Thursday, December 9, 2010

First post...

I'm planning to use this blog to detail the security-related work I'm doing and planning to do on various open source projects.

I am the lead-developer on the forthcoming WSS4J 1.6 release, which has a (very) tentative release date of the end of Q1 2011. WSS4J 1.5.x has successfully provided the Web Service Security layer that underpins several Web Services Stacks, such as CXF and AXIS. However, WSS4J 1.5.x is showing its age, both in terms of functionality and performance, both problems which will be addressed in the forthcoming 1.6 release. Although WSS4J 1.6 will not be 100% backwards compatible with 1.5.x, a general goal for the release is to restrict the API changes to those that are strictly necessary. The WS-Security module in CXF has already been ported to use WSS4J 1.6-SNAPSHOT, you can see this code here.

The best way to keep track of what has already been done for WSS4J 1.6, and what remains to be done, is to take a look at the JIRA. There are three main areas of improvement. Firstly, WSS4J has been ported to use the JSR 105 API for XML Digital Signature. This task is more or less complete, although WSS4J retains some compile-time dependencies on XML Security for some of the trickier manipulations (such as Security Token Reference transforms), as well as for encryption/decryption. Secondly, WSS4J 1.6 will include the port to Opensaml 2, thus giving WSS4J the ability to create, parse and manipulate SAML 2 assertions. Thirdly, a huge amount of work has gone into a general code-rewrite with a focus on performance. The JDK 1.4 requirement has been dropped as part of this work, along with the old Axis1 dependencies.

As part of the JSR-105 port for WSS4J 1.6, it is possible to use the implementation in the JDK 1.6 with WSS4J to provide signature creation/verification functionality. However, WSS4J still relies on the Santuario (aka XML Security) project for some of the more advanced signature functionality, as well as in other areas (outlined above). Santuario 1.4.4 was recently released, and a 1.5 release is scheduled for next year (possibly Q2). There is ongoing debate among the Santuario team as to what features 1.5 will provide. A main focus will definitely be a code rewrite to improve performance.

3 comments:

  1. I read today on one of blog post that WSS4J 1.6 is successfully ported to use the JSR 105 API for XML Digital Signature.When this WSS4J 1.6 is expected to be released I am looking forward to use it.Can you give some idea about target release date.For those who never used digital signature can get from what is a digital signature

    ReplyDelete
  2. > Can you give some idea about target release date.

    Pretty soon, in a few weeks time.

    Colm.

    ReplyDelete