RE: [wsi_wsbasic] Re: NEW ISSUE: wsa:Action header and SOAPAction HTTP header are of different types but required to be the same

Hi Anish,

Thanks. I think the security consideration is a valid reason for
allowing the empty string. Some explanation text would be helpful for
the readers. Here is my minor amendment to Chris's proposal
(modification marked with <kl>)

---------
Add new section, new Rnnnn and accompanying rationale. 

X.x Valid Range of SOAPAction When WS-Addressing is Used 

There may be some confusion as regards the range of valid values for SOAPAction when WS-Addressing is used, given that the SOAP 1.1 specification permits the use of relative URIs. <kl>When composed with WS-Addressing, the valid range of values of SOAPAction should be limited to an absolute URI that matches the value specified for wsa:Action. The empty string ("") is also allowed for special cases such as security considerations. For example, when the wsa:Action header is encrypted, setting SOAPAction to "" may be a way to avoid leakage.</kl>

Rnnnn When wsa:Action MAP is present in an envelope, the containing MESSAGE MUST specify a SOAPAction HTTP header with either a value that is an absolute URI that has the same value as the value of the wsa:Action MAP, or a value of "".
------


Best Regards,
Kevin
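
As an added example (mine, not part of this thread or of the specifications it cites), a small Python check of the proposed Rnnnn rule against constructed SOAP 1.1/HTTP requests, including the encrypted-wsa:Action case Anish describes, where a non-empty SOAPAction repeats in clear what the message protects. The namespace URIs are the real SOAP 1.1, WS-Addressing 1.0 and XML Encryption ones; the sample envelopes, header dictionaries and verdict names are constructed.

```python
from urllib.parse import urlparse
import xml.etree.ElementTree as ET
# Namespaces: SOAP 1.1 envelope, WS-Addressing 1.0 core, XML Encryption.
SOAP11 = "{http://schemas.xmlsoap.org/soap/envelope/}"
WSA = "{http://www.w3.org/2005/08/addressing}"
XENC = "{http://www.w3.org/2001/04/xmlenc#}"

def soapaction_value(headers):
    """Return the SOAPAction value without its SOAP 1.1 quotes, or None if absent."""
    for name, value in headers.items():
        if name.lower() == "soapaction":
            v = value.strip()
            if len(v) >= 2 and v[0] == v[-1] == '"':
                v = v[1:-1]
            return v
    return None

def check_message(headers, envelope_xml):
    """Classify one SOAP 1.1/HTTP request against the proposed Rnnnn rule (verdict names are this example's own)."""
    hdr = ET.fromstring(envelope_xml).find(SOAP11 + "Header")
    action = hdr.find(WSA + "Action") if hdr is not None else None
    # A wsa:Action encrypted with WSS is no longer visible; xenc:EncryptedData stands in its place.
    encrypted = hdr is not None and hdr.find(".//" + XENC + "EncryptedData") is not None
    sa = soapaction_value(headers)
    if action is None and not encrypted:
        return "not-applicable"      # no wsa:Action MAP: the rule does not apply
    if sa is None:
        return "violation-missing"   # Rnnnn: the SOAPAction header MUST be specified
    if sa == "":
        return "ok-empty"            # "" is explicitly allowed, e.g. when wsa:Action is encrypted
    if not urlparse(sa).scheme:
        return "violation-relative"  # relative URIs are ruled out once WS-Addressing is used
    if action is None:
        return "leak"                # wsa:Action is encrypted but SOAPAction repeats it in clear
    if sa != (action.text or "").strip():
        return "violation-mismatch"
    return "ok"

# Constructed sample envelopes, not captured traffic; the cipher value is a placeholder.
ENVELOPE_CLEAR = (
    '<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:wsa="http://www.w3.org/2005/08/addressing"><S:Header>'
    '<wsa:Action>http://example.org/op/Submit</wsa:Action></S:Header><S:Body/></S:Envelope>')
ENVELOPE_ENCRYPTED = (
    '<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><S:Header><xenc:EncryptedData>'
    '<xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData></S:Header><S:Body/></S:Envelope>')
ENVELOPE_NO_WSA = '<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Header/><S:Body/></S:Envelope>'
```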
  

> -----Original Message-----
> From: Anish Karmarkar [mailto:Anish.Karmarkar@oracle.com] 
> Sent: Tuesday, Aug 08, 2006 5:34 PM
> To: Liu, Kevin
> Cc: Christopher B Ferris; public-ws-addressing@w3.org; WSI Basic
> Subject: [wsi_wsbasic] Re: NEW ISSUE: wsa:Action header and 
> SOAPAction HTTP header are of different types but required to 
> be the same
> 
> Kevin,
> 
> wsa:Action is:
> "An absolute IRI that uniquely identifies the semantics implied by this message." -- from ws-addr core
> 
> SOAPAction:
> "... indicate the intent of the SOAP HTTP request." -- from soap 1.1
> 
> So when the SOAPAction value is "", the semantics are still identified by the value of wsa:Action, the intent is identified by the value of the HTTP Request-URI (since SOAPAction is "").
> 
> But that is really not an answer, it is a roundabout way of saying 'I don't know.'
> 
> Most folks think that SOAPAction and wsa:Action are used for "dispatching" and have the same purpose, hence the requirement in the ws-a soap binding spec that requires them to be the same. The exception for "" as a value for SOAPAction was included because of security issues. If one were to use, say WSS, and encrypt the wsa:Action header (along with a bunch of other stuff in the SOAP message), information would still be leaked through SOAPAction (since the value was the same) -- not a good thing. To avoid such a leak SOAPAction is allowed to be "". Another fallout of this is that, similar to WS-I Basic Profile 1.1, this nudges implementations not to rely on the value of SOAPAction. wsa:Action is the new way forward.
> 
> But I'm not sure if we can or need to say any of this in a spec.
> 
> My .02
> 
> -Anish
> --
> 
> Liu, Kevin wrote:
> > Hi Anish, Hi Chris,
> >  
> > What's the semantic when SOAPAction is assigned the empty string ("") while wsa:Action is assigned an absolute URI?
> >  
> > It would be good if we can add some explanation text for such case.
> > 
> > Best Regards,
> > Kevin
> > 
> > ------------------------------------------------------------------------
> >     *From:* Christopher B Ferris [mailto:chrisfer@us.ibm.com]
> >     *Sent:* Tuesday, Aug 08, 2006 10:34 AM
> >     *To:* Anish Karmarkar
> >     *Cc:* public-ws-addressing@w3.org ; WSI Basic
> >     *Subject:* [wsi_wsbasic] Re: NEW ISSUE: wsa:Action header and SOAPAction HTTP header are of different types but required to be the same
> > 
> > 
> >     Makes sense to me.
> > 
> >     Proposal:
> > 
> >     Add new section, new Rnnnn and accompanying rationale.
> > 
> >     X.x Valid Range of SOAPAction When WS-Addressing is Used
> > 
> >     There may be some confusion as regards the range of valid values for SOAPAction when WS-Addressing is used, given that the SOAP 1.1 specification permits the use of relative URIs. When composed with WS-Addressing, the valid range of values of SOAPAction is limited to either an absolute URI that matches the value specified for wsa:Action, or the empty string ("").
> > 
> >     Rnnnn When wsa:Action MAP is present in an envelope, the containing MESSAGE MUST specify a SOAPAction HTTP header with either a value that is an absolute URI that has the same value as the value of the wsa:Action MAP, or a value of "".
> > 
> >     Cheers,
> > 
> >     Christopher Ferris
> >     STSM, Software Group Standards Strategy
> >     email: chrisfer@us.ibm.com
> >     blog: http://www.ibm.com/developerworks/blogs/dw_blog.jspa?blog=440
> >     phone: +1 508 377 9295
> > 
> >     Anish Karmarkar <Anish.Karmarkar@oracle.com> wrote on 08/08/2006 12:37:27 PM:
> > 
> >      > Basic Profilers,
> >      >
> >      > WS-Addressing wsa:Action header block is of type absolute URI [1]. SOAPAction HTTP header [2] is a URI reference (but not required to be absolute). Per the WS-Addressing SOAP binding [3] the two must either be the same or the SOAPAction HTTP header value must be "".
> >      >
> >      > It therefore follows from the three specs referenced above that any SOAP/HTTP message that uses WS-Addressing cannot have a SOAPAction HTTP header with a value that is not an absolute URI (with the exception of ""). I.e., relative URIs (other than the empty string) are prohibited.
> >      >
> >      > The WS-Addressing WG felt that this was clearly stated by the three specifications involved, but there were concerns expressed within the WS-A WG that this may not be very obvious to the readers (who have to connect the dots). It was felt that such clarification fell within the purview of WS-I Basic Profile WG and the WS-A WG wanted to bring this to your attention.
> >      >
> >      > Thanks and regards.
> >      >
> >      > -Anish Karmarkar
> >      > on behalf of WS-Addressing WG
> >      > --
> >      >
> >      > [1] http://www.w3.org/TR/2006/REC-ws-addr-core-20060509/#msgaddrprops
> >      > [2] http://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383528
> >      > [3] http://www.w3.org/TR/2006/REC-ws-addr-soap-20060509/#s11extdesc
> >      >
> 
> 

Received on Wednesday, 9 August 2006 04:00:32 UTC