On Tuesday, August 30, 2011 6:51:38 PM Marc Giger wrote:
> swssf emits policy-relevant events just in time. So as an example, if swssf
> finds an X509Token it will be emitted immediately, the Policy-Engine
> picks it up and throws an exception if it detects that it doesn't meet
> the policy.

We DO need to be careful about this though.  In some cases, this can be an 
attack vector based on timing.  If it fails fast in some cases and fails slow 
in others, that is potential information that an attacker can use.   I just 
wanted to mention this.   :-)


> But I don't see any reason why not to use Rampart for this job when
> it supports the just in time evaluation. Also I did use the Rampart
> and Neethi classes as a starting point.

Oi....  OK.   The CXF WS-SecurityPolicy Neethi classes are much further along 
than the Rampart equivalents.    Something we can reconcile later though.   
The nice thing about Neethi 3 though is that we should be able to create a 
collection of policy classes that are actually shareable.   That was part of 
the goal.

> It would be nice if the just in time evaluation could be kept.

Agreed, but keep in mind the attack vectors.


Dan


> > I have more questions related to streaming behaviour of SWSSF. But I
> > will ask them once I get a high-level overview on how SWSSF works.
> 
> I hope my explanations help a bit to understand swssf. I will be glad
> to answer further questions you may have.
> 
> Kind regards
> 
> Marc
> 
> > Thanks in advance.
> > 
> > 
> > 
> > AmilaJ
> > 
> > On Wed, Aug 24, 2011 at 2:05 AM, Daniel Kulp <[email protected]> wrote:
> > > On Tuesday, August 23, 2011 9:01:27 PM Marc Giger wrote:
> > >> Hi Dan,
> > >> 
> > >> On Tue, 23 Aug 2011 13:04:40 -0400
> > >> 
> > >> Daniel Kulp <[email protected]> wrote:
> > > >> > Actually, one more grant related thing...
> > > >> > 
> > > >> > The ip-clearance form mentions making sure the granted files
> > > >> > have the proper Apache license header which the current files
> > > >> > do not.  I'm not sure if that can be done after the vote and
> > > >> > import or not.   It would be simpler if the granted dump and
> > > >> > checksums and all pointed to a version that had the headers
> > > >> > already updated.
> > >> 
> > >> The latest revision of the files in the svndump attached in the
> > >> jira have the following header:
> > >> 
> > >> /**
> > >>  * Licensed to the Apache Software Foundation (ASF) under one
> > >>  * or more contributor license agreements. See the NOTICE file
> > >>  * distributed with this work for additional information
> > >>  * regarding copyright ownership. The ASF licenses this file
> > >>  * to you under the Apache License, Version 2.0 (the
> > >>  * "License"); you may not use this file except in compliance
> > >>  * with the License. You may obtain a copy of the License at
> > >>  *
> > >>  * http://www.apache.org/licenses/LICENSE-2.0
> > >>  *
> > >>  * Unless required by applicable law or agreed to in writing,
> > >>  * software distributed under the License is distributed on an
> > >>  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> > >>  * KIND, either express or implied. See the License for the
> > >>  * specific language governing permissions and limitations
> > >>  * under the License.
> > >>  */
> > >> 
> > >> AFAIK this should be the correct one, right? Also I added the
> > >> NOTICE file to the tree.
> > > 
> > > Ah.  OK.   I was just looking at the raw dump and I guess was
> > > ending up looking at previous versions of files.
> > > 
> > > 
> > > Looks fine.
> > > 
> > > Thanks!
> > > Dan
> > > 
> > >> Kind regards
> > >> 
> > >> Marc
> > >> 
> > >> > Dan
> > >> > 
> > >> > On Tuesday, August 23, 2011 12:50:20 PM Daniel Kulp wrote:
> > >> > > On Sunday, August 21, 2011 9:41:42 PM Marc Giger wrote:
> > > >> > > > > There are a few other things to think about with it as
> > > >> > > > > well like interactions with FastInfoset (which CXF can
> > > >> > > > > currently support, but this wouldn't due to operating on
> > > >> > > > > the OutputStream directly instead of an
> > > >> > > > > XMLStream/EventWriter). Mapping all the current CXF
> > > >> > > > > configs in may take a bit as well, but nothing too major
> > > >> > > > > I would expect.
> > >> > > > 
> > > >> > > > I was just too lazy and had no time left to implement the
> > > >> > > > XMLStreamWriter. At the time, I noticed that a simple
> > > >> > > > OutputStream matches perfectly for the CXF integration. But
> > > >> > > > you are right, this will be a requirement. For the
> > > >> > > > FastInfoset case, maybe we find a more efficient way than
> > > >> > > > writing to an XMLStreamWriter and then translating to
> > > >> > > > FastInfoset...
> > >> > > 
> > > >> > > That's pretty much how fastinfoset works.   We have an
> > > >> > > XMLStreamWriter that writes fastinfoset instead of regular XML.
> > > >> > > Thus instead of creating a normal Woodstox (or other Stax)
> > > >> > > XMLStreamWriter that wrappers the OutputStream, we create an FI
> > > >> > > version of an XMLStreamWriter that wrappers the OutputStream.
> > > >> > > It's pretty simple if things can be set to write/read to the
> > > >> > > Stax things instead of raw streams.
> > >> > > 
> > > >> > > > > Filing a grant requires an Apache member to help out, but
> > > >> > > > > Colm and I are both members (and there are others around
> > > >> > > > > here as well) that would be more than happy to help out.
> > > >> > > > > If you have any questions about it, let me know and I'd be
> > > >> > > > > happy to help.
> > >> > > > 
> > > >> > > > I prepared the form as far as I could. Please have a look at
> > > >> > > > http://gigerstyle.homelinux.com/downloads/swssf/swssf.xml
> > >> > > 
> > > >> > > OK.  I've started with this.   Major thanks.   I'll get this
> > > >> > > added to the ip-clearance page shortly.
> > >> > > 
> > >> > > > Also I filled out the grants.txt :
> > >> > > > 
> > > >> > > > http://gigerstyle.homelinux.com/downloads/swssf/grants.txt
> > > >> > > > http://gigerstyle.homelinux.com/downloads/swssf/grants.txt.asc
> > > >> > > > 
> > > >> > > > You will find my gpg public key for signature-verification on
> > > >> > > > the key-servers or under the following URL:
> > >> > > > 
> > >> > > > http://gigerstyle.homelinux.com/?page_id=28
> > >> > > > 
> > >> > > > It's not entirely clear to me: Do I have to send some
> > >> > > > documents to the apache office or secretary?
> > >> > > 
> > > >> > > You need to send the grants.txt file to secretary@ , digitally
> > > >> > > signed. Once they process that, I think we can proceed with the
> > > >> > > rest of the grant.
> > >> > > 
> > > >> > > > Did I do everything correctly so far? What are the next steps?
> > >> > > 
> > >> > > So far, so good.
> > >> > > 
> > >> > > > > Also, you should file an Apache ICLA:
> > >> > > > > http://www.apache.org/licenses/#clas
> > >> > > > > 
> > > >> > > > > That's the first step in getting an account created for
> > > >> > > > > you to become a committer.   Doing that sooner can help
> > > >> > > > > speed things up.
> > >> > > > 
> > > >> > > > Also done. I already got an ack from secretary. Should I
> > > >> > > > forward the acknowledgment to you?
> > >> > > 
> > >> > > I see your name now listed at:
> > >> > > http://people.apache.org/committer-index.html#unlistedclas
> > >> > > 
> > >> > > That's all I need.  :-)
> > >> > > 
> > >> > > > > > Do you have some more questions?
> > >> > > > > 
> > > >> > > > > I think that's it for me.    Let me just say "very nice
> > > >> > > > > job".   :-)
> > >> > > > 
> > >> > > > Thank you Dan!
> > >> > > > 
> > >> > > > Kind regards
> > >> > > > 
> > >> > > > Marc
> > >> > > > 
> > >> > > > > Dan
> > >> 
> > >> ------------------------------------------------------------------
> > >> ---
> > >> To unsubscribe, e-mail: [email protected]
> > >> For additional commands, e-mail: [email protected]
> > > 
> > > --
> > > Daniel Kulp
> > > [email protected]
> > > http://dankulp.com/blog
> > > Talend - http://www.talend.com
> > > 
> > > --------------------------------------------------------------------
> > > -
> > > To unsubscribe, e-mail: [email protected]
> > > For additional commands, e-mail: [email protected]
> > 
-- 
Daniel Kulp
[email protected]
http://dankulp.com/blog
Talend - http://www.talend.com
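
The fail-fast versus fail-slow difference raised in this message, as an added sketch that is not code from swssf, CXF, Neethi or Rampart: the event types, the `Mode` enum and the two policy rules are hypothetical. It contrasts rejecting at the first violating event with a variant that still evaluates each event as it arrives but raises one generic fault only after the whole stream has been consumed.

```java
import java.util.ArrayList;
import java.util.List;

public class PolicyTimingDemo {
    enum Mode { FAIL_FAST, DEFERRED }

    /** Hypothetical security event emitted by a streaming parser. */
    record SecEvent(String type, String detail) {}

    static class PolicyException extends Exception {
        final int eventsConsumed;   // stands in for observable processing time
        PolicyException(String msg, int eventsConsumed) { super(msg); this.eventsConsumed = eventsConsumed; }
    }

    // Assumed policy for the demo: X509 tokens required, timestamp must not be expired.
    static String violation(SecEvent e) {
        if (e.type().equals("Token") && !e.detail().equals("X509Token")) return "wrong token type";
        if (e.type().equals("Timestamp") && e.detail().equals("expired")) return "timestamp expired";
        return null;
    }

    static void process(List<SecEvent> stream, Mode mode) throws PolicyException {
        List<String> internalLog = new ArrayList<>();
        int consumed = 0;
        for (SecEvent e : stream) {
            consumed++;
            String v = violation(e);          // evaluation is still just in time
            if (v == null) continue;
            if (mode == Mode.FAIL_FAST) throw new PolicyException(v, consumed);
            internalLog.add(v);               // kept server-side, never sent to the caller
        }
        if (!internalLog.isEmpty()) throw new PolicyException("policy not satisfied", consumed);
    }

    public static void main(String[] args) {
        // Constructed sample messages: the violation sits early in one, late in the other.
        List<SecEvent> early = List.of(new SecEvent("Token", "UsernameToken"),
                new SecEvent("Signature", "rsa-sha256"), new SecEvent("Body", "encrypted"));
        List<SecEvent> late = List.of(new SecEvent("Token", "X509Token"),
                new SecEvent("Signature", "rsa-sha256"), new SecEvent("Timestamp", "expired"));
        for (Mode m : Mode.values())
            for (List<SecEvent> msg : List.of(early, late))
                try { process(msg, m); }
                catch (PolicyException ex) {
                    System.out.println(m + ": \"" + ex.getMessage() + "\" after " + ex.eventsConsumed + " events");
                }
    }
}
```

In `DEFERRED` mode both sample messages fail with the same text after the full stream is read, so neither the fault string nor the amount of work done tells the sender which assertion failed or where in the message it sat. The cost is that an invalid message is no longer rejected early.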