Comment: Migrated to Confluence 5.3

WS-SecureConversation

WS-SecureConversation support in CXF builds upon the WS-SecurityPolicy implementation to handle the SecureConversationToken policy assertions that could be found in the WS-SecurityPolicy fragment.

...

One of the "problems" of WS-Security is that the use of strong encryption keys for all communication exacts a hefty performance penalty. WS-SecureConversation helps to alleviate that somewhat by allowing the client and service to use the strong encryption at the start to negotiate a set of new security keys that will be used for further communication. This can be a huge benefit if the client needs to send many requests to the service. However, if the client only needs to send a single request and is then discarded, WS-SecureConversation is actually slower, as the key negotiation requires an extra request/response to the server.

With WS-SecureConversation, there are two security policies that come into effect:

  1. The "outer" policy that describes the security requirements for interacting with the actual endpoint. This will contain a SecureConversationToken in it someplace.
  2. The "bootstrap" policy that is contained in the SecureConversationToken. This policy is the policy in effect when the client is negotiating the SecureConversation keys.

...

<jaxws:client name="{http://InteropBaseAddress/interop}XDC-SEES_IPingService" 
    createdFromAPI="true">
    <jaxws:properties>
        <!-- properties for the external policy -->
        <entry key="ws-security.username" value="abcd"/>

        <!-- properties for the SecureConversationToken bootstrap policy -->
        <entry key="ws-security.username.sct" value="efgh"/>
        <entry key="ws-security.callback-handler.sct" 
               value="interop.client.KeystorePasswordCallback"/>
        <entry key="ws-security.encryption.properties.sct" 
               value="etc/bob.properties"/> 
    </jaxws:properties>
</jaxws:client>   

Via the Java API, use code similar to the following:

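// 'port' is the JAX-WS proxy for the service (assumed to have been created already)
org.apache.cxf.endpoint.Client client = org.apache.cxf.frontend.ClientProxy.getClient(port);
// Credentials used only while negotiating the SecureConversationToken (bootstrap policy)
client.getRequestContext().put("ws-security.username.sct", username);
client.getRequestContext().put("ws-security.password.sct", password);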

Note: In most common cases of WS-SecureConversation, you won't need any configuration for the service policy. All of the "hard" stuff is used for the bootstrap policy and the service provides new keys for use by the service policy. This keeps the communication with the service itself as simple and efficient as possible.