axis-java-dev mailing list archives

From Sanjiva Weerawarana <sanj...@opensource.lk>
Subject Re: WSS4J 1.5.4 Encryption Performance Question
Date Fri, 17 Oct 2008 14:36:53 GMT
Plus .. JAXB is a data binding standard - a way to map XML to Java 
objects. AXIOM is an XML Infoset representation, which is what's needed 
for WS-Sec etc. and not a data bound set of objects. In fact, you can't do 
it with the data bound stuff because you lose information items in the 
binding.

Sanjiva.

Isuru Suriarachchi wrote:
> Hi Oliver,
> 
> On Thu, Oct 16, 2008 at 5:58 PM, Oliver Wulff <oliver.wulff@zurich.ch> 
> wrote:
> 
>     Hi Isuru
> 
>     What was the reason to use Axiom instead of the JAXB standard?
> 
> 
> First, I have to say that I'm not very familiar with the JAXB standard. But
> as we are developing a security module for Axis2, it is best to use
> the same object model as Axis2, because it will avoid the overhead of
> object model conversions (like DOOM). Axis2 uses Axiom, and Axiom is also
> pull-based and lightweight. So it was a straightforward decision for
> us to use Axiom.
> 
> Thanks,
> Isuru
>  
> 
> 
> 
>     Thanks
>     Oliver
> 
> 
> 
> 
>     "Isuru Suriarachchi" <isurues@gmail.com> wrote on 16.10.2008 13:46:
>     To: axis-dev@ws.apache.org
>     Cc: "Dittmann, Werner (NSN - DE/Munich)" <werner.dittmann@nsn.com>,
>     "Dennis Sosnoski" <dms@sosnoski.com>, "Colm O hEigeartaigh"
>     <coheigea@progress.com>, "Werner Dittmann" <Werner.Dittmann@t-online.de>,
>     "jimmy Zhang" <jzhang@ximpleware.com>, smmtech@sbcglobal.net,
>     wss4j-dev@ws.apache.org, saliya@wso2.com, sameera@wso2.com,
>     kalani@wso2.com (Bcc: Oliver Wulff/CHK/External/Zurich)
>     Subject: Re: WSS4J 1.5.4 Encryption Performance Question
> 
> 
> 
> 
> 
>     Hi,
> 
>     As Paul has explained, we have developed a new WS-Security implementation
>     totally on Axiom. Our intention was to find a solution for the well-known
>     performance drawbacks of Rampart. According to the performance results we
>     obtained at the end of our project, I can say that we have achieved our
>     goal.
> 
>     One of the main reasons for Rampart's performance drawbacks is the usage of
>     DOM as the object model in the WSS4J and XML-Sec implementations. As the top
>     Rampart layer uses Axiom, DOOM conversion is done to convert the object
>     model into DOM. So we have implemented WS-Security and XML-Security
>     entirely using Axiom, and that removes the requirement for DOOM. Also, as
>     Axiom is pull-based, it saves a lot of memory when it comes to invalid
>     messages if they are rejected without building the whole message.
> 
>     The other major problem with Rampart is that WSS4J is not WS-SecurityPolicy
>     aware. So the policy-based validations of secured SOAP messages are done
>     after going through all the WS-Security validation steps in WSS4J. This
>     wastes both memory and processing power if the message is not according to
>     policy. In order to remove this drawback, we have made our WS-Security
>     implementation policy aware. So the token processors can do policy
>     validations themselves.
> 
>     In addition to the above-mentioned improvements, we have done various
>     code-level improvements as well. Especially in invalid message cases like DoS
>     attacks, our implementation performs extremely efficiently compared to
>     Rampart. In other words, it rejects the messages far earlier than Rampart.
> 
>     I have explained our WS-Security model in the article at
>     <http://wso2.org/library/articles/ws-security-processing-models-along-ws-securitypolicy-1>.
> 
>     Thanks,
>     Isuru
> 
>     On Thu, Oct 16, 2008 at 2:19 PM, Paul Fremantle <pzfreo@gmail.com> wrote:
>      Werner
> 
>      A group of four students from the University of Moratuwa built a
>      WS-Security implementation architected directly on top of Axiom as
>      their final year project. Saliya (copied) is one of them, plus
>      Sameera, Isuru and Kalani. (Forgive me for excluding their surnames).
>      They called this "Rampart2" as a code-name, but of course naming would
>      need to be decided by the community. AFAIK they intend to contribute
>      this to the WS project - and the contribution of canonicalization into
>      Axiom is the first step they have taken.
> 
>      My understanding is that they have submitted a paper on this to the
>      IITC conference, so the paper will be published at the end of the
>      month. In the meantime, if you contact Saliya, I'm sure he can share a
>      pre-press version. Saliya also mentioned he is planning to share some
>      results in a blog.
> 
>      Paul
> 
> 
>      On Thu, Oct 16, 2008 at 7:49 AM, Dittmann, Werner (NSN - DE/Munich)
>      <werner.dittmann@nsn.com> wrote:
>      > Paul,
>      >
>      > a link to this work would be nice :-) ,
>      >
>      > Regards,
>      > Werner
>      >
>      >> -----Original Message-----
>      >> From: ext Paul Fremantle [mailto:pzfreo@gmail.com]
>      >> Sent: Thursday, October 16, 2008 8:37 AM
>      >> To: Dennis Sosnoski
>      >> Cc: Colm O hEigeartaigh; Werner Dittmann; jimmy Zhang;
>      >> smmtech@sbcglobal.net; wss4j-dev@ws.apache.org; saliya@wso2.com
>      >> Subject: Re: WSS4J 1.5.4 Encryption Performance Question
>      >>
>      >> Dennis
>      >>
>      >> I don't know about *just* canonicalization, but the team built a
>      >> complete version of WS-Security on top of Axiom and in their tests the
>      >> overall speedup ranged from 1.7-3x faster on various scenarios and
>      >> message sizes.
>      >>
>      >> Paul
>      >>
>      >> On Thu, Oct 16, 2008 at 7:29 AM, Dennis Sosnoski
>      >> <dms@sosnoski.com> wrote:
>      >> > Hi Paul,
>      >> >
>      >> > I don't think that C14N support in Axiom is likely to be of much direct
>      >> > benefit for performance. Axiom is slower and more memory-intensive than
>      >> > standard DOM implementations when a document model needs to be built - its
>      >> > advantage is that barring signing and such, most times you can get away
>      >> > without the need for a document model - so I don't see that using Axiom
>      >> > rather than a standard DOM is really going to help.
>      >> >
>      >> > The exception would be cases where only some tokens in the header are being
>      >> > signed, which is actually the case that started this discussion. If the
>      >> > Axiom+Rampart+WSS4J combination is smart enough to only build the Axiom DOM
>      >> > for the header tokens that are being signed, this should give much better
>      >> > performance than when the entire message has to be converted to a DOM.
>      >> >
>      >> > I look forward to comparing the performance using Axiom C14N vs. using
>      >> > standard DOM, and will give this a try as soon as it becomes an option in
>      >> > the configuration.
>      >> >
>      >> >  - Dennis
>      >> >
>      >> >
>      >> > Paul Fremantle wrote:
>      >> >>>
>      >> >>> IMO
>      >> >>> C14N (in the case of signature) and DOM are the main culprits for
>      >> >>> performance as far as WSS4J is concerned, not PKC.
>      >> >>>
>      >> >>
>      >> >> I believe that some students have built out C14N directly in Axiom and
>      >> >> are planning to contribute it to Axiom shortly. That should make a big
>      >> >> difference.
>      >> >>
>      >> >> Paul
>      >> >>
>      >> >>
>      >> >
>      >>
>      >>
>      >>
>      >> --
>      >> Paul Fremantle
>      >> Co-Founder and CTO, WSO2
>      >> Apache Synapse PMC Chair
>      >> OASIS WS-RX TC Co-chair
>      >>
>      >> blog: http://pzf.fremantle.org
>      >> paul@wso2.com
>      >>
>      >> "Oxygenating the Web Service Platform", www.wso2.com
>      >>
>      >>
>      >> ---------------------------------------------------------------------
>      >> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>      >> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>      >>
>      >>
>      >


-- 
Sanjiva Weerawarana, Ph.D.
Founder & Director; Lanka Software Foundation; http://www.opensource.lk/
Founder, Chairman & CEO; WSO2, Inc.; http://www.wso2.com/
Member; Apache Software Foundation; http://www.apache.org/
Visiting Lecturer; University of Moratuwa; http://www.cse.mrt.ac.lk/

Blog: http://sanjiva.weerawarana.org/

---------------------------------------------------------------------
To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-dev-help@ws.apache.org
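
An added illustration of the point at the top of this message (not code from the thread, Axiom, JAXB or WSS4J): a signature digest is computed over the canonicalized infoset, so a round trip through data-bound objects that drops information items breaks it, while a purely lexical re-serialization does not. The `Order` class, the namespace and the sample XML are constructed, and Python's ElementTree C14N 2.0 stands in for the canonicalization a WS-Security signature would name.

```python
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = "urn:example:orders"   # constructed application namespace
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
# Constructed fragment standing in for a signed SOAP body child.
SIGNED_XML = (f'<o:Order xmlns:o="{NS}" xmlns:wsu="{WSU}" wsu:Id="body-1">'
              '<o:Item>widget</o:Item><o:Qty>03</o:Qty>'
              '<o:Note priority="high">rush</o:Note></o:Order>')
# Same infoset, different lexical form (quote style, declaration order).
RESERIALIZED = (f"<o:Order wsu:Id='body-1' xmlns:wsu='{WSU}' xmlns:o='{NS}' >"
                "<o:Item>widget</o:Item><o:Qty>03</o:Qty>"
                "<o:Note priority='high'>rush</o:Note></o:Order>")

@dataclass
class Order:                # hypothetical bound class: only the schema's fields
    item: str
    qty: int

def unmarshal(xml: str) -> Order:
    root = ET.fromstring(xml)
    return Order(root.findtext(f"{{{NS}}}Item"), int(root.findtext(f"{{{NS}}}Qty")))

def marshal(order: Order) -> str:
    root = ET.Element(f"{{{NS}}}Order")
    ET.SubElement(root, f"{{{NS}}}Item").text = order.item
    ET.SubElement(root, f"{{{NS}}}Qty").text = str(order.qty)
    return ET.tostring(root, encoding="unicode")

def c14n_digest(xml: str) -> str:
    """SHA-256 over the canonical form, as a signature reference digest would be."""
    return hashlib.sha256(ET.canonicalize(xml).encode("utf-8")).hexdigest()

def infoset_items(xml: str) -> set:
    items = set()
    for el in ET.fromstring(xml).iter():
        items.add(("element", el.tag))
        items.update(("attribute", f"{el.tag}@{k}={v}") for k, v in el.attrib.items())
        if el.text and el.text.strip():
            items.add(("text", f"{el.tag}={el.text}"))
    return items

def lost_in_binding(xml: str) -> set:
    """Information items present in the input but gone after bind + re-serialize."""
    return infoset_items(xml) - infoset_items(marshal(unmarshal(xml)))

if __name__ == "__main__":
    print("lexical variant verifies:", c14n_digest(SIGNED_XML) == c14n_digest(RESERIALIZED))
    print("data-bound copy verifies:",
          c14n_digest(marshal(unmarshal(SIGNED_XML))) == c14n_digest(SIGNED_XML))
    for kind, item in sorted(lost_in_binding(SIGNED_XML)):
        print("lost", kind, item)
```

The items lost here are the `wsu:Id` attribute a signature reference would point at, the element the bound class does not model, and the original lexical value of `Qty`; the re-serialized copy also carries a different namespace prefix, which changes the canonical bytes as well.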

