Re: Ideas for 2.2

[Bharath Ganesh]

On Sat, Jun 21, 2008 at 2:35 AM, Glen Mazza <[EMAIL PROTECTED]> wrote:

>
> >>BTW, Fred, I'm reading "SOA Security" by publisher Manning right now, it
> says
> >>WSS4J is for Axis 1.x while Rampart is for Axis 2.0.  That doesn't seem
> >>correct--isn't WSS4J used with both Axis1 and Axis2?  Or is it just that
> >>Rampart uses WSS4J internally?


Yes Rampart is an Axis2 module on top of WSS4J, with a WS-SecurityPolicy
implementation, some features to send parts of message by MTOM and some
other additional configurations.

Thanks
Bharath
http://thoughts.bharathganesh.com


>
>
> As for the caching of the nonces, don't Axis 1 and Axis2 handle that
> themselves (because WSS4J can't do it itself right now, perhaps)?  You want
> to make sure that if Client X made a request with nonce = 4, no more
> requests of X with that nonce value within the timeout period are made, so
> that offhand would appear to be something that the web service provider can
> handle.  Then again, maybe this caching can be handled by WSS4J--less work
> for us.
>
> As for WS-SecureConversation, AFAICT it is just a generalization of
> WS-Security[1]--the tokens (of whatever type, Kerberos, SAML,
> UsernameToken,
> or whatever) are not continually regenerated/resent for each reply/request.
> It's primarily a performance issue--WS-SC makes things faster.  So I'm not
> exactly clear when you write "I think the right way to tackle that is to
> integrate with Kerberos and the GSS-API"--I think, whatever you do
> WS-SC-wise, would need to be generalized for *all* token profiles, not just
> Kerberos.  But I'm hardly the most knowledgable on this stuff.
>
> Regards,
> Glen
>
> [1] http://blogs.sun.com/trustjdg/entry/metro_and_netbeans_for_secure
>
>
>
> Fred Dushin-3 wrote:
> >
> > I think the right place for nonce support is in WSS4J, itself, though
> > honestly, a lot of work needs to be done to WSS4J to get it "up to
> > snuff" with CXF.  (Java5, JaxB support, maven, etc etc)
> >
> > I'd like to get a sense of what people need, in terms of WS-
> > SecureConversation and WS-Trust support.  What are the real use-cases
> > people need these specs for?  Could we talk about specific interop
> > scenarios, for example?  (WCF and Cardspace are fertile ground)
> >
> > As far as SAML support in WSS4J, yes, there is some support for this
> > profile, but we've run into a few issues:
> >
> >   1. It's using an outdated version of the opensaml libraries, and the
> > opensaml team is reluctant to support the version WSS4J is using;
> >   2. WSS4J doesn't provide much more than parsing support (using non-
> > standard representation of SAML data types) and signature support.
> > There is no support, AFAIK, of the various subject confirmation method
> > processing requirements dictated by the WS-Security SAML profile,
> > which is really the only guarantee of security (if you care about that
> > kind of thing).
> >   3. The opensaml folks seem reluctant to use JAX-B types for the
> > represenation of SAML Assertions.
> >
> > WS-SecureConversation is a big topic, and as I've discussed before in
> > this forum, I think the right way to tackle that is to integrate with
> > Kerberos and the GSS-API.  Otherwise, we'd probably find ourselves re-
> > inventing the kerberos authentication protocol, and chances are, we'd
> > get it wrong.  Why not tie in to a KDC, be it MIT'a, Heimdal'a, or
> > even, dare I even say it, ActiveDirectory?  (Personally, my feeling is
> > that this sort of feature would have the most real value to users, as
> > it would give you integrated SSO into your web services, based simply
> > on your windows domain -- or PAM -- login.  Death to passwords.)
> >
> > I'd also vote for client-side support for WS-SecurityPolicy.  That's a
> > big requirement for interop with WCF, for example, and it should help
> > to simplify config a lot.
> >
> > -Fred
> >
> > On Jun 18, 2008, at 9:32 PM, Glen Mazza wrote:
> >
> >> I think our WSS4J interceptors really need to support "nonces"--IIRC
> >> according to WS-Security w/UsernameToken profile web service calls
> >> aren't really secure if those aren't included with the username,
> >> password, and timestamp. I am still not sure if WSS4J supports the
> >> SAML
> >> Token Profile, but that would also something we probably need.  Having
> >> WS-SecureConversation would not be very meaningful for either SAML or
> >> UsernameTokens if we don't have the latter two working yet.  (The
> >> other
> >> profile--X.509--I don't know how well that is supported presently, but
> >> if working, WS-SecureConversation then becomes sensible.)
> >>
> >> Possibly also, an ability to support Sun's XWSS product in addition to
> >> WSS4J (although I'm aware of the performance issues you had mentioned
> >> earlier), a nice-to-have since Spring-WS apparently supports both.
> >>
> >> Perhaps also WSDL 2.0?
> >>
> >> Glen
> >>
> >>
> >> 2008-06-18 Daniel Kulp wrote:
> >>> Now that 2.1.1 is being voted on, I'd like to step back a bit an

Re: Ideas for 2.2

[Glen Mazza]

BTW, Fred, I'm reading "SOA Security" by publisher Manning right now, it says
WSS4J is for Axis 1.x while Rampart is for Axis 2.0.  That doesn't seem
correct--isn't WSS4J used with both Axis1 and Axis2?  Or is it just that
Rampart uses WSS4J internally?  I'm trying to get a feel for how up-to-date
WSS4J is.

As for the caching of the nonces, don't Axis 1 and Axis2 handle that
themselves (because WSS4J can't do it itself right now, perhaps)?  You want
to make sure that if Client X made a request with nonce = 4, no more
requests of X with that nonce value within the timeout period are made, so
that offhand would appear to be something that the web service provider can
handle.  Then again, maybe this caching can be handled by WSS4J--less work
for us.

As for WS-SecureConversation, AFAICT it is just a generalization of
WS-Security[1]--the tokens (of whatever type, Kerberos, SAML, UsernameToken,
or whatever) are not continually regenerated/resent for each reply/request.
It's primarily a performance issue--WS-SC makes things faster.  So I'm not
exactly clear when you write "I think the right way to tackle that is to
integrate with Kerberos and the GSS-API"--I think, whatever you do
WS-SC-wise, would need to be generalized for *all* token profiles, not just
Kerberos.  But I'm hardly the most knowledgable on this stuff.

Regards,
Glen

[1] http://blogs.sun.com/trustjdg/entry/metro_and_netbeans_for_secure



Fred Dushin-3 wrote:
> 
> I think the right place for nonce support is in WSS4J, itself, though  
> honestly, a lot of work needs to be done to WSS4J to get it "up to  
> snuff" with CXF.  (Java5, JaxB support, maven, etc etc)
> 
> I'd like to get a sense of what people need, in terms of WS- 
> SecureConversation and WS-Trust support.  What are the real use-cases  
> people need these specs for?  Could we talk about specific interop  
> scenarios, for example?  (WCF and Cardspace are fertile ground)
> 
> As far as SAML support in WSS4J, yes, there is some support for this  
> profile, but we've run into a few issues:
> 
>   1. It's using an outdated version of the opensaml libraries, and the  
> opensaml team is reluctant to support the version WSS4J is using;
>   2. WSS4J doesn't provide much more than parsing support (using non- 
> standard representation of SAML data types) and signature support.   
> There is no support, AFAIK, of the various subject confirmation method  
> processing requirements dictated by the WS-Security SAML profile,  
> which is really the only guarantee of security (if you care about that  
> kind of thing).
>   3. The opensaml folks seem reluctant to use JAX-B types for the  
> represenation of SAML Assertions.
> 
> WS-SecureConversation is a big topic, and as I've discussed before in  
> this forum, I think the right way to tackle that is to integrate with  
> Kerberos and the GSS-API.  Otherwise, we'd probably find ourselves re- 
> inventing the kerberos authentication protocol, and chances are, we'd  
> get it wrong.  Why not tie in to a KDC, be it MIT'a, Heimdal'a, or  
> even, dare I even say it, ActiveDirectory?  (Personally, my feeling is  
> that this sort of feature would have the most real value to users, as  
> it would give you integrated SSO into your web services, based simply  
> on your windows domain -- or PAM -- login.  Death to passwords.)
> 
> I'd also vote for client-side support for WS-SecurityPolicy.  That's a  
> big requirement for interop with WCF, for example, and it should help  
> to simplify config a lot.
> 
> -Fred
> 
> On Jun 18, 2008, at 9:32 PM, Glen Mazza wrote:
> 
>> I think our WSS4J interceptors really need to support "nonces"--IIRC
>> according to WS-Security w/UsernameToken profile web service calls
>> aren't really secure if those aren't included with the username,
>> password, and timestamp. I am still not sure if WSS4J supports the  
>> SAML
>> Token Profile, but that would also something we probably need.  Having
>> WS-SecureConversation would not be very meaningful for either SAML or
>> UsernameTokens if we don't have the latter two working yet.  (The  
>> other
>> profile--X.509--I don't know how well that is supported presently, but
>> if working, WS-SecureConversation then becomes sensible.)
>>
>> Possibly also, an ability to support Sun's XWSS product in addition to
>> WSS4J (although I'm aware of the performance issues you had mentioned
>> earlier), a nice-to-have since Spring-WS apparently supports both.
>>
>> Perhaps also WSDL 2.0?
>>
>> Glen
>>
>>
>> 2008-06-18 Daniel Kulp wrote:
>>> Now that 2.1.1 is being voted on, I'd like to step back a bit and  
>>> talk
>>> a little about ideas for the next versions.
>>>
>>> First, most likely, we'll need to do a 2.1.2 release in about 6-8
>>> weeks (and maybe 2.0.8 as well).   We've done a very good job of
>>> getting fixes out to our users in a timely manner and I'd like to  
>>> keep
>>> that up, but I also would like to think about 2.2 a bit as well.   I
>>> haven't created the 2.1.x fi

[RESULT] [VOTE] Release CXF 2.0.7

[Daniel Kulp]

We have 15 +1 votes, 12 are PMC binding.  Thus, this vote passes.

PMC: dkulp, jgenender, seanoc, ubhole, apaibir, eglynn, bmargulies,  
ffang, wjiang, gnodet, jgawor, pjones

Committer: bganesh,
Other: ekanu, gsauthier

I'll get the artifacts released.

Dan



On Jun 17, 2008, at 10:44 AM, Daniel Kulp wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



This is a vote to release CXF 2.0.7

Once again, there have been a bunch of bug fixes and enhancements that
have been done compared to the 2.0.7 release.   Over 48 JIRA issues  
are
resolved for 2.0.7 which is a large number of fixes for the 2.0.x  
branch.



The staging area is at:
http://people.apache.org/~dkulp/stage_cxf/2.0.7

The distributions are in the "dist" directory. The "maven" directory
contains the stuff that will by pushed to the central repository.

This release is tagged at:
http://svn.apache.org/repos/asf/incubator/cxf/tags/cxf-2.0.7


Here is my +1.   The vote will be open here for at least 72 hours.


- ---
Daniel Kulp
[EMAIL PROTECTED]
http://www.dankulp.com/blog




-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.4 (Darwin)

iD8DBQFIV83Qq8juObtVB0YRAk9IAJ94zSGaE98mw4z2UOdcCeX8HzAntACfb4Zv
Px3oDUHzRTC53LDAs2yxIz8=
=fif0
-END PGP SIGNATURE-


---
Daniel Kulp
[EMAIL PROTECTED]
http://www.dankulp.com/blog

[RESULT] [VOTE] Release CXF 2.1.1

[Daniel Kulp]

We have 13 +1 votes, 10 PMC binding:

+1 PMC: dkulp, jgenender, seanoc, ubhole, apaibir, eglynn, bmargulies,  
ffang, wjiang, jgawor

+1 Committer: bganesh
+1 Other: ekanu, plipka

Thus, this vote passes.   I'll get the artifacts released.

Dan


On Jun 17, 2008, at 10:41 AM, Daniel Kulp wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


This is a vote to release CXF 2.1.1

Once again, there have been a bunch of bug fixes and enhancements that
have been done compared to the 2.1 release.   Over 74 JIRA issues are
resolved for 2.1.1 which is a large number of fixes.


The staging area is at:
http://people.apache.org/~dkulp/stage_cxf/2.1.1

The distributions are in the "dist" directory. The "maven" directory
contains the stuff that will by pushed to the central repository.

This release is tagged at:
http://svn.apache.org/repos/asf/incubator/cxf/tags/cxf-2.1.1


Here is my +1.   The vote will be open here for at least 72 hours.


- ---
Daniel Kulp
[EMAIL PROTECTED]
http://www.dankulp.com/blog




-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.4 (Darwin)

iD8DBQFIV80oq8juObtVB0YRAiLyAJ9+HiWq61I9JZ01kRpr4g+L1O7woQCcCHbK
G1xxwnA5MSe77DORVGTRy3o=
=cx57
-END PGP SIGNATURE-


---
Daniel Kulp
[EMAIL PROTECTED]
http://www.dankulp.com/blog

Re: unrecognized parameter -Xdv

[Daniel Kulp]

Hmm.. I'm not seeing any problems on OSX or Linux.

If I do "rm -rf ~/.m2/repository ; mvn -Pfastinstall", it proceeds to  
build everything OK.  (although it takes a while to download  
everything :-( )


Dan



On Jun 20, 2008, at 10:55 AM, Peter Jones wrote:



Hi there,

When building the cxf-2.1.1 source distribution, or trunk for that  
matter,
with a clean local maven repo, from the top level directory, I see  
an error

like this when it reaches testutils:

[...]
[INFO] [cxf-codegen:wsdl2java {execution: generate-sources}]
[INFO] [cxf-common-xsd:xsdtojava {execution: generate-sources}]
unrecognized parameter -Xdv

Usage: xjc [-options ...]  ... [-b  
] ...

If dir is specified, all schema files in it will be compiled.
If jar is specified, /META-INF/sun-jaxb.episode binding file will be
compiled.
Options:
[...]
org.apache.tools.ant.ExitException: ExitException: status -1
   at  
org 
.apache 
.tools 
.ant 
.util 
.optional.NoExitSecurityManager.checkExit(NoExitSecurityManager.java: 
38)

   at java.lang.Runtime.exit(Runtime.java:88)
   at java.lang.System.exit(System.java:869)
   at com.sun.tools.xjc.Driver._main(Driver.java:126)
   at com.sun.tools.xjc.Driver.access$000(Driver.java:74)
   at com.sun.tools.xjc.Driver$1.run(Driver.java:96)
[INFO]  


[ERROR] BUILD ERROR
[INFO]  


[INFO] ExitException: status -1

If I build inside the testutils directory, there's no problem.  So  
it only

happens from the top level directory.  Has anyone else seen this?

Using java 1.5.0_12 and I've tried with maven 2.0.7 and 2.0.9.

Cheers,
Peter

--
Peter Jones
IONA Technologies
E-Mail: mailto:[EMAIL PROTECTED]
Tel: 709-738-3725 x321 | Fax: 709-738-3745
570 Newfoundland Drive, St. John's, NL, Canada A1A 5B1


---
Daniel Kulp
[EMAIL PROTECTED]
http://www.dankulp.com/blog

Re: Ideas for 2.2

[Fred Dushin]

I think the right place for nonce support is in WSS4J, itself, though  
honestly, a lot of work needs to be done to WSS4J to get it "up to  
snuff" with CXF.  (Java5, JaxB support, maven, etc etc)


I'd like to get a sense of what people need, in terms of WS- 
SecureConversation and WS-Trust support.  What are the real use-cases  
people need these specs for?  Could we talk about specific interop  
scenarios, for example?  (WCF and Cardspace are fertile ground)


As far as SAML support in WSS4J, yes, there is some support for this  
profile, but we've run into a few issues:


 1. It's using an outdated version of the opensaml libraries, and the  
opensaml team is reluctant to support the version WSS4J is using;
 2. WSS4J doesn't provide much more than parsing support (using non- 
standard representation of SAML data types) and signature support.   
There is no support, AFAIK, of the various subject confirmation method  
processing requirements dictated by the WS-Security SAML profile,  
which is really the only guarantee of security (if you care about that  
kind of thing).
 3. The opensaml folks seem reluctant to use JAX-B types for the  
represenation of SAML Assertions.


WS-SecureConversation is a big topic, and as I've discussed before in  
this forum, I think the right way to tackle that is to integrate with  
Kerberos and the GSS-API.  Otherwise, we'd probably find ourselves re- 
inventing the kerberos authentication protocol, and chances are, we'd  
get it wrong.  Why not tie in to a KDC, be it MIT'a, Heimdal'a, or  
even, dare I even say it, ActiveDirectory?  (Personally, my feeling is  
that this sort of feature would have the most real value to users, as  
it would give you integrated SSO into your web services, based simply  
on your windows domain -- or PAM -- login.  Death to passwords.)


I'd also vote for client-side support for WS-SecurityPolicy.  That's a  
big requirement for interop with WCF, for example, and it should help  
to simplify config a lot.


-Fred

On Jun 18, 2008, at 9:32 PM, Glen Mazza wrote:


I think our WSS4J interceptors really need to support "nonces"--IIRC
according to WS-Security w/UsernameToken profile web service calls
aren't really secure if those aren't included with the username,
password, and timestamp. I am still not sure if WSS4J supports the  
SAML

Token Profile, but that would also something we probably need.  Having
WS-SecureConversation would not be very meaningful for either SAML or
UsernameTokens if we don't have the latter two working yet.  (The  
other

profile--X.509--I don't know how well that is supported presently, but
if working, WS-SecureConversation then becomes sensible.)

Possibly also, an ability to support Sun's XWSS product in addition to
WSS4J (although I'm aware of the performance issues you had mentioned
earlier), a nice-to-have since Spring-WS apparently supports both.

Perhaps also WSDL 2.0?

Glen


2008-06-18 Daniel Kulp wrote:
Now that 2.1.1 is being voted on, I'd like to step back a bit and  
talk

a little about ideas for the next versions.

First, most likely, we'll need to do a 2.1.2 release in about 6-8
weeks (and maybe 2.0.8 as well).   We've done a very good job of
getting fixes out to our users in a timely manner and I'd like to  
keep

that up, but I also would like to think about 2.2 a bit as well.   I
haven't created the 2.1.x fixes branch yet, but I probably will
shortly if we start doing some new stuff toward 2.2.

That said, here is my list of stuff that is "missing" and could be
considered for 2.2:

1) WS-Trust/WS-SecurePolicy/WS-SecureConversation stuff.Not
supporting these is becoming increasingly problematic.   Most likely,
when I get back from my paternity leave, I'm going to start digging
into these a bit.  I haven't really read up on these yet (in depth)  
so

any help would be greatly appreciated.

2) XMLBeans tooling - I started this a bit for 2.1.1.   2.1.1 now  
will
actually generate some interfaces for xmlbeans, but the sample  
clients/
servers are wrong (don't set the jaxb databinding) and I'm not sure  
if
the interfaces even work unless you use a jaxws customization to  
force

everything into bare mode.   Cleaning this stuff up could be a 2.1.x
"fix" as well.

3) JIBX data binding - This is probably the last major thing not
ported from XFire.   Not sure the demand on it though.

4) Extension via annotation - Benson and I have chatted about this  
off

and on.Basically, we'd like to add hooks into the
ReflectServiceFactoryBean so that registered listeners can get events
about when things happen.   Like when an interface is mapped to a
ServiceInfo, a method is mapped to a OperaionInfo and
BingingOperationInfo, etc...The listeners can then examine the
Method object or Class object or whatever for any additional things
it's interested in at runtime. This would allow for some custom
annotations.   Examples:
Configure some logging:
@Logging(in = "in.log", out = "out.log", fault = "")
Confi

unrecognized parameter -Xdv

[Peter Jones]

Hi there,

When building the cxf-2.1.1 source distribution, or trunk for that matter,
with a clean local maven repo, from the top level directory, I see an error
like this when it reaches testutils:

[...]
[INFO] [cxf-codegen:wsdl2java {execution: generate-sources}]
[INFO] [cxf-common-xsd:xsdtojava {execution: generate-sources}]
unrecognized parameter -Xdv

Usage: xjc [-options ...]  ... [-b ] ...
If dir is specified, all schema files in it will be compiled.
If jar is specified, /META-INF/sun-jaxb.episode binding file will be
compiled.
Options:
[...]
org.apache.tools.ant.ExitException: ExitException: status -1
at 
org.apache.tools.ant.util.optional.NoExitSecurityManager.checkExit(NoExitSecurityManager.java:38)
at java.lang.Runtime.exit(Runtime.java:88)
at java.lang.System.exit(System.java:869)
at com.sun.tools.xjc.Driver._main(Driver.java:126)
at com.sun.tools.xjc.Driver.access$000(Driver.java:74)
at com.sun.tools.xjc.Driver$1.run(Driver.java:96)
[INFO] 
[ERROR] BUILD ERROR
[INFO] 
[INFO] ExitException: status -1

If I build inside the testutils directory, there's no problem.  So it only
happens from the top level directory.  Has anyone else seen this?

Using java 1.5.0_12 and I've tried with maven 2.0.7 and 2.0.9.

Cheers,
Peter

-- 
Peter Jones
IONA Technologies
E-Mail: mailto:[EMAIL PROTECTED]
Tel: 709-738-3725 x321 | Fax: 709-738-3745
570 Newfoundland Drive, St. John's, NL, Canada A1A 5B1