Let me clarify ... Rampart2 shows a potentially major issue in WSS4J/Rampart
- which is that it does policy validation *after* doing security processing,
giving a nice way to do a DoS attack.

I guess the issue with Rampart2 is it's by design a layer on top of Axiom with
its own XML Security impl ... which is what gives it its performance (avoiding
the conversion to DOM for C14N and XMLSec processing in WSS4J). I'm not sure
how it's possible to achieve good performance without avoiding XML Infoset
representation model conversion. That's why the Rampart2 work included C14N,
XML Security and WS-Security stuff. It has a ways to go in terms of finishing
all the stuff of course, but the approach has proven to deliver good results.

Sanjiva.

2009/6/16 Sanjiva Weerawarana <sanj...@opensource.lk>

> Um I'm confused Nandana ... I thought our strategy is Rampart2, which *is*
> policy-aware. Why would we invest anything into WSS4J at this point?
>
> Sanjiva.
>
> 2009/6/16 Nandana Mihindukulasooriya <nandana....@gmail.com>
>
>> +1, I also agree that Security Policy stuff should ideally be in WSS4J or
>> Neethi and eventually we should make WSS4J security policy aware. Both
>> Rampart and CXF will benefit from that.
>>
>> thanks,
>> Nandana
>>
>> On Mon, Jun 15, 2009 at 8:19 PM, Daniel Kulp <dk...@apache.org> wrote:
>>
>> >
>> > Some of you have noticed some discussions on WSCOMMONS-299. I've also
>> > been thinking about some of those issues and I DID have a discussion with
>> > Glen Daniels at TSSJS about the possibility of starting work on a Neethi
>> > 3.0. With the comments and stuff on WSCOMMONS-299, it might be time to
>> > really start it. Thus, I'd like to "svn cp" the trunk to a 2.x branch for
>> > future maintenance and start making trunk 3.0.
>> >
>> > Things I'd like tackled for 3.0:
>> >
>> > 1) Java 5 - make the collections and everything typed. Use Enums where
>> > appropriate, etc.... Basically, general cleanup. Also, I see that many
>> > operations aren't threadsafe due to use of HashMaps with no
>> > synchronization. Possibly fix those with ConcurrentHashMaps or similar.
>> >
>> > 2) Better support for the nested policies as described in WSCOMMONS-299.
>> >
>> > 3) Change the builders to use XMLStreamReader. The Policies use
>> > XMLStreamWriter. For consistency, using the reader is preferred. This
>> > also removes Axiom as a dependency, making the requirement list smaller.
>> >
>> > 4) With (3) fixed, most of the Neethi "fork" we have in CXF can be ported
>> > back. CXF has a few utilities and such that would be good to push back
>> > and then remove from CXF.
>> >
>> > 5) Once all of that is done, it would open up the door to allow some more
>> > "common" Policies objects for standard policies. Some could be in Neethi
>> > directly (things like policies objects for WS-Addressing assertions, MTOM
>> > stuff, etc...). Others, like the WS-SecurityPolicy stuff, could either go
>> > into Neethi or might be better in WSS4J. This could help eliminate a
>> > BUNCH of duplicate code between users of Neethi, particularly CXF and
>> > Rampart. (maybe if I keep pushing similar code down into commons, we can
>> > have a big merger in the future. Acxfis 3? Maybe not. :-) )
>> >
>> > 6) Support for WS-Policy 1.5.
>> >
>> > Anyway, if no one really objects to starting the 3.0 work, I'd like to
>> > create the 2.x branch later this week. Thoughts?
>> >
>> > BTW: This is also why I STRONGLY am in favor of Neethi staying in commons
>> > and not going to an Axis2 TLP.
>> >
>> > --
>> > Daniel Kulp
>> > dk...@apache.org
>> > http://www.dankulp.com/blog
>> >
>>
>
>
>
> --
> Sanjiva Weerawarana, Ph.D.
> Founder, Director & Chief Scientist; Lanka Software Foundation;
> http://www.opensource.lk/
> Founder, Chairman & CEO; WSO2, Inc.; http://www.wso2.com/
> Member; Apache Software Foundation; http://www.apache.org/
> Visiting Lecturer; University of Moratuwa; http://www.cse.mrt.ac.lk/
>
> Blog: http://sanjiva.weerawarana.org/
>



-- 
Sanjiva Weerawarana, Ph.D.
Founder, Director & Chief Scientist; Lanka Software Foundation;
http://www.opensource.lk/
Founder, Chairman & CEO; WSO2, Inc.; http://www.wso2.com/
Member; Apache Software Foundation; http://www.apache.org/
Visiting Lecturer; University of Moratuwa; http://www.cse.mrt.ac.lk/

Blog: http://sanjiva.weerawarana.org/

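An added illustration of the ordering problem raised at the top of this thread (policy validation running only after security processing). This is example code, not code from WSS4J, Rampart or Rampart2, and it is written in Python rather than Java so it runs stand-alone. A toy receiver performs the same two steps in both orders on a constructed SOAP envelope whose wsse:Security header carries many more ds:Signature elements than the policy allows, and a counter records how much digest work was done before the message was rejected. The Policy class, the envelope builder and the cost meter are assumptions of this example; digests are taken over element text instead of a canonicalized subtree, and the SignatureValue is never verified, which are deliberate simplifications.

```python
"""Policy-after-processing vs policy-first on a WS-Security header (toy model)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"


@dataclass(frozen=True)
class Policy:
    """Hypothetical stand-in for the WS-SecurityPolicy assertions a receiver enforces."""
    max_signatures: int = 1
    allowed_digests: frozenset = frozenset({SHA256_URI})


class SecurityFault(Exception):
    pass


def _digest(elem, algo_uri):
    # Simplification: hash the element's text content, not a C14N'd subtree.
    data = "".join(elem.itertext()).encode()
    if algo_uri == SHA256_URI:
        return hashlib.sha256(data).digest()
    if algo_uri == SHA1_URI:
        return hashlib.sha1(data).digest()
    raise SecurityFault("unsupported digest algorithm " + algo_uri)


def _security_header(root):
    hdr = root.find("soap:Header/wsse:Security", NS)
    if hdr is None:
        raise SecurityFault("no wsse:Security header")
    return hdr


def verify_references(root, meter):
    """Security processing: check every ds:Reference of every ds:Signature.
    meter[0] counts digest computations, the costly step in this toy (in a real
    stack it would be C14N + digest + the public-key signature check)."""
    id_attr = f"{{{NS['wsu']}}}Id"
    ids = {el.get(id_attr): el for el in root.iter() if el.get(id_attr)}
    for sig in _security_header(root).findall("ds:Signature", NS):
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            target = ids.get(ref.get("URI", "").lstrip("#"))
            if target is None:
                raise SecurityFault("dangling Reference URI")
            algo = ref.find("ds:DigestMethod", NS).get("Algorithm")
            expected = base64.b64decode(ref.findtext("ds:DigestValue", namespaces=NS))
            meter[0] += 1
            if _digest(target, algo) != expected:
                raise SecurityFault("digest mismatch")


def check_policy(root, policy):
    """Policy validation: a cheap structural check that needs no crypto at all."""
    sigs = _security_header(root).findall("ds:Signature", NS)
    if len(sigs) > policy.max_signatures:
        raise SecurityFault(f"{len(sigs)} signatures, policy allows {policy.max_signatures}")
    for sig in sigs:
        for dm in sig.iterfind("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS):
            if dm.get("Algorithm") not in policy.allowed_digests:
                raise SecurityFault("digest algorithm not in policy's AlgorithmSuite")


def receive(xml_text, policy, policy_first):
    """Returns (accepted, digests_computed, reason) for one inbound envelope."""
    root = ET.fromstring(xml_text)
    meter = [0]
    try:
        if policy_first:
            check_policy(root, policy)
            verify_references(root, meter)
        else:  # the ordering the thread complains about
            verify_references(root, meter)
            check_policy(root, policy)
        return True, meter[0], "ok"
    except SecurityFault as e:
        return False, meter[0], str(e)


def build_envelope(n_signatures, digest_uri=SHA256_URI):
    """Constructed attacker message: n valid-looking signatures over the Body.
    The SignatureValue is a dummy; only reference digests are checked above."""
    h = hashlib.sha256 if digest_uri == SHA256_URI else hashlib.sha1
    digest = base64.b64encode(h(b"IBM").digest()).decode()
    sig = (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#body">'
           f'<ds:DigestMethod Algorithm="{digest_uri}"/><ds:DigestValue>{digest}</ds:DigestValue>'
           f'</ds:Reference></ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>')
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}" '
            f'xmlns:wsu="{NS["wsu"]}" xmlns:ds="{NS["ds"]}"><soap:Header><wsse:Security>'
            f'{sig * n_signatures}</wsse:Security></soap:Header>'
            f'<soap:Body wsu:Id="body"><q:getQuote xmlns:q="urn:example">IBM</q:getQuote></soap:Body>'
            f'</soap:Envelope>')


if __name__ == "__main__":
    for order in (False, True):
        print("policy_first =", order, "->", receive(build_envelope(500), Policy(), order))
```

Run stand-alone, the process-then-validate order performs 500 digest computations before rejecting the envelope as a policy violation; the validate-first order rejects it after zero. The same asymmetry applies to a single signature using an algorithm the policy's AlgorithmSuite does not permit: policy-first rejects it with no crypto work, processing-first does the work and then rejects it.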