Hi!
I'm writing a master's thesis about security concerns and input validation
in web services. I've looked at several different SOAP frameworks
(axis2, xfire, jax-ws++) and their support for doing proper input
validation. It seems like none of them provides more validation than
what is supported through the types defined in the WSDL. Validation
against XML-Schema types within WSDL documents is more or less supported
in the various projects.
My thesis is focused on making it easier to create secure applications
and I've been thinking about creating some kind of framework that
enables validation outside of the WSDL-document. The rationale behind
this is that for non-'contract-first' developers, it is inconvenient and
takes a lot of time to create a WSDL-document instead of using the built-in
autogenerated WSDL. Often the developers of the web service don't
think much of the security issues either, so it would be nice for a
security team to be able to add security later without needing to change
the WSDL (that might already have been published to 3rd parties).
I would love to get some opinions or suggestions about this.
Would the xfire-team be interested in incorporating an eventual outcome
of this project into the xfire project?
--
Regards
Henning Jensen
Department of Computer and Information Science
Norwegian University of Science and Technology (NTNU)