- From: Jonathan Marsh <jmarsh@microsoft.com>
- Date: Thu, 23 Dec 2004 13:19:53 -0800
- To: <tom@coastin.com>, "Rich Salz" <rsalz@datapower.com>
- Cc: "Srinivas, Davanum M" <Davanum.Srinivas@ca.com>, <public-ws-addressing@w3.org>

Um, wouldn't the wrapped problem "solve" this by hiding the security stuff in a place where the SOAP security processor can't find it? And thus we'd have to define another WS-Addressing-specific security processing model. Likewise we'd have to define all other aspects we're currently relying on the SOAP processing model for, such as mustUnderstand, targeting to intermediaries, and ordering of headers.

I should probably wait for Gudge on this since WS-Security is outside my comfort zone, but it seems to me that if wrapping implies that something other than the SOAP processing model handles the security, we already have that possibility with the current design. Wrap your security refP's yourself:

    <wsa:To>
      <wsa:Address>urn:example:bar</wsa:Address>
      <wsa:ReferenceProperties>
        <my:AppLevelSecurityHeader>
          <wsse:Security ... >

-----Original Message-----
> From: public-ws-addressing-request@w3.org [mailto:public-ws-addressing-request@w3.org] On Behalf Of Tom Rutt
> Sent: Tuesday, December 21, 2004 6:25 PM
> To: Rich Salz
> Cc: Srinivas, Davanum M; public-ws-addressing@w3.org
> Subject: Re: Problems with the SOAP binding
>
> The "wrapper" proposals for refPs would not allow this "problem" to
> occur.
>
> It seems the "feature" of top level refPs as headers is full of
> problems.
>
> The "wrapped" wss:RefPRops or wsa:To headers could be read by
> intermediaries, they just would not be top level headers.
>
> Tom Rutt
> Fujitsu
>
> Rich Salz wrote:
>
> >Yes, if you relax the rules for opacity, and allow the client to
> >do special processing when required, then the client can "merge"
> >the two ws-security messages (one in the refp and one it generates).
> >
> >So yes, since the current SOAP binding is "broken," this change to the
> >SOAP binding will address the issue. As I said on the call (and in
> >email), I'd want Gudge's opinion.
> >
> >It'll be interesting to see how to violate opacity. :)
> >     /r$
> >
>
> --
> ----------------------------------------------------
> Tom Rutt email: tom@coastin.com; trutt@us.fujitsu.com
> Tel: +1 732 801 5744 Fax: +1 732 774 5133

Received on Thursday, 23 December 2004 21:20:41 UTC
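
The concern raised in the message above, as an added example that is not part of the original email or of any WS-Addressing implementation: a processor that follows the SOAP processing model looks only at header blocks (direct children of the Header element), so it sees wsse:Security and its mustUnderstand flag in the current binding but not when the element is wrapped inside wsa:To. Both envelopes are constructed samples, and the my: namespace URI and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace URIs: SOAP 1.2, WS-Addressing 2004/08 submission, WSS 1.0 secext.
SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
MY = "urn:example:my"  # assumed namespace for the application-level wrapper

def envelope(headers):
    """Build a constructed SOAP envelope around the given header XML."""
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsa="{WSA}" '
            f'xmlns:wsse="{WSSE}" xmlns:my="{MY}">'
            f'<s:Header>{headers}</s:Header><s:Body/></s:Envelope>')

# Current binding: the security reference property is a top-level header block.
TOP_LEVEL = envelope('<wsa:To>urn:example:bar</wsa:To>'
                     '<wsse:Security s:mustUnderstand="true"/>')
# Wrapped: the same element nested inside wsa:To, as sketched in the message.
WRAPPED = envelope('<wsa:To><wsa:Address>urn:example:bar</wsa:Address>'
                   '<wsa:ReferenceProperties><my:AppLevelSecurityHeader>'
                   '<wsse:Security s:mustUnderstand="true"/>'
                   '</my:AppLevelSecurityHeader></wsa:ReferenceProperties></wsa:To>')

def header_blocks(xml_text):
    """Return the header blocks: direct children of the SOAP Header only."""
    header = ET.fromstring(xml_text).find(f"{{{SOAP}}}Header")
    return list(header) if header is not None else []

def security_seen_by_soap_model(xml_text):
    """Count wsse:Security elements that are header blocks in their own right."""
    return sum(1 for b in header_blocks(xml_text) if b.tag == f"{{{WSSE}}}Security")

def hidden_security(xml_text):
    """Count wsse:Security elements nested below a header block, where a
    header-block-level security processor never looks."""
    header = ET.fromstring(xml_text).find(f"{{{SOAP}}}Header")
    total = len(header.findall(f".//{{{WSSE}}}Security")) if header is not None else 0
    return total - security_seen_by_soap_model(xml_text)

def must_understand_blocks(xml_text):
    """Tags of header blocks the SOAP model would enforce mustUnderstand on."""
    attr = f"{{{SOAP}}}mustUnderstand"
    return [b.tag for b in header_blocks(xml_text) if b.get(attr) in ("true", "1")]

if __name__ == "__main__":
    for name, doc in (("top-level", TOP_LEVEL), ("wrapped", WRAPPED)):
        print(name, security_seen_by_soap_model(doc), hidden_security(doc),
              must_understand_blocks(doc))
```

A receiver that wants to flag wrapped security elements can treat a non-zero `hidden_security` count as a message needing processing beyond the SOAP model.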