<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" href="../style/bootstrap-1-3-0-min.css" type="text/css" />
<link rel="stylesheet" href="../style/style.css" type="text/css" />
<title>Streaming-WebService-Security-Framework (swssf) Codebase Intellectual Property (IP) Clearance Status - Apache Incubator</title>
</head>
<body>
<div class="container">
<div class="row"><div class="span6"><a href="https://www.apache.org/"><img src="http://www.apache.org/img/asf_logo.png" alt="The Apache Software Foundation" border="0" style="margin-top: 2px" height="88"/></a></div>
<div class="span7"><a href="/"><img src="https://incubator.apache.org/images/incubator_feather_egg_logo_sm.png" alt="The Apache Software Foundation Incubator" border="0" style="margin-top: 2px" height="88"/></a></div>
<div class="span2"><a href="https://www.apache.org/foundation/contributing.html"><img src="https://www.apache.org/images/SupportApache-small.png" height="100" width="100"/></a></div>
</div>
<div class="row"><div class="span16"><hr noshade="noshade" size="1"/></div></div>
<div class="row">
<div class="span4">
</div>
<div class="span12">
<h2 id='Streaming-WebService-Security-Framework+(swssf)+Codebase+Intellectual+Property+%28IP%29+Clearance+Status'><img src="../images/redarrow.gif" />Streaming-WebService-Security-Framework (swssf) Codebase Intellectual Property (IP) Clearance Status</h2>
<div class="section-content">
</div>
<h2 id='Description'><img src="../images/redarrow.gif" />Description</h2>
<div class="section-content">
<p>
WS-Security is typically implemented on top of the DOM processing model.
For further processing, the XML document must be fully read into an object tree by
the DOM parser. The whole object tree is held in memory during processing, which requires
a lot of processor and memory resources. If an attacker sends over-sized SOAP documents, this can lead
to a Denial-of-Service (DoS) attack. For encrypted documents the memory consumption is even higher.
First, the entire SOAP message must be read into memory; only then can the decryption be performed.
The decrypted XML part must then be read into an object tree again. At this point, both the encrypted and the decrypted
XML parts are present in memory. Afterwards the encrypted XML part can be replaced with the decrypted one.
</p>
<p>
WS-Security provides integrity, authenticity and confidentiality at the message level. But the WS-Security
standard does not define which parts of the SOAP message must be secured, or how. What are the
requirements for a SOAP client to access a Web Service successfully? Must the entire SOAP body be encrypted?
Is a timestamp expected? Must the message be signed? Which keys must be used and in which format are they
expected? In order to express such requirements, the WS-SecurityPolicy standard was introduced.
</p>
<p>
If WS-SecurityPolicy is applied in a DOM environment and the client sends a message which does not
correspond to the policy, a lot of computer resources are again wasted unnecessarily. The DOM parser fully
reads the message into memory, the WS-Security framework processes the document using the security header,
and only at the end does the WS-SecurityPolicy framework notice that the document was not protected as the policy demanded.
</p>
<p>
This work presents a streaming-based WebService-Security-Framework with the ability to process large SOAP
documents efficiently. The streaming-based processing of the messages is done via the StAX API. With the
streaming-oriented approach it is possible to read and process the messages gradually, without keeping the
entire message in memory. If it is not possible to process the message, for example because the keys used
are not known, processing can be aborted immediately.
</p>
<p>
The integration of WS-SecurityPolicy makes it possible to achieve the desired "fail-fast" behavior. This is
because policy-relevant events can and will be evaluated immediately.
</p>
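<p>
As an added illustration (not code from swssf or WSS4J), the following Java example shows the fail-fast idea with the StAX API: a hypothetical "message must be signed" policy is decided when the soap:Body start event arrives, before any body content is pulled from the parser. The class name, the policy rule and the sample messages are assumptions made for this example; the check looks only for the presence of a ds:Signature element and does not verify it.
</p>

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class FailFastPolicyDemo { // hypothetical class, not part of swssf
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";

    // Assumed policy "message must be signed": a ds:Signature start element
    // must have been seen by the time soap:Body starts (presence only).
    static String check(String xml) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false); // SOAP carries no DTD
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        // In a service the reader would wrap the network InputStream instead.
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        boolean signatureSeen = false;
        int events = 0;
        try {
            while (r.hasNext()) {
                int ev = r.next();
                events++;
                if (ev != XMLStreamConstants.START_ELEMENT) continue;
                String ns = r.getNamespaceURI();
                String name = r.getLocalName();
                if (DSIG.equals(ns) && "Signature".equals(name)) signatureSeen = true;
                if (SOAP.equals(ns) && "Body".equals(name)) {
                    // Policy-relevant event: decide here, with the body still unread.
                    return (signatureSeen ? "CONTINUE" : "ABORT") + " at Body after " + events + " events";
                }
            }
            return "ABORT: no soap:Body";
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws XMLStreamException {
        String head = "<s:Envelope xmlns:s='" + SOAP + "' xmlns:ds='" + DSIG + "'><s:Header>";
        // Constructed sample: the repeated element stands in for a very large payload.
        String body = "</s:Header><s:Body>" + "<item>x</item>".repeat(100_000) + "</s:Body></s:Envelope>";
        System.out.println(check(head + "<ds:Signature/>" + body)); // signed header
        System.out.println(check(head + body));                     // unsigned header
    }
}
```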
<p>
I, Marc Giger &lt;gigerstyle@gmx.ch&gt;, contribute/donate my Streaming-WebService-Security-Framework (swssf) to
the WSS4J project. A part of this work (encryption, decryption and policy verification) was developed for
my master's thesis in Applied IT Security. The swssf codebase consists of about 26396 lines of Java code and
additionally about 9263 lines of test code (526 tests).
</p>
<p>
The contributed code is attached to issue WSS-311.
</p>
</div>
<h2 id='Project+info'><img src="../images/redarrow.gif" />Project info</h2>
<div class="section-content">
<ul>
<li>Which PMC will be responsible for the code: Apache Web Services</li>
</ul>
<ul>
<li>Into which existing project/module: WSS4J</li>
</ul>
<ul>
<li>Officer or member managing donation: Daniel Kulp</li>
</ul>
<p>
<em>Completed tasks are shown by the completion date (YYYY-MM-dd).</em>
</p>
<h3 id='Identify+the+codebase'>Identify the codebase</h3>
<div class="section-content">
<table class="colortable" width="100%">
<tr>
<th>date</th>
<th>item</th>
</tr>
<tr>
<td>2011-08-23</td>
<td>If applicable, make sure that any associated name does not
already exist and is not already trademarked for an existing software
product.<br />
The framework will be integrated into WSS4J-2 and most probably renamed accordingly</td>
</tr>
</table>
<p>
MD5 or SHA1 sum for donated software: The svn dump is attached to https://issues.apache.org/jira/browse/WSS-311
and has an md5 of 9cd87d1ae47029f37fc4e30f7c185ebd and is digitally signed by the original author.
</p>
<h4 id='Copyright'>Copyright</h4>
<div class="section-content">
<table class="colortable" width="100%">
<tr>
<th>date</th>
<th>item</th>
</tr>
<tr>
<td>2011-08-29</td>
<td>Check and make sure that the papers that transfer rights to
the ASF have been received. It is only necessary to transfer
rights for the package, the core code, and any new code
produced by the project.</td>
</tr>
<tr>
<td>2011-08-24</td>
<td>Check and make sure that the files that have been donated
have been updated to reflect the new ASF copyright.</td>
</tr>
</table>
<p>
Identify name recorded for software grant: <em>the name of the grant as recorded
in the grants.txt document so that the grant can be easily identified</em>
</p>
</div>
<h4 id='Verify+distribution+rights'>Verify distribution rights</h4>
<div class="section-content">
<p>
Corporations and individuals holding existing distribution rights: Marc Giger
</p>
<ul>
<li>
<em>For individuals, use the name as recorded on the committers page</em>
</li>
</ul>
<table class="colortable" width="100%">
<tr>
<th>date</th>
<th>item</th>
</tr>
<tr>
<td>2011-08-23</td>
<td>Check that all active committers have a signed CLA on
record.</td>
</tr>
<tr>
<td>2011-08-23</td>
<td>Remind active committers that they are responsible for
ensuring that a Corporate CLA is recorded if such is
required to authorize their contributions under their
individual CLA.</td>
</tr>
<tr>
<td>2011-08-23</td>
<td>Check and make sure that for all items included with the
distribution that are not under the Apache license, we have
the right to combine with Apache-licensed code and
redistribute.</td>
</tr>
<tr>
<td>2011-08-23</td>
<td>Check and make sure that all items depended upon by the
project are covered by one or more of the following approved
licenses: Apache, BSD, Artistic, MIT/X, MIT/W3C, MPL 1.1, or
something with essentially the same terms.</td>
</tr>
</table>
<p>Generally, the result of checking off these items will be a
Software Grant, CLA, and Corporate CLA for ASF licensed code,
which must have no dependencies upon items whose licenses
are incompatible with the Apache License.</p>
</div>
</div>
<h3 id='Organizational+acceptance+of+responsibility+for+the+project'>Organizational acceptance of responsibility for the project</h3>
<div class="section-content">
<p>
Related VOTEs:
</p>
<ul>
<li><a href="https://mail-search.apache.org/members/private-arch/ws-private/201108.mbox/%3C8221192.ACzd2zs93s@dilbert.dankulp.com%3E">Vote thread on the WebServices PMC</a> (private list, ASF members only)</li>
</ul>
</div>
</div>
</div>
</div>
<div class="row"><div class="span16"><hr noshade="noshade" size="1"/></div></div>
<div class="row">
<div class="span16 footer">
Copyright &#169; 2009-2021 The Apache Software Foundation<br />
Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.<br/>
Apache Incubator, Apache, the Apache feather logo, and the Apache Incubator project logo are trademarks of The Apache Software Foundation.
</div>
</div>
</div>
</body>
</html>