List:       axis-dev
Subject:    Re: Axis2/Rampart WS-Security performance
From:       Prabath Siriwardena <prabath () wso2 ! com>
Date:       2010-01-31 2:57:26
Message-ID: 4B64EEC6.2090102 () wso2 ! com

Hi Dennis;

Nice analysis...

Does Metro do policy based validations?

Rampart does validations at two levels - first validation at the message 
level with info gathered from the message itself - and then validate 
the entire message with the defined policy.

If somebody skips the second step - it could open up holes for attacks 
like XML wrapping attacks.

I found a few occasions that Metro doesn't do policy based validations. 
Would be glad if you could please confirm it.

Thanks & regards.
-Prabath

Dennis Sosnoski wrote:
> Following up on some earlier discussions of Axis2/Rampart WS-Security 
> performance, devWorks has now published my latest article in the Java 
> Web Services series, comparing Axis2/Rampart with Metro WS-Security 
> performance: http://www.ibm.com/developerworks/java/library/j-jws11/ 
> The results are very bad for Axis2/Rampart, with Metro more than twice 
> as fast overall in the WS-Security tests.
>
> As mentioned in the article, some timing tests with 
> org.apache.rampart.TIME logging seemed to indicate that a lot of the 
> overhead is actually occurring outside the Rampart handler. I suspect 
> that Axis2 has fallen into the same performance pit as Axis in doing 
> conversions to and from different forms of the message.
>
> If anyone is interested in investigating further, the full source code 
> for the performance comparison is available as a download from the 
> article.
>
>  - Dennis
>
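
The two validation levels discussed in this message, as an added Python sketch that is not part of the original e-mail and is not Rampart or Metro code. It assumes a policy that requires the dispatched SOAP Body to be signed, uses constructed sample messages, performs no cryptographic verification, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSU_ID = "{%s}Id" % WSU

# Constructed sample messages. Digest and signature values are omitted
# because this sketch checks structure only, not cryptography.
TEMPLATE = (
    '<s:Envelope xmlns:s="%s" xmlns:ds="%s" xmlns:u="%s"><s:Header>'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>'
    '</ds:SignedInfo></ds:Signature>{header_extra}</s:Header>'
    '{body}</s:Envelope>' % (SOAP, DS, WSU))
SIGNED_BODY = '<s:Body u:Id="body-1"><op>signed</op></s:Body>'
INTACT = TEMPLATE.format(header_extra="", body=SIGNED_BODY)
RELOCATED = TEMPLATE.format(
    header_extra="<Wrapper>" + SIGNED_BODY + "</Wrapper>",
    body='<s:Body u:Id="body-2"><op>unsigned</op></s:Body>')

def referenced_ids(env):
    # Ids that the ds:Reference elements in the message claim are signed.
    return {r.get("URI")[1:] for r in env.iter("{%s}Reference" % DS)
            if r.get("URI", "").startswith("#")}

def ids_in_message(env):
    return [e.get(WSU_ID) for e in env.iter() if e.get(WSU_ID)]

def message_level_ok(env):
    # Level 1: uses only what the message says about itself. Every
    # referenced Id resolves to some element, wherever it sits.
    refs = referenced_ids(env)
    return bool(refs) and refs <= set(ids_in_message(env))

def policy_level_ok(env):
    # Level 2 (assumed policy): the Body that is a direct child of the
    # Envelope, i.e. the one dispatched, must be the signed element,
    # and its Id must be unique in the message.
    body = env.find("{%s}Body" % SOAP)
    if body is None:
        return False
    body_id = body.get(WSU_ID)
    return (body_id in referenced_ids(env)
            and ids_in_message(env).count(body_id) == 1)

def validate(xml_text):
    env = ET.fromstring(xml_text)
    return message_level_ok(env), policy_level_ok(env)
```

The relocated sample passes the message-level check because the referenced element still exists, and only the policy-level check notices that the Body to be processed is not the signed one.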
