You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by Fred Dushin <fr...@dushin.net> on 2007/04/13 19:16:14 UTC
WSSecurityEngine.setWssConfig()
Is there any reason for this? I'm really puzzled as to why there is
a static mutator on this class, and my the (non-static) process
results operations are using statically configured data.
Anyone care if I remove this (in a patch)? The sources compile and
the tests pass without it.
Thanks,
-Fred
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: WSSecurityEngine.setWssConfig()
Posted by Fred Dushin <fr...@dushin.net>.
I've been working on a patch that would allow end-users to do a few
things, notably, in this context, to add, remove, or replace the
built-in WSS4J Processors.
I figured the way to do this was to modify the WSSConfig object to
allow a setProcessor operation, which basically lets you key your own
processor off a Qname. When the WSSecurityEngine walks through the
security header, it can then dispatch out to application code to do
the processing, if necessary.
One of the issues I had with the WSSecurityEngine, though, is that it
uses a static WSSConfig instance to get its processors. If I were to
change the WSSConfig instance to be in any way stateful (vis a vis
its processors), I need to make the WSSConfig instance on the
WSSecurityEngine non-static. Otherwise you'd run into all sorts of
weird behavior, e.g., if you have more than one WSSecurityEngine in
process.
I think by removing the operation (or better, my current thinking is
to make it non-static), we'd potentially break some code downstream,
which presumably we don't have a test for. The projects that need
this could be retooled use the non-static call, but it may be a bad
thing to make this change on a point release. I presume there are
source and binary compatibility constraints between 1.5.1 and 1.5.2, no?
BTW, I submitted a patch for http://issues.apache.org/jira/browse/
WSS-74, but I'd like to hold off for the time being on anyone
applying it. I ran into some other issues that I'd like to address
first.
Thanks,
-Fred
On Apr 18, 2007, at 2:41 PM, Werner Dittmann wrote:
> Ruchith Fernando wrote:
>> IIRC this was originally added to support older ws-sec specs. The
>> only
>> use of this I can see right now is to be able to dynamically
>> configure
>> wss4j to disable strict timestamp handling. (See
>> WSSConfig#timeStampStrict and TimestampProcessor#handleTimestamp()).
>> Not sure whether there's anyone who is using this.
>>
>> I'm 0 on removing this.
>>
> AFAIK some projects used this to disable timestamp handling (.Net
> didn't or doesn't support the millisecond feature). This can be set
> using a parameter. Otherweise I don't see any further usage anymore.
>
> Regards,
> Werner
>
>> Thanks,
>> Ruchith
>>
>> On 4/13/07, Fred Dushin <fr...@dushin.net> wrote:
>>> Is there any reason for this? I'm really puzzled as to why there is
>>> a static mutator on this class, and my the (non-static) process
>>> results operations are using statically configured data.
>>>
>>> Anyone care if I remove this (in a patch)? The sources compile and
>>> the tests pass without it.
>>>
>>> Thanks,
>>> -Fred
>>>
>>> --------------------------------------------------------------------
>>> -
>>> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>>> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>>>
>>>
>>
>>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: WSSecurityEngine.setWssConfig()
Posted by Fred Dushin <fr...@dushin.net>.
I've been working on a patch that would allow end-users to do a few
things, notably, in this context, to add, remove, or replace the
built-in WSS4J Processors.
I figured the way to do this was to modify the WSSConfig object to
allow a setProcessor operation, which basically lets you key your own
processor off a Qname. When the WSSecurityEngine walks through the
security header, it can then dispatch out to application code to do
the processing, if necessary.
One of the issues I had with the WSSecurityEngine, though, is that it
uses a static WSSConfig instance to get its processors. If I were to
change the WSSConfig instance to be in any way stateful (vis a vis
its processors), I need to make the WSSConfig instance on the
WSSecurityEngine non-static. Otherwise you'd run into all sorts of
weird behavior, e.g., if you have more than one WSSecurityEngine in
process.
I think by removing the operation (or better, my current thinking is
to make it non-static), we'd potentially break some code downstream,
which presumably we don't have a test for. The projects that need
this could be retooled use the non-static call, but it may be a bad
thing to make this change on a point release. I presume there are
source and binary compatibility constraints between 1.5.1 and 1.5.2, no?
BTW, I submitted a patch for http://issues.apache.org/jira/browse/
WSS-74, but I'd like to hold off for the time being on anyone
applying it. I ran into some other issues that I'd like to address
first.
Thanks,
-Fred
On Apr 18, 2007, at 2:41 PM, Werner Dittmann wrote:
> Ruchith Fernando wrote:
>> IIRC this was originally added to support older ws-sec specs. The
>> only
>> use of this I can see right now is to be able to dynamically
>> configure
>> wss4j to disable strict timestamp handling. (See
>> WSSConfig#timeStampStrict and TimestampProcessor#handleTimestamp()).
>> Not sure whether there's anyone who is using this.
>>
>> I'm 0 on removing this.
>>
> AFAIK some projects used this to disable timestamp handling (.Net
> didn't or doesn't support the millisecond feature). This can be set
> using a parameter. Otherweise I don't see any further usage anymore.
>
> Regards,
> Werner
>
>> Thanks,
>> Ruchith
>>
>> On 4/13/07, Fred Dushin <fr...@dushin.net> wrote:
>>> Is there any reason for this? I'm really puzzled as to why there is
>>> a static mutator on this class, and my the (non-static) process
>>> results operations are using statically configured data.
>>>
>>> Anyone care if I remove this (in a patch)? The sources compile and
>>> the tests pass without it.
>>>
>>> Thanks,
>>> -Fred
>>>
>>> --------------------------------------------------------------------
>>> -
>>> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>>> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>>>
>>>
>>
>>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: WSSecurityEngine.setWssConfig()
Posted by Werner Dittmann <We...@t-online.de>.
Ruchith Fernando wrote:
> IIRC this was originally added to support older ws-sec specs. The only
> use of this I can see right now is to be able to dynamically configure
> wss4j to disable strict timestamp handling. (See
> WSSConfig#timeStampStrict and TimestampProcessor#handleTimestamp()).
> Not sure whether there's anyone who is using this.
>
> I'm 0 on removing this.
>
AFAIK some projects used this to disable timestamp handling (.Net
didn't or doesn't support the millisecond feature). This can be set
using a parameter. Otherweise I don't see any further usage anymore.
Regards,
Werner
> Thanks,
> Ruchith
>
> On 4/13/07, Fred Dushin <fr...@dushin.net> wrote:
>> Is there any reason for this? I'm really puzzled as to why there is
>> a static mutator on this class, and my the (non-static) process
>> results operations are using statically configured data.
>>
>> Anyone care if I remove this (in a patch)? The sources compile and
>> the tests pass without it.
>>
>> Thanks,
>> -Fred
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>>
>>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: WSSecurityEngine.setWssConfig()
Posted by Werner Dittmann <We...@t-online.de>.
Ruchith Fernando wrote:
> IIRC this was originally added to support older ws-sec specs. The only
> use of this I can see right now is to be able to dynamically configure
> wss4j to disable strict timestamp handling. (See
> WSSConfig#timeStampStrict and TimestampProcessor#handleTimestamp()).
> Not sure whether there's anyone who is using this.
>
> I'm 0 on removing this.
>
AFAIK some projects used this to disable timestamp handling (.Net
didn't or doesn't support the millisecond feature). This can be set
using a parameter. Otherweise I don't see any further usage anymore.
Regards,
Werner
> Thanks,
> Ruchith
>
> On 4/13/07, Fred Dushin <fr...@dushin.net> wrote:
>> Is there any reason for this? I'm really puzzled as to why there is
>> a static mutator on this class, and my the (non-static) process
>> results operations are using statically configured data.
>>
>> Anyone care if I remove this (in a patch)? The sources compile and
>> the tests pass without it.
>>
>> Thanks,
>> -Fred
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>>
>>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: WSSecurityEngine.setWssConfig()
Posted by Ruchith Fernando <ru...@gmail.com>.
IIRC this was originally added to support older ws-sec specs. The only
use of this I can see right now is to be able to dynamically configure
wss4j to disable strict timestamp handling. (See
WSSConfig#timeStampStrict and TimestampProcessor#handleTimestamp()).
Not sure whether there's anyone who is using this.
I'm 0 on removing this.
Thanks,
Ruchith
On 4/13/07, Fred Dushin <fr...@dushin.net> wrote:
> Is there any reason for this? I'm really puzzled as to why there is
> a static mutator on this class, and my the (non-static) process
> results operations are using statically configured data.
>
> Anyone care if I remove this (in a patch)? The sources compile and
> the tests pass without it.
>
> Thanks,
> -Fred
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
>
--
www.ruchith.org
www.wso2.org
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: WSSecurityEngine.setWssConfig()
Posted by Ruchith Fernando <ru...@gmail.com>.
IIRC this was originally added to support older ws-sec specs. The only
use of this I can see right now is to be able to dynamically configure
wss4j to disable strict timestamp handling. (See
WSSConfig#timeStampStrict and TimestampProcessor#handleTimestamp()).
Not sure whether there's anyone who is using this.
I'm 0 on removing this.
Thanks,
Ruchith
On 4/13/07, Fred Dushin <fr...@dushin.net> wrote:
> Is there any reason for this? I'm really puzzled as to why there is
> a static mutator on this class, and my the (non-static) process
> results operations are using statically configured data.
>
> Anyone care if I remove this (in a patch)? The sources compile and
> the tests pass without it.
>
> Thanks,
> -Fred
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
>
--
www.ruchith.org
www.wso2.org
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org