Hi,
thanks for all your comments. I seem to have discovered a prerequisite to this feature.

Locally, I added this encryption option and it was working for some examples. However, when I ran the entire CXF build using the -D props to enforce this mode everywhere, I saw some test errors. Then, I reverted my local change and reran the build only with setting the COS's threshold prop and I already saw these errors. So, I will fix these errors first before adding the encryption option.

regards, aki

2012/10/18 Aki Yoshida <[email protected]>:
> Hi,
> but using a bus or EP prop, we will need a new method in COS to pass
> this encryption option. And we will need to change the current code in
> many places to make sure that this new method is used to prevent an
> unintended plain output written from somewhere. So, I see some
> drawbacks. Maybe, we can have a global option plus an instance level
> overwriting option? This would be similar to how the temp root
> directory is currently set in COS.
>
> @Dan
> we can add that option too.
> thanks.
>
> aki
>
> 2012/10/18 Freeman Fang <[email protected]>:
>> Yeah, endpoint property should be good.
>> -------------
>> Freeman(Yue) Fang
>>
>> Red Hat, Inc.
>> FuseSource is now part of Red Hat
>> Web: http://fusesource.com | http://www.redhat.com/
>> Twitter: freemanfang
>> Blog: http://freemanfang.blogspot.com
>> http://blog.sina.com.cn/u/1473905042
>> weibo: http://weibo.com/u/1473905042
>>
>> On 2012-10-18, at 9:22 PM, Willem jiang wrote:
>>
>>> Using the system property will affect CXF instance across the JVM.
>>> It could be good if we can do it on the bus level.
>>>
>>> --
>>> Willem Jiang
>>>
>>> Red Hat, Inc.
>>> FuseSource is now part of Red Hat
>>> Web: http://www.fusesource.com | http://www.redhat.com
>>> Blog: http://willemjiang.blogspot.com (English)
>>> http://jnn.javaeye.com (Chinese)
>>> Twitter: willemjiang
>>> Weibo: willemjiang
>>>
>>> On Thursday, October 18, 2012 at 9:05 PM, Aki Yoshida wrote:
>>>
>>>> Hi Freeman,
>>>> yes. This should be an option and disabled by default.
>>>> I am thinking about introducing a system property
>>>> org.apache.cxf.io.CachedOutputStream.something to set the cipher
>>>> transformation name to enable this option.
>>>>
>>>> regards, aki
>>>>
>>>> 2012/10/18 Freeman Fang <[email protected]>:
>>>>> Hi Aki,
>>>>>
>>>>> Basically I'm +1 for this good idea. Just a little bit concerned about the
>>>>> performance impact.
>>>>> Could we add a flag to enable this encryption behavior? By default the
>>>>> value is false, so keep same behavior as is, and users can explicitly
>>>>> enable it if they need a higher secure runtime.
>>>>>
>>>>> My 2 cents.
>>>>> Best Regards
>>>>> Freeman
>>>>> -------------
>>>>> Freeman(Yue) Fang
>>>>>
>>>>> Red Hat, Inc.
>>>>> FuseSource is now part of Red Hat
>>>>> Web: http://fusesource.com | http://www.redhat.com/
>>>>> Twitter: freemanfang
>>>>> Blog: http://freemanfang.blogspot.com
>>>>> http://blog.sina.com.cn/u/1473905042
>>>>> weibo: http://weibo.com/u/1473905042
>>>>>
>>>>> On 2012-10-18, at 8:31 PM, Aki Yoshida wrote:
>>>>>
>>>>>> Hi,
>>>>>> There is a concern that these temporary files are written out to the
>>>>>> file system without any protection. And I was wondering if we can add
>>>>>> an option to enable encryption for the stream output and keep the key
>>>>>> in the COS instance so that only that COS instance can later read the
>>>>>> data from the file system.
>>>>>>
>>>>>> Is there any security concern to this approach? If none, I will go
>>>>>> ahead and add this option.
>>>>>>
>>>>>> thanks.
>>>>>> regards, aki
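
The approach discussed in this thread (encrypt the temporary file and keep the key only in the owning instance), sketched as an added example that is not CXF code and not from any participant. The class `EncryptedTempSpill`, its method names and the choice of `AES/CTR/NoPadding` as the cipher transformation name are assumptions made for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.*;

// Hypothetical stand-in for a stream that spills to a temp file; not CXF's CachedOutputStream.
public class EncryptedTempSpill {
    private final String transformation;  // cipher transformation name (assumed value in main)
    private final SecretKey key;           // held only in this instance, never written to disk
    private final File tempFile;
    private AlgorithmParameters params;    // IV chosen by the provider at encryption time

    public EncryptedTempSpill(String transformation) throws IOException, GeneralSecurityException {
        this.transformation = transformation;
        // Fresh random key per instance: no other instance or process can decrypt the file.
        this.key = KeyGenerator.getInstance(transformation.split("/")[0]).generateKey();
        this.tempFile = Files.createTempFile("spill", ".tmp").toFile();
        this.tempFile.deleteOnExit();
    }

    public OutputStream openForWrite() throws IOException, GeneralSecurityException {
        Cipher enc = Cipher.getInstance(transformation);
        enc.init(Cipher.ENCRYPT_MODE, key);  // a new random IV for every write
        params = enc.getParameters();        // remembered in memory for the later read
        return new CipherOutputStream(new FileOutputStream(tempFile), enc);
    }

    public InputStream openForRead() throws IOException, GeneralSecurityException {
        Cipher dec = Cipher.getInstance(transformation);
        dec.init(Cipher.DECRYPT_MODE, key, params);
        return new CipherInputStream(new FileInputStream(tempFile), dec);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload, standing in for a cached message body.
        byte[] message = "<soap:Body>constructed sample</soap:Body>".getBytes(StandardCharsets.UTF_8);
        EncryptedTempSpill spill = new EncryptedTempSpill("AES/CTR/NoPadding");
        try (OutputStream out = spill.openForWrite()) {
            out.write(message);
        }
        byte[] onDisk = Files.readAllBytes(spill.tempFile.toPath());
        byte[] readBack;
        try (InputStream in = spill.openForRead()) {
            readBack = in.readAllBytes();
        }
        System.out.println("file equals plaintext: " + Arrays.equals(onDisk, message));
        System.out.println("round trip intact:     " + Arrays.equals(readBack, message));
    }
}
```

`AES/CTR/NoPadding` hides the file content but does not detect modification of the file; an authenticated transformation would be needed for that.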
