
ws-sx message



Subject: [ws-sx] Issue i148: Syntax of XPath for Signed, Encrypted and Required Elements


Issue i148

 

From: Symon Chang [mailto:sychang@bea.com]
Sent: Thursday, August 02, 2007 8:38 PM
To: ws-sx@lists.oasis-open.org
Cc: Marc Goodner
Subject: [ws-sx] NEW Issue: Syntax of XPath for Signed, Encrypted and Required Elements

 

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.  
The issues coordinators will notify the list when that has occurred.
 
Protocol:  ws-sp 
 
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.pdf  
 
Artifact:  spec 
 
Type: design
 
Title: Syntax of XPath for Signed, Encrypted and Required Elements
 
 
Description: 
 
The syntax of XPath Assertion should be changed from <sp:XPath> to <sp:XPath ...>
 
This is related to the following four assertions: 
 
·        SignedElements Assertion – Section 4.1.2 
·        EncryptedElements Assertion – Section 4.2.2 
·        ContentEncryptedElements Assertion – Section 4.2.3 
·        RequiredElements Assertion – Section 4.3.1 
 
The syntax in the current spec looks like this for the EncryptedElement: 
 

<sp:EncryptedElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
  <sp:XPath>xs:string</sp:XPath>+
  ...
</sp:EncryptedElements>

 
However, a policy that specifies an XPath element to be encrypted will not work. For example, if we use this for encryption of the ProductGradePricingResponse element, the following policy is broken. This is because the namespaces of env and m are not defined.  
 

<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512"  >
  <sp:EncryptedElements XPathVersion="http://www.w3.org/TR/1999/REC-xpath-19991116">
     <sp:XPath>/env:Envelope/env:Body/m:getProductsAndPricingResponse/result/ProductGradePricingResponse
    </sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>

 
The following policy will be better:
 

<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  >
  <sp:EncryptedElements XPathVersion="http://www.w3.org/TR/1999/REC-xpath-19991116"
                        xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
    <sp:XPath xmlns:m="http://www.soapbuyer.org/soapexample/message">
        /env:Envelope/env:Body/m:getProductsAndPricingResponse/result/ProductGradePricingResponse</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>

 
The namespaces used in the XPath string should be declared as attributes on either the <sp:EncryptedElements> element or the <sp:XPath> element.
 
In addition, if we want this encrypted element to be optional, then the policy example will look like this: 
 

<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"   >
  <sp:EncryptedElements XPathVersion="http://www.w3.org/TR/1999/REC-xpath-19991116"
                        xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
    <sp:XPath xmlns:m="http://www.soapbuyer.org/soapexample/message" wsp:Optional="true">
        /env:Envelope/env:Body/m:getProductsAndPricingResponse/result/ProductGradePricingResponse</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>

 
Based on the above policy examples, the syntax of the XPath assertion should be <sp:XPath ...> instead of <sp:XPath>. 
 
 
 
Related issues:

None.


Proposed Resolution:
 
The syntax in the following sections should be changed: 
 
Section 4.1.2 SignedElements Assertion  
 
Before: 
 

<sp:SignedElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
  <sp:XPath>xs:string</sp:XPath>+
  ...
</sp:SignedElements>

 

Change to:  

 

<sp:SignedElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
  <sp:XPath ...>xs:string</sp:XPath>+
  ...
</sp:SignedElements>

 
 
 
Section 4.2.2 EncryptedElements Assertion  
 
Before:
 

<sp:EncryptedElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
  <sp:XPath>xs:string</sp:XPath>+
  ...
</sp:EncryptedElements>

 
 
Change to: 
 

<sp:EncryptedElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
  <sp:XPath ...>xs:string</sp:XPath>+
  ...
</sp:EncryptedElements>

 
 
Section 4.2.3 ContentEncryptedElements Assertion 
 
Before: 
 

<sp:ContentEncryptedElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
  <sp:XPath>xs:string</sp:XPath>+
  ...
</sp:ContentEncryptedElements>

 
Change to: 
 

<sp:ContentEncryptedElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
  <sp:XPath ...>xs:string</sp:XPath>+
  ...
</sp:ContentEncryptedElements>

 
  
Section 4.3.1 RequiredElements Assertion
 
Before: 
 

<sp:RequiredElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
  <sp:XPath>xs:string</sp:XPath>+
  ...
</sp:RequiredElements>

 
Change to: 
 

<sp:RequiredElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
  <sp:XPath ...>xs:string</sp:XPath>+
  ...
</sp:RequiredElements>

 
 
 
 
 
Symon Chang  
BEA Systems
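
An added example, not part of the original message or of the WS-SecurityPolicy specification: a Python check that reports any prefix used in an sp:XPath expression that has no in-scope xmlns declaration, so a policy naming elements to encrypt or sign cannot silently fail to resolve. It assumes prefixes are resolved from declarations on sp:XPath or its ancestors, as the message proposes; unbound_prefixes and the condensed BROKEN/FIXED policies (wsp:Policy wrapper dropped) are names constructed here.

```python
import io
import re
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
XPV = "http://www.w3.org/TR/1999/REC-xpath-19991116"
PATH = ("/env:Envelope/env:Body/m:getProductsAndPricingResponse"
        "/result/ProductGradePricingResponse")
# The two policies from the message, condensed: no bindings vs. bindings added.
BROKEN = (f'<sp:EncryptedElements xmlns:sp="{SP}" XPathVersion="{XPV}">'
          f'<sp:XPath>{PATH}</sp:XPath></sp:EncryptedElements>')
FIXED = (f'<sp:EncryptedElements xmlns:sp="{SP}" XPathVersion="{XPV}" '
         'xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">'
         '<sp:XPath xmlns:m="http://www.soapbuyer.org/soapexample/message">'
         f'{PATH}</sp:XPath></sp:EncryptedElements>')

# sp:XPath in any WS-SecurityPolicy namespace version (200512, 200702, ...).
SP_XPATH = re.compile(r"\{http://docs\.oasis-open\.org/ws-sx/ws-securitypolicy/\d+\}XPath$")
LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")       # XPath string literals
PREFIX = re.compile(r"([A-Za-z_][\w.-]*):(?!:)")  # QName prefix, not an axis (child::)


def unbound_prefixes(policy_xml):
    """Return [(xpath, unbound_prefixes)] for every sp:XPath in the policy."""
    in_scope = []   # stack of (prefix, uri) declarations currently in scope
    findings = []
    source = io.BytesIO(policy_xml.encode("utf-8"))
    for event, item in ET.iterparse(source, ("start-ns", "end-ns", "end")):
        if event == "start-ns":
            in_scope.append(item)
        elif event == "end-ns":
            in_scope.pop()
        elif SP_XPATH.match(item.tag):
            # 'end' is reported before the element's own 'end-ns' events,
            # so declarations made on sp:XPath itself are still on the stack.
            bound = {prefix for prefix, _ in in_scope}
            expr = (item.text or "").strip()
            used = set(PREFIX.findall(LITERAL.sub("", expr)))
            findings.append((expr, sorted(used - bound)))
    return findings


if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, unbound_prefixes(doc))
```
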
  

 

