Posted to users@cxf.apache.org by Bruce Edge <br...@gmail.com> on 2009/06/16 00:29:09 UTC

Adding secure authentication, SSL and Basic Authentication or WS-Security with public key certificates

Can someone give me a short description of the differences between these 2
methods:

http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the

http://www.jroller.com/gmazza/entry/setting_up_ssl_and_basic

Thanks

-Bruce

Re: Adding secure authentication, SSL and Basic Authentication or WS-Security with public key certificates

Posted by Mayank Mishra <ma...@gmail.com>.
Bruce Edge wrote:
> Can someone give me a short description of the differences between these 2
> methods:
>
> http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the
>   
Hi Bruce,

Above is using Message level security provided by WS-Security to secure 
the web service communication.
Below is using Transport level security provided by HTTPS to secure web 
service communication.

> http://www.jroller.com/gmazza/entry/setting_up_ssl_and_basic
>
> Thanks
>
> -Bruce
>
>   
Transport layer security handles the underlying transport, i.e. it cares 
from the point when your data comes onto the transport pipe and leaves 
the transport pipe. If you have multiple hops in between producer and 
consumer, then there could be data flow pipes where your message is not 
secured. Like, in the cases where you have Producer on System 1, 
intermediate consumer on System 2 and Final Consumer at System 2. Then, 
there is a leak between Intermediate consumer and final consumer.

Also, another deficiency with *Transport layer* security is that you 
don't have control over securing specific data. For example, if you are 
sending Customer Information (name, address, product-purchased, delivery 
address of customer and Credit card information), then in this case you 
can't control securing only Credit Card Information, all the other 
customer information would also be secured by channel, i.e. an extra 
overhead in processing and data transferred.

Whereas in *Message Layer* Security you can secure your message 
'end-to-end', i.e. from Initial Source to Final Destination. You can 
also customize what needs to be secured and what can be passed as plain text.

With Regards.
Mayank
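
Added example (not part of the original thread, and not code from the linked articles): one way to apply the message-level option in CXF so that only the credit card data is encrypted end-to-end, using the WSS4J out-interceptor on the client. The namespace, element name, key alias and properties file name are assumptions for illustration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;

public final class SelectiveEncryption {

    // Assumption: namespace of the order message that carries the customer data.
    private static final String ORDER_NS = "http://example.org/orders";

    private SelectiveEncryption() {
    }

    /**
     * WSS4J handler settings that encrypt only the content of the CreditCard
     * element. Name, address and the other customer fields stay readable.
     * The keys are the string values of the WSHandlerConstants fields.
     */
    static Map<String, Object> outboundProperties() {
        Map<String, Object> props = new HashMap<String, Object>();
        // Only encrypt; add "Signature" or "Timestamp" here if they are needed too.
        props.put("action", "Encrypt");
        // Assumption: keystore alias of the final consumer's public key certificate.
        props.put("encryptionUser", "final-consumer");
        // Assumption: classpath file naming the keystore that holds that certificate.
        props.put("encryptionPropFile", "client-crypto.properties");
        // {mode}{namespace}localName; separate several parts with ';'.
        props.put("encryptionParts", "{Content}{" + ORDER_NS + "}CreditCard");
        return props;
    }

    /** Attaches the interceptor to a CXF client proxy (the generated port). */
    static void secure(Object port) {
        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(outboundProperties()));
    }
}
```

An intermediate consumer can still read and route the rest of the message, but the card data stays encrypted on every hop until the holder of the matching private key decrypts it. With the HTTPS approach, each hop terminates its own connection and sees the whole message in the clear.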