Re: [sca-bindings]ISSUE 130: Testing experience suggests requirementsBWS40002 & BWS40003 are too strict for services

[Anish Karmarkar <Anish.Karmarkar@oracle.com>]

On 7/2/2010 4:06 AM, Mike Edwards wrote:
>
> Anish,
>
> One important point to remember here is that Intents mark restrictions -
> and the restrictions are supposed to be honoured.

Thanks for reminding me. Which raises the question:
why would anyone want to specify the version of SOAP in an intent?
Yes, there are differences between versions 1.1 and 1.2, but WS-I BP 
narrows those differences. From a practical POV, I don't think there is 
anyone who *relies* on SOAP 1.2-specific features (such as transport 
binding framework, features and properties, fault subcode nested 
structure etc).
I know what I'm raising is a separate issue, perhaps worth considering.

>
> If I follow your thought that "additional" stuff is OK, let's look at
> what that might mean when it comes to Intents in the area of Security.
>

What I mean by additional stuff is ok is:
what matters to SCA is what the component type says. But one cannot say 
anything about what the component code does wrt what doesn't show up in 
the CT. For example, I think it is perfectly OK to write a component 
that exposes an SCA service over SOAP 1.2. At the same time the 
component code may decide to expose SOAP 1.1 at the same URL but not be 
visible in the CT.
I understand that this is not relevant to the tests that you are 
writing. But just wanted to state that just because a component exposes 
an SCA service over SOAP 1.2 at a particular URL (with SOAP.1_2 intent) 
does not necessarily mean that SOAP 1.1 is not available at the same URL.

> Let's consider a Service marked with the @Confidentiality intent. So
> that means a restriction that the service is only supposed to
> deal with messages that are encrypted. May be encrypted in the transport
> (eg HTTPS) or encrypted in the Messages (various
> alternatives from WS-Security), but it must be encrypted.
>
> Following your logic below, it will be "OK" if the same service is ALSO
> offered via an additional transport/protocol that is NOT encrypted.
> This does not make sense to me, and I feel the heavy tramp of the
> corporate security guys towards my door.
>
> I think that in this scenario, it is most certainly NOT good to offer
> more ways of accessing such a service.
>
>
> Returning to SOAP.v1_2 - presumably if a service is marked this way, it
> is done for a reason. Perhaps the service inspects headers
> from SOAP 1.2 and depends on them.

Can't think of a practical usecase where it does?

> In this case too, offering the
> service over SOAP 1.1 is not going to work - @requires="SOAP.v1_2"
> is a restriction and has some meaning. The meaning needs to be honoured.
>
>
> So, my position now on Issue 130 is to Close with No Action - the spec
> is correct as written and the SCA Runtime vendors are going
> to have to fix up their code, for example using header processors of the
> type that Jim described in his recent note. This will work with
> the one fly in the ointment that Axis (as far as I can see) will still
> advertise support for SOAP 1.1 even when only SOAP 1.2 is accepted.
> Time to get Axis fixed....
>

I'm fine wrt close with no action.
But I don't quite understand why vendors need to fix up anything. Since 
your test code deals with it (by examining the namespace), when deployed 
on a particular SCA runtime, shouldn't it work as written?

-Anish
--

>
> Yours, Mike.
>
> Strategist - Emerging Technologies, SCA & SDO.
> Co Chair OASIS SCA Assembly TC.
> IBM Hursley Park, Mail Point 146, Winchester, SO21 2JN, Great Britain.
> Phone & FAX: +44-1962-818014 Mobile: +44-7802-467431
> Email: mike_edwards@uk.ibm.com
>
>
> From: 	Anish Karmarkar <Anish.Karmarkar@oracle.com>
> To: 	sca-bindings@lists.oasis-open.org
> Date: 	01/07/2010 17:05
> Subject: 	Re: [sca-bindings] NEW ISSUE: Testing experience suggests
> requirements BWS40002 & BWS40003 are too strict for services
>
>
> ------------------------------------------------------------------------
>
>
>
> I think the higher-level issue, regardless of whether an implementation
> as it exists can be restricted or not, is:
> does it make sense for the spec to say that a particular service must
> not support *additional* transports/protocols?
> I tend to think that it is sufficient for the spec to say what the
> service must do and stay away from saying what it must not do. For
> example, if a service wants to accept messages from entities outside of
> SCA, why should the SCA spec restrict it?
>
> -Anish
> --
>
> On 7/1/2010 8:54 AM, Jim Marino wrote:
>  > As quick thought, have you tried inserting a JAX-WS handler that checks
>  > the message version (I'm assuming Axis2 supports JAX-WS handlers since
>  > it claims to be JAX-WS compliant)?
>  >
>  > I'm pretty sure Metro (the JAX-WS RI) can also be configured at a lower
>  > level to do this by inserting a custom Tube into the processing chain
>  > that handles requests. WSIT layers on top of Metro in this way to
>  > provide support for WS-Policy, WS-Security and reliable messaging. We've
>  > done this for a number of things in Fabric3 as well, including
>  > integrating WS-Security with the F3 authentication and authorization
>  > infrastructure. In general, we have found Metro to be easier to deal
>  > with than Axis2.
>  >
>  > Jim
>  >
>  > On Jul 1, 2010, at 9:02 AM, Mike Edwards wrote:
>  >
>  >>
>  >> Bryan,
>  >>
>  >> The client (JAXWS) side is set up so that it either sends SOAP 1.1 or
>  >> SOAP 1.2. The SCA server side uses Tuscany which uses Axis2.
>  >>
>  >> We can't (yet) find a way to get Axis2 to stop accepting SOAP 1.1
>  >> messages for a simple <binding.ws requires="SOAP.v1_2"/> binding.
>  >>
>  >> We have not tried using a WSDL on the server side, but that is missing
>  >> the point, since the test is trying to test the simple binding of the
>  >> form above.
>  >>
>  >>
>  >> Yours, Mike.
>  >>
>  >> Strategist - Emerging Technologies, SCA & SDO.
>  >> Co Chair OASIS SCA Assembly TC.
>  >> IBM Hursley Park, Mail Point 146, Winchester, SO21 2JN, Great Britain.
>  >> Phone & FAX: +44-1962-818014 Mobile: +44-7802-467431
>  >> Email: mike_edwards@uk.ibm.com <mailto:mike_edwards@uk.ibm.com>
>  >>
>  >>
>  >> From: Bryan Aupperle <aupperle@us.ibm.com <mailto:aupperle@us.ibm.com>>
>  >> To: OASIS SCA Bindings <sca-bindings@lists.oasis-open.org
>  >> <mailto:sca-bindings@lists.oasis-open.org>>
>  >> Date: 30/06/2010 14:39
>  >> Subject: Re: [sca-bindings] NEW ISSUE: Testing experience suggests
>  >> requirements BWS40002 & BWS40003 are too strict for services
>  >>
>  >>
>  >> ------------------------------------------------------------------------
>  >>
>  >>
>  >>
>  >> Mike,
>  >> when you were trying to force a service to only receive messages using
>  >> SOAPI 1.2, what happened if the only binding in the WSDL had a
>  >> <SOAP:binding/> element with the transport attribute set to the SOAP
>  >> 1.2 URL (_http://www.w3.org/2003/05/soap/bindings/HTTP/_)?
>  >>
>  >> I think you can control this using the JAX-WS @BindingType annotation.
>  >>
>  >> Bryan Aupperle, Ph.D.
>  >> STSM, WebSphere Enterprise Platform Software Solution Architect
>  >> WW Center of Excellence for Enterprise Systems & Banking Center of
>  >> Excellence Application Integration Architect
>  >>
>  >> Research Triangle Park, NC
>  >> +1 919-254-7508 (T/L 444-7508)
>  >> Internet Address: aupperle@us.ibm.com <mailto:aupperle@us.ibm.com>
>  >>
>  >> From: Eric Johnson <eric@tibco.com <mailto:eric@tibco.com>>
>  >> To: OASIS SCA Bindings <sca-bindings@lists.oasis-open.org
>  >> <mailto:sca-bindings@lists.oasis-open.org>>
>  >> Date: 06/17/2010 06:59 PM
>  >> Subject: [sca-bindings] NEW ISSUE: Testing experience suggests
>  >> requirements BWS40002 & BWS40003 are too strict for services
>  >>
>  >>
>  >>
>  >> ------------------------------------------------------------------------
>  >>
>  >>
>  >>
>  >> Target: sca-wsbinding-1.1-spec-cd03
>  >>
>  >> Title: Testing experience suggests requirements BWS40002 & BWS40003 are
>  >> too strict for services
>  >>
>  >> Description:
>  >>
>  >> Current normative statements:
>  >>
>  >> When the SOAP.1_1 intent is required, the SCA runtime MUST transmit and
>  >> receive messages using only SOAP 1.1. [BWS40002]
>  >>
>  >> When the SOAP.1_2 intent is required, the SCA runtime MUST transmit and
>  >> receive messages using only SOAP 1.2. [BWS40003]
>  >>
>  >> Mike Edward's experience in creating test cases suggests that at least
>  >> two existing implementations (Axis, JAX-WS reference implementation) of
>  >> SOAP stacks will gladly accept SOAP 1.1 or SOAP 1.2 at a given endpoint,
>  >> and that restricting them to only allowing SOAP 1.1 or SOAP 1.2 is
>  >> actually tricky, if it is even possible.
>  >>
>  >> This suggests that the normative statements, when applied to *services*
>  >> are perhaps overly strict. Note that it still makes sense to have these
>  >> policy intents on references.
>  >>
>  >> Proposal:
>  >>
>  >> Change the normative statements to read as follows:
>  >> When the SOAP.1_1 intent is required on a reference, the SCA runtime
>  >> MUST transmit and receive messages using only SOAP 1.1. [BWS40002]
>  >>
>  >> When the SOAP.1_2 intent is required on a reference, the SCA runtime
>  >> MUST transmit and receive messages using only SOAP 1.2. [BWS40003]
>  >>
>  >>
>  >>
>  >> ---------------------------------------------------------------------
>  >> To unsubscribe from this mail list, you must leave the OASIS TC that
>  >> generates this mail. Follow this link to all your TCs in OASIS at:_
>  >>
> __https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php_
>  >>
>  >>
>  >>
>  >>
>  >>
>  >>
>  >>
>  >> ------------------------------------------------------------------------
>  >>
>  >> /
>  >> /
>  >>
>  >> /Unless stated otherwise above:
>  >> IBM United Kingdom Limited - Registered in England and Wales with
>  >> number 741598.
>  >> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6
>  >> 3AU/
>  >>
>  >>
>  >>
>  >>
>  >>
>  >>
>  >
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>
>
>
>
>
>
> ------------------------------------------------------------------------
>
> /
> /
>
> /Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number
> 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU/
>
>
>
>
>
>