Subject: RE: [ws-sx] Issue i148: Syntax of XPath for Signed, Encrypted and RequiredElements


You're missing the point, sp:XPath is not an assertion

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122

From: "Symon Chang" <sychang@bea.com>
To: "Marc Goodner" <mgoodner@microsoft.com>, "Greg Carpenter" <gregcarp@microsoft.com>, <ws-sx@lists.oasis-open.org>
Cc: "Will Hopkins" <whopkins@bea.com>
Date: 08/14/2007 02:05 PM
Subject: RE: [ws-sx] Issue i148: Syntax of XPath for Signed, Encrypted and Required Elements

Attribute extensibility is required, not only for defining namespaces, but also for additional attributes required for that sp:XPath assertion. For example, given the following XPath Filter 2.0 <sp:SignedElements> assertion for the signature transformation:

<sp:SignedElements
XPathVersion="http://www.w3.org/2002/06/xmldsig-filter2"
xmlns:sp="..." >
<sp:XPath Filter="intersect"
xmlns:m="http://example">
//m:credit/num[@len>11]
</sp:XPath>
</sp:SignedElements>

The attribute of Filter="intersect" is just for that <sp:XPath> assertion, and it cannot be moved onto its parent, i.e. the <sp:SignedElements> assertion.

The namespace attributes are also required for some SOAP messages. For example, in a large SOAP document, there may be some elements with different namespaces that use the same namespace prefix. For example, in the following SOAP message, the namespace prefixes m and n1 in the <m:getProductsAndPricingResponse> and <m:CreditInfo> elements have different definitions:

<env:Envelope xmlns:env=". . .">
<env:Header>
. . .
</env:Header>
<env:Body . . .>
<m:getProductsAndPricingResponse xmlns:m="http://NCEN-WS3222:7001/ede/EDEService">
<result xmlns:n1="java:com.newcentury.response" soapenc:arrayType="n1:ProductGradePricingResponse[1]">
<ProductGradePricingResponse xsi:type="n1:ProductGradePricingResponse">
...
</ProductGradePricingResponse>
</result>
</m:getProductsAndPricingResponse>
<m:CreditInfo xmlns:m="http://myBank.com/creditInfo" xmlns:n1="com.mybank.response">
<candidateProductProgramGrades soapenc:arrayType="n1:CandidateProductProgramGrade">
. . .
</candidateProductProgramGrades>
</m:CreditInfo>
</env:Body>
</env:Envelope>

If we want to specify policy for signature and/or encryption for both the <m:getProductsAndPricingResponse> and <m:CreditInfo> elements, putting namespace attributes in the <sp:SignedElements> or <sp:EncryptedElements> assertions will not work. The namespace attributes of m and n1 have to be defined separately for each <sp:XPath> assertion.

Therefore, the syntax change for the <sp:XPath> assertion from <sp:XPath> to <sp:XPath ...> is required for more flexible policy specification.

Best regards,



Symon Chang
BEA Systems Inc.



From: Marc Goodner [mailto:mgoodner@microsoft.com]
Sent: Tuesday, August 07, 2007 7:30 AM
To: Greg Carpenter; Symon Chang; ws-sx@lists.oasis-open.org
Subject: RE: [ws-sx] Issue i148: Syntax of XPath for Signed, Encrypted and Required Elements

Attribute extensibility is not required in order to define a namespace. Also, sp:XPath is not an assertion, it is a parameter that qualifies the policy assertion in which it appears. This means that wsp:Optional is not valid for use on sp:XPath. The use of wsp:Optional is permitted for each of the policy assertions that has an sp:XPath parameter, i.e. the sp:EncryptedElements assertion.


From: Greg Carpenter
Sent: Friday, August 03, 2007 4:21 AM
To: Symon Chang; ws-sx@lists.oasis-open.org
Cc: Marc Goodner
Subject: [ws-sx] Issue i148: Syntax of XPath for Signed, Encrypted and Required Elements

Issue i148

From: Symon Chang [mailto:sychang@bea.com]
Sent: Thursday, August 02, 2007 8:38 PM
To: ws-sx@lists.oasis-open.org
Cc: Marc Goodner
Subject: [ws-sx] NEW Issue: Syntax of XPath for Signed, Encrypted and Required Elements

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.

Protocol: ws-sp

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.pdf

Artifact: spec

Type: design

Title: Syntax of XPath for Signed, Encrypted and Required Elements


Description:

The syntax of XPath Assertion should be changed from <sp:XPath> to <sp:XPath ...>

This is related to the following four assertions:

The syntax from the current spec is like this for EncryptedElements:
<sp:EncryptedElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
<sp:XPath>
xs:string</sp:XPath>+
...
</sp:EncryptedElements>

However, the policy for specifying an XPath element to be encrypted will not work. For example, if we use this for encryption of the ProductGradePricingResponse element, the following policy is broken. This is because the namespaces of env and m are not defined.

<wsp:Policy
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512" >
<sp:EncryptedElements XPathVersion="http://www.w3.org/TR/1999/REC-xpath-19991116">
<sp:XPath>/env:Envelope/env:Body/m:getProductsAndPricingResponse/result/ProductGradePricingResponse
</sp:XPath>
</sp:EncryptedElements>
</wsp:Policy>

The following policy will be better:

<wsp:Policy
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" >
<sp:EncryptedElements XPathVersion="http://www.w3.org/TR/1999/REC-xpath-19991116"
xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<sp:XPath xmlns:m="http://www.soapbuyer.org/soapexample/message">
/env:Envelope/env:Body/m:getProductsAndPricingResponse/result/ProductGradePricingResponse</sp:XPath>
</sp:EncryptedElements>
</wsp:Policy>

The namespaces of the XPath string should be placed as attributes in either the <sp:EncryptedElements> element or the <sp:XPath> elements.

In addition, if we want this encrypted element to be optional, then the policy example will look like this:

<wsp:Policy
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" >
<sp:EncryptedElements XPathVersion="http://www.w3.org/TR/1999/REC-xpath-19991116"
xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<sp:XPath xmlns:m="http://www.soapbuyer.org/soapexample/message" wsp:Optional="true">
/env:Envelope/env:Body/m:getProductsAndPricingResponse/result/ProductGradePricingResponse</sp:XPath>
</sp:EncryptedElements>
</wsp:Policy>

Based on the above policy examples, the syntax of the XPath assertion should be <sp:XPath ...> instead of <sp:XPath>.



Related issues:

None.

Proposed Resolution:

The syntax in the following sections should be changed:

Section 4.1.2 SignedElements Assertion

Before:
<sp:SignedElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
<sp:XPath>
xs:string</sp:XPath>+
...
</sp:SignedElements>

Change to:

<sp:SignedElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
<sp:XPath ...>
xs:string</sp:XPath>+
...
</sp:SignedElements>



Section 4.2.2 EncryptedElements Assertion

Before:
<sp:EncryptedElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
<sp:XPath>
xs:string</sp:XPath>+
...
</sp:EncryptedElements>


Change to:
<sp:EncryptedElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
<sp:XPath ...>
xs:string</sp:XPath>+
...
</sp:EncryptedElements>


Section 4.2.3 ContentEncryptedElements Assertion

Before:
<sp:ContentEncryptedElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
<sp:XPath>
xs:string</sp:XPath>+
...
</sp:ContentEncryptedElements>

Change to:
<sp:ContentEncryptedElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
<sp:XPath ...>
xs:string</sp:XPath>+
...
</sp:ContentEncryptedElements>


Section 4.3.1 RequiredElements Assertion

Before:
<sp:RequiredElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
<sp:XPath>
xs:string</sp:XPath>+
...
</sp:RequiredElements>

Change to:
<sp:RequiredElements XPathVersion="xs:anyURI"? xmlns:sp="..." ... >
<sp:XPath ...>
xs:string</sp:XPath>+
...
</sp:RequiredElements>





Symon Chang
BEA Systems



Notice: This email message, together with any attachments, may contain information of BEA Systems, Inc., its subsidiaries and affiliated entities, that may be confidential, proprietary, copyrighted and/or legally privileged, and is intended solely for the use of the individual or entity named in this message. If you are not the intended recipient, and have received this message in error, please immediately return this by email and then delete it.
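
The namespace question argued in this thread, as an added example that is not part of the original messages or of the WS-SecurityPolicy specification: it resolves each sp:XPath against the namespace declarations in scope on that element, then evaluates it on a message where prefix m is bound twice. The reduced message, the `policy` helper and the `//` expressions are constructed for illustration, and ElementTree's limited XPath subset stands in for a full XPath 1.0 engine.

```python
import io
import re
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
EDE, BANK = "http://NCEN-WS3222:7001/ede/EDEService", "http://myBank.com/creditInfo"

# Constructed message, reduced from the SOAP example in the thread: prefix m is
# bound to a different namespace on each of the two body children.
MESSAGE = f"""<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body>
<m:getProductsAndPricingResponse xmlns:m="{EDE}"><result/></m:getProductsAndPricingResponse>
<m:CreditInfo xmlns:m="{BANK}"><num/></m:CreditInfo>
</env:Body></env:Envelope>"""

def policy(parent_ns, first_ns, second_ns):
    """Build a constructed sp:SignedElements with optional xmlns:m declarations."""
    decl = lambda uri: f' xmlns:m="{uri}"' if uri else ""
    return (f'<sp:SignedElements xmlns:sp="{SP}"{decl(parent_ns)}>'
            f"<sp:XPath{decl(first_ns)}>//m:getProductsAndPricingResponse</sp:XPath>"
            f"<sp:XPath{decl(second_ns)}>//m:CreditInfo</sp:XPath></sp:SignedElements>")

def xpath_params(policy_xml):
    """Return (expression, in-scope prefix map) for each sp:XPath element."""
    scopes, pending, found = [{}], {}, []
    events = ET.iterparse(io.BytesIO(policy_xml.encode()), events=("start-ns", "start", "end"))
    for event, data in events:
        if event == "start-ns":      # reported before the declaring element's start
            pending[data[0]] = data[1]
        elif event == "start":       # child scope = parent scope + own declarations
            scopes.append({**scopes[-1], **pending})
            pending = {}
        else:
            scope = scopes.pop()
            if data.tag == f"{{{SP}}}XPath":
                # XPath 1.0 ignores the default namespace, so drop the "" prefix.
                found.append((data.text.strip(), {p: u for p, u in scope.items() if p}))
    return found

def selected(policy_xml, message_xml=MESSAGE):
    """Map each expression to the tags it selects, or to an unbound-prefix error."""
    root, result = ET.fromstring(message_xml), {}
    for expr, nsmap in xpath_params(policy_xml):
        unbound = sorted(set(re.findall(r"([A-Za-z_][\w.-]*):(?!:)", expr)) - set(nsmap))
        if unbound:
            result[expr] = "unbound prefix: " + ", ".join(unbound)
        else:  # ElementTree needs a relative path, so "//x" becomes ".//x"
            result[expr] = [e.tag for e in root.findall("." + expr, nsmap)]
    return result
```

With xmlns:m declared only on the parent, `//m:CreditInfo` selects nothing rather than failing, so a policy checker should treat an empty selection for a SignedElements or EncryptedElements expression as a finding, not as a pass.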

