OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

was message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [was] WAS Protect update

Hi Ivan, Lawrence,

The design seems simple and straightforward, I like it.

I also think using scripting for program logic is preferable to XML.

BeanShell is another scripting option that fits well into any Java-based
architecture. It has some XML-friendly serialization support, i.e. it could
be saved inside an XML document in XML-compliant format (no '>' etc).

Also, "detect" element needs to deal with a similar problem.

Whatever the solution is, it makes sense to apply it uniformly across WAS
(to both detect and protect elements).


-----Original Message-----
From: Ivan Ristic [mailto:ivanr@webkreator.com] 
Sent: Monday, May 03, 2004 3:01 PM
To: Lawrence, Gabriel
Cc: was@lists.oasis-open.org
Subject: Re: [was] WAS Protect update

> This looks nice. Its along the lines of what I have been thinking, but
> havent had any time to convey to anyone. The only issue I might bring up
> is that instead of creating a whole new language to write the protection
> detectors in could we use something like JavaScript? The rhino engine
> from mozilla would make it pretty easy to create an engine for this in
> both Java and C...

  It's a valid point, and one I've been wrestling with myself. Here's
  how I see the problem (from the point of view of my previous


  * New language to learn. It is XML but still an engine needs to
    be developed.

  * XML syntax is not quite suitable for a programming language. In
    order to keep it simple I've tried to limit the number of
    constructs. This makes Javascript much more powerful. Will
    these construct be enough to satisfy our future needs?


  * Is it realistic to have a JS interpreter embedded in a Web
    server? I have doubts about the size and doubts about the
    speed of execution. The simplicity of the new language works
    for us because rules can be translated into fast p-code.

  * I don't think Javascript is something web servers administrators
    will want to use (then again, the XML syntax isn't much better

  * It's likely vendors will have their own proprietary signatures.
    Converting among them will probably not be possible with


  The points above convinced me to go with the XML syntax. They
  didn't make me happy, though.

ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

To unsubscribe from this mailing list (and be removed from the roster of the
OASIS TC), go to

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]