- From: Christopher B Ferris <chrisfer@us.ibm.com>
- Date: Wed, 9 Aug 2006 09:44:50 -0400
- To: "Liu, Kevin" <kevin.liu@sap.com>
- Cc: "Anish Karmarkar" <Anish.Karmarkar@oracle.com>, public-ws-addressing@w3.org, "WSI Basic" <wsi_wsbasic@lists.ws-i.org>
- Message-ID: <OFC741A8A0.08C48079-ON852571C5.004401FE-852571C5.004B8464@us.ibm.com>
This works for me.

Cheers,

Christopher Ferris
STSM, Software Group Standards Strategy
email: chrisfer@us.ibm.com
blog: http://www.ibm.com/developerworks/blogs/dw_blog.jspa?blog=440
phone: +1 508 377 9295

"Liu, Kevin" <kevin.liu@sap.com> wrote on 08/09/2006 12:00:18 AM:

> Hi Anish,
>
> Thanks. I think the security consideration is a valid reason for
> allowing the empty string. Some explanation text would be helpful for
> the readers. Here is my minor amendment to Chris's proposal
> (modification marked with <kl>)
>
> ---------
> Add new section, new Rnnnn and accompanying rationale.
>
> X.x Valid Range of SOAPAction When WS-Addressing is Used
>
> There may be some confusion as regards to the range of valid values for
> SOAPAction when WS-Addressing is used, given that the SOAP 1.1
> specification permits the use of relative URIs. <kl>When composed with
> WS-Addressing, the valid range of values of SOAPAction should be limited
> to an absolute URI that matches the value specified for wsa:Action. The
> empty string ("") is also allowed for special cases such as security
> considerations. For example, when the wsa:Action header is encrypted,
> setting SOAPAction to "" may be a way to avoid leakage. </kl>
>
> Rnnnn When wsa:Action MAP is present in an envelope, the containing
> MESSAGE MUST specify a SOAPAction HTTP header with either a value that
> is an absolute URI that has the same value as the value of the
> wsa:Action MAP, or a value of "".
> ------
>
> Best Regards,
> Kevin
>
> > -----Original Message-----
> > From: Anish Karmarkar [mailto:Anish.Karmarkar@oracle.com]
> > Sent: Tuesday, Aug 08, 2006 5:34 PM
> > To: Liu, Kevin
> > Cc: Christopher B Ferris; public-ws-addressing@w3.org; WSI Basic
> > Subject: [wsi_wsbasic] Re: NEW ISSUE: wsa:Action header and
> > SOAPAction HTTP header are of different types but required to
> > be the same
> >
> > Kevin,
> >
> > wsa:Action is:
> > "An absolute IRI that uniquely identifies the semantics implied by
> > this message." -- from ws-addr core
> >
> > SOAPAction:
> > "... indicate the intent of the SOAP HTTP request." -- from soap 1.1
> >
> > So when the SOAPAction value is "", the semantics are still identified
> > by the value of wsa:Action, the intent is identified by the value of
> > the HTTP Request-URI (since SOAPAction is "").
> >
> > But that is really not an answer, it is a roundabout way of saying 'I
> > don't know.'
> >
> > Most folks think that SOAPAction and wsa:Action are used for
> > "dispatching" and have the same purpose, hence the requirement in the
> > ws-a soap binding spec that requires them to be the same. The exception
> > for "" as a value for SOAPAction was included because of security
> > issues. If one were to use, say WSS, and encrypt the wsa:Action header
> > (along with a bunch of other stuff in the SOAP message), information
> > would still be leaked through SOAPAction (since the value was the same)
> > -- not a good thing. To avoid such leak SOAPAction is allowed to be "".
> > Another fallout of this is that, similar to WS-I Basic Profile 1.1,
> > this nudges implementation to not rely on the value of SOAPAction.
> > wsa:Action is the new way forward.
> >
> > But I'm not sure if we can or need to say any of this in a spec.
> >
> > My .02
> >
> > -Anish
> > --
> >
> > Liu, Kevin wrote:
> > > Hi Anish, Hi Chris,
> > >
> > > What's the semantic when SOAPAction is assigned the empty string ("")
> > > while wsa:Action is assigned an absolute URI?
> > >
> > > It would be good if we can add some explanation text for such case.
> > >
> > > Best Regards,
> > > Kevin
> > >
> > > ------------------------------------------------------------------------
> > > *From:* Christopher B Ferris [mailto:chrisfer@us.ibm.com]
> > > *Sent:* Tuesday, Aug 08, 2006 10:34 AM
> > > *To:* Anish Karmarkar
> > > *Cc:* public-ws-addressing@w3.org ; WSI Basic
> > > *Subject:* [wsi_wsbasic] Re: NEW ISSUE: wsa:Action header and
> > > SOAPAction HTTP header are of different types but required to be the
> > > same
> > >
> > > Makes sense to me.
> > >
> > > Proposal:
> > >
> > > Add new section, new Rnnnn and accompanying rationale.
> > >
> > > X.x Valid Range of SOAPAction When WS-Addressing is Used
> > >
> > > There may be some confusion as regards to the range of valid values
> > > for SOAPAction when WS-Addressing is used, given that the SOAP 1.1
> > > specification permits the use of relative URIs. When composed with
> > > WS-Addressing, the valid range of values of SOAPAction is limited to
> > > either an absolute URI that matches the value specified for
> > > wsa:Action, or the empty string ("").
> > >
> > > Rnnnn When wsa:Action MAP is present in an envelope, the containing
> > > MESSAGE MUST specify a SOAPAction HTTP header with either a value
> > > that is an absolute URI that has the same value as the value of the
> > > wsa:Action MAP, or a value of "".
> > >
> > > Cheers,
> > >
> > > Christopher Ferris
> > > STSM, Software Group Standards Strategy
> > > email: chrisfer@us.ibm.com
> > > blog: http://www.ibm.com/developerworks/blogs/dw_blog.jspa?blog=440
> > > phone: +1 508 377 9295
> > >
> > > Anish Karmarkar <Anish.Karmarkar@oracle.com> wrote on 08/08/2006
> > > 12:37:27 PM:
> > >
> > > > Basic Profilers,
> > > >
> > > > WS-Addressing wsa:Action header block is of type absolute URI [1].
> > > > SOAPAction HTTP header [2] is a URI reference (but not required to
> > > > be absolute). Per the WS-Addressing SOAP binding [3] the two must
> > > > either be the same or the SOAPAction HTTP header value must be "".
> > > >
> > > > It therefore follows from the three specs referenced above that any
> > > > SOAP/HTTP message that uses WS-Addressing cannot have a SOAPAction
> > > > HTTP header with a value that is not an absolute URI (with the
> > > > exception of ""). I.e., relative URIs (other than the empty string)
> > > > are prohibited.
> > > >
> > > > The WS-Addressing WG felt that this was clearly stated by the three
> > > > specifications involved, but there were concerns expressed within
> > > > the WS-A WG that this may not be very obvious to the readers (who
> > > > have to connect the dots). It was felt that such clarification fell
> > > > within the purview of WS-I Basic Profile WG and the WS-A WG wanted
> > > > to bring this to your attention.
> > > >
> > > > Thanks and regards.
> > > >
> > > > -Anish Karmarkar
> > > > on behalf of WS-Addressing WG
> > > > --
> > > >
> > > > [1] http://www.w3.org/TR/2006/REC-ws-addr-core-20060509/#msgaddrprops
> > > > [2] http://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383528
> > > > [3] http://www.w3.org/TR/2006/REC-ws-addr-soap-20060509/#s11extdesc

Received on Wednesday, 9 August 2006 13:45:34 UTC
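
The proposed Rnnnn can be checked mechanically, for example in a conformance test harness or at an HTTP intermediary. The sketch below is an added example, not part of the thread or of any WS-I or W3C text. The function name, verdict strings, sample envelopes and the `http://example.org/...` action URI are constructed for illustration; exact string comparison and the "possible-leak" heuristic for encrypted headers are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSA = "http://www.w3.org/2005/08/addressing"   # WS-Addressing 1.0
XENC = "http://www.w3.org/2001/04/xmlenc#"     # XML Encryption

def unquote(raw):
    """SOAP 1.1 carries SOAPAction as a quoted string; strip one pair of quotes."""
    v = raw.strip()
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v

def check_soapaction(soapaction_header, envelope_xml):
    """Classify one SOAP/HTTP message against the proposed Rnnnn."""
    value = unquote(soapaction_header)
    header = ET.fromstring(envelope_xml).find(f"{{{SOAP11}}}Header")
    action = None if header is None else header.find(f"{{{WSA}}}Action")
    if action is None:
        # No clear-text wsa:Action. If header content is encrypted, a non-empty
        # SOAPAction may disclose what the encryption was meant to hide.
        encrypted = (header is not None and
                     next(header.iter(f"{{{XENC}}}EncryptedData"), None) is not None)
        return "possible-leak" if encrypted and value else "not-applicable"
    if value == "":
        return "ok-empty"              # the "" exception discussed in the thread
    if not urlsplit(value).scheme:
        return "violation-relative"    # relative URI other than ""
    # Assumption: values are compared as exact strings after trimming whitespace.
    wsa_value = (action.text or "").strip()
    return "ok-match" if value == wsa_value else "violation-mismatch"

# Constructed sample envelope; the action URI is a placeholder.
ENVELOPE = (
    f'<s:Envelope xmlns:s="{SOAP11}" xmlns:wsa="{WSA}"><s:Header>'
    '<wsa:Action>http://example.org/orders/Submit</wsa:Action>'
    '</s:Header><s:Body/></s:Envelope>'
)
# Constructed sample in which the header content has been encrypted.
ENCRYPTED = (
    f'<s:Envelope xmlns:s="{SOAP11}" xmlns:x="{XENC}"><s:Header>'
    '<x:EncryptedData/></s:Header><s:Body/></s:Envelope>'
)

if __name__ == "__main__":
    for hdr in ('"http://example.org/orders/Submit"', '""', '"Submit"',
                '"http://example.org/other"'):
        print(hdr, "->", check_soapaction(hdr, ENVELOPE))
    print("encrypted ->",
          check_soapaction('"http://example.org/orders/Submit"', ENCRYPTED))
```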