You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by Richard Sitze <rs...@us.ibm.com> on 2002/10/09 20:25:35 UTC
JSSE Security - change direction...
I'd appreciate Dim's opinions on this:
Problem:
JSSE is/was bound to sun implementation, in code.
JSSE can be configured by code (considered 'dynamic'), or configured
during install/registration ('static') with the JDK (see
http://java.sun.com/products/jsse/doc/guide/API_users_guide.html#InstallationAndCustomization).
** the use of the terms dynamic/static in this context may be
misleading if you don't take the time to grok it **
Current code uses dynamic (in-line code), introducing a hard
dependency on com.sun.*.
Proposal:
Remove hard dependencies, replace with static binding (configure your
JDK externally, NOT by AXIS).
Eliminate 'attribute' overrides with default values. Could go ahead
with override (maybe), but the default should fall-back to JDK settings,
NOT axis defined defaults.
If attribute overrides are not specified, then fall back to JDK
default. Currently we only use JDK default if attributes==null.
Justification:
AXIS should not be defining or changing the security providers.
Basis of concern is that AXIS should run WITHIN an environment, NOT
define the environment
Particularly with J2EE in mind.
Concerns:
Change of current behaviour
Out-of-box experience...
*******************************************
Richard A. Sitze
IBM WebSphere WebServices Development