[EI 6.1.1] WS-Security UsernameToken performance with large messages

[EI 6.1.1] WS-Security UsernameToken performance with large messages

Lahiru Sandaruwan
Hi Devs,

Got a question on $subject. The concern is whether the username token is retrieved by building the whole message with DOM, or whether it is read up to the security header as in SAX (see [1] for the difference), when parsing for authentication.

[2] says,
"Part of this performance hit from WS-Security is due to a flaw in the Rampart handler implementation, which causes it to convert each request and response message to Document Object Model (DOM) form any time Rampart is engaged (even if no security processing is to be done for the message). This particular issue should be fixed in time for a Rampart 1.5 release to go along with Axis2 1.5. Depending on how the fix is implemented, it may substantially improve the times for the UsernameToken test."

The difference is that, when the messages get bigger, the DOM model will cause more latency than SAX.
Can anyone confirm whether this was fixed in the latest Rampart/Axis2 versions?


Thanks.

--

Lahiru Sandaruwan
Associate Technical Lead,
WSO2 Inc., http://wso2.com


_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [EI 6.1.1] WS-Security UsernameToken performance with large messages

Afkham Azeez-2
IIRC, Rampart uses WSS4J and WSS4J works with DOM. So when Rampart kicks in, it will convert OM (Axiom) to DOM. Actually we implemented a hybrid object model called DOOM (DOM-OM) which supports both models because Axis2 knows only Axiom and WSS4J knows only OM. So we can't avoid the cost of creating the DOM. Even with SAX, once the events start firing, you cannot stop and SAX doesn't support deferred building. That is why we used the StAX parser in Axiom. The issue in Dennis Sosnoski's article refers to a bug and should have been fixed a long time ago.

Thanks
Azeez

On Tue, Jan 9, 2018 at 11:55 PM, Lahiru Sandaruwan <[hidden email]> wrote:
> Hi Devs,
>
> Got a question on $subject. The concern is whether the username token is retrieved by building the whole message with DOM, or whether it is read up to the security header as in SAX (see [1] for the difference), when parsing for authentication.
>
> [2] says,
> "Part of this performance hit from WS-Security is due to a flaw in the Rampart handler implementation, which causes it to convert each request and response message to Document Object Model (DOM) form any time Rampart is engaged (even if no security processing is to be done for the message). This particular issue should be fixed in time for a Rampart 1.5 release to go along with Axis2 1.5. Depending on how the fix is implemented, it may substantially improve the times for the UsernameToken test."
>
> The difference is that, when the messages get bigger, the DOM model will cause more latency than SAX.
> Can anyone confirm whether this was fixed in the latest Rampart/Axis2 versions?
>
> Thanks.


--
Afkham Azeez
Senior Director, Platform Architecture
WSO2, Inc.; http://wso2.com
Member; Apache Software Foundation; http://www.apache.org/

email: [hidden email]
cell: +94 77 3320919
blog: http://blog.afkham.org
twitter: http://twitter.com/afkham_azeez
linked-in: http://lk.linkedin.com/in/afkhamazeez

Lean . Enterprise . Middleware
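
The deferred-building point in the reply above, sketched as an added example that is not part of the original thread and is not Axiom, Rampart or WSS4J code: the JDK's StAX pull parser reads the wsse:Username and stops pulling events once the SOAP header closes. The class name, method name and sample message are constructed for illustration, and Java 11 or later is assumed for String.repeat.

```java
import java.io.StringReader;
import javax.xml.stream.*;

public class HeaderOnlyUsernameToken {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Pulls events only until the SOAP Header closes; the Body is never tokenized.
    static String readUsername(String xml) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Untrusted input: no DTDs, no external entities.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        boolean inToken = false;
        String username = null;
        try {
            while (r.hasNext()) {
                int ev = r.next();
                boolean start = ev == XMLStreamConstants.START_ELEMENT;
                if (!start && ev != XMLStreamConstants.END_ELEMENT) continue;
                String ns = r.getNamespaceURI(), name = r.getLocalName();
                if (WSSE.equals(ns) && name.equals("UsernameToken")) {
                    inToken = start;                 // entering or leaving the token
                } else if (start && inToken && WSSE.equals(ns) && name.equals("Username")) {
                    username = r.getElementText();   // text of wsse:Username
                } else if (SOAP.equals(ns)
                        && (name.equals("Body") || (!start && name.equals("Header")))) {
                    break;                           // header finished (or absent): stop
                }
            }
        } finally {
            r.close();
        }
        return username;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the Body is large and deliberately malformed, so a
        // full parse of the message would fail; the pull parser never reaches it.
        String msg = "<s:Envelope xmlns:s='" + SOAP + "' xmlns:wsse='" + WSSE + "'>"
            + "<s:Header><wsse:Security><wsse:UsernameToken>"
            + "<wsse:Username>alice</wsse:Username>"
            + "</wsse:UsernameToken></wsse:Security></s:Header>"
            + "<s:Body><big>" + "x".repeat(1_000_000) + "</mismatched></s:Body></s:Envelope>";
        System.out.println(readUsername(msg));
    }
}
```

This shows only where a pull parser can stop; it does not verify the password, and it does not change the fact stated in the reply that WSS4J itself works on a DOM.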

Re: [EI 6.1.1] WS-Security UsernameToken performance with large messages

Lahiru Sandaruwan
I see. Looks like there would be some hit on performance then.
Thanks Azeez for the explanation.

On Tue, Jan 9, 2018 at 11:22 PM, Afkham Azeez <[hidden email]> wrote:
> IIRC, Rampart uses WSS4J and WSS4J works with DOM. So when Rampart kicks in, it will convert OM (Axiom) to DOM. Actually we implemented a hybrid object model called DOOM (DOM-OM) which supports both models because Axis2 knows only Axiom and WSS4J knows only OM. So we can't avoid the cost of creating the DOM. Even with SAX, once the events start firing, you cannot stop and SAX doesn't support deferred building. That is why we used the StAX parser in Axiom. The issue in Dennis Sosnoski's article refers to a bug and should have been fixed a long time ago.
>
> Thanks
> Azeez


--

Lahiru Sandaruwan
Associate Technical Lead,
WSO2 Inc., http://wso2.com

