List: axis-dev
Subject: Re: Axis2/Rampart WS-Security performance
From: Prabath Siriwardena <prabath () wso2 ! com>
Date: 2010-01-31 2:57:26
Message-ID: 4B64EEC6.2090102 () wso2 ! com
Hi Dennis;
Nice analysis...
Does Metro do policy based validations?
Rampart does validations at two levels - first validation at the message
level with info gathered from the message itself - and then validate
the entire message with the defined policy.
If somebody skips the second step - it could open up holes for attacks
like XML wrapping attacks.
I found a few occasions where Metro doesn't do policy based validations.
Would be glad if you could please confirm it.
Thanks & regards.
-Prabath
Dennis Sosnoski wrote:
> Following up on some earlier discussions of Axis2/Rampart WS-Security
> performance, devWorks has now published my latest article in the Java
> Web Services series, comparing Axis2/Rampart with Metro WS-Security
> performance: http://www.ibm.com/developerworks/java/library/j-jws11/
> The results are very bad for Axis2/Rampart, with Metro more than twice
> as fast overall in the WS-Security tests.
>
> As mentioned in the article, some timing tests with
> org.apache.rampart.TIME logging seemed to indicate that a lot of the
> overhead is actually occurring outside the Rampart handler. I suspect
> that Axis2 has fallen into the same performance pit as Axis in doing
> conversions to and from different forms of the message.
>
> If anyone is interested in investigating further, the full source code
> for the performance comparison is available as a download from the
> article.
>
> - Dennis
>
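
The two validation levels described in the reply above, as an added Python example that is not part of the original message and is not Rampart or Metro code. It assumes a simplified envelope (the `ds:Signature` sits directly in the header), treats the cryptographic digest and signature checks as already done, and uses hypothetical names (`validate`, `referenced_elements`, `envelope`) with constructed sample messages.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSU_ID = "{%s}Id" % WSU


def referenced_elements(root):
    """Map each ds:Reference URI to every element carrying that wsu:Id."""
    refs = {}
    for ref in root.iter("{%s}Reference" % DS):
        wanted = ref.get("URI", "").lstrip("#")
        refs[wanted] = [e for e in root.iter() if e.get(WSU_ID) == wanted]
    return refs


def validate(xml_text):
    """Return (message_level_ok, policy_ok) for one envelope."""
    root = ET.fromstring(xml_text)
    refs = referenced_elements(root)
    # Level 1: uses only what the message says about itself. Every
    # reference must resolve to exactly one element, wherever it sits.
    message_ok = bool(refs) and all(len(h) == 1 for h in refs.values())
    # Level 2: the policy says the Body must be signed, so the element
    # the service will process (Envelope/Body) must be a signed one.
    body = root.find("{%s}Body" % SOAP)  # direct child of Envelope only
    policy_ok = (message_ok and body is not None
                 and any(h[0] is body for h in refs.values()))
    return message_ok, policy_ok


def envelope(header_extra, body_id):
    """Build a constructed sample envelope whose signature covers #body-1."""
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:ds="{DS}" xmlns:wsu="{WSU}">'
            f'<s:Header><ds:Signature><ds:SignedInfo>'
            f'<ds:Reference URI="#body-1"/></ds:SignedInfo></ds:Signature>'
            f'{header_extra}</s:Header>'
            f'<s:Body wsu:Id="{body_id}"><op>processed</op></s:Body>'
            f'</s:Envelope>')


# Constructed samples: signed Body in place, and signed Body moved under
# a header element while a different, unsigned Body is what gets processed.
INTACT = envelope("", "body-1")
RELOCATED = envelope('<Wrapper><s:Body wsu:Id="body-1"><op>signed</op>'
                     '</s:Body></Wrapper>', "body-2")

if __name__ == "__main__":
    print("intact   :", validate(INTACT))
    print("relocated:", validate(RELOCATED))
```

The relocated sample passes the message-level check because the reference still resolves to a validly signed element; only the policy-level check notices that the processed Body is not the signed one.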