W3C home > Mailing lists > Public > public-ws-policy@w3.org > July 2006

RE: NEW ISSUE: HTTP/HTTPS conflict resolution between policy assertion and WSDL

From: Jong Lee <jlee@bea.com>
Date: Sat, 29 Jul 2006 09:52:31 -0700
Message-ID: <6E9C82D532D127439D866C0425182770019BA398@repbex01.amer.bea.com>
To: "Sverdlov, Yakov" <Yakov.Sverdlov@ca.com>, "Asir Vedamuthu" <asirveda@microsoft.com>, "Maryann Hondo" <mhondo@us.ibm.com>, "Yalcinalp, Umit" <umit.yalcinalp@sap.com>
Cc: "Christopher B Ferris" <chrisfer@us.ibm.com>, <public-ws-policy@w3.org>, "Toufic Boubez" <tboubez@layer7tech.com>

+1


Jong
BEA Systems. 

-----Original Message-----
From: public-ws-policy-request@w3.org [mailto:public-ws-policy-request@w3.org] On Behalf Of Sverdlov, Yakov
Sent: Saturday, July 29, 2006 9:39 AM
To: Asir Vedamuthu; Maryann Hondo; Yalcinalp, Umit
Cc: Christopher B Ferris; public-ws-policy@w3.org; Toufic Boubez
Subject: RE: NEW ISSUE: HTTP/HTTPS conflict resolution between policy assertion and WSDL


All,

I agree with Asir that 'Policy takes precedence' does not help in this particular SSL handshake example. However, we may add a reverse proxy between requester and web service, and this will make "HTTPS policy over HTTP endpoint" a meaningful conflict.  

I think that, as a higher level spec, WS-Policy (and its existing and future derivatives, such as WS-SecurityPolicy) should take precedence over lower level specs (HTTP, HTTPS, WSDL, SOAP) wherever possible. The Primer should provide some guidance in this direction.

Regards,

Yakov Sverdlov
CA

-----Original Message-----
From: Asir Vedamuthu [mailto:asirveda@microsoft.com]
Sent: Friday, July 28, 2006 7:45 PM
To: Maryann Hondo; Yalcinalp, Umit
Cc: Christopher B Ferris; public-ws-policy@w3.org; Toufic Boubez; Sverdlov, Yakov
Subject: RE: NEW ISSUE: HTTP/HTTPS conflict resolution between policy assertion and WSDL

Let's say a requestor initiates an SSL handshake with a non-SSL endpoint. What happens? The handshake will fail. 'Policy takes precedence' does not help.

Service metadata can describe different parts of a Web service. Some of these descriptions may contradict. Say, a WSDL binding description requires SOAP over HTTP and the endpoint address uses a non-HTTP/HTTPS scheme. Does the port or binding description take precedence? Regardless, precedence does not help.

In the specific case described below, the contradiction involves multiple specs (HTTP, HTTPS, WSDL, WS-Policy and WS-SecurityPolicy). A smart metadata tool may reason and flag this.

The primer is a good vehicle to highlight that some of these descriptions may contradict.

Regards,
 
Asir S Vedamuthu
Microsoft Corporation

________________________________________
From: public-ws-policy-request@w3.org [mailto:public-ws-policy-request@w3.org] On Behalf Of Maryann Hondo
Sent: Wednesday, July 26, 2006 2:11 AM
To: Yalcinalp, Umit
Cc: Christopher B Ferris; public-ws-policy@w3.org; public-ws-policy-request@w3.org; Toufic Boubez; Sverdlov, Yakov
Subject: RE: NEW ISSUE: HTTP/HTTPS conflict resolution between policy assertion and WSDL


All, 

I agree with Toufic that for the specific WSDL binding case with HTTP/HTTPS in WS-Policy attachment, we can state that policy takes precedence over the WSDL. 

 But  I also agree with Umit, that  this is also an area where the primer can offer guidance. 

Policy authors ( like RM) have to do the domain decomposition. In the case of RM, maybe the authors did not take into account transport agnostic, and transport specific capabilities. 

I believe the security domain did attempt to address this. So the primer can provdide guidance and examples of how domain authors can chose to express the capabilities of their particular domain. 

And if there are new models for attachment ( beyond WSDL) then the precedence can be stated normatively in the WS-PolicyAttachment document. 

Maryann 

"Yalcinalp, Umit" <umit.yalcinalp@sap.com> Sent by: public-ws-policy-request@w3.org
07/19/2006 08:57 PM
To
Christopher B Ferris/Waltham/IBM@IBMUS, "Sverdlov, Yakov" <Yakov.Sverdlov@ca.com> cc <public-ws-policy@w3.org>, <public-ws-policy-request@w3.org>, "Toufic Boubez" <tboubez@layer7tech.com> Subject
RE: NEW ISSUE: HTTP/HTTPS conflict resolution between policy assertion and  WSDL







Hi Chris, 
  
I am not sure which "spec" you are referring to. If I am following this thread correctly, the intent here is to provide some guidelines to deal with this situation and if we decide to deal with it in a non-normative manner, I see this as a potential item to be included into the primer. I see no harm pointing out the pitfalls to users. 
  
Thanks, 
  
--umit 
  
________________________________________
From: public-ws-policy-request@w3.org [mailto:public-ws-policy-request@w3.org] On Behalf Of Christopher B Ferris
Sent: Tuesday, Jul 18, 2006 7:56 AM
To: Sverdlov, Yakov
Cc: public-ws-policy@w3.org; public-ws-policy-request@w3.org; Toufic Boubez
Subject: RE: NEW ISSUE: HTTP/HTTPS conflict resolution between policy assertion and WSDL


I agree that this is out of scope. There are plenty of work-arounds for situations such as that cited (e.g. use HTTP redirect to the secure URI). 

IMO, this is a profiling issue, not something that the spec need be concerned with. 

Cheers, 

Christopher Ferris
STSM, Software Group Standards Strategy
email: chrisfer@us.ibm.com
blog: http://www.ibm.com/developerworks/blogs/dw_blog.jspa?blog=440
phone: +1 508 377 9295 

public-ws-policy-request@w3.org wrote on 07/18/2006 10:46:49 AM:

> I agree that the policy assertion takes precedence. My understanding 
> is that the same "canned" policy, which requires HTTPS, may 
> potentially be attached to different WSDLs at the management stage, 
> and if WSDL port for a particular WS uses HTTP, the policy will be 
> appropriately enforced at runtime i.e. rejecting the request.
>   
> I think this is a legitimate conflict, and it has to do with the 
> policy management and enforcement which is out of scope. May be the 
> Attachment Primer should provide some guidance in regard to possible 
> policy attachment outcomes during the enforcement phase for two 
> categories 'conflict' and 'ambiguity':
>   
> 1. Conflict between the policy assertion and WSDL (not limited to the 
> transport) 2. Ambiguity as described by Ashok for the MQ transport 
> scenario, which the Primer should recommend to avoid
>   
> Regards,
> Yakov Sverdlov
> CA
>   
>   
> 
> From: public-ws-policy-request@w3.org [mailto:public-ws-policy- 
> request@w3.org] On Behalf Of Toufic Boubez
> Sent: Tuesday, July 18, 2006 10:27 AM
> To: Toufic Boubez; public-ws-policy@w3.org
> Subject: RE: NEW ISSUE: HTTP/HTTPS conflict resolution between policy 
> assertion and WSDL
>   
> More information: 
>   
> Justification - This issue was raised by the WS-Policy interop in 
> April 2006 in Germany.
>   
> Reference - 
> http://www.w3.org/2006/07/13-ws-policy-minutes.html#action32
>   
> Toufic Boubez, Ph.D.
> Chief Technology Officer
>  
> LAYER 7 TECHNOLOGIES / Advancing the application network.
> 604.681.9377 x310 (w)   604.288.7970 (m) tboubez@layer7tech.com (e)  
> www.layer7tech.com (w)
>   
> 
> From: public-ws-policy-request@w3.org on behalf of Toufic Boubez
> Sent: Mon 7/17/2006 10:02 PM
> To: public-ws-policy@w3.org
> Subject: NEW ISSUE: HTTP/HTTPS conflict resolution between policy 
> assertion and WSDL Title - HTTP/HTTPS conflict resolution between 
> policy assertion and WSDL
>   
> Description - If the security policy assertion requires the use of 
> HTTPS transport level security and WSDL port address uses HTTP scheme, 
> what is the best practice guidance for requestors?
>   
> Target - WS-Policy Attachment 1.5? Primer? 
>   
> Proposal - Not sure if I have an absolute proposal, but I'll get the 
> ball rolling: I propose that if there is a conflict, that since 
> presumably the policy authors are a better authority as to what 
> policies should exist for a service, whereas the WSDL might have been 
> automatically generated by a tool or a developer, the policy assertion 
> takes precedence.
>   
> Toufic Boubez, Ph.D.
> Chief Technology Officer
>  
> LAYER 7 TECHNOLOGIES / Advancing the application network.
> 604.681.9377 x310 (w)   604.288.7970 (m) tboubez@layer7tech.com (e)  
> www.layer7tech.com (w)


_______________________________________________________________________
Notice:  This email message, together with any attachments, may contain
information  of  BEA Systems,  Inc.,  its subsidiaries  and  affiliated
entities,  that may be confidential,  proprietary,  copyrighted  and/or
legally privileged, and is intended solely for the use of the individual
or entity named in this message. If you are not the intended recipient,
and have received this message in error, please immediately return this
by email and then delete it.
Received on Monday, 31 July 2006 08:06:58 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:20:40 GMT