Security Architecture

[Yuhichi Nakamura <NA...@jp.ibm.com>]

Folks,
I have been looking at the current code base to add security features.
However, I feel that the current code is very messy, and not comprehensive.
I would propose to clean up the code.

For the security architecture, I would suggest to rely on platform features
rather than our own proprietory stuff.  For example, before developing
authentication handlers, we should consider how to utilize security
functions
provided by servlet engines (and J2EE).

We have a big security issue in Apache SOAP.  Deployment and service
execution
are perfomed via a "same" servlet.  Therefore, once you provide a servlet
for services,
anyone can perform deployment with the same servlet.  Axis seems to inherit
this bad nature.

I would suggest to define service groups, and each group is mapped to a
particular
servlet.  A single servlet for handling all services is not a good idea.
For deployment,
I would never use AdminClient, rather would prepare configuration files
that are
loaded when AxisEngine or Registory is instantiated.

Note that as for EJB, a single servlet approach is ok because "role
assignment" can be
shared between Web and EJB containers.

Anyway, I want to experiment such security architecture based on the
codebase.  But I
almost gave up because I could not understand it.  Someone can tell me the
mechanism
of deployment and service look-up?

Any comment/suggestion is appreciated.

Best regards,

Yuhichi Nakamura
IBM Tokyo Research Laboratory
Tel: +81-462-73-4668