[ https://issues.apache.org/jira/browse/WSS-339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13209078#comment-13209078 ]
Freeman Fang commented on WSS-339:
----------------------------------
Hi Dan, Colm,
I get you guys' point that both com.sun.security.enableCRLDP and
ocsp.enable should be global settings, but I can also see the scenario where we
should support those properties per service. For example, in the same
application (that could be standalone CXF, not even in a container), one
service doesn't want to use OCSP but the other one wants to use OCSP, as different
services can use different certificates from different CAs. In this case the
global settings can't meet the requirement. We actually can make those
properties effective per service context: in the verifyTrust(certs,
enableRevocation, enableOCSP) method, before the real
validator.validate(path, param); // check if certificate is still valid
we set the properties, and after that we restore the properties, so each
invocation of certificate validation won't pollute the global context.
We need

    synchronized (A Global Lock Object from WSS4J) {
        set properties;
        validator.validate(path, param); // check if certificate is still valid
        restore properties;
    }

to ensure the properties are not changed during one validation invocation.
The synchronized block may affect performance a little bit, but IMO it's worth
adding certificate revocation checks per service context (we can add an extra
WSHandler flag which controls whether we want per-service context or not, so that
by default it's still the old behavior and doesn't impact performance).
This is my 2 cents, and if the team agrees I can come up with a new patch
accordingly.
Best Regards
Freeman
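The save/set/validate/restore pattern described in the comment above, written out as an added Java example; it is not code from the comment or from WSS4J, and the class name, the lock name, the extra enableCRLDP flag and the caller-supplied trust anchors are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;

/** Applies per-service revocation settings only for the duration of one validation. */
public final class ScopedRevocationValidator {

    // Assumed name for the JVM-wide lock the comment calls for; every caller must share it.
    private static final Object REVOCATION_LOCK = new Object();

    public static void verifyTrust(List<X509Certificate> certs, Set<TrustAnchor> anchors,
                                   boolean enableRevocation, boolean enableOCSP,
                                   boolean enableCRLDP) throws GeneralSecurityException {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(certs);
        PKIXParameters param = new PKIXParameters(anchors);
        param.setRevocationEnabled(enableRevocation); // OCSP and CRLDP only apply when this is on
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        // Both switches are JVM-wide: ocsp.enable is a Security property,
        // com.sun.security.enableCRLDP is a System property.
        synchronized (REVOCATION_LOCK) {
            String oldOcsp = Security.getProperty("ocsp.enable");
            String oldCrldp = System.getProperty("com.sun.security.enableCRLDP");
            try {
                Security.setProperty("ocsp.enable",
                        String.valueOf(enableRevocation && enableOCSP));
                System.setProperty("com.sun.security.enableCRLDP",
                        String.valueOf(enableRevocation && enableCRLDP));
                validator.validate(path, param); // check if certificate is still valid
            } finally {
                // Restore even when validation throws, so a failed check cannot leak
                // settings into the next service's validation. Neither setter accepts
                // null, so an unset property goes back to the JDK default ("false").
                Security.setProperty("ocsp.enable", oldOcsp == null ? "false" : oldOcsp);
                if (oldCrldp == null) {
                    System.clearProperty("com.sun.security.enableCRLDP");
                } else {
                    System.setProperty("com.sun.security.enableCRLDP", oldCrldp);
                }
            }
        }
    }
}
```

The lock only serializes callers of this method, so any other code path that runs a PKIX validation concurrently still observes the temporarily changed JVM-wide values; that is the trade-off behind the opt-in WSHandler flag the comment proposes.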
> OCSP support
> ------------
>
> Key: WSS-339
> URL: https://issues.apache.org/jira/browse/WSS-339
> Project: WSS4J
> Issue Type: Improvement
> Reporter: Freeman Fang
> Assignee: Colm O hEigeartaigh
> Attachments: WSS-339.patch
>
>
> Currently WSS4J already supports CRL for revocation checks; it would be better
> if we could also support OCSP through WSS4J configuration.
> Though we can set the ocsp.enable property in
> $JAVA_HOME/jre/lib/security/java.security to enable OCSP, it takes effect JVM
> wide. I'd like to introduce a property in WSHandlerConstants like enableOCSP
> which can trigger code like
> Security.setProperty("ocsp.enable", enableOCSP);
> This should be similar to the property enableRevocation; the logic is
> if (enableRevocation && enableOCSP) {
> //use OCSP to do revocation check.
> }