalto.com<mailto:francois.courta...@gemalto.com>>  wrote:

Hello,****

** **

With the same WSS policy used, attached,  at server side, I got this
error:
****

28 mai 2012 14:08:43
org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyPro
vi
der
getElementPolicy****

ATTENTION: Failed to build the policy
'Wssp1.2-2007-Https-UsernameToken-Plain.xml':sp:HttpsToken/wsp:Polic
y
must have a value****

Exception in thread "main" *javax.xml.ws.soap.SOAPFaultException*:
sp:HttpsToken/wsp:Policy must have a value****

whereas I didn't get any error on 2.5.4.****

** **

Do I have to enter an issue in CXF 2.6.1 ?****

** **

Best Regards.****



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


--
Glen Mazza
Talend Community Coders
coders.talend.com
blog: www.jroller.com/gmazza