cxf-users mailing list archives

From Dennis Sosnoski
Subject Re: Passing session key through soap header
Date Thu, 26 Aug 2010 09:25:13 GMT
Public key (asymmetric) encryption is slower than secret key (symmetric)
encryption. But unless I'm misunderstanding your original post, you're
saying you would encrypt the secret key using the server's public key,
so you'd be using asymmetric encryption anyway. That being the case,
you're better off skipping the extra layer and instead just directly
encrypting the UsernameToken with the server's public key.

If you're going to be doing multiple message exchanges and are concerned
about the overhead, you can use WS-SecureConversation to set up a
session using a secret key. You should be able to set up the
WS-SecureConversation STS to require the UsernameToken on the request
and do the authorization in the STS, so that the UsernameToken only
needs to be sent once.

How does that sound?

  - Dennis

On 08/26/2010 06:42 PM, wservarch wrote:
> Isn't encrypting UsernameToken with public-key encryption slower? Hence I took
> the approach of a digital envelope; I wanted to use the power of secret key
> with public key and couldn't find a way to send the encrypted session key
> through every SOAP request. Any help?
