[ https://issues.apache.org/jira/browse/WSS-339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13209389#comment-13209389 ]

Daniel Kulp commented on WSS-339:
---------------------------------


Freeman, as global settings in the VM, there is no possible way to use them to 
mimic per-request/per-service without affecting other parts of the system. With 
the synchronized block like you describe, you run into 2 major issues:

1) Performance - CRLDP and OCSP both involve network connections, data 
transfers, etc... Even on a local net with caching OCSP results and such, 
you'll likely add a millisecond or two. If it needs to go off to the internet 
to check the certs, it's more likely to be in the tens of milliseconds. You're 
immediately limiting the entire system to less than 1000 req/sec (best case) 
and no amount of additional hardware or anything can help. I'm -1 just on 
that.

2) It doesn't solve the problem. There are other users of the security certs 
and such besides WSS4J. The SSL stuff (used for things like ActiveMQ SSL 
connections, HttpsURLConnections, Jetty, etc...) uses it, as does a lot of other 
things. There is no way you can create a synchronized lock and change the 
global settings that would not impact the other users of the APIs. So I'm -1 
on this as well.

If you need per-request/service checks, you'll need to find another solution 
that does not involve the built-in stuff controlled by system properties/global 
settings. I believe BouncyCastle has some OCSP stuff built in (they have an 
ocsp package in the jar) that might be usable. I don't really know as I 
haven't looked at it.

> OCSP support
> ------------
>
>                 Key: WSS-339
>                 URL: https://issues.apache.org/jira/browse/WSS-339
>             Project: WSS4J
>          Issue Type: Improvement
>            Reporter: Freeman Fang
>            Assignee: Colm O hEigeartaigh
>         Attachments: WSS-339.patch
>
>
> Currently WSS4J already supports CRL for revocation checks; it would be better 
> if we could also support OCSP through WSS4J configuration.
> Though we can set the ocsp.enable property in 
> $JAVA_HOME/jre/lib/security/java.security to enable OCSP, its effect is JVM-wide. 
> I'd like to introduce a property in WSHandlerConstants like enableOCSP 
> which can trigger code like
> Security.setProperty("ocsp.enable", enableOCSP);
> This should be similar to the property enableRevocation; the logic is
> if (enableRevocation && enableOCSP) {
>     //use OCSP to do revocation check.
> }
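
The per-validation alternative Daniel's comment asks for, as an added example that is not from this thread or from WSS4J: instead of `Security.setProperty("ocsp.enable", ...)`, which is JVM-global, the revocation policy is attached to one `PKIXParameters` instance via `PKIXRevocationChecker`. This assumes Java 8 or later (the API postdates this discussion); the class name, file paths and argument layout in `main` are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

public final class PerRequestRevocation {
    /**
     * Validates chain (leaf first, trust anchor excluded) against trustStore.
     * enableOcsp=true: OCSP first, CRLDP fallback; false: CRLs only, no OCSP.
     * No Security.setProperty here, so concurrent callers can use different policies.
     */
    public static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
            KeyStore trustStore, boolean enableOcsp) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        // An explicitly added checker is driven by its Options, not by the global ocsp.enable property.
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        if (!enableOcsp) {
            rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS,
                                     PKIXRevocationChecker.Option.NO_FALLBACK));
        }
        // SOFT_FAIL deliberately not set: an unreachable responder or CRL fails validation.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false);   // disable the provider's default mechanism ...
        params.addCertPathChecker(rc);         // ... and substitute this call's own policy
        return (PKIXCertPathValidatorResult) cpv.validate(path, params);
    }

    /** Assumed usage: java PerRequestRevocation chain.pem truststore.jks changeit [ocsp] */
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            ts.load(in, args[2].toCharArray());
        }
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        try {
            PKIXCertPathValidatorResult r = validate(chain, ts, args.length > 3 && "ocsp".equals(args[3]));
            System.out.println("valid; anchor " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("rejected: " + e.getReason() + " (" + e.getMessage() + ")");
        }
    }
}
```

Because the checker is cloned into the parameters object, two threads validating at the same time with different `enableOcsp` values do not interfere, which is the property a synchronized block around a global setting cannot give.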
