- From: Gilbert Pilz <gilbert.pilz@oracle.com>
- Date: Thu, 22 Oct 2009 22:31:10 -0700
- To: "public-ws-resource-access@w3.org" <public-ws-resource-access@w3.org>
- Message-ID: <4AE13F9E.9030708@oracle.com>
It seems to me that there are two fundamentally different ways for a client to violate a MUST in a request and they are (sort of) like the difference between involuntary manslaughter and murder (bear with me here). A "manslaughter-MUST violation" is something the client does without premeditation. That is to say, the client can't and doesn't know that they've violated the MUST condition. For example, the latest proposal for 7586/7588 has a clause that reads "Regardless of the value types, it MUST be true that wse:Expires/@min <= wse:Expires <= wse:Expires/@max as interpreted by the Event Source or Subscription manager at the time the wse:Subscribe request is processed." It is possible for a client to send a Subscribe request where @min <= wse:Expires <= @max at the moment the request is sent but, due to various circumstances (queuing delays, clock skew, etc.), by the time the request is processed by the Event Source, wse:Expires > @max, and the request violates the MUST. Had things gone differently, the request might have satisfied the @min <= wse:Expires <= @max constraint when it was processed by the Event Source. We define the fault that is generated when this MUST condition is violated because there is no other way for the client (which, BTW, is conforming to the spec in this area) to determine what happened. A "murder-MUST violation" is the result of premeditated action. That is to say, the client has a bug. If a client sends a WS-Transfer request with an [Action] of "http://www.w3.org/2009/09/ws-tra/Get" and a [Body]/[child] of "wst:Put", it is sending an illegal, non-conforming request. Unlike the above case, there are no circumstances under which this request could ever be valid. All you have to do is look at this request and you can tell that it is invalid. There may be some WS-T impls that will honor this request and perform either a Get or a Put and, while it seems weird that you can't tell what an implementation will do in this case, *non-conforming clients have no reasonable expectation of predictable behavior*. It's difficult define and implement predictable behavior for conforming clients. It's *impossible* to define and implement predictable behavior for *all* the different ways you can violate a spec. Which isn't to say you should do nothing! To help developers and admins figure out what is going wrong, implementations can and do perform various checks on the well-formedness and validity of incoming requests, but the nature and extent of these checks are up to the implementation. For every check there is a performance penalty and you have to weigh this cost against the benefit of catching the problem, the ability to detect it via some other means, and the likelihood of its occurrence. This is why very few production SOAP services (or even test services for that matter) perform schema validation on their incoming requests; the performance costs of schema validation outweigh the benefit of catching the *rare* cases of non-schema-valid requests. Which brings me to my final point: from a programmer's perspective, this is really a tempest in a teapot. Most WS-T client implementations will include request marshaling code that is auto-generated by some wsdl-to-code tool. Unless there is some major bug in your tooling that has gone undetected for a number of years, the [Action] and [Body]/child will agree with their definition in the WS-Transfer WSDL. If you are hand-coding WS-Transfer request marshaling, it is a simple matter to test the four (count them, 4!) WS-T operations to verify that [Action] and [Body]/child agree for all four operations. Once this code works, leave it alone and you will be fine. - gp
Received on Friday, 23 October 2009 05:32:42 UTC