Hi Prabath,
I just tried a couple of simple tests, using the signing+encryption
policy on the server and trying different variations of policy
(including no policy) on the client with both Metro and Axis2. All the
client variations were rejected by the server in both cases, so at least
at this basic level both Metro and Axis2/Rampart are enforcing the
server policy.
What sort of shortfalls did you see in Metro's policy-based validations?
- Dennis
Prabath Siriwardena wrote:
Hi Dennis;
Nice analysis...
Does Metro do policy based validations?
Rampart does validations at two levels - first validation at the
message level with info gathered from the message itself - and then
validate the entire message with the defined policy.
If somebody skips the second step - it could open up holes for attacks
like XML wrapping attacks.
I found a few occasions where Metro doesn't do policy based validations.
Would be glad if you could please confirm it.
Thanks & regards.
-Prabath
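The second, policy-level step Prabath describes, as an added example (not Rampart's or Metro's code): assuming the message-level step has already verified the XML Signature and located the signed element by its wsu:Id, this check confirms that the element is the real soap:Body, a direct child of soap:Envelope, and that its Id belongs to no other element, so a signed copy parked under a wrapper in the Header cannot satisfy a policy that says "Body must be signed". The SOAP messages, namespace map and function names are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def signed_ids(env):
    """wsu:Id values that the signature's ds:Reference elements point at (URI="#id")."""
    refs = env.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return {r.get("URI", "")[1:] for r in refs if r.get("URI", "").startswith("#")}


def body_is_policy_signed(xml_text):
    """Policy step: the element that really is soap:Body (direct child of
    soap:Envelope) must carry a wsu:Id the signature covers, and that Id must
    belong to no other element, so the verified digest cannot have been
    computed over a copy placed elsewhere in the message."""
    env = ET.fromstring(xml_text)
    body = env.find("soap:Body", NS)  # direct child only; never locate it with .//
    if body is None or body.get(WSU_ID) not in signed_ids(env):
        return False
    holders = [e for e in env.iter() if e.get(WSU_ID) == body.get(WSU_ID)]
    return holders == [body]


# Constructed test messages; the SignatureValue is omitted because step one
# (cryptographic verification of the referenced element) is assumed to have passed.
HEAD = ('<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" '
        'xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">' % NS)
SIG = ('<wsse:Security><ds:Signature><ds:SignedInfo>'
       '<ds:Reference URI="#body-1"/></ds:SignedInfo></ds:Signature></wsse:Security>')
SIGNED_BODY = '<soap:Body wsu:Id="body-1"><getBalance/></soap:Body>'

# Signed Body sits where the policy expects it: accepted.
GOOD = HEAD + '<soap:Header>' + SIG + '</soap:Header>' + SIGNED_BODY + '</soap:Envelope>'
# Signed Body moved under a wrapper in the Header, unsigned Body in its place: rejected.
WRAPPED = (HEAD + '<soap:Header>' + SIG + '<Wrapper>' + SIGNED_BODY + '</Wrapper>'
           '</soap:Header><soap:Body wsu:Id="body-2"><transfer/></soap:Body></soap:Envelope>')
# Same layout but the replacement Body reuses the signed Id: Id lookup is ambiguous, rejected.
DUP_ID = WRAPPED.replace('wsu:Id="body-2"', 'wsu:Id="body-1"')
```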
Dennis Sosnoski wrote:
Following up on some earlier discussions of Axis2/Rampart WS-Security
performance, devWorks has now published my latest article in the Java
Web Services series, comparing Axis2/Rampart with Metro WS-Security
performance: http://www.ibm.com/developerworks/java/library/j-jws11/
The results are very bad for Axis2/Rampart, with Metro more than
twice as fast overall in the WS-Security tests.
As mentioned in the article, some timing tests with
org.apache.rampart.TIME logging seemed to indicate that a lot of the
overhead is actually occurring outside the Rampart handler. I suspect
that Axis2 has fallen into the same performance pit as Axis in doing
conversions to and from different forms of the message.
If anyone is interested in investigating further, the full source
code for the performance comparison is available as a download from
the article.
- Dennis