cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > WS-SecureConversation
Date Sun, 22 Nov 2009 22:34:00 GMT
<html>
<head>
    <base href="http://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1519/1/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
     <h2><a href="http://cwiki.apache.org/confluence/display/CXF20DOC/WS-SecureConversation">WS-SecureConversation</a></h2>
     <h4>Page <b>edited</b> by             <a href="http://cwiki.apache.org/confluence/display/~mazzag">Glen
Mazza</a>
    </h4>
     Adding comment at the bottom of WS-SecurityPolicy page to better location here.
          <div id="versionComment" class="noteMacro" style="display:none; padding: 5px;">
     Adding comment at the bottom of WS-SecurityPolicy page to better location here.<br
/>
     </div>
          <br/>
     <div class="notificationGreySide">
         <p>WS-SecureConversation support in CXF builds upon the <a href="/confluence/display/CXF20DOC/WS-SecurityPolicy"
title="WS-SecurityPolicy">WS&#45;SecurityPolicy</a> implementation to handle
the SecureConverstationToken policy assertions that could be found in the WS-SecurityPolicy
fragment.  </p>

<p><b>Note:</b> Because the WS-SecureConversation support builds on the
WS-SecurityPolicy support, this is currently only available to "wsdl first" projects.</p>

<p>One of the "problems" of WS-Security is that the use of strong encryption keys for
all communication extracts a hefty performance penalty on the communication.  WS-SecureConversation
helps to aleviate that somewhat by allowing the client and service to use the strong encryption
at the start to negotiatate a set of new security keys that will be used for furthur communication.
  This can be a huge benefit if the client needs to send many requests to the service.   However,
if the client only needs to send a single request and then is discarded, WS-SecureConversation
is actually slower as the key negotiation requires and extra request/response to the server.</p>


<p>With WS-SecureConversation, there are two Security policies that come into affect:</p>
<ol>
	<li>The "outer" policy that describes the security requirements for interacting with
the actual endpoint.  This will contain a SecureConversationToken in it someplace.</li>
	<li>The "bootstrap" policy that is contained in the SecureConverstationToken.   This
policy is the policy in affect when the client is negotiating the SecureConversation keys.</li>
</ol>



<p>Configuring the WS-SecurityPolicy properties for WS-SecureConversation works exactly
like the configuration for straight WS-SecurityPolicy.  The only difference is that there
needs to be a way to specify which properties are intended for the bootstrap policy in the
SecureConversationToken and which are intended for the actual service policy.    To accomplish
this, properties intended for the SecureConversationToken bootstrap policy are appended with
".sct".    For example:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml"><span class="code-tag">&lt;jaxws:client name=<span
class="code-quote">"{http://InteropBaseAddress/interop}XDC-SEES_IPingService"</span>
createdFromAPI=<span class="code-quote">"true"</span>&gt;</span>
    <span class="code-tag">&lt;jaxws:properties&gt;</span>
        <span class="code-tag"><span class="code-comment">&lt;!-- properties
for the external policy --&gt;</span></span>
        <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.username"</span>
value=<span class="code-quote">"abcd"</span>/&gt;</span>

        <span class="code-tag"><span class="code-comment">&lt;!-- properties
for the SecureConversationToken bootstrap policy --&gt;</span></span>
        <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.username.sct"</span>
value=<span class="code-quote">"efgh"</span>/&gt;</span>
        <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.callback-handler.sct"</span>
value=<span class="code-quote">"interop.client.KeystorePasswordCallback"</span>/&gt;</span>
        <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.encryption.properties.sct"</span>
value=<span class="code-quote">"etc/bob.properties"</span>/&gt;</span>

    <span class="code-tag">&lt;/jaxws:properties&gt;</span>
<span class="code-tag">&lt;/jaxws:client&gt;</span>   
</pre>
</div></div>

<p>Via the Java API, use code similar to the following:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">org.apache.cxf.endpoint.Client client;
client.getRequestContext().put(<span class="code-quote">"ws-security.username.sct"</span>,
username);
client.getRequestContext().put(<span class="code-quote">"ws-security.password.sct"</span>,
password);
</pre>
</div></div>

<p>Via the Java API, use code similar to the following:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">org.apache.cxf.endpoint.Client client;
client.getRequestContext().put(<span class="code-quote">"ws-security.username.sct"</span>,
username);
client.getRequestContext().put(<span class="code-quote">"ws-security.password.sct"</span>,
password);
</pre>
</div></div>

<p><b>Note:</b> In most common cases of WS-SecureConversation, you won't
need any configuration for the service policy.  All of the "hard" stuff is used for the bootstrap
policy and the service provides new keys for use by the service policy.   This keeps the communication
with the service itself as simple and efficient as possible.</p>



     </div>
     <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;">
            <a href="http://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
       </div>

       <a href="http://cwiki.apache.org/confluence/display/CXF20DOC/WS-SecureConversation">View
Online</a>
       |
       <a href="http://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=112640&revisedVersion=7&originalVersion=6">View
Change</a>
              |
       <a href="http://cwiki.apache.org/confluence/display/CXF20DOC/WS-SecureConversation?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message