Subject: RE: [wss] Critical ISSUE (RE: [wss-comment] Enumerations of QName fault codes)


Where is the simpleType "wsse:FaultcodeEnum" ever used?  If it is not
used anywhere, how can it cause a problem?

&Thomas.

-----Original Message-----
From: Reid, Irving [mailto:irving.reid@hp.com] 
Sent: Thursday, January 29, 2004 2:09 PM
To: wss@lists.oasis-open.org
Subject: [wss] Critical ISSUE (RE: [wss-comment] Enumerations of QName fault codes)

Scott pointed this out to me, and I encouraged him to send this in to
the comment list. Just to make sure people understand what the issue is:

SOAP faults are defined as XML QNAMEs; that is, strings that include
namespace tags based on the namespace declarations in scope at the point
in the document instance where the QNAME is found. As an example, the
two following documents have exactly the same meaning under XML
processing rules:

<ws:Fault xmlns:ws="http://what/ev/er">
    ws:faultCodeNumberOne
</ws:Fault>

<wsse:Fault xmlns:wsse="http://what/ev/er">
    wsse:faultCodeNumberOne
</wsse:Fault>


The only change is the namespace tag used within the instance; the
actual namespace is the same.


However, in
http://www.oasis-open.org/committees/download.php/5076/oasis-200401-wss-wssecurity-secext-1.0.xsd.xsd
(why is this in the document repo with a duplicated file extension?),
right at the end of the schema, we have:

<xsd:simpleType name="FaultcodeEnum">
  <xsd:restriction base="xsd:QName">
    <xsd:enumeration value="wsse:UnsupportedSecurityToken"/>
    <xsd:enumeration value="wsse:UnsupportedAlgorithm"/>
    <xsd:enumeration value="wsse:InvalidSecurity"/>
    <xsd:enumeration value="wsse:InvalidSecurityToken"/>
    <xsd:enumeration value="wsse:FailedAuthentication"/>
    <xsd:enumeration value="wsse:FailedCheck"/>
    <xsd:enumeration value="wsse:SecurityTokenUnavailable"/>
  </xsd:restriction>
</xsd:simpleType>


This will cause a fully validating parser to reject any documents where
the namespace declaration doesn't always literally use "wsse" as the tag
for the namespace
"http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd".

This violates Pretty Well All of the XML Namespace processing rules, and
will likely break interoperability with all sorts of fully conforming
XML processing tools.

If this was my product, this would be a "Stop Ship" bug. While I am only
one voice, I will advise my company's OASIS voting member to vote
against the WSS spec at the OASIS level unless this is fixed.

 - irving -
 

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu] 
> Sent: January 28, 2004 15:12
> To: wss-comment@lists.oasis-open.org
> Subject: [wss-comment] Enumerations of QName fault codes
> 
> 
> Hello,
> 
> Commenting on the recently released committee draft schema, I'd note that
> it seems like a bad idea to enumerate QName fault codes in the schema.
> This has the unfortunate side effect of mandating a specific namespace
> prefix on faults that appear in document instances, which is nice in
> theory if you could get away with it, but is not really in the spirit of
> XML, IMHO.
> 
> I pushed for the elimination of that approach in SAML 1.x to avoid
> hardcoding the prefix in the schema and just enumerating the "logical"
> Qnames in the spec. Of course, I think we (SSTC) may want to fix that
> once and for all by using URIs instead, but obviously SOAP faults are
> Qnames now, so in that light, my suggestion is to pull the enumeration.
> 
> Failing that, it's not impossible to declare an enumeration of Qnames
> using the NOTATION type that are more prefix-agnostic, but I've not seen
> that used much.
> 
> Scott C
> The Ohio State Univ / Internet2
> cantor.2@osu.edu
> 


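To make the interoperability point of the thread concrete, here is an added example (not from the thread or the WSS schema) that resolves the QName carried as text content of a SOAP-style Fault element against the namespace declarations in scope, then checks it against the FaultcodeEnum values two ways: as a literal string with the "wsse" prefix, and as an expanded (namespace URI, local name) pair. The instance documents, the helper names and the use of Python's ElementTree are constructed for the illustration; which behaviour a given validator implements is not claimed here.

```python
import xml.etree.ElementTree as ET
from io import StringIO

WSSE_NS = ("http://www.docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# The lexical values exactly as the FaultcodeEnum restriction spells them.
FAULTCODE_ENUM_LEXICAL = {
    "wsse:UnsupportedSecurityToken", "wsse:UnsupportedAlgorithm",
    "wsse:InvalidSecurity", "wsse:InvalidSecurityToken",
    "wsse:FailedAuthentication", "wsse:FailedCheck",
    "wsse:SecurityTokenUnavailable",
}
# Same enumeration as expanded names: "wsse" resolved to the URI it is bound to.
FAULTCODE_ENUM_EXPANDED = {(WSSE_NS, v.split(":", 1)[1]) for v in FAULTCODE_ENUM_LEXICAL}

def root_qname_text(doc):
    """Return (lexical QName, expanded name) for the QName carried as text
    content of the root element, resolved against the declarations in scope
    on that element. Raises ValueError if the prefix is undeclared."""
    ns_in_scope, root_scope, root = {}, None, None
    events = ("start-ns", "start", "end")
    for event, payload in ET.iterparse(StringIO(doc), events=events):
        if event == "start-ns":
            ns_in_scope[payload[0]] = payload[1]      # (prefix, uri)
        elif event == "start" and root_scope is None:
            root_scope = dict(ns_in_scope)            # snapshot for the root
        elif event == "end":
            root = payload                            # last 'end' is the root
    lexical = root.text.strip()
    prefix, _, local = lexical.rpartition(":")
    if prefix not in root_scope:
        raise ValueError(f"undeclared prefix {prefix!r} in {lexical}")
    return lexical, (root_scope[prefix], local)

def literal_prefix_valid(doc):
    """Comparison on the lexical value: only the spelling 'wsse:...' passes."""
    return root_qname_text(doc)[0] in FAULTCODE_ENUM_LEXICAL

def namespace_aware_valid(doc):
    """Comparison on the expanded name: any prefix bound to WSSE_NS passes."""
    return root_qname_text(doc)[1] in FAULTCODE_ENUM_EXPANDED

# Constructed instances. The first two mean the same thing under XML
# Namespaces; the third spells the prefix "right" but binds it elsewhere.
DOC_WSSE = f'<wsse:Fault xmlns:wsse="{WSSE_NS}">wsse:FailedCheck</wsse:Fault>'
DOC_WS = f'<ws:Fault xmlns:ws="{WSSE_NS}">ws:FailedCheck</ws:Fault>'
DOC_WRONG_NS = '<wsse:Fault xmlns:wsse="http://what/ev/er">wsse:FailedCheck</wsse:Fault>'
```

Running the three documents through both checks shows the disagreement: the literal check accepts DOC_WSSE and DOC_WRONG_NS but rejects DOC_WS, while the namespace-aware check accepts DOC_WSSE and DOC_WS and rejects DOC_WRONG_NS.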
