Hello,

Regarding the spec errata, this is also my understanding (e.g. the HttpsToken 
must have a Policy child).
But what about the ws security policy schema? Is this schema compliant with the 
spec?
One simple test is to check if the policy which causes the issue with 
CXF 2.6.1 is valid against this schema: what do you think?
In fact, I have checked with Eclipse. It seems that the policy file with the 
following section:
  <sp:TransportBinding>
        <wsp:Policy>
                <sp:TransportToken>
                        <wsp:Policy>
                                <sp:HttpsToken/>
                        </wsp:Policy>
                </sp:TransportToken>
                <sp:AlgorithmSuite>
                        <wsp:Policy>
                                <sp:Basic256/>
                        </wsp:Policy>
                </sp:AlgorithmSuite>
                <sp:Layout>
                        <wsp:Policy>
                                <sp:Lax/>
                        </wsp:Policy>
                </sp:Layout>
                <sp:IncludeTimestamp/>
        </wsp:Policy>
  </sp:TransportBinding>

is well formed and valid against the ws security policy schema available at 
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd
which seems to be in contradiction with the spec :-( ????? BUG in the schema?

Regarding the interop topic, this is an issue between an application server using 
Metro and a CXF client (2.6.1). 

Best Regards.

-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]] 
Sent: mercredi 10 octobre 2012 16:01
To: COURTAULT Francois
Cc: [email protected]
Subject: Re: Regression with UT over HTTPS on 2.6.1

Hi,

My interpretation is that the comment associated with TokenAssertionType 
defined in the schema does not trump the specification requirements. The errata 
for WS-SecurityPolicy 1.2 still requires that a HttpsToken have a Policy child:

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/errata01/os/ws-securitypolicy-1.2-errata01-os-complete.pdf

Having said that, if this is causing interop problems with WCF I'm willing to 
reconsider. Does anyone else have an opinion on this?

Colm.

On Wed, Oct 10, 2012 at 2:41 PM, COURTAULT Francois <[email protected]> wrote:

> Hello,
>
> It is an old topic but Company X people claim that they are right (meaning 
> that they are compliant with the spec).
> They said if you look at WSS security schema located at:
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd
>      - At one point, we have:
>            <xs:element name="HttpsToken" type="tns:TokenAssertionType">
>                <xs:annotation>
>                    <xs:documentation xml:lang="en">5.4.10 HttpsToken Assertion</xs:documentation>
>                </xs:annotation>
>            </xs:element>
>      - At another location, we have:
>            <xs:complexType name="TokenAssertionType">
>                <xs:sequence>
>                    <xs:choice minOccurs="0">
>                        <xs:element name="Issuer" type="wsa:EndpointReferenceType"/>
>                        <xs:element name="IssuerName" type="xs:anyURI"/>
>                    </xs:choice>
>                    <!--
>                    Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
>                    <xs:element ref="wsp:Policy" minOccurs="0" />
>                    -->
>                    <xs:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax"/>
>                </xs:sequence>
>                <xs:attribute ref="tns:IncludeToken" use="optional"/>
>                <xs:anyAttribute namespace="##any" processContents="lax"/>
>            </xs:complexType>
>
>
> According to the comment above <xs:element ref="wsp:Policy" minOccurs="0" />, they said that:
>         <sp:TransportToken>
>           <wsp:Policy>
>             <sp:HttpsToken/>
>           </wsp:Policy>
>         </sp:TransportToken>
>
> is valid and compliant to the ws security policy schema !
>
> What should I believe ? The spec ? The schema ? Who is wrong ?
>
> Best Regards.
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: mercredi 30 mai 2012 09:56
> To: [email protected]
> Subject: Re: Regression with UT over HTTPS on 2.6.1
>
> Yes that looks right.
>
> Colm.
>
> On Wed, May 30, 2012 at 8:12 AM, COURTAULT Francois <[email protected]> wrote:
>
> > Hello everyone,
> >
> > You are right, I made a mistake in the extract policy I have sent.
> > So could you confirm that the right section is:
> >         <sp:TransportToken>
> >          <wsp:Policy>
> >            <sp:HttpsToken>
> >                <wsp:Policy/>
> >            </sp:HttpsToken>
> >           </wsp:Policy>
> >        </sp:TransportToken>
> >
> > Instead of:
> >        <sp:TransportToken>
> >          <wsp:Policy>
> >            <sp:HttpsToken/>
> >          </wsp:Policy>
> >        </sp:TransportToken>
> > ?
> >
> > Best Regards.
> >
> > -----Original Message-----
> > From: Glen Mazza [mailto:[email protected]]
> > Sent: mardi 29 mai 2012 20:33
> > To: [email protected]
> > Subject: Re: Regression with UT over HTTPS on 2.6.1
> >
> > > No, I believe Colm was rather clear that a new ws:Policy element
> > > needs to be added as a child element of the sp:HttpsToken (if you
> > > break it up into two parts: <sp:HttpsToken> and </sp:HttpsToken> it
> > > might be clearer for you.)  Not as a sibling element to the
> > > <sp:HttpsToken/> as you have it below.
> >
> > Glen
> >
> >
> > On 05/29/2012 12:46 PM, COURTAULT Francois wrote:
> > > Resending ...
> > >
> > > -----Original Message-----
> > > From: COURTAULT Francois [mailto:[email protected]]
> > > Sent: lundi 28 mai 2012 19:36
> > > To: [email protected]
> > > Cc: [email protected]
> > > Subject: RE: Regression with UT over HTTPS on 2.6.1
> > >
> > > Hello,
> > >
> > > Sorry, you mean that in the policy file, I should have
> > >        <sp:TransportToken>
> > >          <wsp:Policy>
> > >            <sp:HttpsToken/>
> > >               <wsp:Policy/>
> > >          </wsp:Policy>
> > >        </sp:TransportToken>
> > >
> > > Instead of:
> > >        <sp:TransportToken>
> > >          <wsp:Policy>
> > >            <sp:HttpsToken/>
> > >          </wsp:Policy>
> > >        </sp:TransportToken>
> > >
> > > Right ?
> > >
> > > Best Regards.
> > >
> > > From: COURTAULT Francois
> > > Sent: lundi 28 mai 2012 17:25
> > > To: '[email protected]'
> > > Cc: [email protected]
> > > Subject: RE: Regression with UT over HTTPS on 2.6.1
> > >
> > > Hello,
> > >
> > > But there is one in the policy I have sent to you.
> > > Extract:
> > >       <sp:TransportToken>
> > >          <wsp:Policy>
> > >            <sp:HttpsToken/>
> > >            </wsp:Policy>
> > >        </sp:TransportToken>
> > >
> > > So what's wrong ?
> > >
> > > Best Regards.
> > >
> > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > Sent: lundi 28 mai 2012 17:19
> > > To: COURTAULT Francois
> > > Cc: [email protected]<mailto:[email protected]>
> > > Subject: Re: Regression with UT over HTTPS on 2.6.1
> > >
> > > wsp:Policy is still required by the following fragment:
> > >
> > > <wsp:Policy xmlns:wsp="...">
> > >     (
> > >       <sp:HttpBasicAuthentication />  |
> > >       <sp:HttpDigestAuthentication />  |
> > >       <sp:RequireClientCertificate />  |
> > >       ...
> > >     )?
> > >
> > > > the "?" refers to the children of the Policy. So HttpsToken must
> > > > still have a <wsp:Policy> child element, the fact that the children
> > > > are all optional is irrelevant.
> > >
> > > Colm.
> > > > On Mon, May 28, 2012 at 3:32 PM, COURTAULT Francois <[email protected]> wrote:
> > > Hello,
> > >
> > > > I don't read the spec the same way as you, sorry.
> > >
> > > The spec says:
> > > <sp:HttpsToken xmlns:sp="..." ...>
> > >   (
> > >
> > >     <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>  |
> > >
> > >     <sp:IssuerName>xs:anyURI</sp:IssuerName>
> > >
> > >   ) ?
> > >
> > >   <wst:Claims Dialect="...">  ...</wst:Claims>  ?
> > >
> > >   <wsp:Policy xmlns:wsp="...">
> > >     (
> > >       <sp:HttpBasicAuthentication />  |
> > >       <sp:HttpDigestAuthentication />  |
> > >       <sp:RequireClientCertificate />  |
> > >       ...
> > >     )?
> > >     ...
> > >   </wsp:Policy>
> > >   ...
> > > </sp:HttpsToken>
> > >
> > > And "?" means 0 or 1
> > > > So, according to me, you can have <sp:HttpsToken.... with an empty <wsp:Policy /> policy.
> > > > Moreover, the spec says that:
> > > >     - /sp:HttpsToken/wsp:Policy/sp:HttpBasicAuthentication is OPTIONAL
> > > >     - /sp:HttpsToken/wsp:Policy/sp:HttpDigestAuthentication is OPTIONAL
> > > >     - /sp:HttpsToken/wsp:Policy/sp:RequireClientCertificate is OPTIONAL
> > > > Which is coherent with the ?
> > >
> > > So ??????
> > >
> > > Best Regards.
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh
> > > [mailto:[email protected]<mailto:[email protected]>]
> > > Sent: lundi 28 mai 2012 15:39
> > > To: COURTAULT Francois
> > > Cc: [email protected]<mailto:[email protected]>
> > > Subject: Re: Regression with UT over HTTPS on 2.6.1
> > >
> > > > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html
> > >
> > > "sp:HttpsToken/wsp:Policy
> > >
> > > > This REQUIRED element identifies additional requirements for use
> > > > of the sp:HttpsToken assertion."
> > >
> > > Colm.
> > >
> > >
> > > > On Mon, May 28, 2012 at 2:33 PM, COURTAULT Francois <[email protected]> wrote:
> > >
> > >> Hello,
> > >>
> > >> This means that the policy I have attached is not compliant: right?
> > >> Could you give me please a pointer or the spec paragraph which 
> > >> specifies this ?
> > >>
> > >> Best Regards.
> > >>
> > >> -----Original Message-----
> > >> From: Colm O hEigeartaigh
> > >> [mailto:[email protected]<mailto:[email protected]>]
> > >> Sent: lundi 28 mai 2012 15:18
> > >> To: [email protected]<mailto:[email protected]>
> > >> Subject: Re: Regression with UT over HTTPS on 2.6.1
> > >>
> > >> It's not a regression, but a stricter enforcement of the 
> > >> WS-SecurityPolicy spec. You need to add a "<wsp:Policy/>" child 
> > >> to the sp:HttpsToken element to be compliant.
> > >>
> > >> Colm.
> > >>
> > > >> On Mon, May 28, 2012 at 1:12 PM, COURTAULT Francois <[email protected]> wrote:
> > >>
> > > >>> Hello,
> > > >>>
> > > >>> With the same WSS policy used, attached, at server side, I got this error:
> > > >>>
> > > >>> 28 mai 2012 14:08:43 org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
> > > >>>
> > > >>> ATTENTION: Failed to build the policy 'Wssp1.2-2007-Https-UsernameToken-Plain.xml':sp:HttpsToken/wsp:Policy must have a value
> > > >>>
> > > >>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: sp:HttpsToken/wsp:Policy must have a value
> > > >>>
> > > >>> whereas I didn't get any error on 2.5.4.
> > > >>>
> > > >>> Do I have to enter an issue in CXF 2.6.1 ?
> > > >>>
> > > >>> Best Regards.
> > > >>>
> > >>
> > >>
> > >> --
> > >> Colm O hEigeartaigh
> > >>
> > >> Talend Community Coder
> > >> http://coders.talend.com
> > >>
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> > >
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> >
> >
> > --
> > Glen Mazza
> > Talend Community Coders
> > coders.talend.com
> > blog: www.jroller.com/gmazza
> >
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
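
The three HttpsToken layouts argued over in this thread, run through a structural check, as an added example that is not part of the original messages or of CXF's code: it flags any sp:HttpsToken with no direct wsp:Policy child, the requirement the schema's wildcard cannot express. The function names are hypothetical, the samples are constructed from the quoted fragments, and accepting both WS-Policy namespaces is an assumption.

```python
import xml.etree.ElementTree as ET

# WS-SecurityPolicy 1.2 namespace (the one the 200702 schema defines).
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
# Assumption: accept wsp:Policy from either WS-Policy 1.5 or WS-Policy 1.2.
POLICY_TAGS = {
    "{http://www.w3.org/ns/ws-policy}Policy",
    "{http://schemas.xmlsoap.org/ws/2004/09/policy}Policy",
}


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def find_noncompliant_https_tokens(policy_xml):
    """Return the element path of every sp:HttpsToken lacking a wsp:Policy child."""
    root = ET.fromstring(policy_xml)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for token in root.iter("{%s}HttpsToken" % SP):
        # Only a direct child counts; a sibling wsp:Policy does not.
        if any(child.tag in POLICY_TAGS for child in token):
            continue
        path, node = [], token
        while node is not None:
            path.append(local(node.tag))
            node = parent.get(node)
        findings.append("/".join(reversed(path)))
    return findings


def sample(token_fragment):
    """Wrap a fragment in sp:TransportToken/wsp:Policy (constructed sample)."""
    return ('<sp:TransportToken xmlns:sp="%s" '
            'xmlns:wsp="http://www.w3.org/ns/ws-policy">'
            "<wsp:Policy>%s</wsp:Policy></sp:TransportToken>") % (SP, token_fragment)


# Constructed from the fragments quoted in the thread.
BARE = sample("<sp:HttpsToken/>")                               # rejected by CXF 2.6.1
SIBLING = sample("<sp:HttpsToken/><wsp:Policy/>")               # Policy beside the token
NESTED = sample("<sp:HttpsToken><wsp:Policy/></sp:HttpsToken>")  # confirmed form

if __name__ == "__main__":
    for name, doc in (("bare", BARE), ("sibling", SIBLING), ("nested", NESTED)):
        print(name, find_noncompliant_https_tokens(doc) or "compliant")
```
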
