cxf-dev mailing list archives

From "Sergey Beryozkin" <sergey.beryoz...@iona.com>
Subject Re: Policies and features (Was : WS-SX)
Date Mon, 24 Sep 2007 17:27:20 GMT
Hi Fred

Only a true security expert can express this concern :-)
I agree that putting private stuff inside a public policy may not be desirable. As I said, I'm not trying to suggest that "private stuff in public policies" is the only true way to go. I just feel it might be handy sometimes to be able to do so. We can put the private stuff into features. I'm not certain it will guarantee that no leakage will occur though :-) though it will be the user's responsibility to keep that private info safe, which is better for the runtime :-)

Cheers, Sergey


----- Original Message ----- 
From: "Fred Dushin" <fred@dushin.net>
To: <cxf-dev@incubator.apache.org>
Sent: Monday, September 24, 2007 4:35 PM
Subject: Re: Policies and features (Was : WS-SX)


> Another is information "leakage".  I am uncomfortable with putting  
> sensitive security information in a service contract (such as a  
> private key password), and just trusting the runtime to not publish  
> it.  How would an auditor be assured this information is not disclosed?
> 
> -Fred
> 
> On Sep 24, 2007, at 10:43 AM, Glynn, Eoghan wrote:
> 
>> Now one advantage of the alternative approach (public stuff in the
>> policy, private stuff in the feature, merge at runtime) is that this is
>> pretty close to what we have right now. We don't enforce the
>> distinction, but for certain policies/features it is possible to follow
>> that pattern.

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
