-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Exactly what i was afraid of :( Sigh! this is a *very* slippery slope.
- -- dims Amila Suriarachchi wrote: | On Mon, Jul 7, 2008 at 6:03 PM, Davanum Srinivas <[EMAIL PROTECTED]> wrote: | |> Nandana, |> |> +1 from me for you to be the Release Manager for 1.4.1 | | | + 1 from me. | |> |> IMHO, we should use 1.4 branch. The *ONLY* change should be the |> security change. Nothing more. | | I think we need to fix any possible other critical issues as well. | eg. https://issues.apache.org/jira/browse/AXIS2-3870 | This is a memory leak and we need to fix this. | | thanks, | Amila. | | | |> |> thanks, |> dims |> |> On Mon, Jul 7, 2008 at 6:50 AM, Nandana Mihindukulasooriya |> <[EMAIL PROTECTED]> wrote: |>> I would like to volunteer to be the release manager for Axis2 1.4.1. |>> |>> I think we can fix the critical issues in the 1.4 branch (or a 1.4.1 |> branch |>> ) and do the 1.4.1 release. I don't think doing 1.4.1 from the trunk is |> the |>> appropriate way as trunk is now java 1.5 and has lot of major changes |> after |>> Axis2 1.4 . However we can fix any issues that are not already fixed in |> the |>> trunk at the same time when we fix those in the branch. |>> |>> Hope this is oky with Axis2 release guidelines. |>> |>> thanks, |>> nandana |>> |>> On Tue, Jul 1, 2008 at 6:39 PM, Davanum Srinivas <[EMAIL PROTECTED]> |> wrote: |>>> IMHO, The logic is the same as for blockers. If there is a work |>>> around, it's not a blocker. So i am +0 on a 1.4.1 since there is a |>>> work around that can be documented. |>>> |>>> That said, If someone is willing to drive a 1.4.1 as the release |>>> manager, please do go ahead. |>>> |>>> thanks, |>>> dims |>>> |>>> On Tue, Jul 1, 2008 at 2:48 AM, Sanka Samaranayake <[EMAIL PROTECTED]> |>>> wrote: |>>>> Hi, |>>>> |>>>> For the users who is already using 1.4 version, the workaround would |> be |>>>> to |>>>> define policies in services.xml without using <wsa:PolicyAttachment>. |>>>> Then |>>>> the problem is that those policies will appear in <wsdl:PortType> |> which |>>>> is |>>>> not correct but security will apply for both format of service URLs. |>>>> |>>>> Hence +1 for fixing that issue and do 1.4.1 release. |>>>> |>>>> Thanks, |>>>> Sanka |>>>> |>>>> |>>>> On Mon, Jun 30, 2008 at 8:59 PM, Nandana Mihindukulasooriya |>>>> <[EMAIL PROTECTED]> wrote: |>>>>> Hi, |>>>>> There are few issues with Axis2 1.4 / Rampart 1.4 with the new |>>>>> policy |>>>>> configuration. The new policy configuration which allows us to apply |>>>>> policies to binding hierarchy is a great feature when in comes to ws |>>>>> security policy configuration. It allows security policies to be |>>>>> attached to |>>>>> the correct attachment points. But there are few issues that need to |> be |>>>>> fixed in Axis2 1.4. I will list them below. |>>>>> 1.) If we configure security using new configuration, service can |>>>>> be |>>>>> accessed without security. |>>>>> In Axis2 1.4, a service is exposed in two EPRs (consider |> SOAP |>>>>> 1.1 |>>>>> binding). |>>>>> eg. |>>>>> |>>>>> |>>>>> |> http://localhost:8080/axis2/services/SecureService.SecureServiceHttpSoap11Endpoint |>>>>> http://localhost:8080/axis2/services/SecureService |>>>>> But if we you set the policies using the new configuration, |>>>>> if |>>>>> you do a web service call to the older EPR, you can access the |> service |>>>>> without any security even though it is secured using the binding |>>>>> hierarchy. |>>>>> This happens because if we call the old EPR, it is not dispatched to |> a |>>>>> binding. But this leaves the service vulnerable. I think we should |>>>>> dispatch |>>>>> to one of the bindings may be using soap envelope version if we have |>>>>> only |>>>>> one binding with that soap version. We should have a way to dispatch |>>>>> messages which comes to old EPR to one of the bindings else we should |>>>>> have |>>>>> an option to disable that EPR. |>>>>> |>>>>> 2.) In the out flow, policies are not set correctly in the |> binding |>>>>> message. |>>>>> This is fixed in the trunk but this bug is there in Axis2 |>>>>> 1.4. |>>>>> |>>>>> So the option we have is to configure security using the old |>>>>> configuration. But then the problem is policies are attached to the |>>>>> port |>>>>> type which is the correct way to do if we have policies using |>>>>> <service>,<operation><message> tags. But this makes Axis2 not |>>>>> interoperable |>>>>> as security policies should be attached to binding hierarchy |> according |>>>>> WS |>>>>> Security policy specification. Ideally we should always use the new |>>>>> configuration to apply security. And code generation also doesn't |> work |>>>>> correctly when the policies attached to the port type (polices are |> not |>>>>> correctly attached to the stub). |>>>>> |>>>>> So I think it would be great if can consider a Axis2 1.4.1 with |>>>>> these |>>>>> things fixed. |>>>>> |>>>>> thanks, |>>>>> nandana |>>>> |>>>> -- |>>>> Sanka Samaranayake |>>>> WSO2 Inc. |>>>> |>>>> http://sankas.blogspot.com/ |>>>> http://www.wso2.org/ |>>> |>>> |>>> -- |>>> Davanum Srinivas :: http://davanum.wordpress.com |>>> |>>> --------------------------------------------------------------------- |>>> To unsubscribe, e-mail: [EMAIL PROTECTED] |>>> For additional commands, e-mail: [EMAIL PROTECTED] |>>> |> |> |> -- |> Davanum Srinivas :: http://davanum.wordpress.com |> |> --------------------------------------------------------------------- |> To unsubscribe, e-mail: [EMAIL PROTECTED] |> For additional commands, e-mail: [EMAIL PROTECTED] |> |> | | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFIchYLgNg6eWEDv1kRAo7lAKDKyTiR50/aWOSuc9d7pVPHQPUoeACgkg+A sQpm1+6vbyVf0CMQkT1aYXI= =hpVj -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
