W3C home > Mailing lists > Public > public-ws-policy@w3.org > July 2006

RE: NEW ISSUE: HTTP/HTTPS conflict resolution between policy assertion and WSDL

From: Yalcinalp, Umit <umit.yalcinalp@sap.com>
Date: Wed, 19 Jul 2006 17:57:10 -0700
Message-ID: <2BA6015847F82645A9BB31C7F9D6416501C16339@uspale20.pal.sap.corp>
To: "Christopher B Ferris" <chrisfer@us.ibm.com>, "Sverdlov, Yakov" <Yakov.Sverdlov@ca.com>
Cc: <public-ws-policy@w3.org>, <public-ws-policy-request@w3.org>, "Toufic Boubez" <tboubez@layer7tech.com>
Hi Chris, 
 
I am not sure which "spec" you are referring to. If I am following this
thread correctly, the intent here is to provide some guidelines to deal
with this situation and if we decide to deal with it in a non-normative
manner, I see this as a potential item to be included into the primer. I
see no harm pointing out the pitfalls to users. 
 
Thanks, 
 
--umit
 


________________________________

	From: public-ws-policy-request@w3.org
[mailto:public-ws-policy-request@w3.org] On Behalf Of Christopher B
Ferris
	Sent: Tuesday, Jul 18, 2006 7:56 AM
	To: Sverdlov, Yakov
	Cc: public-ws-policy@w3.org; public-ws-policy-request@w3.org;
Toufic Boubez
	Subject: RE: NEW ISSUE: HTTP/HTTPS conflict resolution between
policy assertion and WSDL
	
	

	I agree that this is out of scope. There are plenty of
work-arounds for situations such as that cited 
	(e.g. use HTTP redirect to the secure URI). 
	
	IMO, this is a profiling issue, not something that the spec need
be concerned with. 
	
	Cheers, 
	
	Christopher Ferris
	STSM, Software Group Standards Strategy
	email: chrisfer@us.ibm.com
	blog:
http://www.ibm.com/developerworks/blogs/dw_blog.jspa?blog=440
	phone: +1 508 377 9295 
	
	public-ws-policy-request@w3.org wrote on 07/18/2006 10:46:49 AM:
	
	> I agree that the policy assertion takes precedence. My
understanding
	> is that the same "canned" policy, which requires HTTPS, may 
	> potentially be attached to different WSDLs at the management
stage, 
	> and if WSDL port for a particular WS uses HTTP, the policy
will be 
	> appropriately enforced at runtime i.e. rejecting the request. 
	>   
	> I think this is a legitimate conflict, and it has to do with
the 
	> policy management and enforcement which is out of scope. May
be the 
	> Attachment Primer should provide some guidance in regard to
possible
	> policy attachment outcomes during the enforcement phase for
two 
	> categories 'conflict' and 'ambiguity': 
	>   
	> 1. Conflict between the policy assertion and WSDL (not limited
to 
	> the transport) 
	> 2. Ambiguity as described by Ashok for the MQ transport
scenario, 
	> which the Primer should recommend to avoid 
	>   
	> Regards, 
	> Yakov Sverdlov 
	> CA 
	>   
	>   
	> 
	> From: public-ws-policy-request@w3.org
[mailto:public-ws-policy-
	> request@w3.org] On Behalf Of Toufic Boubez
	> Sent: Tuesday, July 18, 2006 10:27 AM
	> To: Toufic Boubez; public-ws-policy@w3.org
	> Subject: RE: NEW ISSUE: HTTP/HTTPS conflict resolution between

	> policy assertion and WSDL 
	>   
	> More information: 
	>   
	> Justification - This issue was raised by the WS-Policy interop
in 
	> April 2006 in Germany. 
	>   
	> Reference -
http://www.w3.org/2006/07/13-ws-policy-minutes.html#action32 
	>   
	> Toufic Boubez, Ph.D.
	> Chief Technology Officer
	>  
	> LAYER 7 TECHNOLOGIES / Advancing the application network.
	> 604.681.9377 x310 (w)   604.288.7970 (m) 
	> tboubez@layer7tech.com (e)  www.layer7tech.com (w) 
	>   
	> 
	> From: public-ws-policy-request@w3.org on behalf of Toufic
Boubez
	> Sent: Mon 7/17/2006 10:02 PM
	> To: public-ws-policy@w3.org
	> Subject: NEW ISSUE: HTTP/HTTPS conflict resolution between
policy 
	> assertion and WSDL 
	> Title - HTTP/HTTPS conflict resolution between policy
assertion and WSDL 
	>   
	> Description - If the security policy assertion requires the
use of 
	> HTTPS transport level security and WSDL port address uses HTTP

	> scheme, what is the best practice guidance for requestors? 
	>   
	> Target - WS-Policy Attachment 1.5? Primer? 
	>   
	> Proposal - Not sure if I have an absolute proposal, but I'll
get the
	> ball rolling: I propose that if there is a conflict, that
since 
	> presumably the policy authors are a better authority as to
what 
	> policies should exist for a service, whereas the WSDL might
have 
	> been automatically generated by a tool or a developer, the
policy 
	> assertion takes precedence. 
	>   
	> Toufic Boubez, Ph.D.
	> Chief Technology Officer
	>  
	> LAYER 7 TECHNOLOGIES / Advancing the application network.
	> 604.681.9377 x310 (w)   604.288.7970 (m) 
	> tboubez@layer7tech.com (e)  www.layer7tech.com (w)
Received on Thursday, 20 July 2006 00:54:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:20:40 GMT