santuario-dev mailing list archives

From William Bathurst <william.bathu...@oracle.com>
Subject Re: Question about WS-Security
Date Tue, 14 Mar 2006 18:28:40 GMT
IL GON KIM wrote:

> I am studying WS-Security and have a question about it.
> As far as I understand it, WS-Security defines security elements in 
> header part of the SOAP messages, by combining WS-Signature and 
> WS-Encryption standards.
>
> I think it is possible to define security elements in body part of the 
> SOAP message, not in header part.
> In my opinion, there would be a reason why security element is described 
> in header part in WS-Security.
>
> If there is anyone who knows this reason or trade-off between two 
> approaches, please give me your opinion.

If you look at the history of messaging, there has always been the need 
to separate metadata from the actual payload. MQSeries and JMS are prime 
examples. They leverage information in the message headers for message 
correlation, priority, etc... This normalizes the message, and provides 
the ability to optimize message processing. The reasons are the same for 
SOAP where one can reduce the amount of clutter that could go into 
the actual payload, and normalize the message content for ease of 
processing.

When it comes to WS-Security, there are many reasons for using SOAP 
headers. For example, if you wish to sign the message body, would you 
put the wsse element into the message body or header? What if there are 
multiple signatures within the body? Seems to me that putting the 
WS-Security wsse elements into the message body is a nightmare.

Finally, there is performance. If there aren't any headers, there is no 
need to process WS-Security, WS-Addressing, etc... If everything is in 
the body, it is more difficult to determine whether metadata processing 
will need to be made or not.

Regards,
Bill
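
The header-versus-body trade-off discussed in this message, as an added example that is not part of the original thread: a receiver that reads only soap:Header can tell whether WS-Security processing is needed, and which parts a signature references, without inspecting the payload. The names `scan_header` and `envelope` and the three sample messages are constructed for illustration, and Python's standard `xml.etree` is used here rather than the Santuario API.

```python
import io
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
WSSE, WSU = WSS + "secext-1.0.xsd", WSS + "utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
HEADER, BODY = f"{{{SOAP}}}Header", f"{{{SOAP}}}Body"

def scan_header(message: bytes) -> dict:
    """Decide from soap:Header alone whether WS-Security processing is needed."""
    found = {"security": False, "signed_refs": []}
    path = []  # tags of the currently open elements, outermost first
    for event, elem in ET.iterparse(io.BytesIO(message), events=("start", "end")):
        if event == "start":
            if elem.tag == BODY and len(path) == 1:
                break  # all header blocks seen; body content is never inspected
            path.append(elem.tag)
            continue
        path.pop()
        # Count only a wsse:Security block that is a direct child of soap:Header.
        if elem.tag == f"{{{WSSE}}}Security" and path[1:] == [HEADER]:
            found["security"] = True
            found["signed_refs"] = [r.get("URI")
                                    for r in elem.iter(f"{{{DS}}}Reference")]
    return found

# Constructed sample messages (not taken from the thread).
def envelope(inner: str) -> bytes:
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" '
            f'xmlns:wsu="{WSU}" xmlns:ds="{DS}">{inner}</s:Envelope>').encode()

SIGNATURE = ('<wsse:Security><ds:Signature><ds:SignedInfo>'
             '<ds:Reference URI="#body-1"/></ds:SignedInfo>'
             '</ds:Signature></wsse:Security>')
SIGNED = envelope(f'<s:Header>{SIGNATURE}</s:Header>'
                  '<s:Body wsu:Id="body-1"><order/></s:Body>')
PLAIN = envelope('<s:Body><order/></s:Body>')
IN_BODY = envelope(f'<s:Body>{SIGNATURE}<order/></s:Body>')

if __name__ == "__main__":
    for name, msg in (("signed", SIGNED), ("plain", PLAIN), ("in-body", IN_BODY)):
        print(name, scan_header(msg))
```

The third message carries the same wsse:Security block inside the body, and the header-only scan does not see it: detecting it there would mean walking the whole payload of every message.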
