【正文】 works with the outdated submission version from 2021, rather than the standard W3C version released in 2021. For WSSecureConversation, Axis2 implements a canned configuration, ignoring any policy configuration you supply. Scores: Axis2 — 6。ve only considered problems experienced directly in the course of these articles. Checking the bugtracking systems for the stacks will show other, potentially more significant, problems. You need to use care when looking at these — some of the problems reported may be caused by user errors — but it39。ve broken the ranking down into four factors and assigned a numeric rating in the classic 1to10 (worsttobest) range for each stack: ? Correctness: How many implementation errors are known, and how serious are the errors? ? Completeness: How plete is the security implementation? ? Performance: How much overhead does the security handling add? ? Usability: How easy is it to configure the security code? Correctness Axis2 has some significant problems, and the disconnect between the core code and the Rampart security module is an issue of concern, but overall it seems fairly solid. Score: Axis2 — 6. Metro has some major issues, in particular the incorrect handling of si gnatures when used withoutsp:OnlySignEntireHeadersAndBody/. Like Axis2, though, it generally seems fairly solid, and the integration of the security code into the main release makes plete failures less likely than with Axis2. Score: Metro — 7. CXF has only relatively minor known issues, and the fast responses to problems and quick release cycle mean problems generally are corrected soon after they39。s little reason to use two different algorithm suites in practice, but it39。s handling of signing message bodies. If the policy includes a OnlySignEntireHeadersAndBody assertion, everything is fine, but if this assertion isn39。s only patible with other stacks using that same configuration. In terms of the security runtime, Axis2 has a major issue with clientside handling of symmetric bindings (as discussed in WSSecurity without client certificates). The client runs progressively slower as more requests are made. I consider this a hard bug, rather than a performance issue, because of the progressive nature of the problem. Axis2 security handling is also plagued by consistently slow operation any time security is used (see CXF performance parison for some results). This performance issue appears to be rooted in inpatibilities between the AXIOM object model used by Axis2 and the standard DOM used by the security code, so the problems are likely to continue until and unless AXIOM is enhanced to provide full DOM patibility. 年級 2021 級 專業(yè) 軟件工程 學(xué)號(hào) 312021080611322 姓名 周進(jìn) 5 Finally, in my opinion, Axis2 tends to suffer from a disconnect between the core web services engine (the actual Axis2 code) and the security code (the Rampart and Rahas security modules). Early on we (the Axis2 mitters) decided to separate the security code from the core code, allowing these ponents to be separately enhanced and released. Unfortunately, this has resulted in the security code being treated as an optional ponent, and Axis2 releases have been made that do not work with the thencurrent Rampart release. The recent Axis2 release is an example: the binary distribution is missing a JAR file required for security handling, so there39。ve tested a variety of security configurations on three web services stacks, finding several issues with each stack. Limited interoperability testing (using one stack for the client and another for the server, only tried for the WSSecureConversation tests) demonstrated even more issues. In the case of one stack, Apache Axis2, I also found significant performance problems. All these issues have been reported to the developers for each stack, and some have been fixed in the latest releases. In this section, I39。t done anything toward reducing the plexity of securityconfiguration choices. An updated version of the BSP that was morespecifically oriented toward WSSecurityPolicy configurations would be very useful to help establish best practices for security architects using modern policybased configurations, but unfortunately the WSI has not shown interest in such an update. Interoperability tests Vendordriven interoperability testing across stacks has been a more significant factor in improving the quality of web service security implementations. Microsoft174。s not in the mainstream. Even in the relatively small number of security configurations tested for the security discussions and performance parisons in the articles of this series, I found several problems of this type. Some efforts to improve the quality of web services security code have been made, including the work of an industrywide anization and vendordriven interoperability testing. The latter, in particular, has helped establish a basic level of patibility among stacks, but the benefits have been limited because of the small number of configurations tested. WSI Basic Security Profile From the start, SOAP web service specifications have