- From: Ashok Malhotra <ashok.malhotra@oracle.com>
- Date: Thu, 28 Sep 2006 09:18:15 -0700
- To: "Daniel Roth" <Daniel.Roth@microsoft.com>, "Fabian Ritzmann" <Fabian.Ritzmann@Sun.COM>, "public-ws-policy@w3.org" <public-ws-policy@w3.org>
Dan: You said ... > Publishing multiple endpoints is > one way (this is how we do it in WCF). Another way is to add > another protocol to signal the selected alternative. What > technique you use is implementation specific. Two questions: 1. If you have multiple endpoints, how do you indicate which alternative each endpoint supports? 2. Is the other protocol you suggest something that the WS-Policy WG would endorse? All the best, Ashok > -----Original Message----- > From: public-ws-policy-request@w3.org > [mailto:public-ws-policy-request@w3.org] On Behalf Of Daniel Roth > Sent: Thursday, September 28, 2006 8:54 AM > To: Fabian Ritzmann; public-ws-policy@w3.org > Subject: RE: NEW ISSUE (3639) Which policy alternative was selected? > > > Hi Fabian, > > Thanks for posting your example. > > This is just another example of what we already discussed at > the F2F. The policy combinators (All, ExactlyOne) are very > powerful and it is very easy to construct policies that have > no reasonable implementation. When you use multiple policy > alternatives it may be ambiguous which policy alternative has > been applied. > > There are multiple ways of disambiguating which policy > alternative is being used. Publishing multiple endpoints is > one way (this is how we do it in WCF). Another way is to add > another protocol to signal the selected alternative. What > technique you use is implementation specific. > > Daniel Roth > > -----Original Message----- > From: public-ws-policy-request@w3.org > [mailto:public-ws-policy-request@w3.org] On Behalf Of Fabian Ritzmann > Sent: Wednesday, September 27, 2006 4:33 AM > To: public-ws-policy@w3.org > Subject: Re: NEW ISSUE (3639) Which policy alternative was selected? > > Here are security policy samples where the applicable policy > alternative can not be reliably determined from an incoming > message. The WSDL with the policies is attached. This is in > response to action item 115 that was assigned to Monica Martin. > > For an incoming message the security layer infers the policy > from the message. The inferred policy will then be compared > against the list of available alternatives. A simple example, > which attempts to show ambiguity in the policy to be selected. > > In the attached example , we have a policy alternative at the > binding level. Everything is the same except one assertion > WSS10 and WSS11. If RequireSignatureConfirmation element > under WSS11 assertion is set then SignatureConfirmation > element must be sent back to the client. If the server happen > to select the alternative which has WSS10 and Client had > selected alternative with WSS11 assertion it be an error as > the client would expect SignatureConfirmation element in the > response from the server. > > Fabian > > > >
Received on Thursday, 28 September 2006 16:19:21 UTC