cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > WS-SecureConversation
Date Tue, 26 Feb 2013 21:35:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/WS-SecureConversation">WS-SecureConversation</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
        <br/>
                         <h4>Changes (4)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-unchanged" >h1. WS-SecureConversation <br>
<br></td></tr>
            <tr><td class="diff-changed-lines" >WS-SecureConversation support
in CXF builds upon the [WS-SecurityPolicy] implementation to handle the <span class="diff-changed-words">SecureConvers<span
class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">t</span>ationToken</span>
policy assertions that could be found in the WS-SecurityPolicy fragment. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>*Note:* Because the WS-SecureConversation
support builds on the WS-SecurityPolicy support, this is currently only available to &quot;wsdl
first&quot; projects. <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >One of the &quot;problems&quot;
of WS-Security is that the use of strong encryption keys for all communication extracts a
hefty performance penalty on the communication.  WS-SecureConversation helps to <span class="diff-changed-words">al<span
class="diff-added-chars"style="background-color: #dfd;">l</span>eviate</span>
that somewhat by allowing the client and service to use the strong encryption at the start
to negotiatate a set of new security keys that will be used for furthur communication.   This
can be a huge benefit if the client needs to send many requests to the service.   However,
if the client only needs to send a single request and then is discarded, WS-SecureConversation
is actually slower as the key negotiation requires <span class="diff-changed-words">an<span
class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">d</span></span>
extra request/response to the server. <br></!
 td></tr>
            <tr><td class="diff-unchanged" > <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >With WS-SecureConversation, there
are two Security policies that come into <span class="diff-changed-words"><span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">a</span><span
class="diff-added-chars"style="background-color: #dfd;">e</span>ffect:</span>
<br></td></tr>
            <tr><td class="diff-unchanged" ># The &quot;outer&quot; policy
that describes the security requirements for interacting with the actual endpoint.  This will
contain a SecureConversationToken in it someplace. <br></td></tr>
            <tr><td class="diff-changed-lines" ># The &quot;bootstrap&quot;
policy that is contained in the <span class="diff-changed-words">SecureConvers<span
class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">t</span>ationToken.</span>
  This policy is the policy in affect when the client is negotiating the SecureConversation
keys. <br></td></tr>
            <tr><td class="diff-unchanged" > <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="WS-SecureConversation-WSSecureConversation"></a>WS-SecureConversation</h1>

<p>WS-SecureConversation support in CXF builds upon the <a href="/confluence/display/CXF20DOC/WS-SecurityPolicy"
title="WS-SecurityPolicy">WS&#45;SecurityPolicy</a> implementation to handle
the SecureConversationToken policy assertions that could be found in the WS-SecurityPolicy
fragment.  </p>

<p><b>Note:</b> Because the WS-SecureConversation support builds on the
WS-SecurityPolicy support, this is currently only available to "wsdl first" projects.</p>

<p>One of the "problems" of WS-Security is that the use of strong encryption keys for
all communication extracts a hefty performance penalty on the communication.  WS-SecureConversation
helps to alleviate that somewhat by allowing the client and service to use the strong encryption
at the start to negotiatate a set of new security keys that will be used for furthur communication.
  This can be a huge benefit if the client needs to send many requests to the service.   However,
if the client only needs to send a single request and then is discarded, WS-SecureConversation
is actually slower as the key negotiation requires an extra request/response to the server.</p>


<p>With WS-SecureConversation, there are two Security policies that come into effect:</p>
<ol>
	<li>The "outer" policy that describes the security requirements for interacting with
the actual endpoint.  This will contain a SecureConversationToken in it someplace.</li>
	<li>The "bootstrap" policy that is contained in the SecureConversationToken.   This
policy is the policy in affect when the client is negotiating the SecureConversation keys.</li>
</ol>



<p>Configuring the WS-SecurityPolicy properties for WS-SecureConversation works exactly
like the configuration for straight WS-SecurityPolicy.  The only difference is that there
needs to be a way to specify which properties are intended for the bootstrap policy in the
SecureConversationToken and which are intended for the actual service policy.    To accomplish
this, properties intended for the SecureConversationToken bootstrap policy are appended with
".sct".    For example:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;jaxws:client name=<span class="code-quote">"{http://InteropBaseAddress/interop}XDC-SEES_IPingService"</span>

    createdFromAPI=<span class="code-quote">"true"</span>&gt;
    <span class="code-tag">&lt;jaxws:properties&gt;</span>
        <span class="code-tag"><span class="code-comment">&lt;!-- properties
for the external policy --&gt;</span></span>
        <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.username"</span>
value=<span class="code-quote">"abcd"</span>/&gt;</span>

        <span class="code-tag"><span class="code-comment">&lt;!-- properties
for the SecureConversationToken bootstrap policy --&gt;</span></span>
        <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.username.sct"</span>
value=<span class="code-quote">"efgh"</span>/&gt;</span>
        &lt;entry key=<span class="code-quote">"ws-security.callback-handler.sct"</span>

               value=<span class="code-quote">"interop.client.KeystorePasswordCallback"</span>/&gt;
        &lt;entry key=<span class="code-quote">"ws-security.encryption.properties.sct"</span>

               value=<span class="code-quote">"etc/bob.properties"</span>/&gt;

    <span class="code-tag">&lt;/jaxws:properties&gt;</span>
<span class="code-tag">&lt;/jaxws:client&gt;</span>   
</pre>
</div></div>

<p>Via the Java API, use code similar to the following:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
org.apache.cxf.endpoint.Client client;
client.getRequestContext().put(<span class="code-quote">"ws-security.username.sct"</span>,
username);
client.getRequestContext().put(<span class="code-quote">"ws-security.password.sct"</span>,
password);
</pre>
</div></div>

<p>Via the Java API, use code similar to the following:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
org.apache.cxf.endpoint.Client client;
client.getRequestContext().put(<span class="code-quote">"ws-security.username.sct"</span>,
username);
client.getRequestContext().put(<span class="code-quote">"ws-security.password.sct"</span>,
password);
</pre>
</div></div>

<p><b>Note:</b> In most common cases of WS-SecureConversation, you won't
need any configuration for the service policy.  All of the "hard" stuff is used for the bootstrap
policy and the service provides new keys for use by the service policy.   This keeps the communication
with the service itself as simple and efficient as possible.</p>



    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/WS-SecureConversation">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=112640&revisedVersion=10&originalVersion=9">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/WS-SecureConversation?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message