You are viewing a plain text version of this content. The canonical link for it is here.

Posted to java-dev@axis.apache.org by Richard Sitze <rs...@us.ibm.com> on 2002/10/09 20:25:35 UTC

JSSE Security - change direction...

I'd appreciate Dim's opinions on this:

Problem:
     JSSE is/was bound to sun implementation, in code.
     JSSE can be configured by code (considered 'dynamic'), or configured 
during install/registration ('static') with the JDK (see 
http://java.sun.com/products/jsse/doc/guide/API_users_guide.html#InstallationAndCustomization).
     ** the use of the terms dynamic/static in this context may be 
misleading if you don't take the time to grok it  **
     Current code uses dynamic (in-line code), introducing a hard 
dependency on com.sun.*.

Proposal:
     Remove hard dependencies, replace with static binding (configure your 
JDK externally, NOT by AXIS).
     Eliminate 'attribute' overrides with default values.  Could go ahead 
with override (maybe), but the default should fall-back to JDK settings, 
NOT axis defined defaults.
     If attribute overrides are not specified, then fall back to JDK 
default.  Currently we only use JDK default if attributes==null.

Justification:
     AXIS should not be defining or changing the security providers.
     Basis of concern is that AXIS should run WITHIN an environment, NOT 
define the environment
     Particularly with J2EE in mind.

Concerns:
     Change of current behaviour
     Out-of-box experience...

*******************************************
Richard A. Sitze
IBM WebSphere WebServices Development