
Subject: RE: [wss] Critical ISSUE (RE: [wss-comment] Enumerations of QName fault codes)


In http://www.oasis-open.org/committees/download.php/5072/oasis-200401-wss-soap-message-security-1.0.pdf, section 12, lines 1483 and forward, repeats the wsse:whatever strings. However, you're right, it doesn't look like the enumeration defined in the .xsd file is directly connected to the rest of the schema or specification. Maybe that's a bug too...

 - irving -
 

> -----Original Message-----
> From: DeMartini, Thomas [mailto:Thomas.DeMartini@CONTENTGUARD.COM] 
> 
> Where is the simpleType "wsse:FaultcodeEnum" ever used?  If it is not
> used anywhere, how can it cause a problem?
> 
> &Thomas.
> 
> -----Original Message-----
> From: Reid, Irving [mailto:irving.reid@hp.com] 
> 
> Scott pointed this out to me, and I encouraged him to send this in to
> the comment list. Just to make sure people understand what the issue is:
> 
> SOAP faults are defined as XML QNAMEs; that is, strings that include
> namespace tags based on the namespace declarations in scope at the point
> in the document instance where the QNAME is found. As an example, the
> two following documents have exactly the same meaning under XML
> processing rules:
> 
> <ws:Fault xmlns:ws="http://what/ev/er">
>     ws:faultCodeNumberOne
> </ws:Fault>
> 
> <wsse:Fault xmlns:wsse="http://what/ev/er">
>     wsse:faultCodeNumberOne
> </wsse:Fault>
> 
> 
> The only change is the namespace tag used within the instance; the
> actual namespace is the same.
> 
> 
> However, in
> http://www.oasis-open.org/committees/download.php/5076/oasis-200401-wss-wssecurity-secext-1.0.xsd.xsd
> (why is this in the document repo with a duplicated file extension?),
> right at the end of the schema, we have:
> 
> <xsd:simpleType name="FaultcodeEnum">
>   <xsd:restriction base="xsd:QName">
>     <xsd:enumeration value="wsse:UnsupportedSecurityToken"/>
>     <xsd:enumeration value="wsse:UnsupportedAlgorithm"/>
>     <xsd:enumeration value="wsse:InvalidSecurity"/>
>     <xsd:enumeration value="wsse:InvalidSecurityToken"/>
>     <xsd:enumeration value="wsse:FailedAuthentication"/>
>     <xsd:enumeration value="wsse:FailedCheck"/>
>     <xsd:enumeration value="wsse:SecurityTokenUnavailable"/>
>   </xsd:restriction>
> </xsd:simpleType>
> 
> 
> This will cause a fully validating parser to reject any documents where
> the namespace declaration doesn't always literally use "wsse" as the tag
> for the namespace
> "http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd".
> 
> This violates Pretty Well All of the XML Namespace processing rules, and
> will likely break interoperability with all sorts of fully conforming
> XML processing tools.
> 
> If this was my product, this would be a "Stop Ship" bug. While I am only
> one voice, I will advise my company's OASIS voting member to vote
> against the WSS spec at the OASIS level unless this is fixed.
> 
>  - irving -
>  
> 
> > -----Original Message-----
> > From: Scott Cantor [mailto:cantor.2@osu.edu] 
> > Sent: January 28, 2004 15:12
> > To: wss-comment@lists.oasis-open.org
> > Subject: [wss-comment] Enumerations of QName fault codes
> > 
> > 
> > Hello,
> > 
> > Commenting on the recently released committee draft schema, I'd note
> > that it seems like a bad idea to enumerate QName fault codes in the
> > schema. This has the unfortunate side effect of mandating a specific
> > namespace prefix on faults that appear in document instances, which is
> > nice in theory if you could get away with it, but is not really in the
> > spirit of XML, IMHO.
> > 
> > I pushed for the elimination of that approach in SAML 1.x to avoid
> > hardcoding the prefix in the schema and just enumerating the "logical"
> > Qnames in the spec. Of course, I think we (SSTC) may want to fix that
> > once and for all by using URIs instead, but obviously SOAP faults are
> > Qnames now, so in that light, my suggestion is to pull the enumeration.
> > 
> > Failing that, it's not impossible to declare an enumeration of Qnames
> > using the NOTATION type that are more prefix-agnostic, but I've not
> > seen that used much.
> > 
> > Scott C
> > The Ohio State Univ / Internet2
> > cantor.2@osu.edu
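
Added example, not part of the original thread or of any OASIS code: it resolves a QName-valued fault code against the namespace declarations in scope, so the two documents quoted above compare equal, while a literal comparison on the prefixed string does not. The function names and the third sample document are assumptions made for illustration.

```python
import io
import xml.etree.ElementTree as ET

# Constructed sample documents modelled on the two in the thread; the
# namespace URI is the thread's own placeholder. DOC_OTHER is hypothetical.
DOC_WS = '<ws:Fault xmlns:ws="http://what/ev/er">ws:faultCodeNumberOne</ws:Fault>'
DOC_WSSE = ('<wsse:Fault xmlns:wsse="http://what/ev/er">\n'
            '    wsse:faultCodeNumberOne\n</wsse:Fault>')
DOC_OTHER = ('<wsse:Fault xmlns:wsse="http://some/other/ns">'
             'wsse:faultCodeNumberOne</wsse:Fault>')


def resolve_qname_content(xml_text, local_element="Fault"):
    """Return (namespace_uri, local_name) for the QName held as text in the
    first element whose local name is `local_element`."""
    scope = []  # stack of (prefix, uri) declarations currently in scope
    source = io.BytesIO(xml_text.encode("utf-8"))
    events = ("start-ns", "end", "end-ns")
    for event, payload in ET.iterparse(source, events=events):
        if event == "start-ns":
            scope.append(payload)
        elif event == "end-ns":
            scope.pop()
        elif payload.tag.rpartition("}")[2] == local_element:
            lexical = (payload.text or "").strip()
            prefix, _, local = lexical.rpartition(":")
            # Innermost declaration wins; no prefix means the default namespace.
            for declared, uri in reversed(scope):
                if declared == prefix:
                    return (uri, local)
            if prefix:
                raise ValueError(f"undeclared prefix {prefix!r} in {lexical!r}")
            return ("", local)
    raise ValueError(f"no <{local_element}> element found")


def same_fault(doc_a, doc_b):
    """Compare fault codes by expanded name (namespace URI + local part)."""
    return resolve_qname_content(doc_a) == resolve_qname_content(doc_b)


def naive_match(xml_text, expected="wsse:faultCodeNumberOne"):
    """Prefix-sensitive string comparison, the behaviour the thread objects to."""
    return (ET.fromstring(xml_text).text or "").strip() == expected
```

The string comparison rejects `DOC_WS` although its fault code is the same QName, and accepts `DOC_OTHER` although its prefix is bound to a different namespace.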

