Posted to users@cxf.apache.org by Bruce Edge <br...@gmail.com> on 2009/06/16 00:29:09 UTC
Adding secure authentication, SSL and Basic Authentication or
WS-Security with public key certificates
Can someone give me a short description of the differences between these 2
methods:
http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the
http://www.jroller.com/gmazza/entry/setting_up_ssl_and_basic
Thanks
-Bruce
Re: Adding secure authentication, SSL and Basic Authentication or
WS-Security with public key certificates
Posted by Mayank Mishra <ma...@gmail.com>.
Bruce Edge wrote:
> Can someone give me a short description of the differences between these 2
> methods:
>
> http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the
>
Hi Bruce,
Above is using Message level security provided by WS-Security to secure
the web service communication.
Below is using Transport level security provided by HTTPS to secure web
service communication.
> http://www.jroller.com/gmazza/entry/setting_up_ssl_and_basic
>
> Thanks
>
> -Bruce
>
>
Transport layer security handles underlying transport, i.e. it cares
from the point when your data comes onto the transport pipe and leaves
the transport pipe. If you have multiple hops in between producer and
consumer, then there could be data flow pipes where your message is not
secured. Like, in the cases where you have Producer on System 1,
intermediate consumer on System 2 and Final Consumer at System 2. Then,
there is a leak between Intermediate consumer and final consumer.
Also, another deficiency with *Transport layer* security is that you
don't have control over securing specific data. For example, if you are
sending Customer Information (name, address, product-purchased, delivery
address of customer and Credit card information), then in this case you
can't control securing only Credit Card Information, all the other
customer information would also be secured by the channel, i.e. an extra
overhead in processing and data transferred.
Whereas in *Message Layer* Security you can secure your message
'end-to-end', i.e. from Initial Source to Final Destination. You can
also customize what needs to be secured and what can be passed as plain text.
With Regards.
Mayank
>
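The difference described in the reply above, as an added example that is not part of the original thread and is not CXF or WSS4J code: only the credit card field is encrypted end-to-end, so an intermediate consumer can still read the delivery address but not the card number. It assumes a symmetric AES-GCM key shared by producer and final consumer as a stand-in for the XML Encryption that WS-Security performs with certificates; the class name, field names and sample values are constructed.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class MessageLevelDemo {
    // Encrypt one field with AES-GCM; output is base64(iv || ciphertext+tag).
    static String seal(SecretKey key, String plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Decrypt and authenticate a sealed field; throws if it was tampered with.
    static String open(SecretKey key, String sealed) throws Exception {
        byte[] in = Base64.getDecoder().decode(sealed);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Key held only by producer and final consumer (assumption for this demo).
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey endToEnd = kg.generateKey();
        // Producer: only the card number is protected; the rest stays plain text.
        Map<String, String> msg = new LinkedHashMap<>();
        msg.put("name", "Alice Example");                        // constructed
        msg.put("deliveryAddress", "1 Sample Street");           // constructed
        msg.put("creditCard", seal(endToEnd, "4111111111111111")); // test number
        // Intermediate consumer: the transport hop ends here; it has no end-to-end key.
        System.out.println("intermediary routes on: " + msg.get("deliveryAddress"));
        System.out.println("intermediary sees card: " + msg.get("creditCard"));
        // Final consumer: holds the key and recovers the protected field.
        System.out.println("final consumer card:    " + open(endToEnd, msg.get("creditCard")));
    }
}
```

With transport-level security alone, the intermediary would receive the whole message in clear after its HTTPS connection terminates, including the card number.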