ws-dev mailing list archives

From "Freeman Fang (Commented) (JIRA)" <>
Subject [jira] [Commented] (WSS-339) OCSP support
Date Thu, 16 Feb 2012 02:29:00 GMT


Freeman Fang commented on WSS-339:

Hi Dan, Colm,

I can get you guys' point that both and ocsp.enable should be
global settings, but I can also see the scenario where we should support those properties per
service; for example, in the same application (that could be standalone CXF, not even in a
container), one service doesn't want to use OCSP but the other one wants to use OCSP, as different
services can use different certificates from different CAs. In this case the global settings
can't meet the requirement. We actually can make those properties effective per service context:
in the verifyTrust(certs, enableRevocation, enableOCSP) method, before the real

validator.validate(path, param); // check if certificate is still valid

we set the properties, and after that we restore the properties, so each invocation of certificate
validation won't pollute the global context.
We need

synchronized (A Global Lock Object from WSS4J) {
    set properties;
    validator.validate(path, param); // check if certificate is still valid
    restore properties;
}

to ensure the properties are not changed within one validation invocation.
The synchronized may affect the performance a little bit, but IMO it's worth adding certificate
revocation check per service context (we can add an extra WSHandler flag which controls whether
we want per service context or not, so that by default it's still the old behavior and doesn't impact
the performance).
This is my 2 cents, and if the team agrees I can come up with a new patch accordingly.

Best Regards
> OCSP support
> ------------
>                 Key: WSS-339
>                 URL:
>             Project: WSS4J
>          Issue Type: Improvement
>            Reporter: Freeman Fang
>            Assignee: Colm O hEigeartaigh
>         Attachments: WSS-339.patch
> Currently WSS4J already supports CRL for revocation check; it would be better if we
> could also support OCSP through WSS4J configuration.
> Though we can set the ocsp.enable property in $JAVA_HOME/jre/lib/security/ to
> enable OCSP, its effect is JVM wide. I'd like to introduce a property in WSHandlerConstants
> like enableOCSP which can trigger code like
> Security.setProperty("ocsp.enable", enableOCSP);
> This should be similar to the property enableRevocation; the logic is
> if (enableRevocation && enableOCSP) {
>     //use OCSP to do revocation check.
> }
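The set/validate/restore pattern proposed in the comment above, written out as an added Java example. This is not WSS4J code and not the patch attached to the issue; the class name ScopedOcspValidation, the GLOBAL_LOCK object and the validate() signature are assumptions made for illustration. It adds one thing the sketch in the comment leaves implicit: the previous value of the JVM-wide "ocsp.enable" property is restored in a finally block, so a validation failure cannot leave the global setting changed for every other service in the JVM.

```java
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;

/**
 * Hypothetical helper (not part of WSS4J) demonstrating per-invocation
 * OCSP enablement on top of a JVM-wide Security property.
 */
public final class ScopedOcspValidation {

    // Assumption: one JVM-wide lock shared by every caller that touches
    // "ocsp.enable"; the comment calls this "A Global Lock Object from WSS4J".
    private static final Object GLOBAL_LOCK = new Object();

    private ScopedOcspValidation() {
    }

    /**
     * Validates {@code path} against {@code params}, turning revocation
     * checking and OCSP on only for the duration of this call.
     *
     * @param enableRevocation the per-service enableRevocation setting
     * @param enableOCSP       the per-service enableOCSP setting
     */
    public static PKIXCertPathValidatorResult validate(CertPath path,
                                                       PKIXParameters params,
                                                       boolean enableRevocation,
                                                       boolean enableOCSP)
            throws GeneralSecurityException {
        // Same rule as in the issue description: OCSP is only meaningful
        // when revocation checking itself is switched on.
        boolean useOcsp = enableRevocation && enableOCSP;
        params.setRevocationEnabled(enableRevocation);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        synchronized (GLOBAL_LOCK) {
            // Remember the JVM-wide value so it can be put back afterwards.
            String previous = Security.getProperty("ocsp.enable");
            try {
                // "set properties"
                Security.setProperty("ocsp.enable", Boolean.toString(useOcsp));
                // check if certificate is still valid
                return (PKIXCertPathValidatorResult) validator.validate(path, params);
            } finally {
                // "restore properties" -- runs even when validate() throws.
                // Security.setProperty rejects null, so an unset property is
                // restored to the JDK default of "false".
                Security.setProperty("ocsp.enable",
                        previous == null ? "false" : previous);
            }
        }
    }
}
```

Two points worth keeping in mind when reading this. First, the lock only serialises callers that go through this helper; any other code in the same JVM that validates a certificate path concurrently will observe the temporarily changed "ocsp.enable" value, which is exactly the global-context pollution the comment is trying to avoid. Second, the synchronized block turns every validation in the JVM into a serial operation, which is the performance cost the comment mentions and the reason it proposes an opt-in WSHandler flag rather than making this the default.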
