
Subject: Critical ISSUE (RE: [wss-comment] Enumerations of QName fault codes)

Scott pointed this out to me, and I encouraged him to send this in to the comment list. Just to make sure people understand what the issue is:

SOAP faults are defined as XML QNAMEs; that is, strings that include namespace tags based on the namespace declarations in scope at the point in the document instance where the QNAME is found. As an example, the two following documents have exactly the same meaning under XML processing rules:

<ws:Fault xmlns:ws="http://what/ev/er">

<wsse:Fault xmlns:wsse="http://what/ev/er">

The only change is the namespace tag used within the instance; the actual namespace is the same.

However, in http://www.oasis-open.org/committees/download.php/5076/oasis-200401-wss-wssecurity-secext-1.0.xsd.xsd (why is this in the document repo with a duplicated file extension?), right at the end of the schema, we have:

<xsd:simpleType name="FaultcodeEnum">
  <xsd:restriction base="xsd:QName">
    <xsd:enumeration value="wsse:UnsupportedSecurityToken"/>
    <xsd:enumeration value="wsse:UnsupportedAlgorithm"/>
    <xsd:enumeration value="wsse:InvalidSecurity"/>
    <xsd:enumeration value="wsse:InvalidSecurityToken"/>
    <xsd:enumeration value="wsse:FailedAuthentication"/>
    <xsd:enumeration value="wsse:FailedCheck"/>
    <xsd:enumeration value="wsse:SecurityTokenUnavailable"/>
  </xsd:restriction>
</xsd:simpleType>

This will cause a fully validating parser to reject any documents where the namespace declaration doesn't always literally use "wsse" as the tag for the namespace "http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd".

This violates Pretty Well All of the XML Namespace processing rules, and will likely break interoperability with all sorts of fully conforming XML processing tools.

If this was my product, this would be a "Stop Ship" bug. While I am only one voice, I will advise my company's OASIS voting member to vote against the WSS spec at the OASIS level unless this is fixed.

 - irving -

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: January 28, 2004 15:12
> To: wss-comment@lists.oasis-open.org
> Subject: [wss-comment] Enumerations of QName fault codes
>
> Hello,
>
> Commenting on the recently released committee draft schema, I'd note that it
> seems like a bad idea to enumerate QName fault codes in the schema. This has
> the unfortunate side effect of mandating a specific namespace prefix on
> faults that appear in document instances, which is nice in theory if you
> could get away with it, but is not really in the spirit of XML, IMHO.
>
> I pushed for the elimination of that approach in SAML 1.x to avoid
> hardcoding the prefix in the schema and just enumerating the "logical"
> Qnames in the spec. Of course, I think we (SSTC) may want to fix that once
> and for all by using URIs instead, but obviously SOAP faults are Qnames now,
> so in that light, my suggestion is to pull the enumeration.
>
> Failing that, it's not impossible to declare an enumeration of Qnames using
> the NOTATION type that are more prefix-agnostic, but I've not seen that used
> much.
>
> Scott C
> The Ohio State Univ / Internet2
> cantor.2@osu.edu
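The point both messages make, as an added example that is not part of the thread or of the WSS schema: a consumer that compares the fault code's literal "wsse:..." string (which is what the QName enumeration pins down) rejects a conforming instance that binds the same namespace to another prefix, and accepts an instance that binds the prefix "wsse" to some other namespace. Resolving the QName against the declarations in scope at the faultcode element gives the right answer in both cases. The code assumes SOAP 1.1 faults with an unqualified faultcode child, uses the published WSS 1.0 secext namespace URI (the message above quotes it with an extra "www." host label), and the sample documents are constructed here.

```python
import io
import xml.etree.ElementTree as ET

# Namespace URI of the WSS 1.0 secext schema (published form).
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Local names of the seven fault codes enumerated in FaultcodeEnum.
WSSE_FAULTS = frozenset({
    "UnsupportedSecurityToken", "UnsupportedAlgorithm", "InvalidSecurity",
    "InvalidSecurityToken", "FailedAuthentication", "FailedCheck",
    "SecurityTokenUnavailable",
})

# The literal strings the schema enumeration fixes, prefix included.
WSSE_FAULT_LITERALS = frozenset("wsse:" + name for name in WSSE_FAULTS)


def resolve_qname(lexical, scope):
    """Map a lexical QName ('prefix:local' or 'local') to a
    (namespace URI, local name) pair using the in-scope declarations.
    An undeclared prefix is an error, not a silent mismatch."""
    prefix, sep, local = lexical.partition(":")
    if not sep:                 # no colon: unprefixed, default namespace
        prefix, local = "", prefix
    if prefix not in scope:
        raise ValueError(f"prefix {prefix!r} is not declared in scope")
    return scope[prefix], local


def fault_code(xml_text):
    """Return the SOAP 1.1 faultcode as a resolved (namespace, local)
    pair. Namespace scope is tracked per element as declarations come
    into and go out of scope, so the prefix chosen by the sender is
    irrelevant; only the namespace it is bound to matters."""
    scope = [{}]      # stack of prefix -> URI maps, one frame per open element
    pending = []      # declarations reported before their element's 'start'
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start", "end")):
        if event == "start-ns":
            pending.append(payload)          # (prefix, uri) tuple
        elif event == "start":
            frame = dict(scope[-1])
            frame.update(pending)
            pending = []
            scope.append(frame)
        else:                                # "end": element text is complete
            if payload.tag == "faultcode":   # unqualified child of soap:Fault
                return resolve_qname((payload.text or "").strip(), scope[-1])
            scope.pop()
    raise ValueError("no faultcode element found")


def is_wsse_fault(xml_text):
    """Prefix-agnostic check: the code must be a WSSE fault code *by
    namespace*, whatever prefix the instance happens to use."""
    ns, local = fault_code(xml_text)
    return ns == WSSE_NS and local in WSSE_FAULTS


def literal_match(xml_text):
    """The fragile check a QName enumeration invites: compare the raw
    'prefix:local' string and ignore what the prefix is bound to."""
    code = ET.fromstring(xml_text).find(".//faultcode").text.strip()
    return code in WSSE_FAULT_LITERALS


def build_fault(prefix, uri, code):
    """Constructed SOAP 1.1 fault with `uri` bound to `prefix` on the
    Fault element itself (a declaration that is in scope for faultcode)."""
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault xmlns:{prefix}="{uri}">
      <faultcode>{code}</faultcode>
      <faultstring>constructed sample fault</faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""


# Constructed sample instances, not taken from the message above.
FAULT_WSSE_PREFIX = build_fault("wsse", WSSE_NS, "wsse:FailedAuthentication")
FAULT_OTHER_PREFIX = build_fault("sec", WSSE_NS, "sec:FailedAuthentication")
FAULT_WRONG_BINDING = build_fault("wsse", "urn:example:not-wsse",
                                  "wsse:FailedAuthentication")

if __name__ == "__main__":
    for name, doc in [("wsse prefix", FAULT_WSSE_PREFIX),
                      ("sec prefix", FAULT_OTHER_PREFIX),
                      ("wsse bound elsewhere", FAULT_WRONG_BINDING)]:
        print(f"{name:22} literal={literal_match(doc)!s:5} "
              f"resolved={is_wsse_fault(doc)}")
```

The second and third documents are the two failure directions: `literal_match` rejects the conforming instance that uses the "sec" prefix and accepts the instance whose "wsse" prefix points at an unrelated namespace, while `is_wsse_fault` gets both right. The same scope tracking is what a validator would have to do to check a QName-typed value; an enumeration of lexical "wsse:..." strings short-circuits that and so only ever matches one prefix.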
