Learn how WS-SecureConversation can improve the security performance of web services
Introduction: WS-Security adds enterprise-class security features to SOAP message exchanges, but at a significant performance cost. WS-Trust builds on WS-Security to provide a way of exchanging security tokens, and WS-SecureConversation builds on both WS-Security and WS-Trust to improve the performance of an ongoing message exchange. Dennis Sosnoski continues his Java Web services column series; this installment introduces WS-Trust and WS-SecureConversation.
Built on sophisticated cryptography and on the industry standards for XML Encryption and XML Signature, WS-Security provides a full set of security features for web service applications. For many applications the WS-Security features are essential, but they usually come at a cost in performance. Earlier articles in this series looked at how common WS-Security configurations affect the performance of the main open source Java™ web service stacks (Apache Axis2, Metro, and Apache CXF).
The performance penalty of WS-Security comes mainly from its heavy use of asymmetric encryption. As discussed in the "Axis2 WS-Security signing and encryption" article, asymmetric encryption is a useful tool because it works with key pairs: a message encrypted with one key of the pair can be decrypted only with the other key. The owner of a key pair can publish one key so that anyone can use it to encrypt messages sent to the owner, or to decrypt messages coming from the owner (which then verifies the identity of the sender). The disadvantage of asymmetric encryption is that it requires larger keys and far more processing than symmetric encryption, which is based on a single secret key known only to the parties in the exchange.
WS-SecureConversation is a standard that allows symmetric encryption to be used for an ongoing message exchange between a client and a server, eliminating the added overhead of asymmetric encryption on every message. To secure the exchange of the secret key material that symmetric encryption requires, WS-SecureConversation is built on WS-Security and on another standard, WS-Trust. WS-Trust is itself based on WS-Security and defines interfaces to web services that issue and process security tokens.
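The cost argument above, as an added Go example that is not from the article or from any of the stacks it discusses: it models the two patterns side by side. `perMessageAsymmetric` wraps a fresh content key with RSA-OAEP for every message, which is the shape of plain WS-Security encryption; `conversationSymmetric` does one RSA key wrap to establish a shared secret and then encrypts every message under a key derived from that secret. The SOAP bodies are constructed sample strings, and the bootstrap by RSA key wrap plus the SHA-256 counter derivation are simplifying assumptions that stand in for WS-Trust's token issue and WS-SecureConversation's derived keys; they are not the real protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// Constructed sample payloads standing in for SOAP message bodies.
var sampleMessages = []string{
	`<soap:Body><getQuote><symbol>IBM</symbol></getQuote></soap:Body>`,
	`<soap:Body><getQuote><symbol>MSFT</symbol></getQuote></soap:Body>`,
	`<soap:Body><getQuote><symbol>ORCL</symbol></getQuote></soap:Body>`,
}

// must is demo shorthand: the calls below fail only on a bad key size or a broken CSPRNG.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func generateKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// newGCM builds AES-256-GCM from a 32-byte key.
func newGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// roundTrip encrypts m under senderKey with a fresh 96-bit nonce and decrypts it
// under recipientKey; a GCM authentication failure means the two keys disagree.
func roundTrip(senderKey, recipientKey []byte, m string) string {
	nonce := randomBytes(12)
	ct := newGCM(senderKey).Seal(nil, nonce, []byte(m), nil)
	return string(must(newGCM(recipientKey).Open(nil, nonce, ct, nil)))
}

// rsaWrapUnwrap models the sender wrapping key under the recipient's public key
// (RSA-OAEP) and the recipient unwrapping it with the private key.
func rsaWrapUnwrap(priv *rsa.PrivateKey, key []byte) []byte {
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, key, nil))
	return must(rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil))
}

// deriveKey is a simplified per-message derivation, SHA-256(secret || counter).
// It stands in for WS-SecureConversation's P_SHA1 derived keys (an assumption here).
func deriveKey(secret []byte, counter uint32) []byte {
	h := sha256.New()
	h.Write(secret)
	h.Write([]byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)})
	return h.Sum(nil)
}

// perMessageAsymmetric models plain WS-Security encryption: each message carries its
// own content key wrapped with RSA, so every message costs an RSA private-key operation.
func perMessageAsymmetric(priv *rsa.PrivateKey, msgs []string) []string {
	out := make([]string, 0, len(msgs))
	for _, m := range msgs {
		contentKey := randomBytes(32)
		out = append(out, roundTrip(contentKey, rsaWrapUnwrap(priv, contentKey), m))
	}
	return out
}

// conversationSymmetric models the WS-SecureConversation idea: one RSA exchange
// establishes a session secret; every later message uses a key derived from it.
func conversationSymmetric(priv *rsa.PrivateKey, msgs []string) []string {
	secret := randomBytes(32)
	shared := rsaWrapUnwrap(priv, secret) // the only RSA operation in the conversation
	out := make([]string, 0, len(msgs))
	for i, m := range msgs {
		out = append(out, roundTrip(deriveKey(secret, uint32(i)), deriveKey(shared, uint32(i)), m))
	}
	return out
}

func main() {
	priv := generateKey()
	msgs := make([]string, 300) // enough messages for the per-message RSA cost to show
	for i := range msgs {
		msgs[i] = sampleMessages[i%len(sampleMessages)]
	}
	start := time.Now()
	perMessageAsymmetric(priv, msgs)
	mid := time.Now()
	conversationSymmetric(priv, msgs)
	fmt.Printf("%d messages: RSA wrap per message %v, one RSA bootstrap + derived keys %v\n",
		len(msgs), mid.Sub(start), time.Since(mid))
}
```

Running it prints the two wall-clock times; the symmetric path does one RSA private-key operation in total instead of one per message, which is the saving the article attributes to WS-SecureConversation. The per-message key derivation matters for a second reason the article's later sections touch on: reusing one key for every message would tie all of them to a single compromise, whereas a derived key limits the damage to one message.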
WS-Trust
WS-Trust combines two related functions. The first is the handling of security tokens: specifically, issuing, renewing, and canceling them. The second is brokering trust relationships. The two functions look different but are interrelated: a security token must be trustworthy, and trust must be expressed in some form of token.
At the core of WS-Trust is a set of messages used to issue, renew, cancel, and validate security tokens. A client can exchange these messages by invoking a particular type of SOAP web service called a Security Token Service (STS). They can also be delivered in other ways (for example, inside the Security header of a request to some other service).