ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Freeman Fang (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WSS-338) should set com....security.enableCRLDP when enableRevocation is true
Date Thu, 16 Feb 2012 05:28:59 GMT

    [ https://issues.apache.org/jira/browse/WSS-338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13209119#comment-13209119
] 

Freeman Fang commented on WSS-338:
----------------------------------

Hi colm,

Thanks for the reply.
But as I commented in WSS-339, we need enableCRLDP per service context, as different service
may use different certificates issued by different CA, thus it's possible that use different
certificates revocation check policies.

I'm going to introduce a new property enableCRLDP for WSHandler so that we can configure it
per serivce easily, and use the solution I suggest in WSS-339, something like
synchronized (A Globel Lock Object from WSS4J) {
    set properties,
    validator.validate(path, param); // check if certificate is still valid
    restore properties
} 
in verifyTrust method, so that the property won't pollute the whole JVM context, this solution
works by my test.

WDYT?

Best Regards
Freeman
                
> should set com....security.enableCRLDP when enableRevocation is true
> --------------------------------------------------------------------
>
>                 Key: WSS-338
>                 URL: https://issues.apache.org/jira/browse/WSS-338
>             Project: WSS4J
>          Issue Type: Improvement
>    Affects Versions: 1.6.4
>            Reporter: Freeman Fang
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.6.5
>
>         Attachments: WSS-338.patch
>
>
> When we use CRL to do revocation certificate check, generally the certificates can carry
CRLDistributionPoints extension(which is http or ldap url), but currently we can't use this
CRLDistributionPoints in certificates out of the box. It would be better that we can use CRLDistributionPoints
out of box. Simply set com.sun|ibm.security.enableCRLDP property as true when enableRevocation
ensure that we get chance to use the CRLDistributionPoints in certificates and no necessary
to specify org.apache.ws.security.crypto.merlin.x509crl.file explicitly and whatnot for Crypto
instance.
> Set this property won't affect current logic, e.g., if there is no CRLDistributionPoints
in certificates then it still can use the crl file specified by  org.apache.ws.security.crypto.merlin.x509crl.file

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Mime
View raw message