Hi Dennis;
Nice analysis...
Does Metro do policy-based validations?
Rampart does validations at two levels - first, validation at the message
level with info gathered from the message itself - and then it validates
the entire message against the defined policy.
If somebody skips the second step - it could open up holes for attacks
like XML wrapping attacks.
I found a few occasions where Metro doesn't do policy-based validations.
Would be glad if you could please confirm it.
Thanks & regards.
-Prabath
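An added illustration of the two validation levels described above (this is example code, not Rampart's or Metro's own implementation): level 1 only resolves the signature's References to elements by wsu:Id, while level 2 additionally requires that each part the policy names is the element at its expected position in the envelope with a unique Id covered by the signature. The SOAP messages, the policy (`soap:Body` must be signed) and the omission of digest checking are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"soap": SOAP, "wsu": WSU, "ds": DS}
WSU_ID = "{%s}Id" % WSU

def signed_ids(env):
    """Ids named by the signature's ds:Reference URIs (the "#id" form)."""
    refs = env.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return {r.get("URI", "").lstrip("#") for r in refs}

def elements_by_id(env):
    """Map every wsu:Id in the envelope to the element(s) carrying it."""
    found = {}
    for el in env.iter():
        if el.get(WSU_ID) is not None:
            found.setdefault(el.get(WSU_ID), []).append(el)
    return found

def message_level_ok(env):
    """Level 1: each Reference resolves to an element with that Id.
    Digest and SignatureValue checks are assumed to happen here as well."""
    by_id = elements_by_id(env)
    return all(i in by_id for i in signed_ids(env))

def policy_level_ok(env, required=("soap:Body",)):
    """Level 2: each part the policy requires to be signed must be the element
    at its expected position (a direct child of Envelope), carry a unique Id,
    and that Id must be one the signature covers. A signed copy that has been
    moved elsewhere in the message therefore does not satisfy the policy."""
    ids, by_id = signed_ids(env), elements_by_id(env)
    for part in required:
        el = env.find(part, NS)  # only the real position of the part counts
        if el is None or el.get(WSU_ID) not in ids:
            return False
        if len(by_id[el.get(WSU_ID)]) != 1:
            return False
    return True

def check(xml_text):
    """Return (message_level_ok, policy_level_ok) for one envelope."""
    env = ET.fromstring(xml_text)
    return message_level_ok(env), policy_level_ok(env)

# Constructed samples, not real traffic. Both carry the same signature; in the
# second the signed Body sits under Header and an unsigned Body took its place.
SIG = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/>'
       '</ds:SignedInfo></ds:Signature>')
HEAD = '<soap:Envelope xmlns:soap="%s" xmlns:wsu="%s" xmlns:ds="%s">' % (SOAP, WSU, DS)
GOOD_MSG = (HEAD + '<soap:Header>' + SIG + '</soap:Header>'
            '<soap:Body wsu:Id="body"><ping/></soap:Body></soap:Envelope>')
WRAPPED_MSG = (HEAD + '<soap:Header><Wrapper><soap:Body wsu:Id="body"><ping/>'
               '</soap:Body></Wrapper>' + SIG + '</soap:Header>'
               '<soap:Body wsu:Id="other"><other/></soap:Body></soap:Envelope>')
```

Running `check(GOOD_MSG)` gives `(True, True)`, while `check(WRAPPED_MSG)` gives `(True, False)`: the message-level step alone accepts the relocated signed Body, and only the policy-level step rejects it.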
Dennis Sosnoski wrote:
Following up on some earlier discussions of Axis2/Rampart WS-Security
performance, devWorks has now published my latest article in the Java
Web Services series, comparing Axis2/Rampart with Metro WS-Security
performance: http://www.ibm.com/developerworks/java/library/j-jws11/
The results are very bad for Axis2/Rampart, with Metro more than twice
as fast overall in the WS-Security tests.
As mentioned in the article, some timing tests with
org.apache.rampart.TIME logging seemed to indicate that a lot of the
overhead is actually occurring outside the Rampart handler. I suspect
that Axis2 has fallen into the same performance pit as Axis in doing
conversions to and from different forms of the message.
If anyone is interested in investigating further, the full source code
for the performance comparison is available as a download from the
article.
- Dennis