Posted to users@cxf.apache.org by COURTAULT Francois <Fr...@gemalto.com> on 2012/10/10 15:41:37 UTC

RE: Regression with UT over HTTPS on 2.6.1

Hello,

It is an old topic but Company X people claim that they are right (meaning that they are compliant to the spec).
They said if you look at WSS security schema located at: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd
     - At one point, we have:
			<xs:element name="HttpsToken" type="tns:TokenAssertionType">
				<xs:annotation>
					<xs:documentation xml:lang="en">5.4.10 HttpsToken Assertion</xs:documentation>
				</xs:annotation>
			</xs:element>		
     - At another location, we have:
			<xs:complexType name="TokenAssertionType">
				<xs:sequence>
					<xs:choice minOccurs="0">
						<xs:element name="Issuer" type="wsa:EndpointReferenceType"/>
						<xs:element name="IssuerName" type="xs:anyURI"/>
					</xs:choice>
			<!--
			Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
			<xs:element ref="wsp:Policy" minOccurs="0" />
			-->

					<xs:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax"/>
				</xs:sequence>
				<xs:attribute ref="tns:IncludeToken" use="optional"/>
				<xs:anyAttribute namespace="##any" processContents="lax"/>
			</xs:complexType>


According to the comment above <xs:element ref="wsp:Policy" minOccurs="0" />, they said that:
        <sp:TransportToken>
          <wsp:Policy>
            <sp:HttpsToken/>
          </wsp:Policy>
        </sp:TransportToken>

is valid and compliant to the ws security policy schema !

What should I believe ? The spec ? The schema ? Who is wrong ?

Best Regards.

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: mercredi 30 mai 2012 09:56
To: users@cxf.apache.org
Subject: Re: Regression with UT over HTTPS on 2.6.1

Yes that looks right.

Colm.

On Wed, May 30, 2012 at 8:12 AM, COURTAULT Francois < Francois.COURTAULT@gemalto.com> wrote:

> Hello everyone,
>
> You are right, I made a mistake in the extract policy I have sent.
> So could you confirm that the right section is:
>         <sp:TransportToken>
>          <wsp:Policy>
>            <sp:HttpsToken>
>                <wsp:Policy/>
>            </sp:HttpsToken>
>           </wsp:Policy>
>        </sp:TransportToken>
>
> Instead of:
>        <sp:TransportToken>
>          <wsp:Policy>
>            <sp:HttpsToken/>
>          </wsp:Policy>
>        </sp:TransportToken>
> ?
>
> Best Regards.
>
> -----Original Message-----
> From: Glen Mazza [mailto:gmazza@talend.com]
> Sent: mardi 29 mai 2012 20:33
> To: users@cxf.apache.org
> Subject: Re: Regression with UT over HTTPS on 2.6.1
>
> No, I believe Colm was rather clear that a new ws:Policy element needs 
> to be added as a child element of the sp:HttpsToken (if you break it 
> up into two parts: <sp:HttpsToken> and </sp:HttpsToken> it might be clearer
> for you.)   Not as a sibling element to the <sp:HttpsToken/> as you have
> it below.
>
> Glen
>
>
> On 05/29/2012 12:46 PM, COURTAULT Francois wrote:
> > Resending ...
> >
> > -----Original Message-----
> > From: COURTAULT Francois [mailto:Francois.COURTAULT@gemalto.com]
> > Sent: lundi 28 mai 2012 19:36
> > To: coheigea@apache.org
> > Cc: users@cxf.apache.org
> > Subject: RE: Regression with UT over HTTPS on 2.6.1
> >
> > Hello,
> >
> > Sorry, you mean that in the policy file, I should have
> >        <sp:TransportToken>
> >          <wsp:Policy>
> >            <sp:HttpsToken/>
> >               <wsp:Policy/>
> >          </wsp:Policy>
> >        </sp:TransportToken>
> >
> > Instead of:
> >        <sp:TransportToken>
> >          <wsp:Policy>
> >            <sp:HttpsToken/>
> >          </wsp:Policy>
> >        </sp:TransportToken>
> >
> > Right ?
> >
> > Best Regards.
> >
> > From: COURTAULT Francois
> > Sent: lundi 28 mai 2012 17:25
> > To: 'coheigea@apache.org'
> > Cc: users@cxf.apache.org
> > Subject: RE: Regression with UT over HTTPS on 2.6.1
> >
> > Hello,
> >
> > But there is one in the policy I have sent to you.
> > Extract:
> >       <sp:TransportToken>
> >          <wsp:Policy>
> >            <sp:HttpsToken/>
> >            </wsp:Policy>
> >        </sp:TransportToken>
> >
> > So what's wrong ?
> >
> > Best Regards.
> >
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: lundi 28 mai 2012 17:19
> > To: COURTAULT Francois
> > Cc: users@cxf.apache.org<ma...@cxf.apache.org>
> > Subject: Re: Regression with UT over HTTPS on 2.6.1
> >
> > wsp:Policy is still required by the following fragment:
> >
> > <wsp:Policy xmlns:wsp="...">
> >     (
> >       <sp:HttpBasicAuthentication />  |
> >       <sp:HttpDigestAuthentication />  |
> >       <sp:RequireClientCertificate />  |
> >       ...
> >     )?
> >
> > the "?" refers to the children of the Policy. So HttpsToken must still have a <wsp:Policy> child element, the fact that the children are all optional is irrelevant.
> >
> > Colm.
> > On Mon, May 28, 2012 at 3:32 PM, COURTAULT Francois<
> Francois.COURTAULT@gemalto.com<ma...@gemalto.com>>
>  wrote:
> > Hello,
> >
> > I don't read the spec the same way as you, sorry.
> >
> > The spec says:
> > <sp:HttpsToken xmlns:sp="..." ...>
> >   (
> >
> >     <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>  |
> >
> >     <sp:IssuerName>xs:anyURI</sp:IssuerName>
> >
> >   ) ?
> >
> >   <wst:Claims Dialect="...">  ...</wst:Claims>  ?
> >
> >   <wsp:Policy xmlns:wsp="...">
> >     (
> >       <sp:HttpBasicAuthentication />  |
> >       <sp:HttpDigestAuthentication />  |
> >       <sp:RequireClientCertificate />  |
> >       ...
> >     )?
> >     ...
> >   </wsp:Policy>
> >   ...
> > </sp:HttpsToken>
> >
> > And "?" means 0 or 1
> > So, according to me, you can have <sp:HttpsToken.... with an empty <wsp:Policy /> policy.
> > Moreover, the spec says that:
> >     - /sp:HttpsToken/wsp:Policy/sp:HttpBasicAuthentication is OPTIONAL
> >     - /sp:HttpsToken/wsp:Policy/sp:HttpDigestAuthentication is OPTIONAL
> >     - /sp:HttpsToken/wsp:Policy/sp:RequireClientCertificate is OPTIONAL
> > Which is coherent with the ?
> >
> > So ??????
> >
> > Best Regards.
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh
> > [mailto:coheigea@apache.org<ma...@apache.org>]
> > Sent: lundi 28 mai 2012 15:39
> > To: COURTAULT Francois
> > Cc: users@cxf.apache.org<ma...@cxf.apache.org>
> > Subject: Re: Regression with UT over HTTPS on 2.6.1
> >
> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html
> >
> > "sp:HttpsToken/wsp:Policy
> >
> > This REQUIRED element identifies additional requirements for use of the sp:HttpsToken assertion."
> >
> > Colm.
> >
> >
> > On Mon, May 28, 2012 at 2:33 PM, COURTAULT Francois<
> Francois.COURTAULT@gemalto.com<ma...@gemalto.com>>
>  wrote:
> >
> >> Hello,
> >>
> >> This means that the policy I have attached is not compliant: right?
> >> Could you give me please a pointer or the spec paragraph which 
> >> specifies this ?
> >>
> >> Best Regards.
> >>
> >> -----Original Message-----
> >> From: Colm O hEigeartaigh
> >> [mailto:coheigea@apache.org<ma...@apache.org>]
> >> Sent: lundi 28 mai 2012 15:18
> >> To: users@cxf.apache.org<ma...@cxf.apache.org>
> >> Subject: Re: Regression with UT over HTTPS on 2.6.1
> >>
> >> It's not a regression, but a stricter enforcement of the 
> >> WS-SecurityPolicy spec. You need to add a "<wsp:Policy/>" child to 
> >> the sp:HttpsToken element to be compliant.
> >>
> >> Colm.
> >>
> >> On Mon, May 28, 2012 at 1:12 PM, COURTAULT Francois< 
> >> Francois.COURTAULT@gemalto.com<mailto:Francois.COURTAULT@gemalto.co
> >> m>>
>  wrote:
> >>
> >>> Hello,
> >>>
> >>> With the same WSS policy used, attached,  at server side, I got this error:
> >>>
> >>> 28 mai 2012 14:08:43 org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
> >>>
> >>> ATTENTION: Failed to build the policy 'Wssp1.2-2007-Https-UsernameToken-Plain.xml':sp:HttpsToken/wsp:Policy must have a value
> >>>
> >>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: sp:HttpsToken/wsp:Policy must have a value
> >>>
> >>> whereas I didn't get any error on 2.5.4.
> >>>
> >>> Do I have to enter an issue in CXF 2.6.1 ?
> >>>
> >>> Best Regards.
> >>>
> >>
> >>
> >> --
> >> Colm O hEigeartaigh
> >>
> >> Talend Community Coder
> >> http://coders.talend.com
> >>
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>
>
> --
> Glen Mazza
> Talend Community Coders
> coders.talend.com
> blog: www.jroller.com/gmazza
>
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Regression with UT over HTTPS on 2.6.1

Posted by Colm O hEigeartaigh <co...@apache.org>.
It's fixed here: https://issues.apache.org/jira/browse/CXF-4558

Colm.

On Fri, Oct 12, 2012 at 8:51 AM, COURTAULT Francois <
Francois.COURTAULT@gemalto.com> wrote:

> Hello,
>
> So what will be the final decision ?
> I suppose that if CXF will relax on this topic, it will be included in the
> next CXF version: right ?
>
> Can someone confirm me that please ?
>
> Best Regards.
>
> -----Original Message-----
> From: Daniel Kulp [mailto:dkulp@apache.org]
> Sent: jeudi 11 octobre 2012 21:07
> To: users@cxf.apache.org; COURTAULT Francois
> Subject: Re: Regression with UT over HTTPS on 2.6.1
>
>
> On Oct 11, 2012, at 5:27 AM, COURTAULT Francois <
> Francois.COURTAULT@gemalto.com> wrote:
>
> > Hello,
> >
> > Any answer regarding this topic ?
>
> IMO:  in general, I consider the written text of the spec to be the
> definitive answer and thus the HttpsToken should have Policy child element
> in it for it to be a valid policy.  Any tooling and such that we provide
> (not that we do, but if we did) should definitely be generating the child
> Policy element.
>
> However, the more pragmatic side of me says that if the schema doesn't
> mandate it and there is another product that specifically isn't generating
> it, we should likely relax the check a bit, possibly down to a
> Log.warn(...), to allow the interoperability.
>
> That's my opinion though.
>
> Dan
>
>
>
> >
> > Best Regards.
> >
> > -----Original Message-----
> > From: COURTAULT Francois [mailto:Francois.COURTAULT@gemalto.com]
> > Sent: mercredi 10 octobre 2012 17:20
> > To: users@cxf.apache.org; coheigea@apache.org
> > Subject: RE: Regression with UT over HTTPS on 2.6.1
> >
> > Hello,
> >
> > Regarding the spec errata, this is also my understanding (eg the HttpsToken must have a Policy child).
> > But what about the ws security policy schema ?  Is this schema compliant to the spec ?
> > One simple test is to check if the policy which causes the issue with CXF 2.6.1 is valid against this schema: what do you think ?
> > In fact, I have checked with Eclipse. It seems that the policy file with the following section:
> >  <sp:TransportBinding>
> >       <wsp:Policy>
> >               <sp:TransportToken>
> >                       <wsp:Policy>
> >                               <sp:HttpsToken/>
> >                       </wsp:Policy>
> >               </sp:TransportToken>
> >               <sp:AlgorithmSuite>
> >                       <wsp:Policy>
> >                               <sp:Basic256/>
> >                       </wsp:Policy>
> >               </sp:AlgorithmSuite>
> >               <sp:Layout>
> >                       <wsp:Policy>
> >                               <sp:Lax/>
> >                       </wsp:Policy>
> >               </sp:Layout>
> >               <sp:IncludeTimestamp/>
> >       </wsp:Policy>
> >  </sp:TransportBinding>
> >
> > is well formed and valid against the ws security policy schema available at http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd which seems to be in contradiction with the spec :-( ?????  BUG in the schema ?
> >
> > Regarding the interop topic, this is an issue between an application server using Metro and a CXF client (2.6.1).
> >
> > Best Regards.
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: mercredi 10 octobre 2012 16:01
> > To: COURTAULT Francois
> > Cc: users@cxf.apache.org
> > Subject: Re: Regression with UT over HTTPS on 2.6.1
> >
> > Hi,
> >
> > My interpretation is that the comment associated with TokenAssertionType
> defined in the schema does not trump the specification requirements. The
> errata for WS-SecurityPolicy 1.2 still requires that a HttpsToken have a
> Policy child:
> >
> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/errata01/os/ws-securitypolicy-1.2-errata01-os-complete.pdf
> >
> > Having said that, if this is causing interop problems with WCF I'm
> willing to reconsider. Does anyone else have an opinion on this?
> >
> > Colm.
> >
> > On Wed, Oct 10, 2012 at 2:41 PM, COURTAULT Francois <
> Francois.COURTAULT@gemalto.com> wrote:
> >
> >> Hello,
> >>
> >> It is an old topic but Company X people claims that are right
> >> (meaning that they are compliant to the spec).
> >> They said if you look at WSS security schema located at:
> >>
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd
> >>     - At one point, we have:
> >>                        <xs:element name="HttpsToken"
> >> type="tns:TokenAssertionType">
> >>                                <xs:annotation>
> >>                                        <xs:documentation
> >> xml:lang="en">5.4.10 HttpsToken Assertion</xs:documentation>
> >>                                </xs:annotation>
> >>                        </xs:element>
> >>     - At another location, we have:
> >>                        <xs:complexType name="TokenAssertionType">
> >>                                <xs:sequence>
> >>                                        <xs:choice minOccurs="0">
> >>                                                <xs:element name="Issuer"
> >> type="wsa:EndpointReferenceType"/>
> >>                                                <xs:element
> >> name="IssuerName" type="xs:anyURI"/>
> >>                                        </xs:choice>
> >>                        <!--
> >>                        Actual content model is non-deterministic,
> >> hence wildcard. The following shows intended content model:
> >>                        <xs:element ref="wsp:Policy" minOccurs="0" />
> >>                        -->
> >>
> >>                                        <xs:any minOccurs="0"
> >> maxOccurs="unbounded" namespace="##other" processContents="lax"/>
> >>                                </xs:sequence>
> >>                                <xs:attribute ref="tns:IncludeToken"
> >> use="optional"/>
> >>                                <xs:anyAttribute namespace="##any"
> >> processContents="lax"/>
> >>                        </xs:complexType>
> >>
> >>
> >> According to the comment above <xs:element ref="wsp:Policy"
> minOccurs="0"
> >> />, they said that:
> >>        <sp:TransportToken>
> >>          <wsp:Policy>
> >>            <sp:HttpsToken/>
> >>          </wsp:Policy>
> >>        </sp:TransportToken>
> >>
> >> is valid and compliant to the ws security policy schema !
> >>
> >> What should I believe ? The spec ? The schema ? Who is wrong ?
> >>
> >> Best Regards.
> >>
> >> -----Original Message-----
> >> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> >> Sent: mercredi 30 mai 2012 09:56
> >> To: users@cxf.apache.org
> >> Subject: Re: Regression with UT over HTTPS on 2.6.1
> >>
> >> Yes that looks right.
> >>
> >> Colm.
> >>
> >> On Wed, May 30, 2012 at 8:12 AM, COURTAULT Francois <
> >> Francois.COURTAULT@gemalto.com> wrote:
> >>
> >>> Hello everyone,
> >>>
> >>> You are right, I made a mistake in the extract policy I have sent.
> >>> So could you confirm that the right section is:
> >>>        <sp:TransportToken>
> >>>         <wsp:Policy>
> >>>           <sp:HttpsToken>
> >>>               <wsp:Policy/>
> >>>           </sp:HttpsToken>
> >>>          </wsp:Policy>
> >>>       </sp:TransportToken>
> >>>
> >>> Instead of:
> >>>       <sp:TransportToken>
> >>>         <wsp:Policy>
> >>>           <sp:HttpsToken/>
> >>>         </wsp:Policy>
> >>>       </sp:TransportToken>
> >>> ?
> >>>
> >>> Best Regards.
> >>>
> >>> -----Original Message-----
> >>> From: Glen Mazza [mailto:gmazza@talend.com]
> >>> Sent: mardi 29 mai 2012 20:33
> >>> To: users@cxf.apache.org
> >>> Subject: Re: Regression with UT over HTTPS on 2.6.1
> >>>
> >>> No, I believe Colm was rather clear that a new ws:Policy element
> >>> needs to be added as a child element of the sp:HttpsToken (if you
> >>> break it up into two parts: <sp:HttpsToken> and </sp:HttpsToken> it
> >>> might be
> >> clearer
> >>> for you.)   Not as a sibling element to the <sp:HttpsToken/> as you
> have
> >>> it below.
> >>>
> >>> Glen
> >>>
> >>>
> >>> On 05/29/2012 12:46 PM, COURTAULT Francois wrote:
> >>>> Resending ...
> >>>>
> >>>> -----Original Message-----
> >>>> From: COURTAULT Francois [mailto:Francois.COURTAULT@gemalto.com]
> >>>> Sent: lundi 28 mai 2012 19:36
> >>>> To: coheigea@apache.org
> >>>> Cc: users@cxf.apache.org
> >>>> Subject: RE: Regression with UT over HTTPS on 2.6.1
> >>>>
> >>>> Hello,
> >>>>
> >>>> Sorry, you mean that in the policy file, I should have
> >>>>       <sp:TransportToken>
> >>>>         <wsp:Policy>
> >>>>           <sp:HttpsToken/>
> >>>>              <wsp:Policy/>
> >>>>         </wsp:Policy>
> >>>>       </sp:TransportToken>
> >>>>
> >>>> Instead of:
> >>>>       <sp:TransportToken>
> >>>>         <wsp:Policy>
> >>>>           <sp:HttpsToken/>
> >>>>         </wsp:Policy>
> >>>>       </sp:TransportToken>
> >>>>
> >>>> Right ?
> >>>>
> >>>> Best Regards.
> >>>>
> >>>> From: COURTAULT Francois
> >>>> Sent: lundi 28 mai 2012 17:25
> >>>> To: 'coheigea@apache.org'
> >>>> Cc: users@cxf.apache.org
> >>>> Subject: RE: Regression with UT over HTTPS on 2.6.1
> >>>>
> >>>> Hello,
> >>>>
> >>>> But there is one in the policy I have sent to you.
> >>>> Extract:
> >>>>      <sp:TransportToken>
> >>>>         <wsp:Policy>
> >>>>           <sp:HttpsToken/>
> >>>>           </wsp:Policy>
> >>>>       </sp:TransportToken>
> >>>>
> >>>> So what's wrong ?
> >>>>
> >>>> Best Regards.
> >>>>
> >>>> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> >>>> Sent: lundi 28 mai 2012 17:19
> >>>> To: COURTAULT Francois
> >>>> Cc: users@cxf.apache.org<ma...@cxf.apache.org>
> >>>> Subject: Re: Regression with UT over HTTPS on 2.6.1
> >>>>
> >>>> wsp:Policy is still required by the following fragment:
> >>>>
> >>>> <wsp:Policy xmlns:wsp="...">
> >>>>    (
> >>>>      <sp:HttpBasicAuthentication />  |
> >>>>      <sp:HttpDigestAuthentication />  |
> >>>>      <sp:RequireClientCertificate />  |
> >>>>      ...
> >>>>    )?
> >>>>
> >>>> the "?" refers to the children of the Policy. So HttpsToken must
> >>>> still
> >>> have a<wsp:Policy>  child element, the fact that the children are
> >>> all optional is irrelevant.
> >>>>
> >>>> Colm.
> >>>> On Mon, May 28, 2012 at 3:32 PM, COURTAULT Francois<
> >>> Francois.COURTAULT@gemalto.com<mailto:Francois.COURTAULT@gemalto.com
> >>>>>
> >>> wrote:
> >>>> Hello,
> >>>>
> >>>> I don't read the spec the same way than you, sorry.
> >>>>
> >>>> The spec says:
> >>>> <sp:HttpsToken xmlns:sp="..." ...>
> >>>>  (
> >>>>
> >>>>    <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>  |
> >>>>
> >>>>    <sp:IssuerName>xs:anyURI</sp:IssuerName>
> >>>>
> >>>>  ) ?
> >>>>
> >>>>  <wst:Claims Dialect="...">  ...</wst:Claims>  ?
> >>>>
> >>>>  <wsp:Policy xmlns:wsp="...">
> >>>>    (
> >>>>      <sp:HttpBasicAuthentication />  |
> >>>>      <sp:HttpDigestAuthentication />  |
> >>>>      <sp:RequireClientCertificate />  |
> >>>>      ...
> >>>>    )?
> >>>>    ...
> >>>>  </wsp:Policy>
> >>>>  ...
> >>>> </sp:HttpsToken>
> >>>>
> >>>> And "?" means 0 or 1
> >>>> So, according to me, you can have<sp:HttpsToken.... with an
> >>> empty<wsp:Policy />  policy.
> >>>> More, the spec that:
> >>>>    - /sp:HttpsToken/wsp:Policy/sp:HttpBasicAuthentication is OPTIONAL
> >>>>    - /sp:HttpsToken/wsp:Policy/sp:HttpDigestAuthentication is OPTIONAL
> >>>>    - /sp:HttpsToken/wsp:Policy/sp:RequireClientCertificate is
> >>>> OPTIONAL
> >>> Which is coherent with the ?
> >>>>
> >>>> So ??????
> >>>>
> >>>> Best Regards.
> >>>>
> >>>> -----Original Message-----
> >>>> From: Colm O hEigeartaigh
> >>>> [mailto:coheigea@apache.org<ma...@apache.org>]
> >>>> Sent: lundi 28 mai 2012 15:39
> >>>> To: COURTAULT Francois
> >>>> Cc: users@cxf.apache.org<ma...@cxf.apache.org>
> >>>> Subject: Re: Regression with UT over HTTPS on 2.6.1
> >>>>
> >>>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html
> >>>>
> >>>> "sp:HttpsToken/wsp:Policy
> >>>>
> >>>> This REQUIRED element identifies additional requirements for use of the sp:HttpsToken assertion."
> >>>>
> >>>> Colm.
> >>>>
> >>>>
> >>>> On Mon, May 28, 2012 at 2:33 PM, COURTAULT Francois<
> >>> Francois.COURTAULT@gemalto.com<mailto:Francois.COURTAULT@gemalto.com
> >>>>>
> >>> wrote:
> >>>>
> >>>>> Hello,
> >>>>>
> >>>>> This means that the policy I have attached is not compliant: right?
> >>>>> Could you give me please a pointer or the spec paragraph which
> >>>>> specifies this ?
> >>>>>
> >>>>> Best Regards.
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: Colm O hEigeartaigh
> >>>>> [mailto:coheigea@apache.org<ma...@apache.org>]
> >>>>> Sent: lundi 28 mai 2012 15:18
> >>>>> To: users@cxf.apache.org<ma...@cxf.apache.org>
> >>>>> Subject: Re: Regression with UT over HTTPS on 2.6.1
> >>>>>
> >>>>> It's not a regression, but a stricter enforcement of the
> >>>>> WS-SecurityPolicy spec. You need to add a "<wsp:Policy/>" child to
> >>>>> the sp:HttpsToken element to be compliant.
> >>>>>
> >>>>> Colm.
> >>>>>
> >>>>> On Mon, May 28, 2012 at 1:12 PM, COURTAULT Francois<
> >>>>> Francois.COURTAULT@gemalto.com<mailto:Francois.COURTAULT@gemalto.
> >>>>> co
> >>>>> m>>
> >>> wrote:
> >>>>>
> >>>>>> Hello,
> >>>>>>
> >>>>>> With the same WSS policy used, attached,  at server side, I got this error:
> >>>>>>
> >>>>>> 28 mai 2012 14:08:43 org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
> >>>>>>
> >>>>>> ATTENTION: Failed to build the policy 'Wssp1.2-2007-Https-UsernameToken-Plain.xml':sp:HttpsToken/wsp:Policy must have a value
> >>>>>>
> >>>>>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: sp:HttpsToken/wsp:Policy must have a value
> >>>>>>
> >>>>>> whereas I didn't get any error on 2.5.4.
> >>>>>>
> >>>>>> Do I have to enter an issue in CXF 2.6.1 ?
> >>>>>>
> >>>>>> Best Regards.
> >>>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Colm O hEigeartaigh
> >>>>>
> >>>>> Talend Community Coder
> >>>>> http://coders.talend.com
> >>>>>
> >>>>
> >>>>
> >>>> --
> >>>> Colm O hEigeartaigh
> >>>>
> >>>> Talend Community Coder
> >>>> http://coders.talend.com
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Colm O hEigeartaigh
> >>>>
> >>>> Talend Community Coder
> >>>> http://coders.talend.com
> >>>
> >>>
> >>> --
> >>> Glen Mazza
> >>> Talend Community Coders
> >>> coders.talend.com
> >>> blog: www.jroller.com/gmazza
> >>>
> >>>
> >>
> >>
> >> --
> >> Colm O hEigeartaigh
> >>
> >> Talend Community Coder
> >> http://coders.talend.com
> >>
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>
> --
> Daniel Kulp
> dkulp@apache.org - http://dankulp.com/blog
> Talend Community Coder - http://coders.talend.com
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
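
Added example (not part of the thread and not CXF code): a small Python lint for the disagreement discussed above, which flags every sp:HttpsToken that lacks a wsp:Policy child, distinguishes the sibling-placement mistake, and either fails hard or only logs a warning. The function names, status strings and logger name are hypothetical; the WS-Policy namespace URIs are the standard ones and are assumed, since the thread elides them, and the sample fragments are constructed from the snippets in the thread.

```python
import logging
import xml.etree.ElementTree as ET

log = logging.getLogger("policy_lint")  # hypothetical logger name

# WS-SecurityPolicy 1.2 namespace, as in the schema URL quoted in the thread.
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
# Assumption: the policy uses one of the two standard WS-Policy namespaces.
WSP_NS = ("http://schemas.xmlsoap.org/ws/2004/09/policy",
          "http://www.w3.org/ns/ws-policy")
POLICY_TAGS = {"{%s}Policy" % ns for ns in WSP_NS}
HTTPS_TOKEN = "{%s}HttpsToken" % SP_NS
# Client-authentication assertions listed in the spec fragment quoted in the thread.
AUTH_ASSERTIONS = ("HttpBasicAuthentication", "HttpDigestAuthentication",
                   "RequireClientCertificate")


class PolicyError(ValueError):
    """Raised in strict mode, mirroring the hard failure reported for CXF 2.6.1."""


def inspect_https_tokens(policy_xml):
    """Return one dict per sp:HttpsToken: its status and its client-auth assertions."""
    root = ET.fromstring(policy_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    results = []
    for token in root.iter(HTTPS_TOKEN):
        nested = [child for child in token if child.tag in POLICY_TAGS]
        if nested:
            # Spec-compliant shape: report which HTTP-level authentication it demands.
            auth = [name for name in AUTH_ASSERTIONS
                    if next(nested[0].iter("{%s}%s" % (SP_NS, name)), None) is not None]
            results.append({"status": "ok", "auth": auth})
            continue
        # No child Policy: is an empty wsp:Policy sitting next to the token instead?
        parent = parent_of.get(token)
        siblings = list(parent) if parent is not None else [token]
        following = siblings[siblings.index(token) + 1:]
        misplaced = bool(following) and following[0].tag in POLICY_TAGS
        status = "sibling-policy" if misplaced else "missing-policy"
        results.append({"status": status, "auth": []})
    return results


def check_policy(policy_xml, strict=True):
    """strict=True rejects the policy; strict=False only logs a warning per finding."""
    results = inspect_https_tokens(policy_xml)
    for result in results:
        if result["status"] == "ok":
            continue
        message = "sp:HttpsToken/wsp:Policy must have a value (%s)" % result["status"]
        if strict:
            raise PolicyError(message)
        log.warning(message)
    return results


def sample(inner):
    """Constructed sample: wrap a fragment from the thread with namespace declarations."""
    return ('<sp:TransportToken xmlns:sp="%s" xmlns:wsp="%s"><wsp:Policy>%s'
            '</wsp:Policy></sp:TransportToken>' % (SP_NS, WSP_NS[0], inner))


# Schema-valid per the thread, but without the Policy child the spec text requires.
EMPTY_TOKEN = sample("<sp:HttpsToken/>")
# The misreading corrected in the thread: Policy as a sibling, not a child.
SIBLING_POLICY = sample("<sp:HttpsToken/><wsp:Policy/>")
# The form confirmed as right in the thread.
CHILD_POLICY = sample("<sp:HttpsToken><wsp:Policy/></sp:HttpsToken>")
# A token whose nested policy demands a client certificate.
CLIENT_CERT = sample("<sp:HttpsToken><wsp:Policy><sp:RequireClientCertificate/>"
                     "</wsp:Policy></sp:HttpsToken>")

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name in ("EMPTY_TOKEN", "SIBLING_POLICY", "CHILD_POLICY", "CLIENT_CERT"):
        print(name, check_policy(globals()[name], strict=False))
```

With `strict=False` the empty token is accepted with a warning and an empty `auth` list, which makes visible that such a policy states no HTTP-level client authentication requirement.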

RE: Regression with UT over HTTPS on 2.6.1

Posted by COURTAULT Francois <Fr...@gemalto.com>.
Hello,

So what will be the final decision ?
I suppose that if CXF will relax on this topic, it will be included in the next CXF version: right ?

Can someone confirm that for me please ?

Best Regards.

-----Original Message-----
From: Daniel Kulp [mailto:dkulp@apache.org]
Sent: jeudi 11 octobre 2012 21:07
To: users@cxf.apache.org; COURTAULT Francois
Subject: Re: Regression with UT over HTTPS on 2.6.1


On Oct 11, 2012, at 5:27 AM, COURTAULT Francois <Fr...@gemalto.com> wrote:

> Hello,
>
> Any answer regarding this topic ?

IMO:  in general, I consider the written text of the spec to be the definitive answer and thus the HttpsToken should have Policy child element in it for it to be a valid policy.  Any tooling and such that we provide (not that we do, but if we did) should definitely be generating the child Policy element.

However, the more pragmatic side of me says that if the schema doesn't mandate it and there is another product that specifically isn't generating it, we should likely relax the check a bit, possibly down to a Log.warn(...), to allow the interoperability.

That's my opinion though.

Dan



>
> Best Regards.
>
> -----Original Message-----
> From: COURTAULT Francois [mailto:Francois.COURTAULT@gemalto.com]
> Sent: mercredi 10 octobre 2012 17:20
> To: users@cxf.apache.org; coheigea@apache.org
> Subject: RE: Regression with UT over HTTPS on 2.6.1
>
> Hello,
>
> Regarding the spec errata, this is also my understanding (eg the HttpsToken must have a Policy child).
> But what about the ws security policy schema ?  Is this schema compliant to the spec ?
> One simple test is to check if the policy which causes the issue with CXF 2.6.1 is valid against this schema: what do you think ?
> In fact, I have checked with Eclipse. It seems that the policy file with the following section:
>  <sp:TransportBinding>
>       <wsp:Policy>
>               <sp:TransportToken>
>                       <wsp:Policy>
>                               <sp:HttpsToken/>
>                       </wsp:Policy>
>               </sp:TransportToken>
>               <sp:AlgorithmSuite>
>                       <wsp:Policy>
>                               <sp:Basic256/>
>                       </wsp:Policy>
>               </sp:AlgorithmSuite>
>               <sp:Layout>
>                       <wsp:Policy>
>                               <sp:Lax/>
>                       </wsp:Policy>
>               </sp:Layout>
>               <sp:IncludeTimestamp/>
>       </wsp:Policy>
>  </sp:TransportBinding>
>
> is well formed and valid against the ws security policy schema available at http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd which seems to be in contradiction with the spec :-( ?????  BUG in the schema ?
>
> Regarding the interop topic, this is an issue between an application server using Metro and a CXF client (2.6.1).
>
> Best Regards.
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: mercredi 10 octobre 2012 16:01
> To: COURTAULT Francois
> Cc: users@cxf.apache.org
> Subject: Re: Regression with UT over HTTPS on 2.6.1
>
> Hi,
>
> My interpretation is that the comment associated with TokenAssertionType defined in the schema does not trump the specification requirements. The errata for WS-SecurityPolicy 1.2 still requires that a HttpsToken have a Policy child:
>
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/errata01/os/ws-securitypolicy-1.2-errata01-os-complete.pdf
>
> Having said that, if this is causing interop problems with WCF I'm willing to reconsider. Does anyone else have an opinion on this?
>
> Colm.
>
> On Wed, Oct 10, 2012 at 2:41 PM, COURTAULT Francois < Francois.COURTAULT@gemalto.com> wrote:
>
>> Hello,
>>
>> It is an old topic but Company X people claims that are right
>> (meaning that they are compliant to the spec).
>> They said if you look at WSS security schema located at:
>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd
>>     - At one point, we have:
>>                        <xs:element name="HttpsToken"
>> type="tns:TokenAssertionType">
>>                                <xs:annotation>
>>                                        <xs:documentation
>> xml:lang="en">5.4.10 HttpsToken Assertion</xs:documentation>
>>                                </xs:annotation>
>>                        </xs:element>
>>     - At another location, we have:
>>                        <xs:complexType name="TokenAssertionType">
>>                                <xs:sequence>
>>                                        <xs:choice minOccurs="0">
>>                                                <xs:element name="Issuer"
>> type="wsa:EndpointReferenceType"/>
>>                                                <xs:element
>> name="IssuerName" type="xs:anyURI"/>
>>                                        </xs:choice>
>>                        <!--
>>                        Actual content model is non-deterministic,
>> hence wildcard. The following shows intended content model:
>>                        <xs:element ref="wsp:Policy" minOccurs="0" />
>>                        -->
>>
>>                                        <xs:any minOccurs="0"
>> maxOccurs="unbounded" namespace="##other" processContents="lax"/>
>>                                </xs:sequence>
>>                                <xs:attribute ref="tns:IncludeToken"
>> use="optional"/>
>>                                <xs:anyAttribute namespace="##any"
>> processContents="lax"/>
>>                        </xs:complexType>
>>
>>
>> According to the comment above <xs:element ref="wsp:Policy" minOccurs="0"
>> />, they said that:
>>        <sp:TransportToken>
>>          <wsp:Policy>
>>            <sp:HttpsToken/>
>>          </wsp:Policy>
>>        </sp:TransportToken>
>>
>> is valid and compliant to the ws security policy schema !
>>
>> What should I believe ? The spec ? The schema ? Who is wrong ?
>>
>> Best Regards.
>>
>> -----Original Message-----
>> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>> Sent: mercredi 30 mai 2012 09:56
>> To: users@cxf.apache.org
>> Subject: Re: Regression with UT over HTTPS on 2.6.1
>>
>> Yes that looks right.
>>
>> Colm.
>>
>> On Wed, May 30, 2012 at 8:12 AM, COURTAULT Francois <
>> Francois.COURTAULT@gemalto.com> wrote:
>>
>>> Hello everyone,
>>>
>>> You are right, I made a mistake in the extract policy I have sent.
>>> So could you confirm that the right section is:
>>>        <sp:TransportToken>
>>>         <wsp:Policy>
>>>           <sp:HttpsToken>
>>>               <wsp:Policy/>
>>>           </sp:HttpsToken>
>>>          </wsp:Policy>
>>>       </sp:TransportToken>
>>>
>>> Instead of:
>>>       <sp:TransportToken>
>>>         <wsp:Policy>
>>>           <sp:HttpsToken/>
>>>         </wsp:Policy>
>>>       </sp:TransportToken>
>>> ?
>>>
>>> Best Regards.
>>>
>>> -----Original Message-----
>>> From: Glen Mazza [mailto:gmazza@talend.com]
>>> Sent: mardi 29 mai 2012 20:33
>>> To: users@cxf.apache.org
>>> Subject: Re: Regression with UT over HTTPS on 2.6.1
>>>
>>> No, I believe Colm was rather clear that a new ws:Policy element
>>> needs to be added as a child element of the sp:HttpsToken (if you
>>> break it up into two parts: <sp:HttpsToken> and </sp:HttpsToken> it
>>> might be
>> clearer
>>> for you.)   Not as a sibling element to the <sp:HttpsToken/> as you have
>>> it below.
>>>
>>> Glen
>>>
>>>
>>> On 05/29/2012 12:46 PM, COURTAULT Francois wrote:
>>>> Resending ...
>>>>
>>>> -----Original Message-----
>>>> From: COURTAULT Francois [mailto:Francois.COURTAULT@gemalto.com]
>>>> Sent: lundi 28 mai 2012 19:36
>>>> To: coheigea@apache.org
>>>> Cc: users@cxf.apache.org
>>>> Subject: RE: Regression with UT over HTTPS on 2.6.1
>>>>
>>>> Hello,
>>>>
>>>> Sorry, you mean that in the policy file, I should have
>>>>       <sp:TransportToken>
>>>>         <wsp:Policy>
>>>>           <sp:HttpsToken/>
>>>>              <wsp:Policy/>
>>>>         </wsp:Policy>
>>>>       </sp:TransportToken>
>>>>
>>>> Instead of:
>>>>       <sp:TransportToken>
>>>>         <wsp:Policy>
>>>>           <sp:HttpsToken/>
>>>>         </wsp:Policy>
>>>>       </sp:TransportToken>
>>>>
>>>> Right ?
>>>>
>>>> Best Regards.
>>>>
>>>> From: COURTAULT Francois
>>>> Sent: lundi 28 mai 2012 17:25
>>>> To: 'coheigea@apache.org'
>>>> Cc: users@cxf.apache.org
>>>> Subject: RE: Regression with UT over HTTPS on 2.6.1
>>>>
>>>> Hello,
>>>>
>>>> But there is one in the policy I have sent to you.
>>>> Extract:
>>>>      <sp:TransportToken>
>>>>         <wsp:Policy>
>>>>           <sp:HttpsToken/>
>>>>           </wsp:Policy>
>>>>       </sp:TransportToken>
>>>>
>>>> So what's wrong ?
>>>>
>>>> Best Regards.
>>>>
>>>> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>>>> Sent: lundi 28 mai 2012 17:19
>>>> To: COURTAULT Francois
>>>> Cc: users@cxf.apache.org<ma...@cxf.apache.org>
>>>> Subject: Re: Regression with UT over HTTPS on 2.6.1
>>>>
>>>> wsp:Policy is still required by the following fragment:
>>>>
>>>> <wsp:Policy xmlns:wsp="...">
>>>>    (
>>>>      <sp:HttpBasicAuthentication />  |
>>>>      <sp:HttpDigestAuthentication />  |
>>>>      <sp:RequireClientCertificate />  |
>>>>      ...
>>>>    )?
>>>>
>>>> the "?" refers to the children of the Policy. So HttpsToken must
>>>> still have a <wsp:Policy> child element, the fact that the children
>>>> are all optional is irrelevant.
>>>>
>>>> Colm.
>>>> On Mon, May 28, 2012 at 3:32 PM, COURTAULT Francois<
>>> Francois.COURTAULT@gemalto.com<mailto:Francois.COURTAULT@gemalto.com
>>>>>
>>> wrote:
>>>> Hello,
>>>>
>>>> I don't read the spec the same way than you, sorry.
>>>>
>>>> The spec says:
>>>> <sp:HttpsToken xmlns:sp="..." ...>
>>>>  (
>>>>
>>>>    <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>  |
>>>>
>>>>    <sp:IssuerName>xs:anyURI</sp:IssuerName>
>>>>
>>>>  ) ?
>>>>
>>>>  <wst:Claims Dialect="...">  ...</wst:Claims>  ?
>>>>
>>>>  <wsp:Policy xmlns:wsp="...">
>>>>    (
>>>>      <sp:HttpBasicAuthentication />  |
>>>>      <sp:HttpDigestAuthentication />  |
>>>>      <sp:RequireClientCertificate />  |
>>>>      ...
>>>>    )?
>>>>    ...
>>>>  </wsp:Policy>
>>>>  ...
>>>> </sp:HttpsToken>
>>>>
>>>> And "?" means 0 or 1
>>>> So, according to me, you can have <sp:HttpsToken.... with an
>>>> empty <wsp:Policy /> policy.
>>>> More, the spec that:
>>>>    - /sp:HttpsToken/wsp:Policy/sp:HttpBasicAuthentication is OPTIONAL
>>>>    - /sp:HttpsToken/wsp:Policy/sp:HttpDigestAuthentication is OPTIONAL
>>>>    - /sp:HttpsToken/wsp:Policy/sp:RequireClientCertificate is OPTIONAL
>>>> Which is coherent with the ?
>>>>
>>>> So ??????
>>>>
>>>> Best Regards.
>>>>
>>>> -----Original Message-----
>>>> From: Colm O hEigeartaigh
>>>> [mailto:coheigea@apache.org<ma...@apache.org>]
>>>> Sent: lundi 28 mai 2012 15:39
>>>> To: COURTAULT Francois
>>>> Cc: users@cxf.apache.org<ma...@cxf.apache.org>
>>>> Subject: Re: Regression with UT over HTTPS on 2.6.1
>>>>
>>>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html
>>>>
>>>> "sp:HttpsToken/wsp:Policy
>>>>
>>>> This REQUIRED element identifies additional requirements for use of the
>>>> sp:HttpsToken assertion."
>>>>
>>>> Colm.
>>>>
>>>>
>>>> On Mon, May 28, 2012 at 2:33 PM, COURTAULT Francois<
>>> Francois.COURTAULT@gemalto.com<mailto:Francois.COURTAULT@gemalto.com
>>>>>
>>> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> This means that the policy I have attached is not compliant: right?
>>>>> Could you give me please a pointer or the spec paragraph which
>>>>> specifies this ?
>>>>>
>>>>> Best Regards.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Colm O hEigeartaigh
>>>>> [mailto:coheigea@apache.org<ma...@apache.org>]
>>>>> Sent: lundi 28 mai 2012 15:18
>>>>> To: users@cxf.apache.org<ma...@cxf.apache.org>
>>>>> Subject: Re: Regression with UT over HTTPS on 2.6.1
>>>>>
>>>>> It's not a regression, but a stricter enforcement of the
>>>>> WS-SecurityPolicy spec. You need to add a "<wsp:Policy/>" child to
>>>>> the sp:HttpsToken element to be compliant.
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Mon, May 28, 2012 at 1:12 PM, COURTAULT Francois <Francois.COURTAULT@gemalto.com> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> With the same WSS policy used, attached,  at server side, I got this error:
>>>>>>
>>>>>> 28 mai 2012 14:08:43 org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
>>>>>> ATTENTION: Failed to build the policy 'Wssp1.2-2007-Https-UsernameToken-Plain.xml':sp:HttpsToken/wsp:Policy must have a value
>>>>>>
>>>>>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: sp:HttpsToken/wsp:Policy must have a value
>>>>>>
>>>>>> whereas I didn't get any error on 2.5.4.
>>>>>>
>>>>>> Do I have to enter an issue in CXF 2.6.1 ?
>>>>>>
>>>>>> Best Regards.
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Colm O hEigeartaigh
>>>>>
>>>>> Talend Community Coder
>>>>> http://coders.talend.com
>>>>>
>>>>
>>>>
>>>> --
>>>> Colm O hEigeartaigh
>>>>
>>>> Talend Community Coder
>>>> http://coders.talend.com
>>>>
>>>>
>>>>
>>>> --
>>>> Colm O hEigeartaigh
>>>>
>>>> Talend Community Coder
>>>> http://coders.talend.com
>>>
>>>
>>> --
>>> Glen Mazza
>>> Talend Community Coders
>>> coders.talend.com
>>> blog: www.jroller.com/gmazza
>>>
>>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com


Re: Regression with UT over HTTPS on 2.6.1

Posted by Daniel Kulp <dk...@apache.org>.
On Oct 11, 2012, at 5:27 AM, COURTAULT Francois <Fr...@gemalto.com> wrote:

> Hello,
> 
> Any answer regarding this topic ?

IMO:  in general, I consider the written text of the spec to be the definitive answer and thus the HttpsToken should have a Policy child element in it for it to be a valid policy.  Any tooling and such that we provide (not that we do, but if we did) should definitely be generating the child Policy element.

However, the more pragmatic side of me says that if the schema doesn't mandate it and there is another product that specifically isn't generating it, we should likely relax the check a bit, possibly down to a Log.warn(…), to allow the interoperability.

That's my opinion though.

Dan



> 
> Best Regards.
> 
> -----Original Message-----
> From: COURTAULT Francois [mailto:Francois.COURTAULT@gemalto.com] 
> Sent: mercredi 10 octobre 2012 17:20
> To: users@cxf.apache.org; coheigea@apache.org
> Subject: RE: Regression with UT over HTTPS on 2.6.1
> 
> Hello,
> 
> Regarding the spec errata, this is also my understanding (eg the HttpsToken must have a Policy child).
> But what about the ws security policy schema ?  Is this schema compliant to the spec ?
> One simple test is to check if the policy which causes the issue with CXF 2.6.1 is valid against this schema: what do you think ?
> In fact, I have checked with Eclipse. It seems that the policy file with the following section:
>  <sp:TransportBinding>
>  	<wsp:Policy>
>  		<sp:TransportToken>
>  			<wsp:Policy>
>  				<sp:HttpsToken/>
>  			</wsp:Policy>
>  		</sp:TransportToken>
>  		<sp:AlgorithmSuite>
>  			<wsp:Policy>
>  				<sp:Basic256/>
>  			</wsp:Policy>
>  		</sp:AlgorithmSuite>
>  		<sp:Layout>
>  			<wsp:Policy>
>  				<sp:Lax/>
>  			</wsp:Policy>
>  		</sp:Layout>
>  		<sp:IncludeTimestamp/>
>  	</wsp:Policy>
>  </sp:TransportBinding>
> 
> is well formed and valid against the ws security policy schema available at http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd which seems to be in contradiction with the spec :-( ?????  BUG in the schema ?
> 
> Regarding the interop topic, this is an issue between an application server using Metro and a CXF client (2.6.1).
> 
> Best Regards.
> 
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: mercredi 10 octobre 2012 16:01
> To: COURTAULT Francois
> Cc: users@cxf.apache.org
> Subject: Re: Regression with UT over HTTPS on 2.6.1
> 
> Hi,
> 
> My interpretation is that the comment associated with TokenAssertionType defined in the schema does not trump the specification requirements. The errata for WS-SecurityPolicy 1.2 still requires that a HttpsToken have a Policy child:
> 
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/errata01/os/ws-securitypolicy-1.2-errata01-os-complete.pdf
> 
> Having said that, if this is causing interop problems with WCF I'm willing to reconsider. Does anyone else have an opinion on this?
> 
> Colm.
> 
> On Wed, Oct 10, 2012 at 2:41 PM, COURTAULT Francois < Francois.COURTAULT@gemalto.com> wrote:
> 
>> Hello,
>> 
>> It is an old topic but Company X people claim that they are right (meaning
>> that they are compliant to the spec).
>> They said if you look at WSS security schema located at:
>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd
>>     - At one point, we have:
>>                        <xs:element name="HttpsToken"
>> type="tns:TokenAssertionType">
>>                                <xs:annotation>
>>                                        <xs:documentation
>> xml:lang="en">5.4.10 HttpsToken Assertion</xs:documentation>
>>                                </xs:annotation>
>>                        </xs:element>
>>     - At another location, we have:
>>                        <xs:complexType name="TokenAssertionType">
>>                                <xs:sequence>
>>                                        <xs:choice minOccurs="0">
>>                                                <xs:element name="Issuer"
>> type="wsa:EndpointReferenceType"/>
>>                                                <xs:element 
>> name="IssuerName" type="xs:anyURI"/>
>>                                        </xs:choice>
>>                        <!--
>>                        Actual content model is non-deterministic, 
>> hence wildcard. The following shows intended content model:
>>                        <xs:element ref="wsp:Policy" minOccurs="0" />
>>                        -->
>> 
>>                                        <xs:any minOccurs="0"
>> maxOccurs="unbounded" namespace="##other" processContents="lax"/>
>>                                </xs:sequence>
>>                                <xs:attribute ref="tns:IncludeToken"
>> use="optional"/>
>>                                <xs:anyAttribute namespace="##any"
>> processContents="lax"/>
>>                        </xs:complexType>
>> 
>> 
>> According to the comment above <xs:element ref="wsp:Policy" minOccurs="0"
>> />, they said that:
>>        <sp:TransportToken>
>>          <wsp:Policy>
>>            <sp:HttpsToken/>
>>          </wsp:Policy>
>>        </sp:TransportToken>
>> 
>> is valid and compliant to the ws security policy schema !
>> 
>> What should I believe ? The spec ? The schema ? Who is wrong ?
>> 
>> Best Regards.
>> 
>> -----Original Message-----
>> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>> Sent: mercredi 30 mai 2012 09:56
>> To: users@cxf.apache.org
>> Subject: Re: Regression with UT over HTTPS on 2.6.1
>> 
>> Yes that looks right.
>> 
>> Colm.
>> 
>> On Wed, May 30, 2012 at 8:12 AM, COURTAULT Francois < 
>> Francois.COURTAULT@gemalto.com> wrote:
>> 
>>> Hello everyone,
>>> 
>>> You are right, I made a mistake in the extract policy I have sent.
>>> So could you confirm that the right section is:
>>>        <sp:TransportToken>
>>>         <wsp:Policy>
>>>           <sp:HttpsToken>
>>>               <wsp:Policy/>
>>>           </sp:HttpsToken>
>>>          </wsp:Policy>
>>>       </sp:TransportToken>
>>> 
>>> Instead of:
>>>       <sp:TransportToken>
>>>         <wsp:Policy>
>>>           <sp:HttpsToken/>
>>>         </wsp:Policy>
>>>       </sp:TransportToken>
>>> ?
>>> 
>>> Best Regards.
>>> 
>>> -----Original Message-----
>>> From: Glen Mazza [mailto:gmazza@talend.com]
>>> Sent: mardi 29 mai 2012 20:33
>>> To: users@cxf.apache.org
>>> Subject: Re: Regression with UT over HTTPS on 2.6.1
>>> 
>>> No, I believe Colm was rather clear that a new ws:Policy element
>>> needs to be added as a child element of the sp:HttpsToken (if you
>>> break it up into two parts: <sp:HttpsToken> and </sp:HttpsToken> it
>>> might be clearer for you.)   Not as a sibling element to the
>>> <sp:HttpsToken/> as you have it below.
>>> 
>>> Glen
>>> 
>>> 
>>> On 05/29/2012 12:46 PM, COURTAULT Francois wrote:
>>>> Resending ...
>>>> 
>>>> -----Original Message-----
>>>> From: COURTAULT Francois [mailto:Francois.COURTAULT@gemalto.com]
>>>> Sent: lundi 28 mai 2012 19:36
>>>> To: coheigea@apache.org
>>>> Cc: users@cxf.apache.org
>>>> Subject: RE: Regression with UT over HTTPS on 2.6.1
>>>> 
>>>> Hello,
>>>> 
>>>> Sorry, you mean that in the policy file, I should have
>>>>       <sp:TransportToken>
>>>>         <wsp:Policy>
>>>>           <sp:HttpsToken/>
>>>>              <wsp:Policy/>
>>>>         </wsp:Policy>
>>>>       </sp:TransportToken>
>>>> 
>>>> Instead of:
>>>>       <sp:TransportToken>
>>>>         <wsp:Policy>
>>>>           <sp:HttpsToken/>
>>>>         </wsp:Policy>
>>>>       </sp:TransportToken>
>>>> 
>>>> Right ?
>>>> 
>>>> Best Regards.
>>>> 
>>>> From: COURTAULT Francois
>>>> Sent: lundi 28 mai 2012 17:25
>>>> To: 'coheigea@apache.org'
>>>> Cc: users@cxf.apache.org
>>>> Subject: RE: Regression with UT over HTTPS on 2.6.1
>>>> 
>>>> Hello,
>>>> 
>>>> But there is one in the policy I have sent to you.
>>>> Extract:
>>>>      <sp:TransportToken>
>>>>         <wsp:Policy>
>>>>           <sp:HttpsToken/>
>>>>           </wsp:Policy>
>>>>       </sp:TransportToken>
>>>> 
>>>> So what's wrong ?
>>>> 
>>>> Best Regards.
>>>> 
>>>> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>>>> Sent: lundi 28 mai 2012 17:19
>>>> To: COURTAULT Francois
>>>> Cc: users@cxf.apache.org<ma...@cxf.apache.org>
>>>> Subject: Re: Regression with UT over HTTPS on 2.6.1
>>>> 
>>>> wsp:Policy is still required by the following fragment:
>>>> 
>>>> <wsp:Policy xmlns:wsp="...">
>>>>    (
>>>>      <sp:HttpBasicAuthentication />  |
>>>>      <sp:HttpDigestAuthentication />  |
>>>>      <sp:RequireClientCertificate />  |
>>>>      ...
>>>>    )?
>>>> 
>>>> the "?" refers to the children of the Policy. So HttpsToken must
>>>> still have a <wsp:Policy> child element, the fact that the children
>>>> are all optional is irrelevant.
>>>> 
>>>> Colm.
>>>> On Mon, May 28, 2012 at 3:32 PM, COURTAULT Francois<
>>> Francois.COURTAULT@gemalto.com<mailto:Francois.COURTAULT@gemalto.com
>>>>> 
>>> wrote:
>>>> Hello,
>>>> 
>>>> I don't read the spec the same way than you, sorry.
>>>> 
>>>> The spec says:
>>>> <sp:HttpsToken xmlns:sp="..." ...>
>>>>  (
>>>> 
>>>>    <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>  |
>>>> 
>>>>    <sp:IssuerName>xs:anyURI</sp:IssuerName>
>>>> 
>>>>  ) ?
>>>> 
>>>>  <wst:Claims Dialect="...">  ...</wst:Claims>  ?
>>>> 
>>>>  <wsp:Policy xmlns:wsp="...">
>>>>    (
>>>>      <sp:HttpBasicAuthentication />  |
>>>>      <sp:HttpDigestAuthentication />  |
>>>>      <sp:RequireClientCertificate />  |
>>>>      ...
>>>>    )?
>>>>    ...
>>>>  </wsp:Policy>
>>>>  ...
>>>> </sp:HttpsToken>
>>>> 
>>>> And "?" means 0 or 1
>>>> So, according to me, you can have <sp:HttpsToken.... with an
>>>> empty <wsp:Policy /> policy.
>>>> More, the spec that:
>>>>    - /sp:HttpsToken/wsp:Policy/sp:HttpBasicAuthentication is OPTIONAL
>>>>    - /sp:HttpsToken/wsp:Policy/sp:HttpDigestAuthentication is OPTIONAL
>>>>    - /sp:HttpsToken/wsp:Policy/sp:RequireClientCertificate is OPTIONAL
>>>> Which is coherent with the ?
>>>> 
>>>> So ??????
>>>> 
>>>> Best Regards.
>>>> 
>>>> -----Original Message-----
>>>> From: Colm O hEigeartaigh
>>>> [mailto:coheigea@apache.org<ma...@apache.org>]
>>>> Sent: lundi 28 mai 2012 15:39
>>>> To: COURTAULT Francois
>>>> Cc: users@cxf.apache.org<ma...@cxf.apache.org>
>>>> Subject: Re: Regression with UT over HTTPS on 2.6.1
>>>> 
>>>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html
>>>>
>>>> "sp:HttpsToken/wsp:Policy
>>>>
>>>> This REQUIRED element identifies additional requirements for use of the
>>>> sp:HttpsToken assertion."
>>>> 
>>>> Colm.
>>>> 
>>>> 
>>>> On Mon, May 28, 2012 at 2:33 PM, COURTAULT Francois<
>>> Francois.COURTAULT@gemalto.com<mailto:Francois.COURTAULT@gemalto.com
>>>>> 
>>> wrote:
>>>> 
>>>>> Hello,
>>>>> 
>>>>> This means that the policy I have attached is not compliant: right?
>>>>> Could you give me please a pointer or the spec paragraph which 
>>>>> specifies this ?
>>>>> 
>>>>> Best Regards.
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Colm O hEigeartaigh
>>>>> [mailto:coheigea@apache.org<ma...@apache.org>]
>>>>> Sent: lundi 28 mai 2012 15:18
>>>>> To: users@cxf.apache.org<ma...@cxf.apache.org>
>>>>> Subject: Re: Regression with UT over HTTPS on 2.6.1
>>>>> 
>>>>> It's not a regression, but a stricter enforcement of the 
>>>>> WS-SecurityPolicy spec. You need to add a "<wsp:Policy/>" child 
>>>>> to the sp:HttpsToken element to be compliant.
>>>>> 
>>>>> Colm.
>>>>> 
>>>>> On Mon, May 28, 2012 at 1:12 PM, COURTAULT Francois <Francois.COURTAULT@gemalto.com> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> With the same WSS policy used, attached,  at server side, I got this error:
>>>>>>
>>>>>> 28 mai 2012 14:08:43 org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
>>>>>> ATTENTION: Failed to build the policy 'Wssp1.2-2007-Https-UsernameToken-Plain.xml':sp:HttpsToken/wsp:Policy must have a value
>>>>>>
>>>>>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: sp:HttpsToken/wsp:Policy must have a value
>>>>>>
>>>>>> whereas I didn't get any error on 2.5.4.
>>>>>>
>>>>>> Do I have to enter an issue in CXF 2.6.1 ?
>>>>>>
>>>>>> Best Regards.
>>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> Colm O hEigeartaigh
>>>>> 
>>>>> Talend Community Coder
>>>>> http://coders.talend.com
>>>>> 
>>>> 
>>>> 
>>>> --
>>>> Colm O hEigeartaigh
>>>> 
>>>> Talend Community Coder
>>>> http://coders.talend.com
>>>> 
>>>> 
>>>> 
>>>> --
>>>> Colm O hEigeartaigh
>>>> 
>>>> Talend Community Coder
>>>> http://coders.talend.com
>>> 
>>> 
>>> --
>>> Glen Mazza
>>> Talend Community Coders
>>> coders.talend.com
>>> blog: www.jroller.com/gmazza
>>> 
>>> 
>> 
>> 
>> --
>> Colm O hEigeartaigh
>> 
>> Talend Community Coder
>> http://coders.talend.com
>> 
> 
> 
> 
> --
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com

-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
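
Dan's suggestion above (treat the missing child as an error, or relax the check down to a warning for interoperability) sketched as a standalone policy lint over the three fragments quoted in this thread. This is an added example, not CXF code and not code from any poster; the function names, finding labels and logger name are hypothetical, and the sample inputs are constructed.

```python
import logging
import xml.etree.ElementTree as ET
from collections import namedtuple

log = logging.getLogger("policy-lint")  # hypothetical logger name

# Namespace behind the ws-securitypolicy-1.2.xsd schema cited in the thread.
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
# WS-Policy 1.2 and 1.5 namespaces; either may be bound to the wsp prefix.
WSP_NS = ("http://schemas.xmlsoap.org/ws/2004/09/policy",
          "http://www.w3.org/ns/ws-policy")

HTTPS_TOKEN = "{%s}HttpsToken" % SP_NS
POLICY_TAGS = frozenset("{%s}Policy" % ns for ns in WSP_NS)

Finding = namedtuple("Finding", "kind detail")


class PolicyComplianceError(ValueError):
    """Raised in strict mode when an HttpsToken lacks its Policy child."""


def find_https_token_issues(policy_xml):
    """Return one Finding per sp:HttpsToken that has no wsp:Policy child."""
    # A policy file has no reason to carry a DTD; refuse it before parsing
    # so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in policy_xml:
        raise ValueError("policy files are not expected to carry a DTD")
    root = ET.fromstring(policy_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for token in root.iter(HTTPS_TOKEN):
        if any(child.tag in POLICY_TAGS for child in token):
            continue  # compliant: <sp:HttpsToken><wsp:Policy/></sp:HttpsToken>
        following = []
        parent = parent_of.get(token)
        if parent is not None:
            siblings = list(parent)
            following = siblings[siblings.index(token) + 1:]
        if following and following[0].tag in POLICY_TAGS:
            # The mistake corrected earlier in the thread: Policy placed
            # next to the token instead of inside it.
            findings.append(Finding(
                "policy-as-sibling",
                "wsp:Policy follows sp:HttpsToken as a sibling; "
                "it must be a child element"))
        else:
            # Schema-valid (the xs:any wildcard allows it) but not what the
            # spec text requires.
            findings.append(Finding(
                "missing-policy-child",
                "sp:HttpsToken has no wsp:Policy child element"))
    return findings


def check_policy(policy_xml, strict=True):
    """strict=True rejects the policy; strict=False only logs a warning."""
    findings = find_https_token_issues(policy_xml)
    if findings and strict:
        raise PolicyComplianceError("; ".join(f.detail for f in findings))
    for finding in findings:
        log.warning("%s: %s", finding.kind, finding.detail)
    return findings


def transport_token(inner):
    """Wrap a constructed fragment with the namespace declarations it needs."""
    return ('<sp:TransportToken xmlns:sp="%s" xmlns:wsp="%s"><wsp:Policy>%s'
            '</wsp:Policy></sp:TransportToken>' % (SP_NS, WSP_NS[0], inner))


# Constructed inputs mirroring the three forms discussed in the thread.
BARE = transport_token("<sp:HttpsToken/>")
SIBLING = transport_token("<sp:HttpsToken/><wsp:Policy/>")
NESTED = transport_token("<sp:HttpsToken><wsp:Policy/></sp:HttpsToken>")

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, doc in (("bare", BARE), ("sibling", SIBLING), ("nested", NESTED)):
        print(name, [f.kind for f in check_policy(doc, strict=False)])
```

Running the lint in lenient mode over policies received from a partner stack shows which ones would be rejected once strict mode is enabled.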


RE: Regression with UT over HTTPS on 2.6.1

Posted by COURTAULT Francois <Fr...@gemalto.com>.
Hello,

Any answer regarding this topic ?

Best Regards.

-----Original Message-----
From: COURTAULT Francois [mailto:Francois.COURTAULT@gemalto.com] 
Sent: mercredi 10 octobre 2012 17:20
To: users@cxf.apache.org; coheigea@apache.org
Subject: RE: Regression with UT over HTTPS on 2.6.1

Hello,

Regarding the spec errata, this is also my understanding (eg the HttpsToken must have a Policy child).
But what about the ws security policy schema ?  Is this schema compliant to the spec ?
One simple test is to check if the policy which causes the issue with CXF 2.6.1 is valid against this schema: what do you think ?
In fact, I have checked with Eclipse. It seems that the policy file with the following section:
  <sp:TransportBinding>
  	<wsp:Policy>
  		<sp:TransportToken>
  			<wsp:Policy>
  				<sp:HttpsToken/>
  			</wsp:Policy>
  		</sp:TransportToken>
  		<sp:AlgorithmSuite>
  			<wsp:Policy>
  				<sp:Basic256/>
  			</wsp:Policy>
  		</sp:AlgorithmSuite>
  		<sp:Layout>
  			<wsp:Policy>
  				<sp:Lax/>
  			</wsp:Policy>
  		</sp:Layout>
  		<sp:IncludeTimestamp/>
  	</wsp:Policy>
  </sp:TransportBinding>

is well formed and valid against the ws security policy schema available at http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd which seems to be in contradiction with the spec :-( ?????  BUG in the schema ?

Regarding the interop topic, this is an issue between an application server using Metro and a CXF client (2.6.1).

Best Regards.

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: mercredi 10 octobre 2012 16:01
To: COURTAULT Francois
Cc: users@cxf.apache.org
Subject: Re: Regression with UT over HTTPS on 2.6.1

Hi,

My interpretation is that the comment associated with TokenAssertionType defined in the schema does not trump the specification requirements. The errata for WS-SecurityPolicy 1.2 still requires that a HttpsToken have a Policy child:

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/errata01/os/ws-securitypolicy-1.2-errata01-os-complete.pdf

Having said that, if this is causing interop problems with WCF I'm willing to reconsider. Does anyone else have an opinion on this?

Colm.

On Wed, Oct 10, 2012 at 2:41 PM, COURTAULT Francois < Francois.COURTAULT@gemalto.com> wrote:

> Hello,
>
> It is an old topic but Company X people claim that they are right (meaning
> that they are compliant to the spec).
> They said if you look at WSS security schema located at:
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd
>      - At one point, we have:
>                         <xs:element name="HttpsToken"
> type="tns:TokenAssertionType">
>                                 <xs:annotation>
>                                         <xs:documentation
> xml:lang="en">5.4.10 HttpsToken Assertion</xs:documentation>
>                                 </xs:annotation>
>                         </xs:element>
>      - At another location, we have:
>                         <xs:complexType name="TokenAssertionType">
>                                 <xs:sequence>
>                                         <xs:choice minOccurs="0">
>                                                 <xs:element name="Issuer"
> type="wsa:EndpointReferenceType"/>
>                                                 <xs:element 
> name="IssuerName" type="xs:anyURI"/>
>                                         </xs:choice>
>                         <!--
>                         Actual content model is non-deterministic, 
> hence wildcard. The following shows intended content model:
>                         <xs:element ref="wsp:Policy" minOccurs="0" />
>                         -->
>
>                                         <xs:any minOccurs="0"
> maxOccurs="unbounded" namespace="##other" processContents="lax"/>
>                                 </xs:sequence>
>                                 <xs:attribute ref="tns:IncludeToken"
> use="optional"/>
>                                 <xs:anyAttribute namespace="##any"
> processContents="lax"/>
>                         </xs:complexType>
>
>
> According to the comment above <xs:element ref="wsp:Policy" minOccurs="0"
> />, they said that:
>         <sp:TransportToken>
>           <wsp:Policy>
>             <sp:HttpsToken/>
>           </wsp:Policy>
>         </sp:TransportToken>
>
> is valid and compliant to the ws security policy schema !
>
> What should I believe ? The spec ? The schema ? Who is wrong ?
>
> Best Regards.
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: mercredi 30 mai 2012 09:56
> To: users@cxf.apache.org
> Subject: Re: Regression with UT over HTTPS on 2.6.1
>
> Yes that looks right.
>
> Colm.
>
> On Wed, May 30, 2012 at 8:12 AM, COURTAULT Francois < 
> Francois.COURTAULT@gemalto.com> wrote:
>
> > Hello everyone,
> >
> > You are right, I made a mistake in the extract policy I have sent.
> > So could you confirm that the right section is:
> >         <sp:TransportToken>
> >          <wsp:Policy>
> >            <sp:HttpsToken>
> >                <wsp:Policy/>
> >            </sp:HttpsToken>
> >           </wsp:Policy>
> >        </sp:TransportToken>
> >
> > Instead of:
> >        <sp:TransportToken>
> >          <wsp:Policy>
> >            <sp:HttpsToken/>
> >          </wsp:Policy>
> >        </sp:TransportToken>
> > ?
> >
> > Best Regards.
> >
> > -----Original Message-----
> > From: Glen Mazza [mailto:gmazza@talend.com]
> > Sent: mardi 29 mai 2012 20:33
> > To: users@cxf.apache.org
> > Subject: Re: Regression with UT over HTTPS on 2.6.1
> >
> > No, I believe Colm was rather clear that a new ws:Policy element
> > needs to be added as a child element of the sp:HttpsToken (if you
> > break it up into two parts: <sp:HttpsToken> and </sp:HttpsToken> it
> > might be clearer for you.)   Not as a sibling element to the
> > <sp:HttpsToken/> as you have it below.
> >
> > Glen
> >
> >
> > On 05/29/2012 12:46 PM, COURTAULT Francois wrote:
> > > Resending ...
> > >
> > > -----Original Message-----
> > > From: COURTAULT Francois [mailto:Francois.COURTAULT@gemalto.com]
> > > Sent: lundi 28 mai 2012 19:36
> > > To: coheigea@apache.org
> > > Cc: users@cxf.apache.org
> > > Subject: RE: Regression with UT over HTTPS on 2.6.1
> > >
> > > Hello,
> > >
> > > Sorry, you mean that in the policy file, I should have
> > >        <sp:TransportToken>
> > >          <wsp:Policy>
> > >            <sp:HttpsToken/>
> > >               <wsp:Policy/>
> > >          </wsp:Policy>
> > >        </sp:TransportToken>
> > >
> > > Instead of:
> > >        <sp:TransportToken>
> > >          <wsp:Policy>
> > >            <sp:HttpsToken/>
> > >          </wsp:Policy>
> > >        </sp:TransportToken>
> > >
> > > Right ?
> > >
> > > Best Regards.
> > >
> > > From: COURTAULT Francois
> > > Sent: lundi 28 mai 2012 17:25
> > > To: 'coheigea@apache.org'
> > > Cc: users@cxf.apache.org
> > > Subject: RE: Regression with UT over HTTPS on 2.6.1
> > >
> > > Hello,
> > >
> > > But there is one in the policy I have sent to you.
> > > Extract:
> > >       <sp:TransportToken>
> > >          <wsp:Policy>
> > >            <sp:HttpsToken/>
> > >            </wsp:Policy>
> > >        </sp:TransportToken>
> > >
> > > So what's wrong ?
> > >
> > > Best Regards.
> > >
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: lundi 28 mai 2012 17:19
> > > To: COURTAULT Francois
> > > Cc: users@cxf.apache.org<ma...@cxf.apache.org>
> > > Subject: Re: Regression with UT over HTTPS on 2.6.1
> > >
> > > wsp:Policy is still required by the following fragment:
> > >
> > > <wsp:Policy xmlns:wsp="...">
> > >     (
> > >       <sp:HttpBasicAuthentication />  |
> > >       <sp:HttpDigestAuthentication />  |
> > >       <sp:RequireClientCertificate />  |
> > >       ...
> > >     )?
> > >
> > > the "?" refers to the children of the Policy. So HttpsToken must
> > > still have a <wsp:Policy> child element, the fact that the children
> > > are all optional is irrelevant.
> > >
> > > Colm.
> > > On Mon, May 28, 2012 at 3:32 PM, COURTAULT Francois<
> > Francois.COURTAULT@gemalto.com<mailto:Francois.COURTAULT@gemalto.com
> > >>
> >  wrote:
> > > Hello,
> > >
> > > I don't read the spec the same way than you, sorry.
> > >
> > > The spec says:
> > > <sp:HttpsToken xmlns:sp="..." ...>
> > >   (
> > >
> > >     <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>  |
> > >
> > >     <sp:IssuerName>xs:anyURI</sp:IssuerName>
> > >
> > >   ) ?
> > >
> > >   <wst:Claims Dialect="...">  ...</wst:Claims>  ?
> > >
> > >   <wsp:Policy xmlns:wsp="...">
> > >     (
> > >       <sp:HttpBasicAuthentication />  |
> > >       <sp:HttpDigestAuthentication />  |
> > >       <sp:RequireClientCertificate />  |
> > >       ...
> > >     )?
> > >     ...
> > >   </wsp:Policy>
> > >   ...
> > > </sp:HttpsToken>
> > >
> > > And "?" means 0 or 1
> > > So, according to me, you can have <sp:HttpsToken.... with an
> > > empty <wsp:Policy /> policy.
> > > More, the spec that:
> > >     - /sp:HttpsToken/wsp:Policy/sp:HttpBasicAuthentication is OPTIONAL
> > >     - /sp:HttpsToken/wsp:Policy/sp:HttpDigestAuthentication is OPTIONAL
> > >     - /sp:HttpsToken/wsp:Policy/sp:RequireClientCertificate is OPTIONAL
> > > Which is coherent with the ?
> > >
> > > So ??????
> > >
> > > Best Regards.
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh
> > > [mailto:coheigea@apache.org<ma...@apache.org>]
> > > Sent: lundi 28 mai 2012 15:39
> > > To: COURTAULT Francois
> > > Cc: users@cxf.apache.org<ma...@cxf.apache.org>
> > > Subject: Re: Regression with UT over HTTPS on 2.6.1
> > >
> > > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html
> > >
> > > "sp:HttpsToken/wsp:Policy
> > >
> > > This REQUIRED element identifies additional requirements for use of the
> > > sp:HttpsToken assertion."
> > >
> > > Colm.
> > >
> > >
> > > On Mon, May 28, 2012 at 2:33 PM, COURTAULT Francois<
> > Francois.COURTAULT@gemalto.com<mailto:Francois.COURTAULT@gemalto.com
> > >>
> >  wrote:
> > >
> > >> Hello,
> > >>
> > >> This means that the policy I have attached is not compliant: right?
> > >> Could you give me please a pointer or the spec paragraph which 
> > >> specifies this ?
> > >>
> > >> Best Regards.
> > >>
> > >> -----Original Message-----
> > >> From: Colm O hEigeartaigh
> > >> [mailto:coheigea@apache.org<ma...@apache.org>]
> > >> Sent: lundi 28 mai 2012 15:18
> > >> To: users@cxf.apache.org<ma...@cxf.apache.org>
> > >> Subject: Re: Regression with UT over HTTPS on 2.6.1
> > >>
> > >> It's not a regression, but a stricter enforcement of the 
> > >> WS-SecurityPolicy spec. You need to add a "<wsp:Policy/>" child 
> > >> to the sp:HttpsToken element to be compliant.
> > >>
> > >> Colm.
> > >>
> > >> On Mon, May 28, 2012 at 1:12 PM, COURTAULT Francois <Francois.COURTAULT@gemalto.com> wrote:
> > >>
> > >>> Hello,
> > >>>
> > >>> With the same WSS policy used, attached,  at server side, I got this error:
> > >>>
> > >>> 28 mai 2012 14:08:43 org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
> > >>> ATTENTION: Failed to build the policy 'Wssp1.2-2007-Https-UsernameToken-Plain.xml':sp:HttpsToken/wsp:Policy must have a value
> > >>>
> > >>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: sp:HttpsToken/wsp:Policy must have a value
> > >>>
> > >>> whereas I didn't get any error on 2.5.4.
> > >>>
> > >>> Do I have to enter an issue in CXF 2.6.1 ?
> > >>>
> > >>> Best Regards.
> > >>>
> > >>
> > >>
> > >> --
> > >> Colm O hEigeartaigh
> > >>
> > >> Talend Community Coder
> > >> http://coders.talend.com
> > >>
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> > >
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> >
> >
> > --
> > Glen Mazza
> > Talend Community Coders
> > coders.talend.com
> > blog: www.jroller.com/gmazza
> >
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: Regression with UT over HTTPS on 2.6.1

Posted by COURTAULT Francois <Fr...@gemalto.com>.
Hello,

Regarding the spec errata, this is also my understanding (e.g. the HttpsToken must have a Policy child).
But what about the ws security policy schema ? Is this schema compliant with the spec ?
One simple test is to check whether the policy which causes the issue with CXF 2.6.1 is valid against this schema: what do you think ?
In fact, I have checked with Eclipse. It seems that the policy file with the following section:
  <sp:TransportBinding>
  	<wsp:Policy>
  		<sp:TransportToken>
  			<wsp:Policy>
  				<sp:HttpsToken/>
  			</wsp:Policy>
  		</sp:TransportToken>
  		<sp:AlgorithmSuite>
  			<wsp:Policy>
  				<sp:Basic256/>
  			</wsp:Policy>
  		</sp:AlgorithmSuite>
  		<sp:Layout>
  			<wsp:Policy>
  				<sp:Lax/>
  			</wsp:Policy>
  		</sp:Layout>
  		<sp:IncludeTimestamp/>
  	</wsp:Policy>
  </sp:TransportBinding>

is well formed and valid against the ws security policy schema available at http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd which seems to be in contradiction with the spec :-( ?????  BUG in the schema ?

Regarding the interop topic, this is an issue between an application server using Metro and a CXF client (2.6.1).

Best Regards.

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: mercredi 10 octobre 2012 16:01
To: COURTAULT Francois
Cc: users@cxf.apache.org
Subject: Re: Regression with UT over HTTPS on 2.6.1

Hi,

My interpretation is that the comment associated with TokenAssertionType defined in the schema does not trump the specification requirements. The errata for WS-SecurityPolicy 1.2 still requires that a HttpsToken have a Policy child:

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/errata01/os/ws-securitypolicy-1.2-errata01-os-complete.pdf

Having said that, if this is causing interop problems with WCF I'm willing to reconsider. Does anyone else have an opinion on this?

Colm.

On Wed, Oct 10, 2012 at 2:41 PM, COURTAULT Francois < Francois.COURTAULT@gemalto.com> wrote:

> Hello,
>
> It is an old topic but Company X people claim that they are right (meaning
> that they are compliant to the spec).
> They said if you look at WSS security schema located at:
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd
>      - At one point, we have:
>           <xs:element name="HttpsToken" type="tns:TokenAssertionType">
>             <xs:annotation>
>               <xs:documentation xml:lang="en">5.4.10 HttpsToken Assertion</xs:documentation>
>             </xs:annotation>
>           </xs:element>
>      - At another location, we have:
>           <xs:complexType name="TokenAssertionType">
>             <xs:sequence>
>               <xs:choice minOccurs="0">
>                 <xs:element name="Issuer" type="wsa:EndpointReferenceType"/>
>                 <xs:element name="IssuerName" type="xs:anyURI"/>
>               </xs:choice>
>               <!--
>               Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
>               <xs:element ref="wsp:Policy" minOccurs="0" />
>               -->
>               <xs:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax"/>
>             </xs:sequence>
>             <xs:attribute ref="tns:IncludeToken" use="optional"/>
>             <xs:anyAttribute namespace="##any" processContents="lax"/>
>           </xs:complexType>
>
>
> According to the comment above <xs:element ref="wsp:Policy" minOccurs="0" />, they said that:
>         <sp:TransportToken>
>           <wsp:Policy>
>             <sp:HttpsToken/>
>           </wsp:Policy>
>         </sp:TransportToken>
>
> is valid and compliant to the ws security policy schema !
>
> What should I believe ? The spec ? The schema ? Who is wrong ?
>
> Best Regards.
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: mercredi 30 mai 2012 09:56
> To: users@cxf.apache.org
> Subject: Re: Regression with UT over HTTPS on 2.6.1
>
> Yes that looks right.
>
> Colm.
>
> On Wed, May 30, 2012 at 8:12 AM, COURTAULT Francois < 
> Francois.COURTAULT@gemalto.com> wrote:
>
> > Hello everyone,
> >
> > You are right, I made a mistake in the extract policy I have sent.
> > So could you confirm that the right section is:
> >         <sp:TransportToken>
> >          <wsp:Policy>
> >            <sp:HttpsToken>
> >                <wsp:Policy/>
> >            </sp:HttpsToken>
> >           </wsp:Policy>
> >        </sp:TransportToken>
> >
> > Instead of:
> >        <sp:TransportToken>
> >          <wsp:Policy>
> >            <sp:HttpsToken/>
> >          </wsp:Policy>
> >        </sp:TransportToken>
> > ?
> >
> > Best Regards.
> >
> > -----Original Message-----
> > From: Glen Mazza [mailto:gmazza@talend.com]
> > Sent: mardi 29 mai 2012 20:33
> > To: users@cxf.apache.org
> > Subject: Re: Regression with UT over HTTPS on 2.6.1
> >
> > No, I believe Colm was rather clear that a new ws:Policy element
> > needs to be added as a child element of the sp:HttpsToken (if you
> > break it up into two parts: <sp:HttpsToken> and </sp:HttpsToken> it
> > might be clearer for you.)  Not as a sibling element to the
> > <sp:HttpsToken/> as you have it below.
> >
> > Glen
> >
> >
> > On 05/29/2012 12:46 PM, COURTAULT Francois wrote:
> > > Resending ...
> > >
> > > -----Original Message-----
> > > From: COURTAULT Francois [mailto:Francois.COURTAULT@gemalto.com]
> > > Sent: lundi 28 mai 2012 19:36
> > > To: coheigea@apache.org
> > > Cc: users@cxf.apache.org
> > > Subject: RE: Regression with UT over HTTPS on 2.6.1
> > >
> > > Hello,
> > >
> > > Sorry, you mean that in the policy file, I should have
> > >        <sp:TransportToken>
> > >          <wsp:Policy>
> > >            <sp:HttpsToken/>
> > >               <wsp:Policy/>
> > >          </wsp:Policy>
> > >        </sp:TransportToken>
> > >
> > > Instead of:
> > >        <sp:TransportToken>
> > >          <wsp:Policy>
> > >            <sp:HttpsToken/>
> > >          </wsp:Policy>
> > >        </sp:TransportToken>
> > >
> > > Right ?
> > >
> > > Best Regards.
> > >
> > > From: COURTAULT Francois
> > > Sent: lundi 28 mai 2012 17:25
> > > To: 'coheigea@apache.org'
> > > Cc: users@cxf.apache.org
> > > Subject: RE: Regression with UT over HTTPS on 2.6.1
> > >
> > > Hello,
> > >
> > > But there is one in the policy I have sent to you.
> > > Extract:
> > >       <sp:TransportToken>
> > >          <wsp:Policy>
> > >            <sp:HttpsToken/>
> > >            </wsp:Policy>
> > >        </sp:TransportToken>
> > >
> > > So what's wrong ?
> > >
> > > Best Regards.
> > >
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: lundi 28 mai 2012 17:19
> > > To: COURTAULT Francois
> > > Cc: users@cxf.apache.org<ma...@cxf.apache.org>
> > > Subject: Re: Regression with UT over HTTPS on 2.6.1
> > >
> > > wsp:Policy is still required by the following fragment:
> > >
> > > <wsp:Policy xmlns:wsp="...">
> > >     (
> > >       <sp:HttpBasicAuthentication />  |
> > >       <sp:HttpDigestAuthentication />  |
> > >       <sp:RequireClientCertificate />  |
> > >       ...
> > >     )?
> > >
> > > > the "?" refers to the children of the Policy. So HttpsToken must
> > > > still have a <wsp:Policy> child element, the fact that the children
> > > > are all optional is irrelevant.
> > > >
> > > > Colm.
> > > > On Mon, May 28, 2012 at 3:32 PM, COURTAULT Francois
> > > > <Francois.COURTAULT@gemalto.com> wrote:
> > > Hello,
> > >
> > > I don't read the spec the same way than you, sorry.
> > >
> > > The spec says:
> > > <sp:HttpsToken xmlns:sp="..." ...>
> > >   (
> > >
> > >     <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>  |
> > >
> > >     <sp:IssuerName>xs:anyURI</sp:IssuerName>
> > >
> > >   ) ?
> > >
> > >   <wst:Claims Dialect="...">  ...</wst:Claims>  ?
> > >
> > >   <wsp:Policy xmlns:wsp="...">
> > >     (
> > >       <sp:HttpBasicAuthentication />  |
> > >       <sp:HttpDigestAuthentication />  |
> > >       <sp:RequireClientCertificate />  |
> > >       ...
> > >     )?
> > >     ...
> > >   </wsp:Policy>
> > >   ...
> > > </sp:HttpsToken>
> > >
> > > And "?" means 0 or 1
> > > > So, according to me, you can have <sp:HttpsToken.... with an
> > > > empty <wsp:Policy /> policy.
> > > > More, the spec says that:
> > > >     - /sp:HttpsToken/wsp:Policy/sp:HttpBasicAuthentication is OPTIONAL
> > > >     - /sp:HttpsToken/wsp:Policy/sp:HttpDigestAuthentication is OPTIONAL
> > > >     - /sp:HttpsToken/wsp:Policy/sp:RequireClientCertificate is OPTIONAL
> > > > Which is coherent with the ?
> > >
> > > So ??????
> > >
> > > Best Regards.
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh
> > > [mailto:coheigea@apache.org<ma...@apache.org>]
> > > Sent: lundi 28 mai 2012 15:39
> > > To: COURTAULT Francois
> > > Cc: users@cxf.apache.org<ma...@cxf.apache.org>
> > > Subject: Re: Regression with UT over HTTPS on 2.6.1
> > >
> > > > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html
> > > >
> > > > "sp:HttpsToken/wsp:Policy
> > > >
> > > > This REQUIRED element identifies additional requirements for use
> > > > of the sp:HttpsToken assertion."
> > > >
> > > > Colm.
> > > >
> > > >
> > > > On Mon, May 28, 2012 at 2:33 PM, COURTAULT Francois
> > > > <Francois.COURTAULT@gemalto.com> wrote:
> > >
> > >> Hello,
> > >>
> > >> This means that the policy I have attached is not compliant: right?
> > >> Could you give me please a pointer or the spec paragraph which 
> > >> specifies this ?
> > >>
> > >> Best Regards.
> > >>
> > >> -----Original Message-----
> > >> From: Colm O hEigeartaigh
> > >> [mailto:coheigea@apache.org<ma...@apache.org>]
> > >> Sent: lundi 28 mai 2012 15:18
> > >> To: users@cxf.apache.org<ma...@cxf.apache.org>
> > >> Subject: Re: Regression with UT over HTTPS on 2.6.1
> > >>
> > >> It's not a regression, but a stricter enforcement of the 
> > >> WS-SecurityPolicy spec. You need to add a "<wsp:Policy/>" child 
> > >> to the sp:HttpsToken element to be compliant.
> > >>
> > >> Colm.
> > >>
> > >> On Mon, May 28, 2012 at 1:12 PM, COURTAULT Francois
> > >> <Francois.COURTAULT@gemalto.com> wrote:
> > >>
> > >>> Hello,
> > >>>
> > >>> With the same WSS policy used, attached, at server side, I got this error:
> > >>>
> > >>> 28 mai 2012 14:08:43 org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
> > >>> ATTENTION: Failed to build the policy 'Wssp1.2-2007-Https-UsernameToken-Plain.xml':sp:HttpsToken/wsp:Policy must have a value
> > >>>
> > >>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: sp:HttpsToken/wsp:Policy must have a value
> > >>>
> > >>> whereas I didn't get any error on 2.5.4.
> > >>>
> > >>> Do I have to enter an issue in CXF 2.6.1 ?
> > >>>
> > >>> Best Regards.
> > >>>
> > >>
> > >>
> > >> --
> > >> Colm O hEigeartaigh
> > >>
> > >> Talend Community Coder
> > >> http://coders.talend.com
> > >>
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> > >
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> >
> >
> > --
> > Glen Mazza
> > Talend Community Coders
> > coders.talend.com
> > blog: www.jroller.com/gmazza
> >
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
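
As an added example (not part of the thread and not CXF code): a small Python lint for the rule argued over above, that every sp:HttpsToken must carry a wsp:Policy child. Schema validation cannot enforce this, because TokenAssertionType ends in an optional xs:any wildcard. The namespace URIs and the names lint_https_tokens and wrap_fragment are assumptions of this example, and the sample policies are constructed from the fragments quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions of this example (WS-SecurityPolicy 1.2/1.3
# and the two WS-Policy namespaces in common use); the thread elides them.
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP_NS = ("http://schemas.xmlsoap.org/ws/2004/09/policy",
          "http://www.w3.org/ns/ws-policy")

HTTPS_TOKEN = "{%s}HttpsToken" % SP_NS
POLICY_TAGS = {"{%s}Policy" % ns for ns in WSP_NS}


def lint_https_tokens(policy_xml):
    """Return one finding per sp:HttpsToken that lacks a wsp:Policy child.

    'policy-is-sibling': a wsp:Policy sits next to the token instead of
                         inside it (the mistake corrected in the thread).
    'missing-policy'   : no wsp:Policy child and none beside it either.
    Input is expected to be a trusted, local policy file.
    """
    root = ET.fromstring(policy_xml)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for token in root.iter(HTTPS_TOKEN):
        if any(child.tag in POLICY_TAGS for child in token):
            continue  # compliant: <sp:HttpsToken><wsp:Policy/></sp:HttpsToken>
        parent = parent_of.get(token)
        siblings = []
        if parent is not None:
            siblings = [s for s in parent if s is not token]
        if any(s.tag in POLICY_TAGS for s in siblings):
            findings.append("policy-is-sibling")
        else:
            findings.append("missing-policy")
    return findings


def wrap_fragment(inner, wsp_ns=WSP_NS[0]):
    # Constructed sample: the sp:TransportToken fragment from the thread with
    # namespace declarations added so that it parses on its own.
    return ('<sp:TransportToken xmlns:sp="%s" xmlns:wsp="%s"><wsp:Policy>%s'
            '</wsp:Policy></sp:TransportToken>' % (SP_NS, wsp_ns, inner))


# Constructed samples mirroring the three variants discussed in the thread.
SAMPLES = {
    "empty_token": wrap_fragment("<sp:HttpsToken/>"),
    "policy_as_sibling": wrap_fragment("<sp:HttpsToken/><wsp:Policy/>"),
    "policy_as_child": wrap_fragment(
        "<sp:HttpsToken><wsp:Policy/></sp:HttpsToken>"),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, lint_https_tokens(xml_text) or "ok")
```

Running such a check over policy files before an upgrade flags the documents that a schema validator accepts but a spec-strict policy builder rejects.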

Re: Regression with UT over HTTPS on 2.6.1

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,

My interpretation is that the comment associated with TokenAssertionType
defined in the schema does not trump the specification requirements. The
errata for WS-SecurityPolicy 1.2 still requires that a HttpsToken have a
Policy child:

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/errata01/os/ws-securitypolicy-1.2-errata01-os-complete.pdf

Having said that, if this is causing interop problems with WCF I'm willing
to reconsider. Does anyone else have an opinion on this?

Colm.

On Wed, Oct 10, 2012 at 2:41 PM, COURTAULT Francois <
Francois.COURTAULT@gemalto.com> wrote:

> Hello,
>
> It is an old topic but Company X people claim that they are right (meaning
> that they are compliant to the spec).
> They said if you look at WSS security schema located at:
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd
>      - At one point, we have:
>           <xs:element name="HttpsToken" type="tns:TokenAssertionType">
>             <xs:annotation>
>               <xs:documentation xml:lang="en">5.4.10 HttpsToken Assertion</xs:documentation>
>             </xs:annotation>
>           </xs:element>
>      - At another location, we have:
>           <xs:complexType name="TokenAssertionType">
>             <xs:sequence>
>               <xs:choice minOccurs="0">
>                 <xs:element name="Issuer" type="wsa:EndpointReferenceType"/>
>                 <xs:element name="IssuerName" type="xs:anyURI"/>
>               </xs:choice>
>               <!--
>               Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
>               <xs:element ref="wsp:Policy" minOccurs="0" />
>               -->
>               <xs:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax"/>
>             </xs:sequence>
>             <xs:attribute ref="tns:IncludeToken" use="optional"/>
>             <xs:anyAttribute namespace="##any" processContents="lax"/>
>           </xs:complexType>
>
>
> According to the comment above <xs:element ref="wsp:Policy" minOccurs="0" />, they said that:
>         <sp:TransportToken>
>           <wsp:Policy>
>             <sp:HttpsToken/>
>           </wsp:Policy>
>         </sp:TransportToken>
>
> is valid and compliant to the ws security policy schema !
>
> What should I believe ? The spec ? The schema ? Who is wrong ?
>
> Best Regards.
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: mercredi 30 mai 2012 09:56
> To: users@cxf.apache.org
> Subject: Re: Regression with UT over HTTPS on 2.6.1
>
> Yes that looks right.
>
> Colm.
>
> On Wed, May 30, 2012 at 8:12 AM, COURTAULT Francois <
> Francois.COURTAULT@gemalto.com> wrote:
>
> > Hello everyone,
> >
> > You are right, I made a mistake in the extract policy I have sent.
> > So could you confirm that the right section is:
> >         <sp:TransportToken>
> >          <wsp:Policy>
> >            <sp:HttpsToken>
> >                <wsp:Policy/>
> >            </sp:HttpsToken>
> >           </wsp:Policy>
> >        </sp:TransportToken>
> >
> > Instead of:
> >        <sp:TransportToken>
> >          <wsp:Policy>
> >            <sp:HttpsToken/>
> >          </wsp:Policy>
> >        </sp:TransportToken>
> > ?
> >
> > Best Regards.
> >
> > -----Original Message-----
> > From: Glen Mazza [mailto:gmazza@talend.com]
> > Sent: mardi 29 mai 2012 20:33
> > To: users@cxf.apache.org
> > Subject: Re: Regression with UT over HTTPS on 2.6.1
> >
> > No, I believe Colm was rather clear that a new ws:Policy element
> > needs to be added as a child element of the sp:HttpsToken (if you
> > break it up into two parts: <sp:HttpsToken> and </sp:HttpsToken> it
> > might be clearer for you.)  Not as a sibling element to the
> > <sp:HttpsToken/> as you have it below.
> >
> > Glen
> >
> >
> > On 05/29/2012 12:46 PM, COURTAULT Francois wrote:
> > > Resending ...
> > >
> > > -----Original Message-----
> > > From: COURTAULT Francois [mailto:Francois.COURTAULT@gemalto.com]
> > > Sent: lundi 28 mai 2012 19:36
> > > To: coheigea@apache.org
> > > Cc: users@cxf.apache.org
> > > Subject: RE: Regression with UT over HTTPS on 2.6.1
> > >
> > > Hello,
> > >
> > > Sorry, you mean that in the policy file, I should have
> > >        <sp:TransportToken>
> > >          <wsp:Policy>
> > >            <sp:HttpsToken/>
> > >               <wsp:Policy/>
> > >          </wsp:Policy>
> > >        </sp:TransportToken>
> > >
> > > Instead of:
> > >        <sp:TransportToken>
> > >          <wsp:Policy>
> > >            <sp:HttpsToken/>
> > >          </wsp:Policy>
> > >        </sp:TransportToken>
> > >
> > > Right ?
> > >
> > > Best Regards.
> > >
> > > From: COURTAULT Francois
> > > Sent: lundi 28 mai 2012 17:25
> > > To: 'coheigea@apache.org'
> > > Cc: users@cxf.apache.org
> > > Subject: RE: Regression with UT over HTTPS on 2.6.1
> > >
> > > Hello,
> > >
> > > But there is one in the policy I have sent to you.
> > > Extract:
> > >       <sp:TransportToken>
> > >          <wsp:Policy>
> > >            <sp:HttpsToken/>
> > >            </wsp:Policy>
> > >        </sp:TransportToken>
> > >
> > > So what's wrong ?
> > >
> > > Best Regards.
> > >
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: lundi 28 mai 2012 17:19
> > > To: COURTAULT Francois
> > > Cc: users@cxf.apache.org<ma...@cxf.apache.org>
> > > Subject: Re: Regression with UT over HTTPS on 2.6.1
> > >
> > > wsp:Policy is still required by the following fragment:
> > >
> > > <wsp:Policy xmlns:wsp="...">
> > >     (
> > >       <sp:HttpBasicAuthentication />  |
> > >       <sp:HttpDigestAuthentication />  |
> > >       <sp:RequireClientCertificate />  |
> > >       ...
> > >     )?
> > >
> > > > the "?" refers to the children of the Policy. So HttpsToken must
> > > > still have a <wsp:Policy> child element, the fact that the children
> > > > are all optional is irrelevant.
> > > >
> > > > Colm.
> > > > On Mon, May 28, 2012 at 3:32 PM, COURTAULT Francois
> > > > <Francois.COURTAULT@gemalto.com> wrote:
> > > Hello,
> > >
> > > I don't read the spec the same way than you, sorry.
> > >
> > > The spec says:
> > > <sp:HttpsToken xmlns:sp="..." ...>
> > >   (
> > >
> > >     <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>  |
> > >
> > >     <sp:IssuerName>xs:anyURI</sp:IssuerName>
> > >
> > >   ) ?
> > >
> > >   <wst:Claims Dialect="...">  ...</wst:Claims>  ?
> > >
> > >   <wsp:Policy xmlns:wsp="...">
> > >     (
> > >       <sp:HttpBasicAuthentication />  |
> > >       <sp:HttpDigestAuthentication />  |
> > >       <sp:RequireClientCertificate />  |
> > >       ...
> > >     )?
> > >     ...
> > >   </wsp:Policy>
> > >   ...
> > > </sp:HttpsToken>
> > >
> > > And "?" means 0 or 1
> > > > So, according to me, you can have <sp:HttpsToken.... with an
> > > > empty <wsp:Policy /> policy.
> > > > More, the spec says that:
> > > >     - /sp:HttpsToken/wsp:Policy/sp:HttpBasicAuthentication is OPTIONAL
> > > >     - /sp:HttpsToken/wsp:Policy/sp:HttpDigestAuthentication is OPTIONAL
> > > >     - /sp:HttpsToken/wsp:Policy/sp:RequireClientCertificate is OPTIONAL
> > > > Which is coherent with the ?
> > >
> > > So ??????
> > >
> > > Best Regards.
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh
> > > [mailto:coheigea@apache.org<ma...@apache.org>]
> > > Sent: lundi 28 mai 2012 15:39
> > > To: COURTAULT Francois
> > > Cc: users@cxf.apache.org<ma...@cxf.apache.org>
> > > Subject: Re: Regression with UT over HTTPS on 2.6.1
> > >
> > > > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html
> > > >
> > > > "sp:HttpsToken/wsp:Policy
> > > >
> > > > This REQUIRED element identifies additional requirements for use
> > > > of the sp:HttpsToken assertion."
> > > >
> > > > Colm.
> > > >
> > > >
> > > > On Mon, May 28, 2012 at 2:33 PM, COURTAULT Francois
> > > > <Francois.COURTAULT@gemalto.com> wrote:
> > >
> > >> Hello,
> > >>
> > >> This means that the policy I have attached is not compliant: right?
> > >> Could you give me please a pointer or the spec paragraph which
> > >> specifies this ?
> > >>
> > >> Best Regards.
> > >>
> > >> -----Original Message-----
> > >> From: Colm O hEigeartaigh
> > >> [mailto:coheigea@apache.org<ma...@apache.org>]
> > >> Sent: lundi 28 mai 2012 15:18
> > >> To: users@cxf.apache.org<ma...@cxf.apache.org>
> > >> Subject: Re: Regression with UT over HTTPS on 2.6.1
> > >>
> > >> It's not a regression, but a stricter enforcement of the
> > >> WS-SecurityPolicy spec. You need to add a "<wsp:Policy/>" child to
> > >> the sp:HttpsToken element to be compliant.
> > >>
> > >> Colm.
> > >>
> > >> On Mon, May 28, 2012 at 1:12 PM, COURTAULT Francois
> > >> <Francois.COURTAULT@gemalto.com> wrote:
> > >>
> > >>> Hello,
> > >>>
> > >>> With the same WSS policy used, attached, at server side, I got this error:
> > >>>
> > >>> 28 mai 2012 14:08:43 org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
> > >>> ATTENTION: Failed to build the policy 'Wssp1.2-2007-Https-UsernameToken-Plain.xml':sp:HttpsToken/wsp:Policy must have a value
> > >>>
> > >>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: sp:HttpsToken/wsp:Policy must have a value
> > >>>
> > >>> whereas I didn't get any error on 2.5.4.
> > >>>
> > >>> Do I have to enter an issue in CXF 2.6.1 ?
> > >>>
> > >>> Best Regards.
> > >>>
> > >>
> > >>
> > >> --
> > >> Colm O hEigeartaigh
> > >>
> > >> Talend Community Coder
> > >> http://coders.talend.com
> > >>
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> > >
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> >
> >
> > --
> > Glen Mazza
> > Talend Community Coders
> > coders.talend.com
> > blog: www.jroller.com/gmazza
> >
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com