Hi, I am interested in carrying out a GSoC project for Apache Rampart which is focused on improving the existing Rampart tests. I wrote about this to the Rampart-dev list and I have been given some feedback regarding this.
I am appending the suggestions I got from the Rampart-dev list herewith, and I would like to know which areas are important from the Axis2 perspective.

---------------------------------------------------------------------------------------------------------------------------------------------------------
On Sat, Mar 28, 2009 at 11:40 PM, Nandana Mihindukulasooriya <nandana....@gmail.com> wrote:

Hi Thilina,

Yes, that is one area in Rampart which needs improvements. These are some of the areas I see which need more tests.

1.) Binding level policy configuration

If you are familiar with Axis2 you probably know that Axis2 added the ability to apply binding level policies via services.xml. According to the WS-SecurityPolicy specification, security policies should be at the binding level and not at the port type (service) level. But all the Rampart tests currently use the older configuration which applies policies at the service level. So one improvement would be to add tests which use binding / binding operation / binding message level policies. This tutorial will provide more information on how to configure policies at these levels [1].

2.) Tests for negative scenarios

Rampart has very few tests for negative scenarios. As this is a major part of security testing, I think we need a lot more test cases for negative scenarios. Some test cases would be: no security header, empty security headers, wrong encrypted parts / signed parts, etc.

3.) Improve tests to use code generated stubs, rather than the service client

Most of the tests use the service client directly and not the stub generated from the WSDL. I think we should have tests which use dynamically generated stubs from the WSDL. This will cover both the WSDL generation aspect and the code generation aspect when security policies are attached to the service.

4.) Tests for policies attached at different levels

This is an extension of point 1.). In addition to binding level policies we need to add test cases for message level and operation level policies.

5.) Test cases for secure MTOM scenarios

This is also an area which is lacking test cases.
------------------------------------------------------------------------------------------------------------------------------------------------

Your feedback about this idea is highly appreciated. Thanks in advance.

best regards,
/ thilina