Posted to dev@ws.apache.org by Marc Giger <gi...@gmx.ch> on 2011/08/16 12:56:39 UTC

Streaming-WebServices-Security-Framework inclusion into WSS4J

Hello All

Back in January I wrote an email
(http://mail-archives.apache.org/mod_mbox/incubator-general/201101.mbox/%3C20110111222249.17e837d3@mgi.gigerstyle.ch%3E)
to the incubator mailing list to discuss the inclusion of
swssf as a new incubator project. The feedback was positive, but
people suggested inclusion into WSS4J as an alternative way.

So here I am again :-)

It would be a pity if all of the code fizzled out.
Details on the project and the code can be found at
http://gigerstyle.homelinux.com/?page_id=76

If you find the code or parts of it useful, I'm willing to
re-license it under the Apache License.

It is not my intention to leave the code to the ASF and forget
about it. Further development from my side is guaranteed.

So what do you think? Are you interested in it?
One of the open discussion points will be the integration: should /
can it be integrated as it is, or must some adaptations be made?
Or perhaps you don't like the concept? Please tell me!

Thank you.

Kind regards

Marc

-- 
Lesson 1: Cryptographic protocols should not be developed by a
committee. -- Niels Ferguson and Bruce Schneier --

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Re: Streaming-WebServices-Security-Framework inclusion into WSS4J

Posted by Marc Giger <gi...@gmx.ch>.
Hi Colm,

On Mon, 22 Aug 2011 09:59:39 +0100
Colm O hEigeartaigh <co...@apache.org> wrote:

> Hi Marc,
> 
> One thing I would like to discuss is that we move the streaming c14n,
> signature and encryption code to the Santuario project. It seems like
> the logical place for it, rather than keep it as part of WSS4J. There
> is a large number of test vectors in Santuario that we could test the
> streaming code against, etc. What do you think? Would it be possible
> to easily isolate this code in SWSSF? What external dependencies would
> it have?

Before I began to develop swssf I studied the source code of WSS4J and
Santuario in detail. During this time I came to the conclusion that only small
pieces of the code can be reused.

If you, e.g., move the encryption code to Santuario, you also have to move the
ProcessorChainImpl. And if you move the ProcessorChainImpl you have to move
most of the framework. If you just move e.g. the encryption/decryption code, it
will become useless. Let me explain this in the case of signature verification
(encryption/decryption is a lot more complex):

The signature verification needs:
- a Signature-Header processor
- a SignedInfo processor
- a C14N feeder
- a buffer and replay processor for the header, to catch signed header elements (use before declaration)

All these components must be applied at the right time and in the right order. This is one of the ProcessorChainImpl's
responsibilities. Set the InputProcessorChainImpl logging to debug, run the test cases and you will see the processor
interactions. Another important dependency is the SecurityEvents. They are emitted in real time when a security-relevant
event occurs. Have a look into the SecurityEvent class.

Other than that, most of the tests in xml-sec are incompatible because of different structures or just because of the dependency
on DOM. What is left are just the C14N tests, which I have ported over to swssf.

Summary:
What we could do is move all of the code to Santuario and leave just the WSS-specific things in WSS4J, like
- SAMLTokenProcessors
- TimestampProcessors
- UsernameProcessors
- PolicyProcessors
- ...

and all of their direct dependencies. So it is doable, but not easily.
I think such a split-up will lower the maintainability.

Another way to go is just to cleanly integrate swssf into WSS4J and wait until someone requests
the streaming ability in xmlsec. Then we have a use case and we can think about it; generic xmlsec
is a bit more complicated than WSSec.

<loudlyThinking>Why not merge WSS4J and santuario? :-)</loudlyThinking>

Don't hesitate to ask more questions. I can also draw concept/architecture diagrams if it
helps to understand the framework.

Kind regards

Marc



> 
> Colm.
> 
> On Thu, Aug 18, 2011 at 8:06 PM, Marc Giger <gi...@gmx.ch> wrote:
> > Hi Colm,
> >
> > On Thu, 18 Aug 2011 15:18:02 +0100
> > Colm O hEigeartaigh <co...@apache.org> wrote:
> >
> >> Hi Marc,
> >>
> >> > So what do you think? Are you interested in it?
> >>
> >> Absolutely :-)
> >
> > Cool :-)
> >
> >>
> >> WSS4J currently has two branches, 1.5.x (current release 1.5.12) that
> >> is essentially deprecated but still maintained for bug-fixes (and used
> >> by Rampart), and trunk (current release 1.6.2) which involved the
> >> Opensaml2 update. Once I finish the Kerberos support trunk will be
> >> more or less feature complete I think.
> >>
> >> I think we could use your project as the basis for a WSS4J 2.0 release
> >> next year. You would need to submit the code under an Apache License,
> >> and we could subsequently grant you commit rights for the project.
> >
> > Sounds good to me.
> >
> >>
> >> I think the code as is would likely need quite a lot of work, but we
> >> would start by just dumping the code in svn and discussing what needs
> >> to be done with it etc. For example, your project is coupled with
> >> WS-SecurityPolicy support which WSS4J does not currently do, so we
> >> could discuss whether it should stay like this, or whether we could
> >> separate it out into a separate module etc.
> >
> > Yes, at first glance it seems like the WS-SecurityPolicy is hard coupled
> > with the rest. But this is not the case. WS-SecurityPolicy is very loosely
> > coupled. All you have to do when you want policy verification is
> > to add the PolicyProcessor to the chain and register the
> > PolicyEnforcer. That's it. The loose coupling was one of my primary
> > goals. Moving WS-SecurityPolicy into a separate module is done in 5,
> > ok, say in 10 minutes :-)
> > Complete separation from swssf doesn't make sense to me, because the
> > policy verification is optimized for streaming processing (fail-fast
> > behavior).
> >
> >>
> >> How many cases does it actually create a DOM tree - just for SAML
> >> creation/processing?
> >
> > Yes and in the PolicyEnforcerFactory to parse and validate the WSDL and
> > its policy.
> >
> >>
> >> I took a quick look at the source-code - I couldn't compile the latest
> >> snapshot code, it looks like it is not compiling the schemas by
> >> default?
> >
> > Unfortunately not all files have made it into the tar. A fixed tarball
> > is ready to be downloaded.
> > Probably you have to lower the heap settings in the pom before you
> > execute maven.
> >
> >>
> >> What do you think?
> >
> > Fine.
> > Some questions:
> > - In which format do you expect the source? tar? svn dump? Access
> >   to my repo? ...?
> > - Is there anything else to do from my side (separating, ...), aside
> >   from re-licensing under the Apache license?
> > - To whom should I send the (of course re-licensed) code?
> >
> > Do you have some more questions?
> >
> > Kind regards
> >
> > Marc


-- 

itServe AG
M.Sc. Marc Giger
Länggassstrasse 26
3000 Bern 9
Tel.: +41 31 305 16 16
Fax:  +41 31 305 16 17

Direkt: +41 31 305 43 27
Email: marc.giger@itserve.ch

http://www.itserve.ch



Re: Streaming-WebServices-Security-Framework inclusion into WSS4J

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Amila,

> 1. After this change, will we be able to use WSS4J as we do now (as
> in the current release, i.e. 1.6.2) without making major changes to
> Rampart?

Yes absolutely. The new streaming implementation will not be available
until next year I guess, and will appear as a new major version (2.0).

> 2. Is it possible to disable policy processing within SWSSF so that we
> can use the streaming ability on messages and use the policy processing
> already within Rampart?

Apparently yes. There are a lot of questions to be resolved about how
we are going to integrate SWSSF with CXF/Rampart/etc, so I would
encourage you guys to be involved in the discussions.

Colm.

On Mon, Aug 22, 2011 at 10:38 AM, Amila Jayasekara <am...@wso2.com> wrote:



-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com



Re: Streaming-WebServices-Security-Framework inclusion into WSS4J

Posted by Amila Jayasekara <am...@wso2.com>.
Hi Marc/Colm,

I am sorry if I am hijacking your mail thread, but I thought of using
the same thread as my questions are relevant to SWSSF integration.

We are in the process of porting Rampart code to use WSS4J 1.6.2. We
are hoping to contribute the relevant changes to Apache Rampart within
the next 2 weeks.
We are also interested in using the streaming ability within Rampart. But
as far as I know, Rampart already has policy processing and policy
verification code.
So I have the following questions in this regard:
1. After this change, will we be able to use WSS4J as we do now (as
in the current release, i.e. 1.6.2) without making major changes to
Rampart?
2. Is it possible to disable policy processing within SWSSF so that we
can use the streaming ability on messages and use the policy processing
already within Rampart?

Thanks in advance.
AmilaJ




Re: Streaming-WebServices-Security-Framework inclusion into WSS4J

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Marc,

One thing I would like to discuss is that we move the streaming c14n,
signature and encryption code to the Santuario project. It seems like
the logical place for it, rather than keep it as part of WSS4J. There
is a large number of test vectors in Santuario that we could test the
streaming code against, etc. What do you think? Would it be possible
to easily isolate this code in SWSSF? What external dependencies would
it have?

Colm.




-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com



Re: Streaming-WebServices-Security-Framework inclusion into WSS4J

Posted by Daniel Kulp <dk...@apache.org>.
On Tuesday, August 30, 2011 6:51:38 PM Marc Giger wrote:
> swssf emits policy-relevant events just in time. So, as an example, if swssf
> finds an X509Token it will be emitted immediately, the Policy-Engine
> picks it up and throws an exception if it detects that it doesn't meet
> the policy.

We DO need to be careful about this though. In some cases, this can be an
attack vector based on timing. If it fails fast in some cases and fails slowly
in others, that is potential information that an attacker can use. I just
wanted to mention this. :-)


> But I don't see any reason not to use Rampart for this job when
> it supports the just-in-time evaluation. Also I did use the Rampart
> and Neethi classes as a starting point.

Oi.... OK. The CXF WS-SecurityPolicy Neethi classes are much further along
than the Rampart equivalents. Something we can reconcile later though.
The nice thing about Neethi 3 though is that we should be able to create a
collection of policy classes that are actually shareable. That was part of
the goal.

> It would be nice if the just-in-time evaluation could be kept.

Agreed, but keep in mind the attack vectors.


Dan


> > I have more questions related to the streaming behaviour of SWSSF. But I
> > will ask them once I get a high-level overview of how SWSSF works.
> 
> I hope my explanations help a bit to understand swssf. I will be glad
> to answer further questions you may have.
> 
> Kind regards
> 
> Marc
> 
> > Thanks in advance.
> > 
> > 
> > 
> > AmilaJ
> > 
> > On Wed, Aug 24, 2011 at 2:05 AM, Daniel Kulp <dk...@apache.org> wrote:
> > > On Tuesday, August 23, 2011 9:01:27 PM Marc Giger wrote:
> > >> Hi Dan,
> > >> 
> > >> On Tue, 23 Aug 2011 13:04:40 -0400
> > >> 
> > >> Daniel Kulp <dk...@apache.org> wrote:
> > >> > Actually, one more grant-related thing...
> > >> > 
> > >> > The ip-clearance form mentions making sure the granted files
> > >> > have the proper Apache license header which the current files
> > >> > do
> > >> > not.  I'm not sure if that can be done after the vote and
> > >> > import
> > >> > or not.   It would be simpler if the granted dump and
> > >> > checksums
> > >> > and all pointed to a version that had the headers already
> > >> > updated.
> > >> 
> > >> The latest revision of the files in the svndump attached in the
> > >> jira have the following header:
> > >> 
> > >> /**
> > >>  * Licensed to the Apache Software Foundation (ASF) under one
> > >>  * or more contributor license agreements. See the NOTICE file
> > >>  * distributed with this work for additional information
> > >>  * regarding copyright ownership. The ASF licenses this file
> > >>  * to you under the Apache License, Version 2.0 (the
> > >>  * "License"); you may not use this file except in compliance
> > >>  * with the License. You may obtain a copy of the License at
> > >>  *
> > >>  * http://www.apache.org/licenses/LICENSE-2.0
> > >>  *
> > >>  * Unless required by applicable law or agreed to in writing,
> > >>  * software distributed under the License is distributed on an
> > >>  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> > >>  * KIND, either express or implied. See the License for the
> > >>  * specific language governing permissions and limitations
> > >>  * under the License.
> > >>  */
> > >> 
> > >> AFAIK this should be the correct one, right? Also I added the
> > >> NOTICE file to the tree.
> > > 
> > > Ah.  OK.   I was just looking at the raw dump and I guess was
> > > ending up looking at previous versions of files.
> > > 
> > > 
> > > Looks fine.
> > > 
> > > Thanks!
> > > Dan
> > > 
> > >> Kind regards
> > >> 
> > >> Marc
> > >> 
> > >> > Dan
> > >> > 
> > >> > On Tuesday, August 23, 2011 12:50:20 PM Daniel Kulp wrote:
> > >> > > On Sunday, August 21, 2011 9:41:42 PM Marc Giger wrote:
> > >> > > > > There are a few other things to think about with
> > >> > > > > it as well
> > >> > > > > like
> > >> > > > > interactions with FastInfoset (which CXF can
> > >> > > > > currently
> > >> > > > > support,
> > >> > > > > but this wouldn't due to operating on the
> > >> > > > > OutputStream
> > >> > > > > directly
> > >> > > > > instead of an XMLStream/EventWriter). Mapping all
> > >> > > > > the
> > >> > > > > current
> > >> > > > > CXF configs in may take a bit as well, but nothing
> > >> > > > > too
> > >> > > > > major I
> > >> > > > > would expect.
> > >> > > > 
> > >> > > > I was just too lazy and had no time left to implement
> > >> > > > the
> > >> > > > XMLStreamWriter. At the time, I noticed that a simple
> > >> > > > OutputStream
> > >> > > > matches perfectly for the CXF integration. But you are
> > >> > > > right,
> > >> > > > this
> > >> > > > will be a requirement. For the FastInfoset case, maybe
> > >> > > > we
> > >> > > > find a more efficient way as writing to an
> > >> > > > XMLStreamWriter
> > >> > > > and then translate to FastInfoset...
> > >> > > 
> > >> > > That's pretty much how fastinfoset works.   We have an
> > >> > > XMLStreamWriter that writes fastinfoset instead of regular
> > >> > > XML.
> > >> > > Thus instead of creating a normal Woodstox (or other Stax)
> > >> > > XMLStreamWriter that wraps the OutputStream, we create
> > >> > > an FI
> > >> > > version of an XMLStreamWriter that wraps the
> > >> > > OutputStream.
> > >> > > It's pretty simple if things can be set to write/read to
> > >> > > the
> > >> > > Stax things instead of raw streams.
> > >> > > 
> > >> > > > > Filing a grant requires an Apache member to help
> > >> > > > > out, but
> > >> > > > > Colm
> > >> > > > > and I are both members (and there are others around
> > >> > > > > here as
> > >> > > > > well) that would
> > >> > > > > be more than happy to help out.   If you have any
> > >> > > > > questions
> > >> > > > > about it,
> > >> > > > > let me know and I'd be happy to help.
> > >> > > > 
> > >> > > > I prepared the form as far as I could. Please have a
> > >> > > > look at
> > >> > > > http://gigerstyle.homelinux.com/downloads/swssf/swssf.xml
> > >> > > 
> > >> > > OK.  I've started with this.   Major thanks.   I'll get
> > >> > > this
> > >> > > added to the ip- clearance page shortly.
> > >> > > 
> > >> > > > Also I filled out the grants.txt :
> > >> > > > 
> > >> > > > http://gigerstyle.homelinux.com/downloads/swssf/grants.txt
> > >> > > > http://gigerstyle.homelinux.com/downloads/swssf/grants.txt.asc
> > >> > > > 
> > >> > > > You will find my gpg public key for
> > >> > > > signature-verification on
> > >> > > > the
> > >> > > > key-servers or under the following URL:
> > >> > > > 
> > >> > > > http://gigerstyle.homelinux.com/?page_id=28
> > >> > > > 
> > >> > > > It's not entirely clear to me: Do I have to send some
> > >> > > > documents to the apache office or secretary?
> > >> > > 
> > >> > > You need to send the grants.txt file to secretary@ ,
> > >> > > digitally
> > >> > > signed. Once they process that, I think we can proceed
> > >> > > with the
> > >> > > rest of the grant.
> > >> > > 
> > >> > > > Did I do everything correctly so far? What are the next
> > >> > > > steps?
> > >> > > 
> > >> > > So far, so good.
> > >> > > 
> > >> > > > > Also, you should file an Apache ICLA:
> > >> > > > > http://www.apache.org/licenses/#clas
> > >> > > > > 
> > >> > > > > That's the first step in getting an account
> > >> > > > > created for you
> > >> > > > > to
> > >> > > > > become
> > >> > > > > a committer.   Doing that sooner can help speed
> > >> > > > > things up.
> > >> > > > 
> > >> > > > Also done. I already got an ack from secretary. Should
> > >> > > > I
> > >> > > > forward the acknowledgment to you?
> > >> > > 
> > >> > > I see your name now listed at:
> > >> > > http://people.apache.org/committer-index.html#unlistedclas
> > >> > > 
> > >> > > That's all I need.  :-)
> > >> > > 
> > >> > > > > > Do you have some more questions?
> > >> > > > > 
> > >> > > > > I think that's it for me.    Let me just say "very
> > >> > > > > nice
> > >> > > > > job".   :-)
> > >> > > > 
> > >> > > > Thank you Dan!
> > >> > > > 
> > >> > > > Kind regards
> > >> > > > 
> > >> > > > Marc
> > >> > > > 
> > >> > > > > Dan
> > >> 
> > > 
> > > --
> > > Daniel Kulp
> > > dkulp@apache.org
> > > http://dankulp.com/blog
> > > Talend - http://www.talend.com
> > > 
> > 
-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
Talend - http://www.talend.com



Re: Streaming-WebServices-Security-Framework inclusion into WSS4J

Posted by Marc Giger <gi...@gmx.ch>.
Hi Amila,

On Tue, 30 Aug 2011 00:15:19 +0530
Amila Jayasekara <am...@wso2.com> wrote:

> Hi Marc,
> 
> 
> 
> I went through your initial proposal in detail.
> 
> 
> 
> After going through it I understood the following,
> 
> 1. SWSSF implementation is no longer using DOM based processing

Right

> 
> 2. SWSSF is also doing security policy processing

Also correct

> 
> 
> 
> I have a few questions related to this.
> 
> As I understood you are no longer using xmlsec or wss4j. So I am
> particularly interested in how this works. Also according to your initial
> description you are no longer using a DOM based object model. So what
> XML processing / object model is SWSSF using? How is it handling
> streaming behaviour? It will be great if you can give us an overview.
> A reference would be sufficient (if you already have one).

In short: StAX iterator API

In detail:
As far as I know there are three main XML APIs in Java:
- DOM
- SAX
- StAX (Cursor and Iterator API)

As we all know, DOM is not streaming capable because the whole XML
document is parsed and held in memory. SAX is a streaming
model but has the following disadvantages:
- Push; the XML events are pushed to the application
- No write API

StAX is also a streaming model and has the following advantages:
- Pull; Application can request the next events
- Write API

Because of this, and also because CXF (and AFAIK Axis) are built around
StAX, I decided to use the StAX model.
StAX itself is split again into two APIs:
The cursor (XMLStreamReader/XMLStreamWriter) and the iterator API
(XMLEventReader/XMLEventWriter).

When you use the cursor API you are operating directly on the
XMLStreamReader/Writer and it is not easily possible to buffer, replay,
etc. any events. Also, if you have built a chain of responsibilities you
have to pass the XMLStreamReader through the whole chain. In contrast to
the cursor model, the iterator model allows you to store, replay, etc.
the events. You also get, for free, an abstraction between the Reader and
the events. In a chain of responsibilities you just have to pass the
XMLEvents.

So internally in swssf the iterator model is used. Every XMLEvent the
application requests from the swssf-stream-reader will be pulled
through the swssf chain. swssf analyses every XMLEvent and looks
for interesting events. If one is found, a new processor will be
instantiated and inserted into the chain. A swssf processor is a handler
with a specific WebServiceSecurity functionality. E.g. there is a
DecryptionProcessor which takes care of the decryption, or a
SAMLTokenProcessor to process SAML tokens.
If you need custom functionality, just write a processor and register
it in swssf.

> 
> 
> SWSSF also implements a security policy processing part. In a previous
> mail you mentioned that policy processing cannot be isolated from the
> security processing part. I agree with you. But in the existing
> Rampart implementation the policy processing is built within Rampart.
> Rampart is responsible for reading policies from services and
> validating them against requests. So with SWSSF I believe this logic
> is carried out within WSS4J (once SWSSF is integrated into WSS4J). If
> I am wrong please explain how you expect policy processing should
> happen. Also, is policy validation logic built into SWSSF?

Perhaps I did not express myself very well. The policy part of
swssf is extremely loosely coupled. This was an important design decision.

To follow the principle of the streaming model, low resource usage and
fail-fast behavior, just-in-time evaluation is needed for policy
relevant events. This is not supported by Rampart.

Up to now, in CXF for example (please correct me if I'm wrong), WSS4J is
applied to a DOM tree and then, when the security processing is
finished, the policy will be verified with the
WSSecurityResults-Vector. Most of the information needed to verify the
policy can be looked up in this WSSecurityResults-Vector.

swssf emits policy-relevant events just in time. So for example, if swssf
finds an X509Token it will be emitted immediately, the Policy-Engine
picks it up and throws an exception if it detects that it doesn't meet
the policy.

Of course there are constellations possible (Cross-Policy-Alternatives)
where the policy relevant event cannot be verified conclusively just in
time. So there is always a final verification needed when the security
processing is finished.

If you compare this behavior with the classic DOM model, this can be
a very big win with regard to memory, CPU and time consumption.

But I don't see any reason why not to use Rampart for this job when
it supports just-in-time evaluation. Also, I did use the Rampart
and Neethi classes as a starting point.

It would be nice if the just-in-time evaluation could be kept.

> 
> 
> 
> I have more questions related to the streaming behaviour of SWSSF. But I
> will ask them once I get a high-level overview on how SWSSF works.

I hope my explanations help a bit in understanding swssf. I will be glad
to answer further questions you may have.

Kind regards

Marc



> 
> Thanks in advance.
> 
> 
> 
> AmilaJ
> 
> On Wed, Aug 24, 2011 at 2:05 AM, Daniel Kulp <dk...@apache.org> wrote:
> > On Tuesday, August 23, 2011 9:01:27 PM Marc Giger wrote:
> >> Hi Dan,
> >>
> >> On Tue, 23 Aug 2011 13:04:40 -0400
> >>
> >> Daniel Kulp <dk...@apache.org> wrote:
> >> > Actually, one more grant-related thing...
> >> >
> >> > The ip-clearance form mentions making sure the granted files
> >> > have the proper Apache license header which the current files do
> >> > not.  I'm not sure if that can be done after the vote and import
> >> > or not.   It would be simpler if the granted dump and checksums
> >> > and all pointed to a version that had the headers already
> >> > updated.
> >>
> >> The latest revision of the files in the svndump attached in the
> >> jira have the following header:
> >>
> >> /**
> >>  * Licensed to the Apache Software Foundation (ASF) under one
> >>  * or more contributor license agreements. See the NOTICE file
> >>  * distributed with this work for additional information
> >>  * regarding copyright ownership. The ASF licenses this file
> >>  * to you under the Apache License, Version 2.0 (the
> >>  * "License"); you may not use this file except in compliance
> >>  * with the License. You may obtain a copy of the License at
> >>  *
> >>  * http://www.apache.org/licenses/LICENSE-2.0
> >>  *
> >>  * Unless required by applicable law or agreed to in writing,
> >>  * software distributed under the License is distributed on an
> >>  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> >>  * KIND, either express or implied. See the License for the
> >>  * specific language governing permissions and limitations
> >>  * under the License.
> >>  */
> >>
> >> AFAIK this should be the correct one, right? Also I added the
> >> NOTICE file to the tree.
> >
> > Ah.  OK.   I was just looking at the raw dump and I guess was
> > ending up looking at previous versions of files.
> >
> >
> > Looks fine.
> >
> > Thanks!
> > Dan
> >
> >
> >
> >> Kind regards
> >>
> >> Marc
> >>
> >> > Dan
> >> >
> >> > On Tuesday, August 23, 2011 12:50:20 PM Daniel Kulp wrote:
> >> > > On Sunday, August 21, 2011 9:41:42 PM Marc Giger wrote:
> >> > > > > There are a few other things to think about with it as well
> >> > > > > like
> >> > > > > interactions with FastInfoset (which CXF can currently
> >> > > > > support,
> >> > > > > but this wouldn't due to operating on the OutputStream
> >> > > > > directly
> >> > > > > instead of an XMLStream/EventWriter). Mapping all the
> >> > > > > current
> >> > > > > CXF configs in may take a bit as well, but nothing too
> >> > > > > major I
> >> > > > > would expect.
> >> > > >
> >> > > > I was just too lazy and had no time left to implement the
> >> > > > XMLStreamWriter. At the time, I noticed that a simple
> >> > > > OutputStream
> >> > > > matches perfectly for the CXF integration. But you are right,
> >> > > > this
> >> > > > will be a requirement. For the FastInfoset case, maybe we
> >> > > > find a more efficient way as writing to an XMLStreamWriter
> >> > > > and then translate to FastInfoset...
> >> > >
> >> > > That's pretty much how fastinfoset works.   We have an
> >> > > XMLStreamWriter that writes fastinfoset instead of regular XML.
> >> > > Thus instead of creating a normal Woodstox (or other Stax)
> >> > > XMLStreamWriter that wraps the OutputStream, we create an FI
> >> > > version of an XMLStreamWriter that wraps the OutputStream.
> >> > > It's pretty simple if things can be set to write/read to the
> >> > > Stax things instead of raw streams.
> >> > >
> >> > > > > Filing a grant requires an Apache member to help out, but
> >> > > > > Colm
> >> > > > > and I are both members (and there are others around here as
> >> > > > > well) that would
> >> > > > > be more than happy to help out.   If you have any questions
> >> > > > > about it,
> >> > > > > let me know and I'd be happy to help.
> >> > > >
> >> > > > I prepared the form as far as I could. Please have a look at
> >> > > > http://gigerstyle.homelinux.com/downloads/swssf/swssf.xml
> >> > >
> >> > > OK.  I've started with this.   Major thanks.   I'll get this
> >> > > added to the ip- clearance page shortly.
> >> > >
> >> > > > Also I filled out the grants.txt :
> >> > > >
> >> > > > http://gigerstyle.homelinux.com/downloads/swssf/grants.txt
> >> > > > http://gigerstyle.homelinux.com/downloads/swssf/grants.txt.asc
> >> > > >
> >> > > > You will find my gpg public key for signature-verification on
> >> > > > the
> >> > > > key-servers or under the following URL:
> >> > > >
> >> > > > http://gigerstyle.homelinux.com/?page_id=28
> >> > > >
> >> > > > It's not entirely clear to me: Do I have to send some
> >> > > > documents to the apache office or secretary?
> >> > >
> >> > > You need to send the grants.txt file to secretary@ , digitally
> >> > > signed. Once they process that, I think we can proceed with the
> >> > > rest of the grant.
> >> > >
> >> > > > Did I do everything correctly so far? What are the next steps?
> >> > >
> >> > > So far, so good.
> >> > >
> >> > > > > Also, you should file an Apache ICLA:
> >> > > > > http://www.apache.org/licenses/#clas
> >> > > > >
> >> > > > > That's the first step in getting an account created for you
> >> > > > > to
> >> > > > > become
> >> > > > > a committer.   Doing that sooner can help speed things up.
> >> > > >
> >> > > > Also done. I already got an ack from secretary. Should I
> >> > > > forward the acknowledgment to you?
> >> > >
> >> > > I see your name now listed at:
> >> > > http://people.apache.org/committer-index.html#unlistedclas
> >> > >
> >> > > That's all I need.  :-)
> >> > >
> >> > > > > > Do you have some more questions?
> >> > > > >
> >> > > > > I think that's it for me.    Let me just say "very nice
> >> > > > > job".   :-)
> >> > > >
> >> > > > Thank you Dan!
> >> > > >
> >> > > > Kind regards
> >> > > >
> >> > > > Marc
> >> > > >
> >> > > > > Dan
> >>
> > --
> > Daniel Kulp
> > dkulp@apache.org
> > http://dankulp.com/blog
> > Talend - http://www.talend.com
> >
> >
> >
> 
> 


-- 
Lesson 1: Cryptographic protocols should not be developed by a
committee. -- Niels Ferguson and Bruce Schneier --

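The processor chain Marc describes in the message above (XMLEvents pulled through a chain, a processor recognising a token and emitting a policy-relevant event, a policy engine that rejects just in time and verifies the rest when the stream ends), together with Dan Kulp's caveat earlier on this page that a check which fails fast for some inputs and slow for others leaks timing information, as an added example. This is not code from swssf, WSS4J or anyone in this thread; it uses only the JDK's javax.xml.stream iterator API. Processor, TokenProcessor, PolicyEngine, SecurityEvent and the failFast switch are names and simplifications chosen for this illustration (a wsse:BinarySecurityToken is treated as an X.509 token without inspecting its ValueType), and the SOAP message is constructed sample input.

```java
// Added example, not code from swssf, WSS4J or this thread. Processor, TokenProcessor,
// PolicyEngine and SecurityEvent are hypothetical names chosen for this illustration.
import java.io.StringReader;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLEventReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.events.XMLEvent;

public class JitPolicyChain {
    enum SecurityEvent { X509_TOKEN, USERNAME_TOKEN, SIGNATURE, ENCRYPTION } // simplified event set
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";
    static class PolicyViolation extends RuntimeException { PolicyViolation(String m) { super(m); } }

    /** A processor sees every XMLEvent pulled through the chain and may emit a security event. */
    interface Processor { SecurityEvent process(XMLEvent event); }

    /** Recognises security-header elements by qualified name; real token parsing is omitted. */
    static class TokenProcessor implements Processor {
        public SecurityEvent process(XMLEvent event) {
            if (!event.isStartElement()) return null;
            QName name = event.asStartElement().getName();
            String ns = name.getNamespaceURI(), local = name.getLocalPart();
            if (WSSE.equals(ns) && "BinarySecurityToken".equals(local)) return SecurityEvent.X509_TOKEN;
            if (WSSE.equals(ns) && "UsernameToken".equals(local)) return SecurityEvent.USERNAME_TOKEN;
            if (DS.equals(ns) && "Signature".equals(local)) return SecurityEvent.SIGNATURE;
            if (XENC.equals(ns) && "EncryptedData".equals(local)) return SecurityEvent.ENCRYPTION;
            return null;
        }
    }

    // Forbidden events are decidable the moment they arrive (just-in-time); required events can only be
    // verified once the stream has ended. failFast=false defers every failure to finish().
    static class PolicyEngine {
        private final EnumSet<SecurityEvent> forbidden, required;
        private final EnumSet<SecurityEvent> seen = EnumSet.noneOf(SecurityEvent.class);
        private final List<String> violations = new ArrayList<>();
        private final boolean failFast;

        PolicyEngine(EnumSet<SecurityEvent> forbidden, EnumSet<SecurityEvent> required, boolean failFast) {
            this.forbidden = forbidden; this.required = required; this.failFast = failFast;
        }

        void onEvent(SecurityEvent e) {
            seen.add(e);
            if (forbidden.contains(e)) {
                violations.add("forbidden: " + e);
                if (failFast) throw new PolicyViolation("forbidden: " + e);
            }
        }

        void finish() {
            for (SecurityEvent r : required) if (!seen.contains(r)) violations.add("missing required: " + r);
            if (!violations.isEmpty()) throw new PolicyViolation(String.join("; ", violations));
        }
    }

    /** Pulls every XMLEvent through the chain; emitted security events go to the policy engine. */
    static List<SecurityEvent> run(String xml, List<Processor> chain, PolicyEngine policy) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);                     // no DTDs
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE); // no XXE
        XMLEventReader reader = factory.createXMLEventReader(new StringReader(xml));
        List<SecurityEvent> emitted = new ArrayList<>();
        try {
            while (reader.hasNext()) {
                XMLEvent event = reader.nextEvent(); // iterator API: an object that can be buffered or replayed
                for (Processor p : chain) {
                    SecurityEvent se = p.process(event);
                    if (se != null) { emitted.add(se); policy.onEvent(se); } // may throw before the body is parsed
                }
            }
        } finally {
            reader.close();
        }
        policy.finish(); // final verification once the stream is exhausted
        return emitted;
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample: a UsernameToken where the policy demands an X.509 token.
        String soap = "<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope' xmlns:wsse='" + WSSE + "'>"
                + "<s:Header><wsse:Security><wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
                + "</wsse:UsernameToken></wsse:Security></s:Header><s:Body><ping/></s:Body></s:Envelope>";
        for (boolean failFast : new boolean[] { true, false }) {
            PolicyEngine policy = new PolicyEngine(EnumSet.of(SecurityEvent.USERNAME_TOKEN),
                    EnumSet.of(SecurityEvent.X509_TOKEN), failFast);
            String result;
            try { run(soap, List.of(new TokenProcessor()), policy); result = "policy satisfied"; }
            catch (PolicyViolation v) { result = v.getMessage(); }
            System.out.println("failFast=" + failFast + ": " + result);
        }
    }
}
```

With failFast=true the engine rejects the forbidden UsernameToken at its start element, before the SOAP body is parsed at all, which is the memory, CPU and time win Marc describes and also exactly the behaviour Dan warns about: a message that violates a forbidden-token rule is rejected earlier than one that merely lacks a required token, and that difference is observable from outside. With failFast=false the same violation is recorded but only raised from finish(), so both kinds of failure surface at the same point, at the price of reading the whole stream. The required-token check lives in finish() in either mode, because the absence of a token cannot be known before the stream ends, which is the "final verification" Marc says is always needed.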


Re: Streaming-WebServices-Security-Framework inclusion into WSS4J

Posted by Amila Jayasekara <am...@wso2.com>.
Hi Marc,



I went through your initial proposal in detail.



After going through it I understood the following,

1. SWSSF implementation is no longer using DOM based processing

2. SWSSF is also doing security policy processing



I have a few questions related to this.

As I understood you are no longer using xmlsec or wss4j. So I am
particularly interested in how this works. Also according to your initial
description you are no longer using a DOM based object model. So what
XML processing / object model is SWSSF using? How is it handling
streaming behaviour? It will be great if you can give us an overview.
A reference would be sufficient (if you already have one).


SWSSF also implements a security policy processing part. In a previous
mail you mentioned that policy processing cannot be isolated from the
security processing part. I agree with you. But in the existing
Rampart implementation the policy processing is built within Rampart.
Rampart is responsible for reading policies from services and
validating them against requests. So with SWSSF I believe this logic
is carried out within WSS4J (once SWSSF is integrated into WSS4J). If
I am wrong please explain how you expect policy processing should
happen. Also, is policy validation logic built into SWSSF?



I have more questions related to the streaming behaviour of SWSSF. But I
will ask them once I get a high-level overview on how SWSSF works.

Thanks in advance.



AmilaJ

On Wed, Aug 24, 2011 at 2:05 AM, Daniel Kulp <dk...@apache.org> wrote:
> On Tuesday, August 23, 2011 9:01:27 PM Marc Giger wrote:
>> Hi Dan,
>>
>> On Tue, 23 Aug 2011 13:04:40 -0400
>>
>> Daniel Kulp <dk...@apache.org> wrote:
>> > Actually, one more grant-related thing...
>> >
>> > The ip-clearance form mentions making sure the granted files have the
>> > proper Apache license header which the current files do not.  I'm not
>> > sure if that can be done after the vote and import or not.   It would
>> > be simpler if the granted dump and checksums and all pointed to a
>> > version that had the headers already updated.
>>
>> The latest revision of the files in the svndump attached in the jira
>> have the following header:
>>
>> /**
>>  * Licensed to the Apache Software Foundation (ASF) under one
>>  * or more contributor license agreements. See the NOTICE file
>>  * distributed with this work for additional information
>>  * regarding copyright ownership. The ASF licenses this file
>>  * to you under the Apache License, Version 2.0 (the
>>  * "License"); you may not use this file except in compliance
>>  * with the License. You may obtain a copy of the License at
>>  *
>>  * http://www.apache.org/licenses/LICENSE-2.0
>>  *
>>  * Unless required by applicable law or agreed to in writing,
>>  * software distributed under the License is distributed on an
>>  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>>  * KIND, either express or implied. See the License for the
>>  * specific language governing permissions and limitations
>>  * under the License.
>>  */
>>
>> AFAIK this should be the correct one, right? Also I added the NOTICE
>> file to the tree.
>
> Ah.  OK.   I was just looking at the raw dump and I guess was ending up
> looking at previous versions of files.
>
>
> Looks fine.
>
> Thanks!
> Dan
>
>
>
>> Kind regards
>>
>> Marc
>>
>> > Dan
>> >
>> > On Tuesday, August 23, 2011 12:50:20 PM Daniel Kulp wrote:
>> > > On Sunday, August 21, 2011 9:41:42 PM Marc Giger wrote:
>> > > > > There are a few other things to think about with it as well
>> > > > > like
>> > > > > interactions with FastInfoset (which CXF can currently
>> > > > > support,
>> > > > > but this wouldn't due to operating on the OutputStream
>> > > > > directly
>> > > > > instead of an XMLStream/EventWriter). Mapping all the
>> > > > > current
>> > > > > CXF configs in may take a bit as well, but nothing too major
>> > > > > I
>> > > > > would expect.
>> > > >
>> > > > I was just too lazy and had no time left to implement the
>> > > > XMLStreamWriter. At the time, I noticed that a simple
>> > > > OutputStream
>> > > > matches perfectly for the CXF integration. But you are right,
>> > > > this
>> > > > will be a requirement. For the FastInfoset case, maybe we find a
>> > > > more efficient way as writing to an XMLStreamWriter and then
>> > > > translate to FastInfoset...
>> > >
>> > > That's pretty much how fastinfoset works.   We have an
>> > > XMLStreamWriter that writes fastinfoset instead of regular XML.
>> > > Thus instead of creating a normal Woodstox (or other Stax)
>> > > XMLStreamWriter that wraps the OutputStream, we create an FI
>> > > version of an XMLStreamWriter that wraps the OutputStream. It's
>> > > pretty simple if things can be set to write/read to the Stax things
>> > > instead of raw streams.
>> > >
>> > > > > Filing a grant requires an Apache member to help out, but
>> > > > > Colm
>> > > > > and I are both members (and there are others around here as
>> > > > > well) that would
>> > > > > be more than happy to help out.   If you have any questions
>> > > > > about it,
>> > > > > let me know and I'd be happy to help.
>> > > >
>> > > > I prepared the form as far as I could. Please have a look at
>> > > > http://gigerstyle.homelinux.com/downloads/swssf/swssf.xml
>> > >
>> > > OK.  I've started with this.   Major thanks.   I'll get this added
>> > > to the ip- clearance page shortly.
>> > >
>> > > > Also I filled out the grants.txt :
>> > > >
>> > > > http://gigerstyle.homelinux.com/downloads/swssf/grants.txt
>> > > > http://gigerstyle.homelinux.com/downloads/swssf/grants.txt.asc
>> > > >
>> > > > You will find my gpg public key for signature-verification on
>> > > > the
>> > > > key-servers or under the following URL:
>> > > >
>> > > > http://gigerstyle.homelinux.com/?page_id=28
>> > > >
>> > > > It's not entirely clear to me: Do I have to send some documents
>> > > > to the apache office or secretary?
>> > >
>> > > You need to send the grants.txt file to secretary@ , digitally
>> > > signed. Once they process that, I think we can proceed with the
>> > > rest of the grant.
>> > >
>> > > > Did I do everything correctly so far? What are the next steps?
>> > >
>> > > So far, so good.
>> > >
>> > > > > Also, you should file an Apache ICLA:
>> > > > > http://www.apache.org/licenses/#clas
>> > > > >
>> > > > > That's the first step in getting an account created for you
>> > > > > to
>> > > > > become
>> > > > > a committer.   Doing that sooner can help speed things up.
>> > > >
>> > > > Also done. I already got an ack from secretary. Should I forward
>> > > > the acknowledgment to you?
>> > >
>> > > I see your name now listed at:
>> > > http://people.apache.org/committer-index.html#unlistedclas
>> > >
>> > > That's all I need.  :-)
>> > >
>> > > > > > Do you have some more questions?
>> > > > >
>> > > > > I think that's it for me.    Let me just say "very nice
>> > > > > job".   :-)
>> > > >
>> > > > Thank you Dan!
>> > > >
>> > > > Kind regards
>> > > >
>> > > > Marc
>> > > >
>> > > > > Dan
>>
> --
> Daniel Kulp
> dkulp@apache.org
> http://dankulp.com/blog
> Talend - http://www.talend.com
>
>
>



Re: Streaming-WebServices-Security-Framework inclusion into WSS4J

Posted by Daniel Kulp <dk...@apache.org>.
On Tuesday, August 23, 2011 9:01:27 PM Marc Giger wrote:
> Hi Dan,
> 
> On Tue, 23 Aug 2011 13:04:40 -0400
> 
> Daniel Kulp <dk...@apache.org> wrote:
> > Actually, one more grant-related thing...
> > 
> > The ip-clearance form mentions making sure the granted files have the
> > proper Apache license header which the current files do not.  I'm not
> > sure if that can be done after the vote and import or not.   It would
> > be simpler if the granted dump and checksums and all pointed to a
> > version that had the headers already updated.
> 
> The latest revision of the files in the svndump attached in the jira
> have the following header:
> 
> /**
>  * Licensed to the Apache Software Foundation (ASF) under one
>  * or more contributor license agreements. See the NOTICE file
>  * distributed with this work for additional information
>  * regarding copyright ownership. The ASF licenses this file
>  * to you under the Apache License, Version 2.0 (the
>  * "License"); you may not use this file except in compliance
>  * with the License. You may obtain a copy of the License at
>  *
>  * http://www.apache.org/licenses/LICENSE-2.0
>  *
>  * Unless required by applicable law or agreed to in writing,
>  * software distributed under the License is distributed on an
>  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>  * KIND, either express or implied. See the License for the
>  * specific language governing permissions and limitations
>  * under the License.
>  */
> 
> AFAIK this should be the correct one, right? Also I added the NOTICE
> file to the tree.

Ah.  OK.   I was just looking at the raw dump and I guess was ending up 
looking at previous versions of files.


Looks fine.

Thanks!
Dan



> Kind regards
> 
> Marc
> 
> > Dan
> > 
> > On Tuesday, August 23, 2011 12:50:20 PM Daniel Kulp wrote:
> > > On Sunday, August 21, 2011 9:41:42 PM Marc Giger wrote:
> > > > > There are a few other things to think about with it as well
> > > > > like
> > > > > interactions with FastInfoset (which CXF can currently
> > > > > support,
> > > > > but this wouldn't due to operating on the OutputStream
> > > > > directly
> > > > > instead of an XMLStream/EventWriter). Mapping all the
> > > > > current
> > > > > CXF configs in may take a bit as well, but nothing too major
> > > > > I
> > > > > would expect.
> > > > 
> > > > I was just too lazy and had no time left to implement the
> > > > XMLStreamWriter. At the time, I noticed that a simple
> > > > OutputStream
> > > > matches perfectly for the CXF integration. But you are right,
> > > > this
> > > > will be a requirement. For the FastInfoset case, maybe we find a
> > > > more efficient way as writing to an XMLStreamWriter and then
> > > > translate to FastInfoset...
> > > 
> > > That's pretty much how fastinfoset works.   We have an
> > > XMLStreamWriter that writes fastinfoset instead of regular XML.
> > > Thus instead of creating a normal Woodstox (or other Stax)
> > > XMLStreamWriter that wraps the OutputStream, we create an FI
> > > version of an XMLStreamWriter that wraps the OutputStream. It's
> > > pretty simple if things can be set to write/read to the Stax things
> > > instead of raw streams.
> > > 
> > > > > Filing a grant requires an Apache member to help out, but
> > > > > Colm
> > > > > and I are both members (and there are others around here as
> > > > > well) that would
> > > > > be more than happy to help out.   If you have any questions
> > > > > about it,
> > > > > let me know and I'd be happy to help.
> > > > 
> > > > I prepared the form as far as I could. Please have a look at
> > > > http://gigerstyle.homelinux.com/downloads/swssf/swssf.xml
> > > 
> > > OK.  I've started with this.   Major thanks.   I'll get this added
> > > to the ip- clearance page shortly.
> > > 
> > > > Also I filled out the grants.txt :
> > > > 
> > > > http://gigerstyle.homelinux.com/downloads/swssf/grants.txt
> > > > http://gigerstyle.homelinux.com/downloads/swssf/grants.txt.asc
> > > > 
> > > > You will find my gpg public key for signature-verification on
> > > > the
> > > > key-servers or under the following URL:
> > > > 
> > > > http://gigerstyle.homelinux.com/?page_id=28
> > > > 
> > > > It's not entirely clear to me: Do I have to send some documents
> > > > to the apache office or secretary?
> > > 
> > > You need to send the grants.txt file to secretary@ , digitally
> > > signed. Once they process that, I think we can proceed with the
> > > rest of the grant.
> > > 
> > > > Did I do everything correctly so far? What are the next steps?
> > > 
> > > So far, so good.
> > > 
> > > > > Also, you should file an Apache ICLA:
> > > > > http://www.apache.org/licenses/#clas
> > > > > 
> > > > > That's the first step in getting an account created for you
> > > > > to
> > > > > become
> > > > > a committer.   Doing that sooner can help speed things up.
> > > > 
> > > > Also done. I already got an ack from secretary. Should I forward
> > > > the acknowledgment to you?
> > > 
> > > I see your name now listed at:
> > > http://people.apache.org/committer-index.html#unlistedclas
> > > 
> > > That's all I need.  :-)
> > > 
> > > > > > Do you have some more questions?
> > > > > 
> > > > > I think that's it for me.    Let me just say "very nice
> > > > > job".   :-)
> > > > 
> > > > Thank you Dan!
> > > > 
> > > > Kind regards
> > > > 
> > > > Marc
> > > > 
> > > > > Dan
> 
-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
Talend - http://www.talend.com



Re: Streaming-WebServices-Security-Framework inclusion into WSS4J

Posted by Marc Giger <gi...@gmx.ch>.
Hi Dan,

On Tue, 23 Aug 2011 13:04:40 -0400
Daniel Kulp <dk...@apache.org> wrote:

> 
> Actually, one more grant related things...
> 
> The ip-clearance form mentions making sure the granted files have the
> proper Apache license header which the current files do not.  I'm not
> sure if that can be done after the vote and import or not.   It would
> be simpler if the granted dump and checksums and all pointed to a
> version that had the headers already updated.

The latest revision of the files in the svndump attached in the jira
has the following header:

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

AFAIK this should be the correct one, right? Also I added the NOTICE
file to the tree.

Kind regards

Marc



> 
> 
> Dan
> 
> 
> On Tuesday, August 23, 2011 12:50:20 PM Daniel Kulp wrote:
> > On Sunday, August 21, 2011 9:41:42 PM Marc Giger wrote:
> > > > There are a few other things to think about with it as well like
> > > > interactions with FastInfoset (which CXF can currently support,
> > > > but this wouldn't due to operating on the OutputStream directly
> > > > instead of an XMLStream/EventWriter). Mapping all the current
> > > > CXF configs in may take a bit as well, but nothing too major I
> > > > would expect.
> > > 
> > > I was just too lazy and had no time left to implement the
> > > XMLStreamWriter. At the time, I noticed that a simple OutputStream
> > > matches perfectly for the CXF integration. But you are right, this
> > > will be a requirement. For the FastInfoset case, maybe we find a
> > > more efficient way than writing to an XMLStreamWriter and then
> > > translate to FastInfoset...
> > 
> > That's pretty much how fastinfoset works.   We have an
> > XMLStreamWriter that writes fastinfoset instead of regular XML.
> > Thus instead of creating a normal Woodstox (or other Stax)
> > XMLStreamWriter that wrappers the OutputStream, we create an FI
> > version of an XMLStreamWriter that wrappers the OutputStream. It's
> > pretty simple if things can be set to write/read to the Stax things
> > instead of raw streams.
> > 
> > > > Filing a grant requires an Apache member to help out, but Colm
> > > > and I are both members (and there are others around here as
> > > > well) that would
> > > > be more than happy to help out.   If you have any questions
> > > > about it,
> > > > let me know and I'd be happy to help.
> > > 
> > > I prepared the form as far as I could. Please have a look at
> > > http://gigerstyle.homelinux.com/downloads/swssf/swssf.xml
> > 
> > OK.  I've started with this.   Major thanks.   I'll get this added
> > to the ip-clearance page shortly.
> > 
> > > Also I filled out the grants.txt :
> > > 
> > > http://gigerstyle.homelinux.com/downloads/swssf/grants.txt
> > > http://gigerstyle.homelinux.com/downloads/swssf/grants.txt.asc
> > > 
> > > You will find my gpg public key for signature-verification on the
> > > key-servers or under the following URL:
> > > 
> > > http://gigerstyle.homelinux.com/?page_id=28
> > > 
> > > It's not entirely clear to me: Do I have to send some documents
> > > to the apache office or secretary?
> > 
> > You need to send the grants.txt file to secretary@ , digitally
> > signed. Once they process that, I think we can proceed with the
> > rest of the grant.
> > > Did I do everything correctly so far? What are the next steps?
> > 
> > So far, so good.
> > 
> > > > Also, you should file an Apache ICLA:
> > > > http://www.apache.org/licenses/#clas
> > > > 
> > > > That's the first step in getting an account created for you to
> > > > become
> > > > a committer.   Doing that sooner can help speed things up.
> > > 
> > > Also done. I already got an ack from secretary. Should I forward
> > > the acknowledgment to you?
> > 
> > I see your name now listed at:
> > http://people.apache.org/committer-index.html#unlistedclas
> > 
> > That's all I need.  :-)
> > 
> > > > > Do you have some more questions?
> > > > 
> > > > I think that's it for me.    Let me just say "very nice
> > > > job".   :-)
> > > 
> > > Thank you Dan!
> > > 
> > > Kind regards
> > > 
> > > Marc
> > > 
> > > > Dan
> -- 
> Daniel Kulp
> dkulp@apache.org
> http://dankulp.com/blog
> Talend - http://www.talend.com
> 
> 



Re: Streaming-WebServices-Security-Framework inclusion into WSS4J

Posted by Daniel Kulp <dk...@apache.org>.
Actually, one more grant-related thing...

The ip-clearance form mentions making sure the granted files have the proper 
Apache license header which the current files do not.  I'm not sure if that 
can be done after the vote and import or not.   It would be simpler if the 
granted dump and checksums and all pointed to a version that had the headers 
already updated.


Dan


On Tuesday, August 23, 2011 12:50:20 PM Daniel Kulp wrote:
> On Sunday, August 21, 2011 9:41:42 PM Marc Giger wrote:
> > > There are a few other things to think about with it as well like
> > > interactions with FastInfoset (which CXF can currently support, but
> > > this wouldn't due to operating on the OutputStream directly instead
> > > of an XMLStream/EventWriter). Mapping all the current CXF configs in
> > > may take a bit as well, but nothing too major I would expect.
> > 
> > I was just too lazy and had no time left to implement the
> > XMLStreamWriter. At the time, I noticed that a simple OutputStream
> > matches perfectly for the CXF integration. But you are right, this
> > will be a requirement. For the FastInfoset case, maybe we find a
> > more efficient way than writing to an XMLStreamWriter and then translate
> > to FastInfoset...
> 
> That's pretty much how fastinfoset works.   We have an XMLStreamWriter that
> writes fastinfoset instead of regular XML.   Thus instead of creating a
> normal Woodstox (or other Stax) XMLStreamWriter that wrappers the
> OutputStream, we create an FI version of an XMLStreamWriter that wrappers
> the OutputStream. It's pretty simple if things can be set to write/read to
> the Stax things instead of raw streams.
> 
> > > Filing a grant requires an Apache member to help out, but Colm and I
> > > are both members (and there are others around here as well) that
> > > would
> > > be more than happy to help out.   If you have any questions about
> > > it,
> > > let me know and I'd be happy to help.
> > 
> > I prepared the form as far as I could. Please have a look at
> > http://gigerstyle.homelinux.com/downloads/swssf/swssf.xml
> 
> OK.  I've started with this.   Major thanks.   I'll get this added to the
> ip-clearance page shortly.
> 
> > Also I filled out the grants.txt :
> > 
> > http://gigerstyle.homelinux.com/downloads/swssf/grants.txt
> > http://gigerstyle.homelinux.com/downloads/swssf/grants.txt.asc
> > 
> > You will find my gpg public key for signature-verification on the
> > key-servers or under the following URL:
> > 
> > http://gigerstyle.homelinux.com/?page_id=28
> > 
> > It's not entirely clear to me: Do I have to send some documents
> > to the apache office or secretary?
> 
> You need to send the grants.txt file to secretary@ , digitally signed.   
> Once they process that, I think we can proceed with the rest of the grant.
> > Did I do everything correctly so far? What are the next steps?
> 
> So far, so good.
> 
> > > Also, you should file an Apache ICLA:
> > > http://www.apache.org/licenses/#clas
> > > 
> > > That's the first step in getting an account created for you to
> > > become
> > > a committer.   Doing that sooner can help speed things up.
> > 
> > Also done. I already got an ack from secretary. Should I forward
> > the acknowledgment to you?
> 
> I see your name now listed at:
> http://people.apache.org/committer-index.html#unlistedclas
> 
> That's all I need.  :-)
> 
> > > > Do you have some more questions?
> > > 
> > > I think that's it for me.    Let me just say "very nice job".   :-)
> > 
> > Thank you Dan!
> > 
> > Kind regards
> > 
> > Marc
> > 
> > > Dan
-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
Talend - http://www.talend.com



Re: Streaming-WebServices-Security-Framework inclusion into WSS4J

Posted by Daniel Kulp <dk...@apache.org>.
On Sunday, August 21, 2011 9:41:42 PM Marc Giger wrote:
> > There are a few other things to think about with it as well like
> > interactions with FastInfoset (which CXF can currently support, but
> > this wouldn't due to operating on the OutputStream directly instead
> > of an XMLStream/EventWriter). Mapping all the current CXF configs in
> > may take a bit as well, but nothing too major I would expect.
> 
> I was just too lazy and had no time left to implement the
> XMLStreamWriter. At the time, I noticed that a simple OutputStream
> matches perfectly for the CXF integration. But you are right, this
> will be a requirement. For the FastInfoset case, maybe we find a
> more efficient way than writing to an XMLStreamWriter and then translate
> to FastInfoset...

That's pretty much how fastinfoset works.   We have an XMLStreamWriter that 
writes fastinfoset instead of regular XML.   Thus instead of creating a normal 
Woodstox (or other Stax) XMLStreamWriter that wrappers the OutputStream, we 
create an FI version of an XMLStreamWriter that wrappers the OutputStream.   
It's pretty simple if things can be set to write/read to the Stax things 
instead of raw streams.

 
> > Filing a grant requires an Apache member to help out, but Colm and I
> > are both members (and there are others around here as well) that would
> > be more than happy to help out.   If you have any questions about it,
> > let me know and I'd be happy to help.
> 
> I prepared the form as far as I could. Please have a look at
> http://gigerstyle.homelinux.com/downloads/swssf/swssf.xml


OK.  I've started with this.   Major thanks.   I'll get this added to the
ip-clearance page shortly.


> Also I filled out the grants.txt :
> 
> http://gigerstyle.homelinux.com/downloads/swssf/grants.txt
> http://gigerstyle.homelinux.com/downloads/swssf/grants.txt.asc
> 
> You will find my gpg public key for signature-verification on the
> key-servers or under the following URL:
>
> http://gigerstyle.homelinux.com/?page_id=28
> 
> It's not entirely clear to me: Do I have to send some documents
> to the apache office or secretary? 

You need to send the grants.txt file to secretary@ , digitally signed.    Once 
they process that, I think we can proceed with the rest of the grant.

 
> Did I do everything correctly so far? What are the next steps?

So far, so good.

> > Also, you should file an Apache ICLA:
> > http://www.apache.org/licenses/#clas
> > 
> > That's the first step in getting an account created for you to become
> > a committer.   Doing that sooner can help speed things up.
> 
> Also done. I already got an ack from secretary. Should I forward
> the acknowledgment to you?

I see your name now listed at:
http://people.apache.org/committer-index.html#unlistedclas

That's all I need.  :-)




> > > Do you have some more questions?
> > 
> > I think that's it for me.    Let me just say "very nice job".   :-)
> 
> Thank you Dan!
> 
> Kind regards
> 
> Marc
> 
> > Dan
-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
Talend - http://www.talend.com



Re: Streaming-WebServices-Security-Framework inclusion into WSS4J

Posted by Marc Giger <gi...@gmx.ch>.
Hi Dan,
Hi Colm,

On Fri, 19 Aug 2011 14:58:04 -0400
Daniel Kulp <dk...@apache.org> wrote:

> 
> Yep.  From a quick look, there is definitely a bit of work to do with
> it. Obviously separating out the CXF and non-CXF parts would also be
> a requirement and moving the CXF specific stuff to CXF.  (so we don't
> end up with a circular dependency between CXF and wss4j)    Updating

There is no real dependency on CXF. CXF was just used as a demonstration
of how easy it is to integrate. Therefore I wrote a SecurityIn- and
Out-Interceptor. Of course, these classes have to be moved to CXF if
my framework is accepted.

> to the latest Neethi, etc.... Colm and I have also added a lot of
> stuff to CXF and WSS4J lately that we'd definitely like to make sure
> get ported over.   Kerberos is one, but there are a bunch of other
> things as well.

Yes, I had not enough manpower to follow the releases. Also there were
some fixes between the WSS4J releases which must be ported over (I
think all tickets in WSS4J since 1.5.8 must be verified in swssf). As
I already said, swssf is feature- and bug-compatible ;-)

> 
> There are a few other things to think about with it as well like
> interactions with FastInfoset (which CXF can currently support, but
> this wouldn't due to operating on the OutputStream directly instead
> of an XMLStream/EventWriter). Mapping all the current CXF configs in
> may take a bit as well, but nothing too major I would expect.

I was just too lazy and had no time left to implement the
XMLStreamWriter. At the time, I noticed that a simple OutputStream
matches perfectly for the CXF integration. But you are right, this
will be a requirement. For the FastInfoset case, maybe we find a
more efficient way than writing to an XMLStreamWriter and then translate
to FastInfoset...
I think the configuration of WSS4J and swssf also needs some
refactoring. I already have some ideas, but this can be discussed later.

All the mentioned things are from my point of view relatively easy to
solve. A lot more work needs to be done in finishing the policy
verification and its tests. Also if requested the whole client setup via
policy should/must be implemented.
And of course there are other issues to solve too...

>  
> ....  snip .....
> 
> > > What do you think?
> > 
> > Fine.
> > Some questions:
> > - In which format do you expect the source? tar? svn dump? Access
> >   to my repo? ...?
> 
> An svndump would be preferred.  Infra can import that directly into
> an area of our svn and not lose any history.   Basically, you would
> need to create a svndump, create an md5 hash (and ideally a gpg
> signature) and make those available someplace.   Then file a JIRA at
> apache pointing to it (or attaching if it's not too big) and record
> the md5 in the JIRA to make sure it identifies the right bits.

I opened a ticket and attached the svn dump:

https://issues.apache.org/jira/browse/WSS-311

> 
> We would then need to vote to accept the contribution (mostly a
> formality). Ideally, we'd vote to make you a committer at the same
> time.    When the  vote passes, we get infra to import it.
> 
> > - Is anything else to do from my side (separating, ...), aside
> >   re-licensing under the apache license?
> > - Whom should I send the (of course re-licensed) code?
> 
> See above.   Since this is a sizable contribution (more than a simple
> bug patch), it will likely need an official code grant.  See:
> 
> http://incubator.apache.org/ip-clearance/index.html
> 
> Filing a grant requires an Apache member to help out, but Colm and I
> are both members (and there are others around here as well) that would
> be more than happy to help out.   If you have any questions about it,
> let me know and I'd be happy to help.  

I prepared the form as far as I could. Please have a look at
http://gigerstyle.homelinux.com/downloads/swssf/swssf.xml

Also I filled out the grants.txt :

http://gigerstyle.homelinux.com/downloads/swssf/grants.txt
http://gigerstyle.homelinux.com/downloads/swssf/grants.txt.asc

You will find my gpg public key for signature-verification on the
key-servers or under the following URL:
http://gigerstyle.homelinux.com/?page_id=28

It's not entirely clear to me: Do I have to send some documents
to the apache office or secretary?

Did I do everything correctly so far? What are the next steps?

> 
> Also, you should file an Apache ICLA:
> http://www.apache.org/licenses/#clas
> 
> That's the first step in getting an account created for you to become
> a committer.   Doing that sooner can help speed things up.

Also done. I already got an ack from secretary. Should I forward
the acknowledgment to you?

> 
> 
> > Do you have some more questions?
> 
> I think that's it for me.    Let me just say "very nice job".   :-)

Thank you Dan!

Kind regards

Marc


> 
> Dan
> 

-- 
Lesson 1: Cryptographic protocols should not be developed by a
committee. -- Niels Ferguson and Bruce Schneier --

Re: Streaming-WebServices-Security-Framework inclusion into WSS4J

Posted by Daniel Kulp <dk...@apache.org>.
On Thursday, August 18, 2011 9:06:42 PM Marc Giger wrote:
> Hi Colm,
> 
> On Thu, 18 Aug 2011 15:18:02 +0100
> 
> Colm O hEigeartaigh <co...@apache.org> wrote:
> > Hi Marc,
> > 
> > > So what do you think? Are you interested in it?
> > 
> > Absolutely :-)
> 
> Cool :-)

I agree.   Definitely a cool upgrade.


> > WSS4J currently has two branches, 1.5.x (current release 1.5.12) that
> > is essentially deprecated but still maintained for bug-fixes (and used
> > by Rampart), and trunk (current release 1.6.2) which involved the
> > Opensaml2 update. Once I finish the Kerberos support trunk will be
> > more or less feature complete I think.

LOL.   "feature complete"....  until a customer comes along demanding 
something else....   ;-)

> > I think we could use your project as the basis for a WSS4J 2.0 release
> > next year. You would need to submit the code under an Apache License,
> > and we could subsequently grant you commit rights for the project.
> 
> Sounds good to me

Yep.  From a quick look, there is definitely a bit of work to do with it.    
Obviously separating out the CXF and non-CXF parts would also be a requirement 
and moving the CXF specific stuff to CXF.  (so we don't end up with a circular 
dependency between CXF and wss4j)    Updating to the latest Neethi, etc....  
Colm and I have also added a lot of stuff to CXF and WSS4J lately that we'd 
definitely like to make sure get ported over.   Kerberos is one, but there are 
a bunch of other things as well.    

There are a few other things to think about with it as well like interactions 
with FastInfoset (which CXF can currently support, but this wouldn't due to 
operating on the OutputStream directly instead of an XMLStream/EventWriter).   
Mapping all the current CXF configs in may take a bit as well, but nothing too 
major I would expect.
 
....  snip .....

> > What do you think?
> 
> Fine.
> Some questions:
> - In which format do you expect the source? tar? svn dump? Access
>   to my repo? ...?

An svndump would be preferred.  Infra can import that directly into an area 
of our svn and not lose any history.   Basically, you would need to create a 
svndump, create an md5 hash (and ideally a gpg signature) and make those 
available someplace.   Then file a JIRA at apache pointing to it (or attaching 
if it's not too big) and record the md5 in the JIRA to make sure it identifies 
the right bits.

We would then need to vote to accept the contribution (mostly a formality).   
Ideally, we'd vote to make you a committer at the same time.    When the  vote 
passes, we get infra to import it.

> - Is anything else to do from my side (separating, ...), aside
>   re-licensing under the apache license?
> - Whom should I send the (of course re-licensed) code?

See above.   Since this is a sizable contribution (more than a simple bug 
patch), it will likely need an official code grant.  See:

http://incubator.apache.org/ip-clearance/index.html

Filing a grant requires an Apache member to help out, but Colm and I are both 
members (and there are others around here as well) that would be more than 
happy to help out.   If you have any questions about it, let me know and I'd 
be happy to help.  

Also, you should file an Apache ICLA:
http://www.apache.org/licenses/#clas

That's the first step in getting an account created for you to become a 
committer.   Doing that sooner can help speed things up.   


> Do you have some more questions?

I think that's it for me.    Let me just say "very nice job".   :-)

Dan


> 
> Kind regards
> 
> Marc
> 
> > Colm.
-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
Talend - http://www.talend.com
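The dump-and-verify procedure Dan describes above (svndump, md5 checksum, ideally a gpg signature, checksum recorded in the JIRA so the imported bits can be matched), written out as a shell example. This is an added example, not code from the thread and not part of WSS4J or swssf. It assumes svnadmin and gpg are on the PATH for the publishing side; the verification functions need only md5sum, plus gpg for the signature check. The file names (swssf.svndump and its .md5/.asc companions) are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from WSS4J/swssf.
# Publishes a repository dump with a checksum and a detached GPG signature,
# and verifies a downloaded dump against both before it is imported.
# Assumptions: svnadmin and gpg are installed for publish_dump; the verify
# functions need only md5sum (and gpg for the signature check).
set -eu

# Create REPO.svndump plus REPO.svndump.md5 and REPO.svndump.asc.
# The md5 identifies the bits recorded in the JIRA; the detached signature
# is what ties those bits to the contributor's key.
publish_dump() {
    repo_path=$1
    out=$2
    svnadmin dump "$repo_path" > "$out"
    md5sum "$out" > "$out.md5"
    gpg --armor --detach-sign --output "$out.asc" "$out"
}

# Compare the md5 of a file with the first checksum in a published .md5 file.
# Returns 0 on match, 1 on mismatch or on an empty/unreadable checksum file.
# Only the hash field is compared, so a different download path does not matter.
verify_md5() {
    file=$1
    md5file=$2
    expected=$(awk 'NR == 1 { print $1 }' "$md5file" 2>/dev/null || true)
    actual=$(md5sum "$file" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Verify the detached signature. Returns gpg's status (0 = good signature
# from a key in the local keyring), or 2 if gpg is not installed.
verify_signature() {
    file=$1
    sigfile=$2
    command -v gpg > /dev/null 2>&1 || return 2
    gpg --verify "$sigfile" "$file" > /dev/null 2>&1
}

# Both checks must pass before the dump is handed over for import.
verify_dump() {
    dump=$1
    verify_md5 "$dump" "$dump.md5" || { echo "checksum mismatch: $dump" >&2; return 1; }
    verify_signature "$dump" "$dump.asc" || { echo "signature check failed: $dump" >&2; return 1; }
    echo "verified: $dump"
}

# Usage: sh verify_dump.sh swssf.svndump
if [ $# -eq 1 ]; then
    verify_dump "$1"
fi
```

The two checks serve different purposes: the md5 only confirms that the file someone downloaded is the same file whose hash was pasted into the JIRA, which is all the JIRA record needs. It is not a defence against a substituted dump, since an md5 can be recomputed for any replacement and md5 is no longer collision resistant; that is what the detached gpg signature, verified against the contributor's published key, is for, and the script refuses the dump if either check fails.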



Re: Streaming-WebServices-Security-Framework inclusion into WSS4J

Posted by Marc Giger <gi...@gmx.ch>.
Hi Colm,

On Thu, 18 Aug 2011 15:18:02 +0100
Colm O hEigeartaigh <co...@apache.org> wrote:

> Hi Marc,
> 
> > So what do you think? Are you interested in it?
> 
> Absolutely :-)

Cool :-)

> 
> WSS4J currently has two branches, 1.5.x (current release 1.5.12) that
> is essentially deprecated but still maintained for bug-fixes (and used
> by Rampart), and trunk (current release 1.6.2) which involved the
> Opensaml2 update. Once I finish the Kerberos support trunk will be
> more or less feature complete I think.
> 
> I think we could use your project as the basis for a WSS4J 2.0 release
> next year. You would need to submit the code under an Apache License,
> and we could subsequently grant you commit rights for the project.

Sounds good to me.

> 
> I think the code as is would likely need quite a lot of work, but we
> would start by just dumping the code in svn and discussing what needs
> to be done with it etc. For example, your project is coupled with
> WS-SecurityPolicy support which WSS4J does not currently do, so we
> could discuss whether it should stay like this, or whether we could
> separate it out into a separate module etc.

Yes, at first glance it seems like the WS-SecurityPolicy is hard coupled
with the rest. But this is not the case. WS-SecurityPolicy is very loosely
coupled. All you have to do when you want policy verification is
to add the PolicyProcessor to the chain and register the
PolicyEnforcer. That's it. The loose coupling was one of my primary
goals. Moving WS-SecurityPolicy into a separate module is done in 5,
ok, say in 10 minutes :-)
Complete separation from swssf doesn't make sense to me, because the
policy verification is optimized for streaming processing (fail-fast
behavior).

> 
> In how many cases does it actually create a DOM tree - just for SAML
> creation/processing?

Yes and in the PolicyEnforcerFactory to parse and validate the WSDL and
its policy.

> 
> I took a quick look at the source-code - I couldn't compile the latest
> snapshot code, it looks like it is not compiling the schemas by
> default?

Unfortunately not all files have made it into the tar. A fixed tarball
is ready to be downloaded.
Probably you have to lower the heap settings in the pom before you
execute maven.

> 
> What do you think?

Fine.
Some questions:
- In which format do you expect the source? tar? svn dump? Access
  to my repo? ...?
- Is anything else to do from my side (separating, ...), aside
  re-licensing under the apache license?
- Whom should I send the (of course re-licensed) code?

Do you have some more questions?

Kind regards

Marc



> 
> Colm.


-- 
Lesson 1: Cryptographic protocols should not be developed by a
committee. -- Niels Ferguson and Bruce Schneier --



Re: Streaming-WebServices-Security-Framework inclusion into WSS4J

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Marc,

> So what do you think? Are you interested in it?

Absolutely :-)

WSS4J currently has two branches, 1.5.x (current release 1.5.12) that
is essentially deprecated but still maintained for bug-fixes (and used
by Rampart), and trunk (current release 1.6.2) which involved the
Opensaml2 update. Once I finish the Kerberos support, trunk will be
more or less feature complete I think.

I think we could use your project as the basis for a WSS4J 2.0 release
next year. You would need to submit the code under an Apache License,
and we could subsequently grant you commit rights for the project.

I think the code as is would likely need quite a lot of work, but we
would start by just dumping the code in svn and discussing what needs
to be done with it etc. For example, your project is coupled with
WS-SecurityPolicy support which WSS4J does not currently do, so we
could discuss whether it should stay like this, or whether we could
separate it out into a separate module etc.

In how many cases does it actually create a DOM tree - just for SAML
creation/processing?

I took a quick look at the source-code - I couldn't compile the latest
snapshot code, it looks like it is not compiling the schemas by
default?

What do you think?

Colm.







-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com
