It's fixed here: https://issues.apache.org/jira/browse/CXF-4558
Colm. On Fri, Oct 12, 2012 at 8:51 AM, COURTAULT Francois < [email protected]> wrote: > Hello, > > So what will be the final decision ? > I suppose that if CXF will relax on this topic, it will be included in the > next CXF version: right ? > > Can someone confirm me that please ? > > Best Regards. > > -----Original Message----- > From: Daniel Kulp [mailto:[email protected]] > Sent: jeudi 11 octobre 2012 21:07 > To: [email protected]; COURTAULT Francois > Subject: Re: Regression with UT over HTTPS on 2.6.1 > > > On Oct 11, 2012, at 5:27 AM, COURTAULT Francois < > [email protected]> wrote: > > > Hello, > > > > Any answer regarding this topic ? > > IMO: in general, I consider the written text of the spec to be the > definitive answer and thus the HttpsToken should have Policy child element > in it for it to be a valid policy. Any tooling and such that we provide > (not that we do, but if we did) should definitely be generating the child > Policy element. > > However, the more pragmatic side of me says that if the schema doesn't > mandate it and there is another product that specifically isn't generating > it, we should likely relax the check a bit, possibly down to a > Log.warn(...), to allow the interoperability. > > That's my opinion though. > > Dan > > > > > > > Best Regards. > > > > -----Original Message----- > > From: COURTAULT Francois [mailto:[email protected]] > > Sent: mercredi 10 octobre 2012 17:20 > > To: [email protected]; [email protected] > > Subject: RE: Regression with UT over HTTPS on 2.6.1 > > > > Hello, > > > > Regarding the spec errata, this is also my understanding (eg the > HttpsToken must have a Policy child). > > But what about the ws security policy schema ? Is this schema compliant > to the spec ? > > One simple test is to see if to check if the policy which causes the > issue with CXF 2.6.1 is valid against this schema: what do you think ? > > In fact, I have checked with Eclipse. It seems that the policy file with > the following section: > > <sp:TransportBinding> > > <wsp:Policy> > > <sp:TransportToken> > > <wsp:Policy> > > <sp:HttpsToken/> > > </wsp:Policy> > > </sp:TransportToken> > > <sp:AlgorithmSuite> > > <wsp:Policy> > > <sp:Basic256/> > > </wsp:Policy> > > </sp:AlgorithmSuite> > > <sp:Layout> > > <wsp:Policy> > > <sp:Lax/> > > </wsp:Policy> > > </sp:Layout> > > <sp:IncludeTimestamp/> > > </wsp:Policy> > > </sp:TransportBinding> > > > > is well formed and valid against the ws security policy schema available > at > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsdwhich > seems to be in contradiction with the spec :-( ????? BUG in the > schema ? > > > > Regarding the interop topic, this an issue between an application server > using Metro and a CXF client (2.6.1). > > > > Best Regards. > > > > -----Original Message----- > > From: Colm O hEigeartaigh [mailto:[email protected]] > > Sent: mercredi 10 octobre 2012 16:01 > > To: COURTAULT Francois > > Cc: [email protected] > > Subject: Re: Regression with UT over HTTPS on 2.6.1 > > > > Hi, > > > > My interpretation is that the comment associated with TokenAssertionType > defined in the schema does not trump the specification requirements. The > errata for WS-SecurityPolicy 1.2 still requires that a HttpsToken have a > Policy child: > > > > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/errata01/os/ws > > -securitypolicy-1.2-errata01-os-complete.pdf > > > > Having said that, if this is causing interop problems with WCF I'm > willing to reconsider. Does anyone else have an opinion on this? > > > > Colm. > > > > On Wed, Oct 10, 2012 at 2:41 PM, COURTAULT Francois < > [email protected]> wrote: > > > >> Hello, > >> > >> It is an old topic but Company X people claims that are right > >> (meaning that they are compliant to the spec). > >> They said if you look at WSS security schema located at: > >> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd > >> - At one point, we have: > >> <xs:element name="HttpsToken" > >> type="tns:TokenAssertionType"> > >> <xs:annotation> > >> <xs:documentation > >> xml:lang="en">5.4.10 HttpsToken Assertion</xs:documentation> > >> </xs:annotation> > >> </xs:element> > >> - At another location, we have: > >> <xs:complexType name="TokenAssertionType"> > >> <xs:sequence> > >> <xs:choice minOccurs="0"> > >> <xs:element name="Issuer" > >> type="wsa:EndpointReferenceType"/> > >> <xs:element > >> name="IssuerName" type="xs:anyURI"/> > >> </xs:choice> > >> <!-- > >> Actual content model is non-deterministic, > >> hence wildcard. The following shows intended content model: > >> <xs:element ref="wsp:Policy" minOccurs="0" /> > >> --> > >> > >> <xs:any minOccurs="0" > >> maxOccurs="unbounded" namespace="##other" processContents="lax"/> > >> </xs:sequence> > >> <xs:attribute ref="tns:IncludeToken" > >> use="optional"/> > >> <xs:anyAttribute namespace="##any" > >> processContents="lax"/> > >> </xs:complexType> > >> > >> > >> According to the comment above <xs:element ref="wsp:Policy" > minOccurs="0" > >> />, they said that: > >> <sp:TransportToken> > >> <wsp:Policy> > >> <sp:HttpsToken/> > >> </wsp:Policy> > >> </sp:TransportToken> > >> > >> is valid and compliant to the ws security policy schema ! > >> > >> What should I believe ? The spec ? The schema ? Who is wrong ? > >> > >> Best Regards. > >> > >> -----Original Message----- > >> From: Colm O hEigeartaigh [mailto:[email protected]] > >> Sent: mercredi 30 mai 2012 09:56 > >> To: [email protected] > >> Subject: Re: Regression with UT over HTTPS on 2.6.1 > >> > >> Yes that looks right. > >> > >> Colm. > >> > >> On Wed, May 30, 2012 at 8:12 AM, COURTAULT Francois < > >> [email protected]> wrote: > >> > >>> Hello everyone, > >>> > >>> You are right, I made a mistake in the extract policy I have sent. > >>> So could you confirm that the right section is: > >>> <sp:TransportToken> > >>> <wsp:Policy> > >>> <sp:HttpsToken> > >>> <wsp:Policy/> > >>> </sp:HttpsToken> > >>> </wsp:Policy> > >>> </sp:TransportToken> > >>> > >>> Instead of: > >>> <sp:TransportToken> > >>> <wsp:Policy> > >>> <sp:HttpsToken/> > >>> </wsp:Policy> > >>> </sp:TransportToken> > >>> ? > >>> > >>> Best Regards. > >>> > >>> -----Original Message----- > >>> From: Glen Mazza [mailto:[email protected]] > >>> Sent: mardi 29 mai 2012 20:33 > >>> To: [email protected] > >>> Subject: Re: Regression with UT over HTTPS on 2.6.1 > >>> > >>> No, I believe Colm was rather clear that a new ws:Policy element > >>> needs to be added as a child element of the sp:HttpsToken (if you > >>> break it up into two parts: <sp:HttpsToken> and </sp:HttpsToken> it > >>> might be > >> clearer > >>> for you.) Not as a sibling element to the <sp:HttpsToken/> as you > have > >>> it below. > >>> > >>> Glen > >>> > >>> > >>> On 05/29/2012 12:46 PM, COURTAULT Francois wrote: > >>>> Resending ... > >>>> > >>>> -----Original Message----- > >>>> From: COURTAULT Francois [mailto:[email protected]] > >>>> Sent: lundi 28 mai 2012 19:36 > >>>> To: [email protected] > >>>> Cc: [email protected] > >>>> Subject: RE: Regression with UT over HTTPS on 2.6.1 > >>>> > >>>> Hello, > >>>> > >>>> Sorry, you mean that in the policy file, I should have > >>>> <sp:TransportToken> > >>>> <wsp:Policy> > >>>> <sp:HttpsToken/> > >>>> <wsp:Policy/> > >>>> </wsp:Policy> > >>>> </sp:TransportToken> > >>>> > >>>> Instead of: > >>>> <sp:TransportToken> > >>>> <wsp:Policy> > >>>> <sp:HttpsToken/> > >>>> </wsp:Policy> > >>>> </sp:TransportToken> > >>>> > >>>> Right ? > >>>> > >>>> Best Regards. > >>>> > >>>> From: COURTAULT Francois > >>>> Sent: lundi 28 mai 2012 17:25 > >>>> To: '[email protected]' > >>>> Cc: [email protected] > >>>> Subject: RE: Regression with UT over HTTPS on 2.6.1 > >>>> > >>>> Hello, > >>>> > >>>> But there is one in the policy I have sent to you. > >>>> Extract: > >>>> <sp:TransportToken> > >>>> <wsp:Policy> > >>>> <sp:HttpsToken/> > >>>> </wsp:Policy> > >>>> </sp:TransportToken> > >>>> > >>>> So what's wrong ? > >>>> > >>>> Best Regards. > >>>> > >>>> From: Colm O hEigeartaigh [mailto:[email protected]] > >>>> Sent: lundi 28 mai 2012 17:19 > >>>> To: COURTAULT Francois > >>>> Cc: [email protected]<mailto:[email protected]> > >>>> Subject: Re: Regression with UT over HTTPS on 2.6.1 > >>>> > >>>> wsp:Policy is still required by the following fragment: > >>>> > >>>> <wsp:Policy xmlns:wsp="..."> > >>>> ( > >>>> <sp:HttpBasicAuthentication /> | > >>>> <sp:HttpDigestAuthentication /> | > >>>> <sp:RequireClientCertificate /> | > >>>> ... > >>>> )? > >>>> > >>>> the "?" refers to the children of the Policy. So HttpsToken must > >>>> still > >>> have a<wsp:Policy> child element, the fact that the children are > >>> all optional is irrelevant. > >>>> > >>>> Colm. > >>>> On Mon, May 28, 2012 at 3:32 PM, COURTAULT Francois< > >>> [email protected]<mailto:[email protected] > >>>>> > >>> wrote: > >>>> Hello, > >>>> > >>>> I don't read the spec the same way than you, sorry. > >>>> > >>>> The spec says: > >>>> <sp:HttpsToken xmlns:sp="..." ...> > >>>> ( > >>>> > >>>> <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer> | > >>>> > >>>> <sp:IssuerName>xs:anyURI</sp:IssuerName> > >>>> > >>>> ) ? > >>>> > >>>> <wst:Claims Dialect="..."> ...</wst:Claims> ? > >>>> > >>>> <wsp:Policy xmlns:wsp="..."> > >>>> ( > >>>> <sp:HttpBasicAuthentication /> | > >>>> <sp:HttpDigestAuthentication /> | > >>>> <sp:RequireClientCertificate /> | > >>>> ... > >>>> )? > >>>> ... > >>>> </wsp:Policy> > >>>> ... > >>>> </sp:HttpsToken> > >>>> > >>>> And "?" means 0 or 1 > >>>> So, according to me, you can have<sp:HttpsToken.... with an > >>> empty<wsp:Policy /> policy. > >>>> More, the spec that: > >>>> - /sp:HttpsToken/wsp:Policy/sp:HttpBasicAuthentication is OPTIONAL > >>>> - /sp:HttpsToken/wsp:Policy/sp:HttpDigestAuthentication is OPTIONAL > >>>> - /sp:HttpsToken/wsp:Policy/sp:RequireClientCertificate is > >>>> OPTIONAL > >>> Which is coherent with the ? > >>>> > >>>> So ?????? > >>>> > >>>> Best Regards. > >>>> > >>>> -----Original Message----- > >>>> From: Colm O hEigeartaigh > >>>> [mailto:[email protected]<mailto:[email protected]>] > >>>> Sent: lundi 28 mai 2012 15:39 > >>>> To: COURTAULT Francois > >>>> Cc: [email protected]<mailto:[email protected]> > >>>> Subject: Re: Regression with UT over HTTPS on 2.6.1 > >>>> > >>>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-secu > >>>> ri > >>>> ty > >>>> policy-1.3-spec-os.html > >>>> > >>>> "sp:HttpsToken/wsp:Policy > >>>> > >>>> This REQUIRED element identifies additional requirements for use of > >>>> the > >>> sp:HttpsToken assertion." > >>>> > >>>> Colm. > >>>> > >>>> > >>>> On Mon, May 28, 2012 at 2:33 PM, COURTAULT Francois< > >>> [email protected]<mailto:[email protected] > >>>>> > >>> wrote: > >>>> > >>>>> Hello, > >>>>> > >>>>> This means that the policy I have attached is not compliant: right? > >>>>> Could you give me please a pointer or the spec paragraph which > >>>>> specifies this ? > >>>>> > >>>>> Best Regards. > >>>>> > >>>>> -----Original Message----- > >>>>> From: Colm O hEigeartaigh > >>>>> [mailto:[email protected]<mailto:[email protected]>] > >>>>> Sent: lundi 28 mai 2012 15:18 > >>>>> To: [email protected]<mailto:[email protected]> > >>>>> Subject: Re: Regression with UT over HTTPS on 2.6.1 > >>>>> > >>>>> It's not a regression, but a stricter enforcement of the > >>>>> WS-SecurityPolicy spec. You need to add a "<wsp:Policy/>" child to > >>>>> the sp:HttpsToken element to be compliant. > >>>>> > >>>>> Colm. > >>>>> > >>>>> On Mon, May 28, 2012 at 1:12 PM, COURTAULT Francois< > >>>>> [email protected]<mailto:Francois.COURTAULT@gemalto. > >>>>> co > >>>>> m>> > >>> wrote: > >>>>> > >>>>>> Hello,**** > >>>>>> > >>>>>> ** ** > >>>>>> > >>>>>> With the same WSS policy used, attached, at server side, I got > >>>>>> this > >>>>> error: > >>>>>> **** > >>>>>> > >>>>>> 28 mai 2012 14:08:43 > >>>>>> org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolic > >>>>>> yP > >>>>>> ro > >>>>>> vi > >>>>>> der > >>>>>> getElementPolicy**** > >>>>>> > >>>>>> ATTENTION: Failed to build the policy > >>>>>> 'Wssp1.2-2007-Https-UsernameToken-Plain.xml':sp:HttpsToken/wsp:P > >>>>>> ol > >>>>>> ic > >>>>>> y > >>>>>> must have a value**** > >>>>>> > >>>>>> Exception in thread "main" *javax.xml.ws.soap.SOAPFaultException*: > >>>>>> sp:HttpsToken/wsp:Policy must have a value**** > >>>>>> > >>>>>> whereas I didn't get any error on 2.5.4.**** > >>>>>> > >>>>>> ** ** > >>>>>> > >>>>>> Do I have to enter an issue in CXF 2.6.1 ?**** > >>>>>> > >>>>>> ** ** > >>>>>> > >>>>>> Best Regards.**** > >>>>>> > >>>>> > >>>>> > >>>>> -- > >>>>> Colm O hEigeartaigh > >>>>> > >>>>> Talend Community Coder > >>>>> http://coders.talend.com > >>>>> > >>>> > >>>> > >>>> -- > >>>> Colm O hEigeartaigh > >>>> > >>>> Talend Community Coder > >>>> http://coders.talend.com > >>>> > >>>> > >>>> > >>>> -- > >>>> Colm O hEigeartaigh > >>>> > >>>> Talend Community Coder > >>>> http://coders.talend.com > >>> > >>> > >>> -- > >>> Glen Mazza > >>> Talend Community Coders > >>> coders.talend.com > >>> blog: www.jroller.com/gmazza > >>> > >>> > >> > >> > >> -- > >> Colm O hEigeartaigh > >> > >> Talend Community Coder > >> http://coders.talend.com > >> > > > > > > > > -- > > Colm O hEigeartaigh > > > > Talend Community Coder > > http://coders.talend.com > > -- > Daniel Kulp > [email protected] - http://dankulp.com/blog Talend Community Coder - > http://coders.talend.com > > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
