wiki:SecurityIssues

Version 3 (modified by pjkersha, 13 years ago)

Security Software Issues

  1. We currently make heavy use of ServiceProxy, but we think ServiceProxy is not in a usable state in general (e.g.). Not an issue for ZSI 2.0_rc2 and later: the ServiceProxy class is not needed.
  2. pyGridWare Issues
    1. Client Issues. Even the Java version of the Globus clients seems to be difficult to configure in a lightweight manner: see this thread.
    2. Future of WSRF issues.
  3. WS-Security and WSDL. It's not trivial to get this working. We will need to understand WS-Policy. Possibly too much for the moment: the standards are available in draft, but the development tools still have some catching up to do to support them. It will be possible to use WS-Security, but more difficult to tie the security policy used into WSDL.
  4. ZSI Performance.
    1. See the thread in the ZSI mailing list entitled “ZSI performance”, kicked off by Joshua on the 31st March, 2006.
    2. “Moreover - if I understand your figures right, the ZSI client is quite efficient whereas the server is relatively slow.” (link) “So it would seem serialization is taking much longer than parsing.”, Joshua
    3. Any big payload should probably go as an attachment; can ZSI do that?
    4. Lots of talk about using cElementTree, but no one has done it? Joshua and others have done some work with this, but the current system uses pyXML + 4Suite. 4Suite gives some improvement in performance. The main issue with cElementTree is that it doesn't support XPath. Searches on elements are possible but not on attributes. The latter is important for WS-Security, as attributes are used for locating the elements to sign or encrypt. lxml is an alternative: it's built on libxml2 and so supports XPath, but implements a cElementTree-style interface. A big task for cElementTree + ZSI + WS-Security would be a cElementTree canonicalization algorithm - not for the faint hearted :).
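
The attribute lookup that WS-Security depends on, as an added example (not code from this wiki, ZSI or pyGridWare): each `ds:Reference` URI is resolved to the element carrying the matching `wsu:Id` by walking the tree once, so it works on an ElementTree-style API without attribute XPath. The sample envelope and the function names are constructed for illustration; duplicate or missing Ids are rejected rather than resolved to an arbitrary element.

```python
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_ID = "{%s}Id" % WSU  # ElementTree spells namespaced attributes as {uri}name

# Constructed sample message; digest and signature values are omitted.
SAMPLE = """<soap:Envelope xmlns:soap="%s" xmlns:wsu="%s" xmlns:ds="%s">
  <soap:Header><ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#body-1"/><ds:Reference URI="#ts-1"/>
  </ds:SignedInfo></ds:Signature>
  <wsu:Timestamp wsu:Id="ts-1"/></soap:Header>
  <soap:Body wsu:Id="body-1"><getData/></soap:Body>
</soap:Envelope>""" % (SOAP, WSU, DS)


def index_ids(root):
    """Walk every element once and map wsu:Id -> element, refusing duplicates."""
    index = {}
    for elem in root.iter():
        ident = elem.get(WSU_ID)
        if ident is None:
            continue
        if ident in index:
            raise ValueError("duplicate wsu:Id %r: reference is ambiguous" % ident)
        index[ident] = elem
    return index


def resolve_references(root):
    """Return [(uri, element)] for each same-document ds:Reference."""
    index = index_ids(root)
    resolved = []
    for ref in root.iter("{%s}Reference" % DS):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in index:
            raise ValueError("unresolvable reference %r" % uri)
        resolved.append((uri, index[uri[1:]]))
    return resolved


def signed_tags(xml_text):
    """Parse a message and list the tags of the elements its signature covers."""
    return [elem.tag for _, elem in resolve_references(ET.fromstring(xml_text))]


if __name__ == "__main__":
    print(signed_tags(SAMPLE))
```
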

Actions

  1. Need a Java Interface to the smClient library
  2. Migrate internal web service communication to WS-Security. See T12_Security/WS-Security
    1. but note that WSDL and WS-Security imply the necessity for WS-PolicyAttachment (for example).
    2. Could we use pyGridWare?
      1. Huge list of dependencies? Yes, but noted pyGridWare has an Egg installation interface which should make the process less painful.
      2. What about client dependencies?
      3. But maybe we'd get ibm-websphere integration for free?
  3. Need to package things better for simpler installation
  4. Need to build better and cleaner interfaces for application integration.