Re: [wsi_wsbasic] Re: NEW ISSUE: wsa:Action header and SOAPAction HTTP header are of different types but required to be the same from Anish Karmarkar on 2006-08-09 (public-ws-addressing@w3.org from August 2006)

From: Anish Karmarkar <Anish.Karmarkar@oracle.com>
Date: Tue, 08 Aug 2006 17:34:03 -0700
To: "Liu, Kevin" <kevin.liu@sap.com>
CC: Christopher B Ferris <chrisfer@us.ibm.com>, public-ws-addressing@w3.org, WSI Basic <wsi_wsbasic@lists.ws-i.org>
Message-ID: <44D92D7B.1070204@oracle.com>

Kevin,

wsa:Action is:
"An absolute IRI that uniquely identifies the semantics implied by this 
message." -- from ws-addr core

SOAPAction:
"... indicate the intent of the SOAP HTTP request." -- from soap 1.1

So when the SOAPAction value is "", the semantics are still identified 
by the value of wsa:Action, the intent is identified by the value of the 
HTTP Request-URI (since SOAPACtion is "").

But that is really not an answer, it is a roundabout way of saying 'i 
don't know.'

Most folks think that SOAPAction and wsa:Action are used for 
"dispatching" and have the same purpose, hence the requirement in the 
ws-a soap binding spec that requires them to be the same. The exception 
for "" as a value for SOAPAction was included because of security 
issues. If one were to use, say WSS, and encrypt the wsa:Action header 
(along with a bunch of other stuff in the SOAP message), information 
would still be leaked through SOAPAction (since the value was the same) 
-- not a good thing. To avoid such leak SOAPAction is allowed to be "". 
Another fallout of this is that, similar to WS-I Basic Profile 1.1, this 
nudges implementation to not rely on the value of SOAPAction. wsa:Action 
is the new way forward.

But I'm not sure if we can or need to say any of this in a spec.

My .02

-Anish
--

Liu, Kevin wrote:
> Hi Anish, Hi Chris,
>  
> What's the semantic when SOAPAction is assigned the empty string ("") 
> while wsa:Action is assigned an absolute URI?
>  
> It would be good if we can add some explanation text for such case.
> 
> Best Regards,
> Kevin
>  
> 
>  
> 
>     ------------------------------------------------------------------------
>     *From:* Christopher B Ferris [mailto:chrisfer@us.ibm.com]
>     *Sent:* Tuesday, Aug 08, 2006 10:34 AM
>     *To:* Anish Karmarkar
>     *Cc:* public-ws-addressing@w3.org ; WSI Basic
>     *Subject:* [wsi_wsbasic] Re: NEW ISSUE: wsa:Action header and
>     SOAPAction HTTP header are of different types but required to be the
>     same
> 
> 
>     Makes sense to me.
> 
>     Proposal:
> 
>     Add new section, new Rnnnn and accompanying rationale.
> 
>     X.x Valid Range of SOAPAction When WS-Addressing is Used
> 
>     There may be some confusion as regards to the range of valid values
>     for SOAPAction when WS-Addressing
>     is used, given that the SOAP 1.1 specification permits the use of
>     relative URIs. When composed with
>     WS-Addressing, the valid range of values of SOAPAction is limited to
>     either an absolute URI that
>     matches the value specified for wsa:Action, or the empty string ("").
> 
>     Rnnnn When wsa:Action MAP is present in an envelope, the containing
>     MESSAGE MUST specify a SOAPAction
>     HTTP header with either a value that is an absolute URI that has the
>     same value as the value of the wsa:Action MAP,
>     or a value of "".
> 
>     Cheers,
> 
>     Christopher Ferris
>     STSM, Software Group Standards Strategy
>     email: chrisfer@us.ibm.com
>     blog: http://www.ibm.com/developerworks/blogs/dw_blog.jspa?blog=440
>     phone: +1 508 377 9295
> 
>     Anish Karmarkar <Anish.Karmarkar@oracle.com> wrote on 08/08/2006
>     12:37:27 PM:
> 
>      > Basic Profilers,
>      >
>      > WS-Addressing wsa:Action header block is of type absolute URI [1].
>      > SOAPAction HTTP header [2] is a URI reference (but not required
>     to be
>      > absolute). Per the WS-Addressing SOAP binding [3] the two must
>     either be
>      > the same or the SOAPAction HTTP header value must be "".
>      >
>      > It therefore follows from the three specs referenced above that any
>      > SOAP/HTTP message that uses WS-Addressing cannot have a
>     SOAPAction HTTP
>      > header with a value that is not an absolute URI (with the
>     exception of
>      > ""). I.e., relative URIs (other than the empty string) are
>     prohibited.
>      >
>      > The WS-Addressing WG felt that this was clearly stated by the three
>      > specifications involved, but there were concerns expressed within
>     the
>      > WS-A WG that this may not be very obvious to the readers (who
>     have to
>      > connect the dots). It was felt that such clarification fell
>     within the
>      > purview of WS-I Basic Profile WG and the WS-A WG wanted to bring
>     this to
>      > your attention.
>      >
>      > Thanks and regards.
>      >
>      > -Anish Karmarkar
>      > on behalf of WS-Addressing WG
>      > --
>      >
>      > [1] http://www.w3.org/TR/2006/REC-ws-addr-core-20060509/#msgaddrprops
>      > [2] http://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383528
>      > [3] http://www.w3.org/TR/2006/REC-ws-addr-soap-20060509/#s11extdesc
>      >

Received on Wednesday, 9 August 2006 00:36:24 UTC