Exactly what I was afraid of :( Sigh! This is a *very* slippery slope.
-- dims
Amila Suriarachchi wrote:
| On Mon, Jul 7, 2008 at 6:03 PM, Davanum Srinivas <[EMAIL PROTECTED]> wrote:
|
|> Nandana,
|>
|> +1 from me for you to be the Release Manager for 1.4.1
|
|
| +1 from me.
|
|>
|> IMHO, we should use 1.4 branch. The *ONLY* change should be the
|> security change. Nothing more.
|
| I think we need to fix any possible other critical issues as well,
| e.g. https://issues.apache.org/jira/browse/AXIS2-3870
| This is a memory leak and we need to fix this.
|
| thanks,
| Amila.
|
|
|
|>
|> thanks,
|> dims
|>
|> On Mon, Jul 7, 2008 at 6:50 AM, Nandana Mihindukulasooriya
|> <[EMAIL PROTECTED]> wrote:
|>> I would like to volunteer to be the release manager for Axis2 1.4.1.
|>>
|>> I think we can fix the critical issues in the 1.4 branch (or a 1.4.1
|>> branch) and do the 1.4.1 release. I don't think doing 1.4.1 from the
|>> trunk is the appropriate way, as trunk is now Java 1.5 and has a lot of
|>> major changes after Axis2 1.4. However, we can fix any issues that are
|>> not already fixed in the trunk at the same time when we fix those in
|>> the branch.
|>>
|>> Hope this is okay with Axis2 release guidelines.
|>>
|>> thanks,
|>> nandana
|>>
|>> On Tue, Jul 1, 2008 at 6:39 PM, Davanum Srinivas <[EMAIL PROTECTED]> wrote:
|>>> IMHO, the logic is the same as for blockers. If there is a
|>>> workaround, it's not a blocker. So I am +0 on a 1.4.1 since there is a
|>>> workaround that can be documented.
|>>>
|>>> That said, if someone is willing to drive a 1.4.1 as the release
|>>> manager, please do go ahead.
|>>>
|>>> thanks,
|>>> dims
|>>>
|>>> On Tue, Jul 1, 2008 at 2:48 AM, Sanka Samaranayake <[EMAIL PROTECTED]> wrote:
|>>>> Hi,
|>>>>
|>>>> For the users who are already using the 1.4 version, the workaround
|>>>> would be to define policies in services.xml without using
|>>>> <wsa:PolicyAttachment>. Then the problem is that those policies will
|>>>> appear in <wsdl:PortType>, which is not correct, but security will
|>>>> apply for both formats of service URLs.
|>>>>
|>>>> Hence +1 for fixing that issue and doing a 1.4.1 release.
|>>>>
|>>>> Thanks,
|>>>> Sanka
|>>>>
|>>>>
|>>>> On Mon, Jun 30, 2008 at 8:59 PM, Nandana Mihindukulasooriya
|>>>> <[EMAIL PROTECTED]> wrote:
|>>>>> Hi,
|>>>>> There are a few issues with Axis2 1.4 / Rampart 1.4 with the new
|>>>>> policy configuration. The new policy configuration, which allows us
|>>>>> to apply policies to the binding hierarchy, is a great feature when it
|>>>>> comes to WS Security policy configuration. It allows security policies
|>>>>> to be attached to the correct attachment points. But there are a few
|>>>>> issues that need to be fixed in Axis2 1.4. I will list them below.
|>>>>>
|>>>>> 1.) If we configure security using the new configuration, the service
|>>>>> can be accessed without security.
|>>>>> In Axis2 1.4, a service is exposed in two EPRs (consider the SOAP 1.1
|>>>>> binding), e.g.
|>>>>>
|>>>>> http://localhost:8080/axis2/services/SecureService.SecureServiceHttpSoap11Endpoint
|>>>>> http://localhost:8080/axis2/services/SecureService
|>>>>>
|>>>>> But if you set the policies using the new configuration, if you do a
|>>>>> web service call to the older EPR, you can access the service without
|>>>>> any security even though it is secured using the binding hierarchy.
|>>>>> This happens because if we call the old EPR, it is not dispatched to a
|>>>>> binding. But this leaves the service vulnerable. I think we should
|>>>>> dispatch to one of the bindings, maybe using the SOAP envelope version
|>>>>> if we have only one binding with that SOAP version. We should have a
|>>>>> way to dispatch messages which come to the old EPR to one of the
|>>>>> bindings, else we should have an option to disable that EPR.
|>>>>>
|>>>>> 2.) In the out flow, policies are not set correctly in the binding
|>>>>> message.
|>>>>> This is fixed in the trunk but this bug is there in Axis2 1.4.
|>>>>>
|>>>>> So the option we have is to configure security using the old
|>>>>> configuration. But then the problem is policies are attached to the
|>>>>> port type, which is the correct way to do it if we have policies using
|>>>>> <service>, <operation>, <message> tags. But this makes Axis2 not
|>>>>> interoperable, as security policies should be attached to the binding
|>>>>> hierarchy according to the WS Security policy specification. Ideally
|>>>>> we should always use the new configuration to apply security. And code
|>>>>> generation also doesn't work correctly when the policies are attached
|>>>>> to the port type (policies are not correctly attached to the stub).
|>>>>>
|>>>>> So I think it would be great if we can consider an Axis2 1.4.1 with
|>>>>> these things fixed.
|>>>>>
|>>>>> thanks,
|>>>>> nandana
|>>>>
|>>>> --
|>>>> Sanka Samaranayake
|>>>> WSO2 Inc.
|>>>>
|>>>> http://sankas.blogspot.com/
|>>>> http://www.wso2.org/
|>>>
|>>>
|>>> --
|>>> Davanum Srinivas :: http://davanum.wordpress.com
|>>>
|>>>
|>>>
|>
|>
|> --
|> Davanum Srinivas :: http://davanum.wordpress.com
|>
|>
|>
|
|
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
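
Added example, not part of the original thread and not Axis2 code: a simplified model of the dispatch gap described in issue 1.) and of the fix proposed there (dispatch the service-level EPR to the single binding with the request's SOAP version, otherwise refuse). All class and function names are hypothetical, and the SOAP 1.2 endpoint name is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    name: str                # endpoint name, as in the thread's first URL
    soap_version: str        # "1.1" or "1.2"
    requires_security: bool  # stands in for a policy attached to the binding

class DispatchError(Exception):
    """Request could not be tied to exactly one binding; fail closed."""

def split_epr(path):
    """'/axis2/services/Svc.Endpoint' -> ('Svc', 'Endpoint' or None)."""
    service, _, endpoint = path.rsplit("/", 1)[-1].partition(".")
    return service, endpoint or None

def dispatch_as_described(path, bindings):
    """Behaviour reported for 1.4: the service-level EPR gets no binding."""
    _, endpoint = split_epr(path)
    return next((b for b in bindings if b.name == endpoint), None)

def dispatch_proposed(path, soap_version, bindings, allow_service_epr=True):
    """Proposal from the thread: pick the single binding with the request's
    SOAP version, or refuse (covers the option to disable the old EPR)."""
    _, endpoint = split_epr(path)
    if endpoint is not None:
        found = dispatch_as_described(path, bindings)
        if found is None:
            raise DispatchError("unknown endpoint")
        return found
    if not allow_service_epr:
        raise DispatchError("service-level EPR disabled")
    matches = [b for b in bindings if b.soap_version == soap_version]
    if len(matches) != 1:
        raise DispatchError("no unique binding for SOAP " + soap_version)
    return matches[0]

def accepts(binding, request_is_secured):
    """A binding policy is enforced only when a binding was resolved."""
    return request_is_secured or binding is None or not binding.requires_security

# Constructed sample data mirroring the two EPRs quoted in the thread.
BINDINGS = [Binding("SecureServiceHttpSoap11Endpoint", "1.1", True),
            Binding("SecureServiceHttpSoap12Endpoint", "1.2", True)]
OLD_EPR = "/axis2/services/SecureService"
NEW_EPR = "/axis2/services/SecureService.SecureServiceHttpSoap11Endpoint"
```

In this model an unsecured request to OLD_EPR is accepted under dispatch_as_described and rejected under dispatch_proposed; with two bindings of the same SOAP version the proposed dispatcher raises instead of guessing.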