axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Paul Fremantle" <>
Subject Re: WS-Security, SSL or both
Date Mon, 18 Feb 2008 22:30:34 GMT
I'm copying Ruchith... he's the real guru. But here are some answers:

> The web method implementations must be aware of the client identity... so
> authentication information must be available to the web method..

Would username/token do? Or do you need the authentication to be based
on certificates?

> 1) Is it possible to access two-way SSL authentication information from a
> web service? (assuming SSL is setup on the axis server - no reverse proxy)

You can always access the Tomcat/Servlet/HTTP context, so if the SSL
client cert information is available from the servlet context (which
it is) you can get at it in your Axis2 service.

> 2) if not.. would it make sense to have one-way SSL for encryption and
> XML-Signature for authentication? how would that perform? Would
> XML-Signature increase the message size drastically? Any alternatives?

Unfortunately its not just encryption that is slow. Basically the
signature has to do the following:

A) create a hash of the message
B) Encrypt the hash with the private key (which is how signatures work)

The hash uses an xml algorithm called DOMHash, which is not very fast.
The public/private key signature isn't very efficient either.
So, the result is you'll still have a performance hit.

The alternative is to use Username/Token for authentication, or if
that is no good, you can use X509Token for authentication. So
effectively you can use SSL for encryption and use a client cert to
authenticate, but no message signature.

There is another alternative, which is to use WS-Trust and
WS-SecureConversation. This makes life more efficient if you have more
than one message exchange (which I'm guessing you will if this is a
B2B sort of situation). Basically, the client uses UserName token or
the X509 cert to set up the session. Then the server issues a token.
The token acts as an ephemeral key which can be used for traditional
symmetric encryption and signature. So now the conversation can
proceed much more efficiently.

> 3) I also read that PK encryption is too intensive for message encryption..
> and is normally used to to exchange a session key - does the performance
> problem apply to digital signatures? is the session key exchange part of the
> Ws-Security spec or do I have to develop a web method that generates the
> session key?

Basically this is the model I described with WS-Trust and SecureConv.
Effectively this models the session startup that SSL does in XML. The
upside is the efficiency. The downside is that you need more "stuff".
So for example, you can interoperate with .NET, but some older stacks
don't do WS-SecConv and Trust.


Paul Fremantle
Co-Founder and VP of Technical Sales, WSO2


"Oxygenating the Web Service Platform",

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message