Posted to java-dev@axis.apache.org by Tony Opatha <to...@yahoo.com> on 2005/07/26 07:57:24 UTC

Re: WSDL with attachments

I agree SOAP with (MIME) Attachment is probably more interoperable than DIME.
 
However, keep in mind that WS-I BP 1.1 has a SOAP Attachment Profile 1.0
finalized since last year. 
 
I believe currently WS-BP 1.1 is being supported by some commercial SOAP vendors with SOAP Attachment Profile 1.0.
 
However, AXIS does not support WS-BP 1.1 nor does it support SOAP 
Attachment Profile; this support will be available in AXIS 2.0.
 
On the other hand, in gSOAP there seems to be some support for WS-BP 1.1.
 
I think it was a mistake for AXIS 1.2 not to have support for WS BP 1.1.
 
AXIS 2 may be months (or who knows may be more than a year) from being released as final release, and having such support in AXIS 1.x would have
been a great opportunity towards interoperable web services.
 
 
 
 
-----Original Message-----
From: Agarwal, Naresh [mailto:nagarwal@informatica.com]
Sent: Monday, July 25, 2005 10:39 PM
To: axis-user@ws.apache.org; Thilina Gunarathne
Subject: RE: WSDL with attachments


I need a clarification on this topic - 
 
For SOAP v1.1, there are two standards for attachments - MIME (aka SwA) and DIME. WS-I has recommended MIME. Is DIME popular among the vendors other than Microsoft? Do SOAP/WebServices vendors (other than Microsoft) support DIME?
 
For SOAP v1.2, MTOM will be the standard for attachment. Will MTOM replace MIME and DIME in SOAP 1.2?
 
thanks,
Naresh
 
 


---------------------------------
From: Thilina Gunarathne [mailto:csethil@gmail.com] 
Sent: Tuesday, July 26, 2005 9:17 AM
To: axis-user@ws.apache.org; Jeremy Hynoski
Subject: Re: WSDL with attachments



Last week Axis2 MTOM & WSE3.0 July CTP successfully interop for a simple sample. There were a few issues in earlier CTPs with respect to MIME handling, which they have corrected in the July CTP.

~Thilina



Re: WSDL with attachments

Posted by Davanum Srinivas <da...@gmail.com>.
Tony,

PLEASE open a bug report ("new feature") for things you need from
Axis. Whether it is 1.X or 2.X.

thanks,
dims

On 7/26/05, Tony Opatha <to...@yahoo.com> wrote:
>  
>  
> I agree SOAP with (MIME) Attachment is probably more interoperable than
> DIME. 
>   
> However, keep in mind that WS-I BP 1.1 has a SOAP Attachment Profile 1.0 
> finalized since last year. 
>   
> I believe currently WS-BP 1.1 is being supported by some commercial SOAP
> vendors with SOAP Attachment Profile 1.0. 
>   
> However, AXIS does not support WS-BP 1.1 nor does it support SOAP 
> Attachment Profile; this support will be available in AXIS 2.0. 
>   
> On the other hand, in gSOAP there seems to be some support for WS-BP 1.1.
>   
> I think it was a mistake for AXIS 1.2 not to have support for WS BP 1.1. 
>   
> AXIS 2 may be months (or who knows may be more than a year) from being
> released as final release, and having such support in AXIS 1.x would have
> been a great opportunity towards interoperable web services.
>  
>   
>   
>   
>   
> -----Original Message-----
> From: Agarwal, Naresh [mailto:nagarwal@informatica.com]
> Sent: Monday, July 25, 2005 10:39 PM
> To: axis-user@ws.apache.org; Thilina Gunarathne
> Subject: RE: WSDL with attachments
> 
>  
> I need a clarification on this topic - 
>   
> For SOAP v1.1, there are two standards for attachments - MIME (aka SwA) and
> DIME. WS-I has recommended MIME.  Is DIME popular among the vendors other
> than Microsoft? Do SOAP/WebServices vendors (other than Microsoft)
> support DIME?
>   
> For SOAP v1.2, MTOM will be the standard for attachment. Will MTOM replace
> MIME and DIME in SOAP 1.2? 
>   
> thanks, 
> Naresh 
>   
>  
>  
>  ________________________________
>  From: Thilina Gunarathne [mailto:csethil@gmail.com] 
> Sent: Tuesday, July 26, 2005 9:17 AM
> To: axis-user@ws.apache.org; Jeremy Hynoski
> Subject: Re: WSDL with attachments
> 
>  
> Last week Axis2 MTOM & WSE3.0 July CTP successfully interop for a simple
> sample. There were a few issues in earlier CTPs with respect to MIME
> handling, which they have corrected in the July CTP.
> 
> ~Thilina
> 
> 


-- 
Davanum Srinivas - http://blogs.cocoondev.org/dims/

Re: WSDL with attachments

Posted by Anne Thomas Manes <at...@gmail.com>.
Ah.. but that would require a significant update to XML Signature.
Would you like to call NIST about it or should I? <grin>

Anne

On 7/29/05, Dennis Sosnoski <dm...@sosnoski.com> wrote:
> These are complex topics that are straying away from Axis issues, since
> WS-Security is a given that we all need to work with. I'll just point
> out, though, that XML Canonicalization is only required because of the
> decision to base XML Signature on the *text* of the document, rather
> than the *content* of the document. It would have allowed for much more
> efficient implementation if Signature had been based on the Infoset, for
> instance. As it is, the reliance on the particular sequence of
> characters in the text format has repeatedly caused problems in Axis due
> to issues such as namespace prefixes which have absolutely nothing to do
> with the content of the document.
> 
>   - Dennis
> 
> Anne Thomas Manes wrote:
> 
> >I agree with you that the XML gateway appliance vendors will benefit
> >from widespread adoption of WS-Security. <grin>
> >
> >I'm not an expert in security, although I do know enough to know that
> >it's a remarkably complex topic. The security gods have reached the
> >conclusion that the best way to ensure end-to-end security and to
> >reduce security vulnerabilities when dealing with attachments is to
> >make them part of the SOAP message infoset. The documents I cited can
> >tell you why -- but you need a pretty deep understanding of security
> >threats and countermeasures to truly understand them. (I'm definitely
> >on shaky ground when reading them.)
> >
> >XML Signature requires XML Canonicalization because you absolutely
> >need to make sure that not one bit in the message changes to replicate
> >and validate a signature. That's just the way it is. The message may
> >get compressed or chunked or whatever in transit, so you have to be
> >able to reconstruct it exactly. Only canonicalization can ensure
> >perfect reconstruction.
> >
> >Anne
> >
> >On 7/28/05, Dennis Sosnoski <dm...@sosnoski.com> wrote:
> >
> >
> >>Thanks for the pointers, Anne, I'll check out the documents.
> >>
> >>As to the issue of attachments not being part of the Infoset - honestly,
> >>that seems a much cleaner approach to me than making them look like
> >>base64 encoding, as done by MTOM. WS-Security (which in turn builds on
> >>XML Signature, which uses XML Canonicalization) is one of the most Rube
> >>Goldberg-ish contraptions in the history of technology. It's the
> >>equivalent of writing your data out in longhand on a whiteboard, taking
> >>a Polaroid of the whiteboard, signing that, and enclosing it with the
> >>transmission. The main beneficiaries of WS-Security would seem to be the
> >>manufacturers of XML appliances, which suddenly have a huge potential
> >>market.
> >>
> >>IMHO there's no reason why WS-Security couldn't have been designed with
> >>attachments in mind, and implemented the sensible approach of just
> >>encrypting or signing the binary format directly.
> >>
> >>  - Dennis
> >>
>

Re: WSDL with attachments

Posted by Dennis Sosnoski <dm...@sosnoski.com>.
These are complex topics that are straying away from Axis issues, since 
WS-Security is a given that we all need to work with. I'll just point 
out, though, that XML Canonicalization is only required because of the 
decision to base XML Signature on the *text* of the document, rather 
than the *content* of the document. It would have allowed for much more 
efficient implementation if Signature had been based on the Infoset, for 
instance. As it is, the reliance on the particular sequence of 
characters in the text format has repeatedly caused problems in Axis due 
to issues such as namespace prefixes which have absolutely nothing to do 
with the content of the document.

  - Dennis

Anne Thomas Manes wrote:

>I agree with you that the XML gateway appliance vendors will benefit
>from widespread adoption of WS-Security. <grin>
>
>I'm not an expert in security, although I do know enough to know that
>it's a remarkably complex topic. The security gods have reached the
>conclusion that the best way to ensure end-to-end security and to
>reduce security vulnerabilities when dealing with attachments is to
>make them part of the SOAP message infoset. The documents I cited can
>tell you why -- but you need a pretty deep understanding of security
>threats and countermeasures to truly understand them. (I'm definitely
>on shaky ground when reading them.)
>
>XML Signature requires XML Canonicalization because you absolutely
>need to make sure that not one bit in the message changes to replicate
>and validate a signature. That's just the way it is. The message may
>get compressed or chunked or whatever in transit, so you have to be
>able to reconstruct it exactly. Only canonicalization can ensure
>perfect reconstruction.
>
>Anne 
>
>On 7/28/05, Dennis Sosnoski <dm...@sosnoski.com> wrote:
>  
>
>>Thanks for the pointers, Anne, I'll check out the documents.
>>
>>As to the issue of attachments not being part of the Infoset - honestly,
>>that seems a much cleaner approach to me than making them look like
>>base64 encoding, as done by MTOM. WS-Security (which in turn builds on
>>XML Signature, which uses XML Canonicalization) is one of the most Rube
>>Goldberg-ish contraptions in the history of technology. It's the
>>equivalent of writing your data out in longhand on a whiteboard, taking
>>a Polaroid of the whiteboard, signing that, and enclosing it with the
>>transmission. The main beneficiaries of WS-Security would seem to be the
>>manufacturers of XML appliances, which suddenly have a huge potential
>>market.
>>
>>IMHO there's no reason why WS-Security couldn't have been designed with
>>attachments in mind, and implemented the sensible approach of just
>>encrypting or signing the binary format directly.
>>
>>  - Dennis
>>

Re: WSDL with attachments

Posted by Anne Thomas Manes <at...@gmail.com>.
I agree with you that the XML gateway appliance vendors will benefit
from widespread adoption of WS-Security. <grin>

I'm not an expert in security, although I do know enough to know that
it's a remarkably complex topic. The security gods have reached the
conclusion that the best way to ensure end-to-end security and to
reduce security vulnerabilities when dealing with attachments is to
make them part of the SOAP message infoset. The documents I cited can
tell you why -- but you need a pretty deep understanding of security
threats and countermeasures to truly understand them. (I'm definitely
on shaky ground when reading them.)

XML Signature requires XML Canonicalization because you absolutely
need to make sure that not one bit in the message changes to replicate
and validate a signature. That's just the way it is. The message may
get compressed or chunked or whatever in transit, so you have to be
able to reconstruct it exactly. Only canonicalization can ensure
perfect reconstruction.

Anne 

On 7/28/05, Dennis Sosnoski <dm...@sosnoski.com> wrote:
> Thanks for the pointers, Anne, I'll check out the documents.
> 
> As to the issue of attachments not being part of the Infoset - honestly,
> that seems a much cleaner approach to me than making them look like
> base64 encoding, as done by MTOM. WS-Security (which in turn builds on
> XML Signature, which uses XML Canonicalization) is one of the most Rube
> Goldberg-ish contraptions in the history of technology. It's the
> equivalent of writing your data out in longhand on a whiteboard, taking
> a Polaroid of the whiteboard, signing that, and enclosing it with the
> transmission. The main beneficiaries of WS-Security would seem to be the
> manufacturers of XML appliances, which suddenly have a huge potential
> market.
> 
> IMHO there's no reason why WS-Security couldn't have been designed with
> attachments in mind, and implemented the sensible approach of just
> encrypting or signing the binary format directly.
> 
>   - Dennis
> 
> Anne Thomas Manes wrote:
> 
> >I believe that the vulnerabilities are outlined in the WS-I Security
> >Challenges, Threats and Countermeasures document
> >(http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf).
> >You might also check the OASIS WS-Security Attachment Profile draft.
> >
> >The same security vulnerabilities apply to WS-Attachments and DIME.
> >The gist of the problem is that SwA and WS-Attachment attachments
> >aren't part of the SOAP Infoset and therefore aren't protected by
> >WS-Security. MIME is slightly more vulnerable because you can't secure
> >the MIME headers except via SSL/TLS.
> >
> >I think Microsoft's point, though, is that there's no incentive to
> >implement support for SwA because it is being superseded by MTOM.
> >
> >Anne
> >
> >On 7/28/05, Dennis Sosnoski <dm...@sosnoski.com> wrote:
> >
> >
> >>Anne Thomas Manes wrote:
> >>
> >>
> >>
> >>>Unfortunately, Microsoft does not and will not support SwA, therefore
> >>>Microsoft does not and will not support the WS-I Attachment Profile
> >>>1.0. (SwA has some inherent security vulnerabilities, so I understand
> >>>Microsoft's position on this point.)
> >>>
> >>>
> >>>
> >>Can you supply any pointers on the SwA security vulnerabilities, Anne? I
> >>didn't find anything in a quick search.
> >>
> >>  - Dennis
> >>
> >>
> >>
> >
> >
> >
>
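
The canonicalization point discussed in the two messages above (byte-exact reconstruction, and namespace prefixes affecting the signed text), as an added example that is not part of the original thread. It uses Python's standard-library C14N 2.0 as a stand-in for the canonicalization algorithms XML Signature used at the time and SHA-256 as a stand-in digest; the sample documents and function names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample messages (not taken from the thread).
DOC_A = (f'<soap:Envelope xmlns:soap="{NS}"><soap:Body>'
         '<pay amount="10" currency="USD"/></soap:Body></soap:Envelope>')
# Same content as DOC_A, different text: attribute order, quote style,
# whitespace inside the start tag, explicit end tag for the empty element.
DOC_B = (f"<soap:Envelope xmlns:soap='{NS}' ><soap:Body>"
         "<pay currency='USD' amount='10'></pay></soap:Body></soap:Envelope>")
# Same content as DOC_A, but the namespace prefix is renamed soap -> s,
# as an intermediary or a different serializer might do.
DOC_C = DOC_A.replace("soap:", "s:").replace("xmlns:soap", "xmlns:s")


def sha256_hex(text: str) -> str:
    """Digest of the exact character sequence, as a signature would see it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def c14n(xml_text: str, rewrite_prefixes: bool = False) -> str:
    """Canonical form; prefixes are preserved unless rewrite_prefixes is set."""
    return ET.canonicalize(xml_text, rewrite_prefixes=rewrite_prefixes)


def compare(a: str, b: str) -> dict:
    """Report whether two serializations yield the same digest at each level."""
    return {
        # Digest over the raw text: any serialization difference breaks it.
        "raw": sha256_hex(a) == sha256_hex(b),
        # Digest over the canonical form: syntax noise is normalized away,
        # but the prefix chosen by the sender is still part of the text.
        "c14n": sha256_hex(c14n(a)) == sha256_hex(c14n(b)),
        # Canonical form with prefixes rewritten to n0, n1, ...: closer to
        # comparing content than text.
        "c14n_prefix_rewrite":
            sha256_hex(c14n(a, True)) == sha256_hex(c14n(b, True)),
    }


if __name__ == "__main__":
    print("A vs B (syntax only):   ", compare(DOC_A, DOC_B))
    print("A vs C (prefix renamed):", compare(DOC_A, DOC_C))
```
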

Re: WSDL with attachments

Posted by Dennis Sosnoski <dm...@sosnoski.com>.
Thanks for the pointers, Anne, I'll check out the documents.

As to the issue of attachments not being part of the Infoset - honestly, 
that seems a much cleaner approach to me than making them look like 
base64 encoding, as done by MTOM. WS-Security (which in turn builds on 
XML Signature, which uses XML Canonicalization) is one of the most Rube 
Goldberg-ish contraptions in the history of technology. It's the 
equivalent of writing your data out in longhand on a whiteboard, taking 
a Polaroid of the whiteboard, signing that, and enclosing it with the 
transmission. The main beneficiaries of WS-Security would seem to be the 
manufacturers of XML appliances, which suddenly have a huge potential 
market.

IMHO there's no reason why WS-Security couldn't have been designed with 
attachments in mind, and implemented the sensible approach of just 
encrypting or signing the binary format directly.

  - Dennis

Anne Thomas Manes wrote:

>I believe that the vulnerabilities are outlined in the WS-I Security
>Challenges, Threats and Countermeasures document
>(http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf).
>You might also check the OASIS WS-Security Attachment Profile draft.
>
>The same security vulnerabilities apply to WS-Attachments and DIME.
>The gist of the problem is that SwA and WS-Attachment attachments
>aren't part of the SOAP Infoset and therefore aren't protected by
>WS-Security. MIME is slightly more vulnerable because you can't secure
>the MIME headers except via SSL/TLS.
>
>I think Microsoft's point, though, is that there's no incentive to
>implement support for SwA because it is being superseded by MTOM.
>
>Anne
>
>On 7/28/05, Dennis Sosnoski <dm...@sosnoski.com> wrote:
>  
>
>>Anne Thomas Manes wrote:
>>
>>    
>>
>>>Unfortunately, Microsoft does not and will not support SwA, therefore
>>>Microsoft does not and will not support the WS-I Attachment Profile
>>>1.0. (SwA has some inherent security vulnerabilities, so I understand
>>>Microsoft's position on this point.)
>>>
>>>      
>>>
>>Can you supply any pointers on the SwA security vulnerabilities, Anne? I
>>didn't find anything in a quick search.
>>
>>  - Dennis
>>
>>    
>>
>
>  
>

Re: WSDL with attachments

Posted by Anne Thomas Manes <at...@gmail.com>.
I believe that the vulnerabilities are outlined in the WS-I Security
Challenges, Threats and Countermeasures document
(http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf).
You might also check the OASIS WS-Security Attachment Profile draft.

The same security vulnerabilities apply to WS-Attachments and DIME.
The gist of the problem is that SwA and WS-Attachment attachments
aren't part of the SOAP Infoset and therefore aren't protected by
WS-Security. MIME is slightly more vulnerable because you can't secure
the MIME headers except via SSL/TLS.

I think Microsoft's point, though, is that there's no incentive to
implement support for SwA because it is being superseded by MTOM.

Anne

On 7/28/05, Dennis Sosnoski <dm...@sosnoski.com> wrote:
> Anne Thomas Manes wrote:
> 
> >Unfortunately, Microsoft does not and will not support SwA, therefore
> >Microsoft does not and will not support the WS-I Attachment Profile
> >1.0. (SwA has some inherent security vulnerabilities, so I understand
> >Microsoft's position on this point.)
> >
> Can you supply any pointers on the SwA security vulnerabilities, Anne? I
> didn't find anything in a quick search.
> 
>   - Dennis
>
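
The coverage gap described in the message above (SwA attachments sit outside the SOAP Infoset, and MIME headers are not covered), as an added example that is not part of the original thread. It models "what the signature covers" as a set of SHA-256 digests rather than a real WS-Security signature; the message contents, Content-ID values and function names are constructed for illustration.

```python
import hashlib
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed SOAP envelope that refers to the attachment by Content-ID.
ENVELOPE = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body><submit><doc href="cid:report@example.test"/></submit>'
            '</soap:Body></soap:Envelope>')


def build_swa(attachment: bytes, subtype: str = "pdf",
              filename: str = "report.pdf") -> MIMEMultipart:
    """Package the envelope and one attachment as multipart/related (SwA)."""
    msg = MIMEMultipart("related", type="text/xml")
    root = MIMEText(ENVELOPE, "xml", "utf-8")
    root["Content-ID"] = "<envelope@example.test>"
    part = MIMEApplication(attachment, subtype)
    part["Content-ID"] = "<report@example.test>"
    part.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(root)
    msg.attach(part)
    return msg


def content_digest(part) -> str:
    """Digest of a MIME part's decoded content only (headers excluded)."""
    return hashlib.sha256(part.get_payload(decode=True)).hexdigest()


def signed_view(msg: MIMEMultipart, cover_attachments: bool) -> tuple:
    """Digests a signature would protect: the envelope, plus attachment
    content when cover_attachments is set (an assumed extension)."""
    root, *attachments = msg.get_payload()
    covered = [content_digest(root)]
    if cover_attachments:
        covered += [content_digest(p) for p in attachments]
    return tuple(covered)


def detects_change(sent, received, cover_attachments: bool) -> bool:
    """True if the receiver's recomputed digests differ from the sender's."""
    return (signed_view(sent, cover_attachments)
            != signed_view(received, cover_attachments))


def coverage_report() -> dict:
    sent = build_swa(b"%PDF-1.4 constructed sample")
    new_content = build_swa(b"different bytes")
    new_headers = build_swa(b"%PDF-1.4 constructed sample",
                            subtype="octet-stream", filename="report.bin")
    return {
        "content change, envelope-only signature":
            detects_change(sent, new_content, False),
        "content change, attachment content covered":
            detects_change(sent, new_content, True),
        "MIME header change, attachment content covered":
            detects_change(sent, new_headers, True),
    }


if __name__ == "__main__":
    for case, detected in coverage_report().items():
        print(f"{case}: {'detected' if detected else 'NOT detected'}")
```
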

Re: WSDL with attachments

Posted by Dennis Sosnoski <dm...@sosnoski.com>.
Anne Thomas Manes wrote:

>Unfortunately, Microsoft does not and will not support SwA, therefore
>Microsoft does not and will not support the WS-I Attachment Profile
>1.0. (SwA has some inherent security vulnerabilities, so I understand
>Microsoft's position on this point.) 
>
Can you supply any pointers on the SwA security vulnerabilities, Anne? I 
didn't find anything in a quick search.

  - Dennis

Re: WSDL with attachments

Posted by Anne Thomas Manes <at...@gmail.com>.
Just to clarify:

WS-I Attachment Profile 1.0 describes how to send attachments with
SOAP 1.1 messages  based on the SOAP with Attachments (SwA)
specification using MIME packaging. WS-I endorsed SwA because it is
more broadly implemented than any other attachment mechanism. Keep in
mind that SwA is not a "standard". It has not been ratified by a
standards group. The specification also does not define a WSDL
extension, therefore there was no specification for how to define
attachments in WSDL until WS-I defined the profile. Adoption of the
WS-I Attachments profile has been somewhat slow.

Unfortunately, Microsoft does not and will not support SwA, therefore
Microsoft does not and will not support the WS-I Attachment Profile
1.0. (SwA has some inherent security vulnerabilities, so I understand
Microsoft's position on this point.) Microsoft WSE 2.0 supports
attachments in SOAP 1.1 using WS-Attachments and DIME packaging.
(WS-attachments is also not a "standard".) WSE 3.0 supports SOAP 1.1
attachments using WS-Attachments/DIME and SOAP 1.2 attachments using
MTOM/MIME.

Unlike SwA and WS-Attachments, MTOM is a standard -- it is a W3C
Recommendation. But MTOM is specified to work with SOAP 1.2. That
kinda leaves us at an impasse for SOAP 1.1 attachments. As I said at
the beginning of this thread, my recommendation is "don't use
attachments".

Anne

On 7/26/05, Steve Loughran <st...@apache.org> wrote:
> Tony Opatha wrote:
> >     I agree SOAP with (MIME) Attachment is probably more interoperable
> >     than DIME.
> >
> >     However, keep in mind that WS-I BP 1.1 has a SOAP Attachment Profile 1.0
> >     finalized since last year.
> >
> >     I believe currently WS-BP 1.1 is being supported by some commercial
> >     SOAP vendors with SOAP Attachment Profile 1.0.
> >
> >     However, AXIS does not support WS-BP 1.1 nor does it support SOAP
> >     Attachment Profile; this support will be available in AXIS 2.0.
> >
> >     On the other hand, in gSOAP there seems to be some support for WS-BP 1.1.
> >
> >     I think it was a mistake for AXIS 1.2 not to have support for WS BP 1.1.
> >
> >     AXIS 2 may be months (or who knows may be more than a year) from
> >     being released as final release, and having such support in AXIS 1.x
> >     would have
> >     been a great opportunity towards interoperable web services.
> >
> >
> 
> Tony,
> 
> Remember that Axis is a community project. You are free to add missing
> features, and contribute them back. Without such contributions, yes,
> Axis will lack things you need.
> 
> On an unrelated note, I WS BP1.1 is not a cure for interop problems. It
> avoided taking any stance on which subset of XSD to use, and by
> mandating how to do attachments (MTOM) that was not in any
> implementation, rendered it impossible for full compliance to be possible.
> 
> -stefve
>

Re: WSDL with attachments

Posted by Steve Loughran <st...@apache.org>.
Tony Opatha wrote:
>     I agree SOAP with (MIME) Attachment is probably more interoperable
>     than DIME.
>      
>     However, keep in mind that WS-I BP 1.1 has a SOAP Attachment Profile 1.0
>     finalized since last year.
>      
>     I believe currently WS-BP 1.1 is being supported by some commercial
>     SOAP vendors with SOAP Attachment Profile 1.0.
>      
>     However, AXIS does not support WS-BP 1.1 nor does it support SOAP
>     Attachment Profile; this support will be available in AXIS 2.0.
>      
>     On the other hand, in gSOAP there seems to be some support for WS-BP 1.1.
>      
>     I think it was a mistake for AXIS 1.2 not to have support for WS BP 1.1.
>      
>     AXIS 2 may be months (or who knows may be more than a year) from
>     being released as final release, and having such support in AXIS 1.x
>     would have
>     been a great opportunity towards interoperable web services.
>      
>      

Tony,

Remember that Axis is a community project. You are free to add missing 
features, and contribute them back. Without such contributions, yes,
Axis will lack things you need.

On an unrelated note, I WS BP1.1 is not a cure for interop problems. It 
avoided taking any stance on which subset of XSD to use, and by 
mandating how to do attachments (MTOM) that was not in any 
implementation, rendered it impossible for full compliance to be possible.

-stefve