cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: encrypting tmp files generated by CachedOutputStream?
Date Thu, 18 Oct 2012 15:24:03 GMT
On 18/10/12 15:38, Aki Yoshida wrote:
> Hi,
> but using a bus or EP prop, we will need a new method in COS to pass
> this encryption option. And we will need to change the current code in
> many places to make sure that this new method is used to prevent an
> unintended plain output written from somewhere. So, I see some
> drawbacks.


>Maybe, we can have a global option plus an instance level
> overwriting option? This would be similar to how the temp root
> directory is currently set in COS.

+1

Cheers, Sergey

>
> @Dan
> we can add that option too.
> thanks.
>
> aki
>
> 2012/10/18 Freeman Fang<freeman.fang@gmail.com>:
>> Yeah, endpoint property should be good.
>> -------------
>> Freeman(Yue) Fang
>>
>> Red Hat, Inc.
>> FuseSource is now part of Red Hat
>> Web: http://fusesource.com | http://www.redhat.com/
>> Twitter: freemanfang
>> Blog: http://freemanfang.blogspot.com
>> http://blog.sina.com.cn/u/1473905042
>> weibo: http://weibo.com/u/1473905042
>>
>> On 2012-10-18, at 下午9:22, Willem jiang wrote:
>>
>>> Using the system property will effect CXF instance across the JVM.
>>> It could be good if we can do it on the bus level.
>>>
>>> --
>>> Willem Jiang
>>>
>>> Red Hat, Inc.
>>> FuseSource is now part of Red Hat
>>> Web: http://www.fusesource.com | http://www.redhat.com
>>> Blog: http://willemjiang.blogspot.com (http://willemjiang.blogspot.com/) (English)
>>>           http://jnn.javaeye.com (http://jnn.javaeye.com/) (Chinese)
>>> Twitter: willemjiang
>>> Weibo: willemjiang
>>>
>>>
>>>
>>>
>>> On Thursday, October 18, 2012 at 9:05 PM, Aki Yoshida wrote:
>>>
>>>> Hi Freeman,
>>>> yes. This should be an option and disabled by default.
>>>> I am thinking about introducing a system property
>>>> org.apache.cxf.io.CachedOutputStream.something to set the cipher
>>>> transformation name to enable this option.
>>>>
>>>> regards, aki
>>>>
>>>> 2012/10/18 Freeman Fang<freeman.fang@gmail.com (mailto:freeman.fang@gmail.com)>:
>>>>> Hi Aki,
>>>>>
>>>>> Basically I'm +1 for this good idea. Just a little bit concern about
the performance impact.
>>>>> Could we add a flag to enable this encryption behavior? By default the
value is false, so keep same behavior as is, and users can explicitly enable it if they need
a higher secure runtime.
>>>>>
>>>>> My 2 cents.
>>>>> Best Regards
>>>>> Freeman
>>>>> -------------
>>>>> Freeman(Yue) Fang
>>>>>
>>>>> Red Hat, Inc.
>>>>> FuseSource is now part of Red Hat
>>>>> Web: http://fusesource.com | http://www.redhat.com/
>>>>> Twitter: freemanfang
>>>>> Blog: http://freemanfang.blogspot.com
>>>>> http://blog.sina.com.cn/u/1473905042
>>>>> weibo: http://weibo.com/u/1473905042
>>>>>
>>>>> On 2012-10-18, at 下午8:31, Aki Yoshida wrote:
>>>>>
>>>>>> Hi,
>>>>>> There is a concern that these temporary files are written out to
the
>>>>>> file system without any protection. And I was wondering if we can
add
>>>>>> an option to enable encryption for the stream output and keep the
key
>>>>>> in the COS instance so that only that COS instance can later read
the
>>>>>> data from the file system.
>>>>>>
>>>>>> Is there any security concern to this approach? If none, I will go
>>>>>> ahead and add this option.
>>>>>>
>>>>>> thanks.
>>>>>> regards, aki
>>>>>
>>>>
>>>
>>>
>>>
>>



Mime
View raw message