On XAdES what goes for the EncapsulatedTimeStamp element? The TSTInfo or the TimeStampToken?
I found that is the Timestamp token according to https://www.etsi.org/deliver/etsi_ts/101900_101999/101903/01.04.02_60/ts_101903v010402p.pdf.
note that the term time-stamp token used thorought the present
document does NOT refer to the TSA's response to a requesting client,
but the token generated by the TSA, which is present within this
response. In the case of RFC 3161 [10] protocol, the time-stamp token
term is referring to the timeStampToken field within the TimeStampResp
element (the TSA's response returned to the requesting client).
Related
How to verify response of below type which has dynamic value and need to be validated against test data in Examples section of scenario outline
Original response:(This is one of the key and value of the response, actual response has multiple key value. I am stuck at this point)
"NAVIGATION_KEY": "{"m_Schema":"Schema_DE_TEST","m_TableName":"PTR_DETAIL","m_KeyValues":[{"m_KeyName":"CTRY_CODE","m_KeyValue":"US"},{"m_KeyName":"CMP_CODE","m_KeyValue":"TEST"},{"m_KeyName":"PTNR_SEQ_NUM","m_KeyValue":"5648545"},{"m_KeyName":"TNS_ID","m_KeyValue":"845421"},{"m_KeyName":"TNS_TYPE","m_KeyValue":"SO"}]}",
Below is how i have parameterized, but it is not working. It is not replacing with the test data from Examples.
"NAVIGATION_KEY": "{"m_Schema":"Schema_DE_#(expectedOrg)","m_TableName":"PTR_DETAIL","m_KeyValues":[{"m_KeyName":"CTRY_CODE","m_KeyValue":"US"},{"m_KeyName":"CMP_CODE","m_KeyValue":"#(expectedOrg)"},{"m_KeyName":"PTNR_SEQ_NUM","m_KeyValue":"#notnull"},{"m_KeyName":"TNS_ID","m_KeyValue":"#notnull"},{"m_KeyName":"TNS_TYPE","m_KeyValue":"#(expectedType)"}]}",
Background: Suppose I want to verify the ownership of some tweet or some picture by looking up the data in the blockchain. If my understanding is correct, I need to be able to assign a unique tokenId that represents that tweet/picture.
Question 1: Is there some standardization on how this ID is assigned? Do different platform perform this mapping in a unique way? I feel like without such a standardization, the non-fungibility becomes questionable (e.g., do you really own this tweet, or do you only own it if you apply the tweet->token ID mapping you crafted yourself?).
Question 2: Could you provide a few examples of how exactly is the token ID assigned to some (well-known) NFTs?
Is there some standardization on how this ID is assigned?
The ERC-721 standard explicitly states that there is no standard to assign the ID (except for the uint256 datatype):
While some ERC-721 smart contracts may find it convenient to start with ID 0 and simply increment by one for each new NFT, callers SHALL NOT assume that ID numbers have any specific pattern to them, and MUST treat the ID as a “black box”.
e.g., do you really own this tweet, or do you only own it if you apply the tweet->token ID mapping
Token ownership does not mean that you own the underlying resource. It only means that you own the token (representing the resource).
Could you provide a few examples of how exactly is the token ID assigned to some (well-known) NFTs?
CryptoKitties - link, line 412, incrementing
uint256 newKittenId = kitties.push(_kitty) - 1;
CryptoPunks - link, lines 73 and 83, assigning ID set by the (authorized) caller
mapping (uint => address) public punkIndexToAddress;
function setInitialOwner(address to, uint punkIndex) {
// ...
punkIndexToAddress[punkIndex] = to;
When an NFT is minted with a smart contract, associated with the NFT TokenID, the block chain also typically records a URI (universal resource identifier) that points to the NFT metadata (usually a json file). This URI can be obtained by querying the blockchain via the smart contract address and TokenID. The json file itself includes, among other things, another URI that points to the digital asset linked with the NFT. If immutable URIs are used (e.g. IPFS URIs), the URI recorded in the block chain for the NFT TokenID is unambiguously linked to the unchangeable json file which unambiguously links to the unchangeable digital asset. As Petr correctly points out, technologically, nothing prevents anyone else from minting another NFT that also records the same URI and therefore points to the same json file (and by transitivity to the same digital asset). I've tried to be precise in the preceding statements to avoid incorrect extrapolatory claims that would actually depend on the smart contract implementation details.
Let's suppose an application with a table with pagination.
The table shows indexed items (item1, item2,... itemN).
The pagination result is provided by a REST GET call like /items
The detail of an item is provided by a GET call like /items/1 or /items/N
The question is: Which is the best way to secure accessing a not allowed item.
For instance.
a) user call to /items results in {1 ,2, 3, 4, 5} whichs prints a
table with links to each detailed item.
b) prevent a call to /item/6
Only stateless solution please, Thanks!
Not sure I completely understand your problem. What it seems to me is that you want to have item level authorization. For example, user A should only see items 1, 3 and 5, while user B should see items 1, 2, 3 and 6. If that is the case, you should enforce the authorization constraints for both the list and for the individual items.
If what you want is that a user can only access items he has listed before, you are not in a stateless context. The result of the call to the item is dependent on the previous call. So you have a state. You can move the state around, move it to the client, but it will still be state.
If what you want is the second option and you want your service to remain mostly stateless, have a look into capability base security. Basically, your list needs to return a cryptographic token that needs to be used by the client in order to access the individual items.
Basically, instead of returning just the items IDs, add a cryptographic token with it:
[
{ id = 1, token = 'XXX'},
{ id = 2, token = 'YYY'}
]
The token will be composed of :
a nonce
en expiry date
the item ID to be authorized
a cryptographic signature of the above elements
You sign the authorization token with your server private key, so nobody can forge it. You ask the client to add this token to any request (as an HTTP header). So the server can validate that the client has received an authorization.
You can add the username to the token to make sure the authorization cannot be reused by someone else.
Note that I just describe this implementation from memory. As always with security, please double check anything I tell you ;-)
i am using postages Db for my services.When Null defined for any fields DSS giving Some object so my front end also getting same object .But they are expecting "NULL" instead of this they are getting {#nil":"true"}
How can i get NULL value As NULL only and its creating its own name space also for this row
http://www.w3.org/2001/XMLSchema-instance"
username password
=========== ============
NULL NULL
kk a123
for above i am getting like this fro WSO2dss side
<Datalist>
<username xmlns="http:sps.in" xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<password xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</Datalist>
from my wso2esb side i am getting JSON like this
{"Body":{"Datalist":{"username":{"#nil":"true"},"password":{"#nil":"true"}}}}
But my front end service expecting in this below format where can modify for above this
{"Body":{"Datalist":{"username":"NULL","password":"NULL"}}}
In XML, the standard/recommended way to indicate that the value of a particular XML node is NULL, is via the notation [xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"]. If any standard XML parser comes across this particular notation, the element which contains the aforesaid notation is treated as an element with NULL as its value. This is particularly useful, when there are values such as "NULL" (not the actual NULL but a string containing the characters, "N","U","L","L") as there's no way to distinguish the real NULL values and "NULL" character streams.
Therefore, the best way to handle this scenario would be to check for #nil attribute at client side while parsing the JSON content that returns as the response of the web service invocation. Alternatively, you can add an XSLT transformation at the data service query level to transform the response (in XML format which gets processed internally within DSS before returning JSON content) the way you want so that you'll be able to add any custom rules and transform the response before it is returned to the client side. You can refer to the sample data service named "ExcelSampleService.dbs" located in "DSS_HOME/samples/dbs/excel/" directory in the product package for an example on how this is done.
Hope this helps!
Regards,
Prabath
It worked for me. I just put that two atributtes (xsi:nil, xmlns:xsi) into my XML by changing my AS (Application Server) like this:
public static OMElement addAttributeNull(OMElement parametro){
parametro.addAttribute("xmlns:xsi", "http://www.w3.org/2001/XMLSchema-instance", null);
parametro.addAttribute("xsi:nil", "true", null);
return parametro;
}
I have the following state machine and I want this:
create a new order
add items into it (listing is optional)
confirm order by calling finish
pay for it
send it
And this flow is controlled via a REST web service and I'm not sure which method follows the REST principles better.
I came up with two possibilities (numbers below correspond with numbers above):
the first one - operation is specified by the path
1.
POST /create HTTP/1.1
2.
POST /addItem HTTP/1.1
<data>
<itemId>123</itemId>
</data>
GET /listItems HTTP/1.1
3.
POST /finish HTTP/1.1
4.
POST /pay HTTP/1.1
<data>
<price>123</price>
</data>
5.
POST /send HTTP/1.1
the second one - operation is specified in the body
1.
POST / HTTP/1.1
<data>
<operation>create.new.order</operation>
</data>
- returns resId
2.
PUT /{resId} HTTP/1.1
<data>
<itemId>123</itemId>
</data>
GET /items HTTP/1.1
3.
PUT /{resId} HTTP/1.1
<data>
<operation>finish.order</operation>
</data>
4.
PUT /{resId} HTTP/1.1
<data>
<price>123</price>
<operation>pay.order</operation>
</data>
5.
PUT /{resId} HTTP/1.1
<data>
<operation>send.order</operation>
</data>
The second solution seems better but I don't know if I can specify an operation in the request's body - is it ok or not?
Also I'm not sure if I should use PUT or POST at 3 and 5 in the second solution because I don't really update the resourse, I just change the state machine's state.
If none of these is correct how should I do it?
How about:
POST /orders
From that you get back a 201 Created response, along with a Content-Location header which specifies the URL of the just-created order, something like /orders/2876276
ok, then to add an item to an existing order:
POST /orders/2876276
The message can include url-encoded form data, specifying whatever you'd like to add to the order.
Then,
GET /orders/2876276
...gets some representation of the order. You could do content-type negotiation to figure out whether to format it as json, xml, or whatever. The response message would provide all the information about the order that you wish to share with the requester. Date received, status, order items, and so on.
I don't know what FINISH is exactly, but from my naive view it is just a special kind of update to the order item, so that is just another POST with special form data. After a POST with finish, the response to a GET will include a special indicator stating that the order is "complete."
To handle the payment, you may just use another POST on the same order. If your design calls for tracking accounts receivable, then you may have another object entirely. In other words if there is not one payment per order, but if a customer gets billed monthly or on some other rhythm, then you would have another object category like /accounts/39839. But in the simple case you could just use the order object to track payment state.
So, POST to an order URL to provide credit-card or paypal information to obtain payment. Subsequently, a GET will retrieve a representation that includes the order has been paid for.
The "Send" is not an HTTP request, I would think. Send is something YOU do to fulfill the order after receiving payment. Perhaps some system in your shop can post to /orders/872872872 to mark it sent. Subsequently, a GET will retrieve a representation that includes the order has been shipped, with maybe a tracking number.
I would be careful about using PUT. PUT indicates a insertion of an entire object into a repository, and implicit replacement if the object already exists. But your model doesn't call for that. The order manager manages the order, and exposes a limited set of operations (create, add item, etc) on each order. Insertion of an entire order is not one of those operations. Therefore PUT seems like the wrong thing in your scenario.
PUT would be right if you were inserting a document into a repository. For example imagine an auction where you offer an item for sale. You might use POST to create the auction item, then receive /items/29829 as the URL for the item. Then a PUT might be used to add an image to the item being auctioned - you might PUT to /items/29829/mainImage or something like that. PUT implies you know the URL of the thing to which you are PUT-ting.
you asked:
I don't know if I can specify an operation in the request's body - is it ok or not?
HTTP has only a limiited set of verbs. Your "order" object has a variety of states. You need to map the HTTP verbs to the state transitions. It makes sense to use POST to the order object for each state transition or state change. You might think of this as specifying "an operation" in the request body, but to me it is specifying the details of the request in the request body. This is precisely what the request body is for.
For more background, check out How to get a cup of coffee.