Changes between Version 2 and Version 3 of SecurityIssues


Timestamp: 10/10/06 11:51:23 (13 years ago)
Author: pjkersha
Comment: --

  • SecurityIssues

    v2 v3  
    11== Security Software Issues == 
    22 
    3  1. We currently make heavy use of !ServiceProxy, but we think !ServiceProxy is not in a useable state in general though. ([http://article.gmane.org/gmane.comp.python.pywebsvcs.general/1274 e.g.]). 
    4  2. [http://dsd.lbl.gov/gtg/projects/pyGlobus/ PyGlobus] Issues 
    5    1. Client Issues. Even the java version of the globus clients seems to be difficult to configure in a light weight manner: See this [http://www-unix.globus.org/mail_archive/discuss/2006/05/msg00112.html thread]. 
     3 1. We currently make heavy use of !ServiceProxy, but we think !ServiceProxy is not in a useable state in general though. ([http://article.gmane.org/gmane.comp.python.pywebsvcs.general/1274 e.g.]).  Not an issue for ZSI 2.0_rc2 and later - !ServiceProxy class is not needed. 
     4 2. [http://dsd.lbl.gov/gtg/projects/pyGridWare/ pyGridWare] Issues 
     5   1. Client Issues. Even the java version of the Globus clients seems to be difficult to configure in a light weight manner: See this [http://www-unix.globus.org/mail_archive/discuss/2006/05/msg00112.html thread]. 
    66   2. [http://www.globus.org/wsrf/convergence.php Future] of WSRF issues. 
    7  3. WS-Security and WSDL. It's not trivial to get this working. We will need to understand WS-policy.  
     7 3. WS-Security and WSDL. It's not trivial to get this working. We will need to understand WS-policy.  Possibly too much for the moment: the standards are available in draft but there is still some catching up to do for the development tools to support it.  It will be possible to use WS-Security but more difficult to tie the security policy used into WSDL.  
    88 4. ZSI Performance.  
    99   1. See the [http://article.gmane.org/gmane.comp.python.pywebsvcs.general/850 thread] in ZSI mailing list entitled “ZSI performance” kicked off by Joshua on the 31st March, 2006. 
    1010   2. “Moreover - if I understand your figures right, the ZSI client is quite efficient whereas the server is relatively slow.” ([http://article.gmane.org/gmane.comp.python.pywebsvcs.general/1123 link]) “So it would seem serialization is taking much longer than parsing.”, Joshua 
    1111   3. Any big payload should probably go as an attachment, can ZSI do that? 
    12    4. Lots of talk about using celementtree, but no one has done it? 
     12   4. Lots of talk about using celementtree, but no one has done it?  Joshua and others have done some work with this but the current system uses pyXML + 4Suite.  4Suite gives some improvement in performance.  The main issues with cElementTree is that it doesn't support XPath.  Searches on elements are possible but not on attributes.  The latter is important for WS-Security as these are used for locating elements for signature/encryption.  lxml is an alternative.  It's built on libxml2 and so supports XPath but implements a cElementTree style interface.  A big task for cElementTree + ZSI + WS-Security would be a cElementTree Canonicalization algorithm - not for the faint hearted :). 
    1313 
    1414==== Actions ====  
    1515 1. Need a Java Interface to the smClient library 
    16  1. Migrate internal web service communication to WS-Security 
     16 1. Migrate internal web service communication to WS-Security.  See [wiki:T12_Security/WS-Security] 
    1717   1. but note that WSDL and WS-Security imply the necessity for [http://www-128.ibm.com/developerworks/library/specification/ws-polatt/ WS-PolicyAttachment]. ([http://mail-archives.apache.org/mod_mbox/ws-fx-dev/200606.mbox/<449C0117.1060507%40iona.com> for example]) 
    18    1. Could we use pyGlobus?  
    19      1. Huge list of dependencies? 
     18   1. Could we use pyGridWare?  
     19     1. Huge list of dependencies?  Yes, but noted pyGridWare has an Egg installation interface which should make the process less painful. 
    2020     1. What about client dependencies? 
    2121     1. But maybe we'd get ibm-websphere integration for free?
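
Review bot: The addition at v3 line 7 and the action at v3 line 16 pull in different directions: line 7 says tying the security policy into WSDL is possibly too much for the moment, while line 16 still sets migration to WS-Security as an action and line 17 keeps the WS-PolicyAttachment caveat. Suggest saying in line 16 whether the migration goes ahead without policy expressed in WSDL. At v3 line 3, the item still opens with "We currently make heavy use of !ServiceProxy" although the new sentence says it is not an issue for ZSI 2.0_rc2 and later; state which ZSI version is in use so a reader can tell whether the issue is closed. At v3 line 12, the long addition would read better as sub-items, with the two WS-Security blockers (attribute searches needed to locate elements for signature/encryption, and the missing cElementTree canonicalization algorithm) listed separately so they can be tracked under Actions.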