You are viewing a plain text version of this content. The canonical link for it is here.
Posted to rampart-dev@ws.apache.org by Wally Dennis <Wa...@Hewitt.com> on 2009/10/22 18:21:23 UTC
Crypto object management in Rampart
Rampart Devs,
Is there a reason why the RampartEngine always loads the Crypto object
(specifically the signatureCypto) instead of maintaining a cache of these
objects like WSS4J? Unless I am mistaken, in the WSHandler object in
WSS4J, there is a Hashtable that basically caches these Crypto objects so
they don't have to be reloaded for each and every request. Reloading the
object for every request (and in some cases multiple times per request)
seems to be very inefficient.
Thanks,
Wally Dennis
The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by e-mail.
Re: Crypto object management in Rampart
Posted by Prabath Siriwardena <pr...@wso2.com>.
Prabath Siriwardena wrote:
> Hi;
>
> Thilina fixed this in the Rampart trunk and I guess also included in
> Rampart 1.5.1
Correction - Rampart 1.5
Thanks & regards.
-Prabath
>
> To enable caching of Crypto objects, two attributes should be added to
> the crypto elements of "signatureCrypto"/"encryptionCrypto" of
> RampartConfig.
>
> 1.cryptoKey - As the value of this attribute, specify the property of
> a Crypto implementation which points to the location of the keystore.
> For example in Merlin, the property
> "org.apache.ws.security.crypto.merlin.file" is unique and its pointing
> to the location of the keystore. Absence of this attribute will not
> enable caching.
>
> 2.cacheRefreshInterval - This is the cache refresh interval specified
> in milliseconds. Any object that resides in the cache longer than this
> period will be considered as expired. Cache will not be refreshed if
> this attribute is not present in the configuration. If you do not want
> to refresh the cache, provide only the "cryptoKey" attribute.
>
> A sample configuration is provided below. It uses the Merlin crypto
> implementation for signing and encryption. Here, the value of the
> cryptoKey attribute is eqaul to
> "org.apache.ws.security.crypto.merlin.file" and the cache refresh
> interval is 300000 milliseconds.
>
> <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> <ramp:signatureCrypto>
> <ramp:crypto
> provider="org.apache.ws.security.components.crypto.Merlin"
> cryptoKey="org.apache.ws.security.crypto.merlin.file"
> cacheRefreshInterval="300000">
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.password">servicePW</ramp:property>
>
> </ramp:crypto>
> </ramp:signatureCrypto>
> <ramp:encryptionCypto>
> <ramp:crypto
> provider="org.apache.ws.security.components.crypto.Merlin"
> cryptoKey="org.apache.ws.security.crypto.merlin.file"
> cacheRefreshInterval="300000>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>
> </ramp:crypto>
> </ramp:encryptionCypto>
> </ramp:RampartConfig>
>
> Thanks & regards.
> -Prabath
>
> Wally Dennis wrote:
>> Rampart Devs,
>>
>> Is there a reason why the RampartEngine always loads the Crypto
>> object (specifically the signatureCypto) instead of maintaining a
>> cache of these objects like WSS4J? Unless I am mistaken, in the
>> WSHandler object in WSS4J, there is a Hashtable that basically caches
>> these Crypto objects so they don't have to be reloaded for each and
>> every request. Reloading the object for every request (and in some
>> cases multiple times per request) seems to be very inefficient.
>>
>> Thanks,
>> Wally Dennis
>>
>>
>> The information contained in this e-mail and any accompanying
>> documents may contain information that is confidential or otherwise
>> protected from disclosure. If you are not the intended recipient of
>> this message, or if this message has been addressed to you in error,
>> please immediately alert the sender by reply e-mail and then delete
>> this message, including any attachments. Any dissemination,
>> distribution or other use of the contents of this message by anyone
>> other than the intended recipient is strictly prohibited. All
>> messages sent to and from this e-mail address may be monitored as
>> permitted by applicable law and regulations to ensure compliance with
>> our internal policies and to protect our business. E-mails are not
>> secure and cannot be guaranteed to be error free as they can be
>> intercepted, amended, lost or destroyed, or contain viruses. You are
>> deemed to have accepted these risks if you communicate with us by
>> e-mail.
>>
>>
>>
>
>
>
Re: Crypto object management in Rampart
Posted by Prabath Siriwardena <pr...@wso2.com>.
Hi;
Thilina fixed this in the Rampart trunk and I guess also included in
Rampart 1.5.1
To enable caching of Crypto objects, two attributes should be added to
the crypto elements of "signatureCrypto"/"encryptionCrypto" of
RampartConfig.
1.cryptoKey - As the value of this attribute, specify the property of a
Crypto implementation which points to the location of the keystore. For
example in Merlin, the property
"org.apache.ws.security.crypto.merlin.file" is unique and its pointing
to the location of the keystore. Absence of this attribute will not
enable caching.
2.cacheRefreshInterval - This is the cache refresh interval specified in
milliseconds. Any object that resides in the cache longer than this
period will be considered as expired. Cache will not be refreshed if
this attribute is not present in the configuration. If you do not want
to refresh the cache, provide only the "cryptoKey" attribute.
A sample configuration is provided below. It uses the Merlin crypto
implementation for signing and encryption. Here, the value of the
cryptoKey attribute is eqaul to
"org.apache.ws.security.crypto.merlin.file" and the cache refresh
interval is 300000 milliseconds.
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:signatureCrypto>
<ramp:crypto
provider="org.apache.ws.security.components.crypto.Merlin"
cryptoKey="org.apache.ws.security.crypto.merlin.file"
cacheRefreshInterval="300000">
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">servicePW</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCypto>
<ramp:crypto
provider="org.apache.ws.security.components.crypto.Merlin"
cryptoKey="org.apache.ws.security.crypto.merlin.file"
cacheRefreshInterval="300000>
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
</ramp:crypto>
</ramp:encryptionCypto>
</ramp:RampartConfig>
Thanks & regards.
-Prabath
Wally Dennis wrote:
> Rampart Devs,
>
> Is there a reason why the RampartEngine always loads the Crypto object
> (specifically the signatureCypto) instead of maintaining a cache of these
> objects like WSS4J? Unless I am mistaken, in the WSHandler object in
> WSS4J, there is a Hashtable that basically caches these Crypto objects so
> they don't have to be reloaded for each and every request. Reloading the
> object for every request (and in some cases multiple times per request)
> seems to be very inefficient.
>
> Thanks,
> Wally Dennis
>
>
>
> The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by e-mail.
>
>
>
>