

Subject: Re: [wss] Critical ISSUE (RE: [wss-comment] Enumerations of QName fault codes)



The fault codes are for use in the fault messages defined by SOAP.   Those schema use QNames, so in this case, I don't believe we have the option to use URIs.

regards,

-Pete


On Thu, Jan 29, 2004 at 11:42:20PM -0500, Reid, Irving wrote:
> In http://www.oasis-open.org/committees/download.php/5072/oasis-200401-wss-soap-message-security-1.0.pdf, section 12, lines 1483 and forward, repeats the wsse:whatever strings. However, you're right, it doesn't look like the enumeration defined in the .xsd file is directly connected to the rest of the schema or specification. Maybe that's a bug too...
> 
>  - irving -
>  
> 
> > -----Original Message-----
> > From: DeMartini, Thomas [mailto:Thomas.DeMartini@CONTENTGUARD.COM] 
> > 
> > Where is the simpleType "wsse:FaultcodeEnum" ever used?  If it is not
> > used anywhere, how can it cause a problem?
> > 
> > &Thomas.
> > 
> > -----Original Message-----
> > From: Reid, Irving [mailto:irving.reid@hp.com] 
> > 
> > Scott pointed this out to me, and I encouraged him to send this in to
> > the comment list. Just to make sure people understand what the issue is:
> > 
> > SOAP faults are defined as XML QNAMEs; that is, strings that include
> > namespace tags based on the namespace declarations in scope at the point
> > in the document instance where the QNAME is found. As an example, the
> > two following documents have exactly the same meaning under XML
> > processing rules:
> > 
> > <ws:Fault xmlns:ws="http://what/ev/er">
> >     ws:faultCodeNumberOne
> > </ws:Fault>
> > 
> > <wsse:Fault xmlns:wsse="http://what/ev/er">
> >     wsse:faultCodeNumberOne
> > </wsse:Fault>
> > 
> > 
> > The only change is the namespace tag used within the instance; the
> > actual namespace is the same.
> > 
> > 
> > However, in
> > http://www.oasis-open.org/committees/download.php/5076/oasis-200401-wss-wssecurity-secext-1.0.xsd.xsd
> > (why is this in the document repo with a
> > duplicated file extension?), right at the end of the schema, we have:
> > 
> > <xsd:simpleType name="FaultcodeEnum">
> >   <xsd:restriction base="xsd:QName">
> >     <xsd:enumeration value="wsse:UnsupportedSecurityToken"/>
> >     <xsd:enumeration value="wsse:UnsupportedAlgorithm"/>
> >     <xsd:enumeration value="wsse:InvalidSecurity"/>
> >     <xsd:enumeration value="wsse:InvalidSecurityToken"/>
> >     <xsd:enumeration value="wsse:FailedAuthentication"/>
> >     <xsd:enumeration value="wsse:FailedCheck"/>
> >     <xsd:enumeration value="wsse:SecurityTokenUnavailable"/>
> >   </xsd:restriction>
> > </xsd:simpleType>
> > 
> > 
> > This will cause a fully validating parser to reject any documents where
> > the namespace declaration doesn't always literally use "wsse" as the tag
> > for the namespace
> > "http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd".
> > 
> > This violates Pretty Well All of the XML Namespace processing rules, and
> > will likely break interoperability with all sorts of fully conforming
> > XML processing tools.
> > 
> > If this was my product, this would be a "Stop Ship" bug. While I am only
> > one voice, I will advise my company's OASIS voting member to vote
> > against the WSS spec at the OASIS level unless this is fixed.
> > 
> >  - irving -
> >  
> > 
> > > -----Original Message-----
> > > From: Scott Cantor [mailto:cantor.2@osu.edu] 
> > > Sent: January 28, 2004 15:12
> > > To: wss-comment@lists.oasis-open.org
> > > Subject: [wss-comment] Enumerations of QName fault codes
> > > 
> > > 
> > > Hello,
> > > 
> > > Commenting on the recently released committee draft schema, I'd note that it
> > > seems like a bad idea to enumerate QName fault codes in the schema. This has
> > > the unfortunate side effect of mandating a specific namespace prefix on
> > > faults that appear in document instances, which is nice in theory if you
> > > could get away with it, but is not really in the spirit of XML, IMHO.
> > > 
> > > I pushed for the elimination of that approach in SAML 1.x to avoid
> > > hardcoding the prefix in the schema and just enumerating the "logical"
> > > Qnames in the spec. Of course, I think we (SSTC) may want to fix that once
> > > and for all by using URIs instead, but obviously SOAP faults are Qnames now,
> > > so in that light, my suggestion is to pull the enumeration.
> > > 
> > > Failing that, it's not impossible to declare an enumeration of Qnames using
> > > the NOTATION type that are more prefix-agnostic, but I've not seen that used
> > > much.
> > > 
> > > Scott C
> > > The Ohio State Univ / Internet2
> > > cantor.2@osu.edu

-- 
-Pete
pdapkus at bea.com
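
The prefix-independence point raised in this thread, as an added example that is not part of any message: a receiver resolves the fault code's prefix against the namespace declarations in scope and compares expanded names rather than the literal `wsse:` string. The namespace is the thread's placeholder `http://what/ev/er`, the sample faults are constructed, and the function names are hypothetical.

```python
import io
import xml.etree.ElementTree as ET

WSSE_NS = "http://what/ev/er"  # the thread's placeholder namespace, not the real WSS URI
# Local names from the FaultcodeEnum quoted in the thread.
KNOWN_FAULTS = {
    "UnsupportedSecurityToken", "UnsupportedAlgorithm", "InvalidSecurity",
    "InvalidSecurityToken", "FailedAuthentication", "FailedCheck",
    "SecurityTokenUnavailable",
}

def faultcode_expanded(xml_text):
    """Return (namespace_uri, local_name) of the first <faultcode>, or None."""
    scopes, pending = [], []   # binding stack per open element; declarations not yet attached
    stream = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(stream, events=("start-ns", "start", "end")):
        if event == "start-ns":             # fires before the declaring element's "start"
            pending.append(payload)         # payload is (prefix, uri)
        elif event == "start":
            scope = dict(scopes[-1]) if scopes else {}
            scope.update(pending)
            scopes.append(scope)
            pending = []
        else:                               # "end": the element's text is complete here
            in_scope = scopes.pop()
            if payload.tag == "faultcode":  # unqualified child of a SOAP 1.1 Fault
                prefix, _, local = (payload.text or "").strip().rpartition(":")
                if prefix and prefix not in in_scope:
                    raise ValueError(f"undeclared prefix {prefix!r} in faultcode")
                return in_scope.get(prefix), local
    return None

def is_wss_fault(xml_text):
    """True only if the fault code's expanded name is a known WSS fault."""
    name = faultcode_expanded(xml_text)
    return name is not None and name[0] == WSSE_NS and name[1] in KNOWN_FAULTS

def _fault(prefix, uri):  # builds a constructed sample fault
    return (f'<soap:Fault xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
            f'xmlns:{prefix}="{uri}"><faultcode>{prefix}:InvalidSecurity</faultcode>'
            f'</soap:Fault>')

FAULT_WSSE = _fault("wsse", WSSE_NS)                        # usual prefix
FAULT_WS = _fault("ws", WSSE_NS)                            # same namespace, other prefix
FAULT_REBOUND = _fault("wsse", "http://example.invalid/x")  # "wsse" bound elsewhere

if __name__ == "__main__":
    for doc in (FAULT_WSSE, FAULT_WS, FAULT_REBOUND):
        print(faultcode_expanded(doc), is_wss_fault(doc))
```

The third sample carries the literal text `wsse:InvalidSecurity` but binds `wsse` to a different namespace, so a plain string comparison would accept it while the expanded-name comparison does not.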

