Posted to dev@santuario.apache.org by IL GON KIM <ik...@irisa.fr> on 2006/03/14 14:24:02 UTC

Question about WS-Security

I am studying WS-Security and have a question about it.
As far as I understand it, WS-Security defines security elements in 
header part of the SOAP messages, by combining WS-Signature and 
WS-Encryption standards.

I think it is possible to define security elements in body part of the 
SOAP message, not in header part.
In my opinion, there would be a reason why the security element is described 
in the header part in WS-Security.

If there is anyone who knows this reason or trade-off between two 
approaches, please give me your opinion.


Regards
Il-Gon Kim


Re: Question about WS-Security

Posted by Tech Rams <te...@yahoo.com>.
You will have to look at the feasibility of putting
everything in the body as well as achieving SOAP
intermediary functionality. 
WS-Security is an elegant and generalized solution.
The concept of security tokens pertains to username,
X.509, or SAML tokens. For encryption, having
EncryptedKey separate from EncryptedData is also an
elegant and required feature. For Signature also,
having signature separate from content makes sense.
And think of what you can do once you have separated
out tokens, EncryptedKey, and Signature - you can
perform operations on them without damaging the
original content - for example, you can sign the
tokens, or encrypt them - tokens can be referred to in
encryption or signatures - all these offer the
advantages of brevity that you claim can be achieved
by putting things directly in the body!

And, of course, you still have to address SOAP
intermediary functionality even if you have achieved
elegance and generalization.

-rams

> *question 1)* Are there other reasons why 
> WS-Security defines 
> especially security elements in header part of SOAP
> message.
> 
> As I mentioned in an original e-mail, I believe that
> security element  
> defined with XML-Signature and XML-Encryption could
> be located in
> either header part or body part in SOAP messages.
> 
> If it is possible,  the former approach(using
> WS-Security) could contain 
> more information in header and the latter would be
> reverse.
> 
> In web services applications, the flow of message
> transactions could be 
> passed to an intended recipient by way of several
> intermediaries.
> In this case, which approach would be better from
> the viewpoints of 
> message processing and decryption ?
> 
> *question 2)* trade-off between two approaches(from
> the viewpoints of 
> implementation or performance)  ?
> 
> Il-Gon Kim
> 



Re: Question about WS-Security

Posted by IL GON KIM <ik...@irisa.fr>.
Davanum Srinivas wrote:

>my 2 cents, whatever is in the soap body is destined for the
>application that consumes/needs the soap request/response. the header
>is a location where intermediate nodes or the soap engine(s) at the
>end can add custom information independent of the application that
>sends/receives the soap request/response.
>
>-- dims
>  
>
Thanks for your good opinion.

I agree with your idea that the header is where any supplementary information 
such as address and id/passwd is generally located.
So, I think this might be one reason why security element is included in 
header part of SOAP messages, in WS-Security.

*question 1)* Are there other reasons why WS-Security defines 
especially security elements in header part of SOAP message.

As I mentioned in an original e-mail, I believe that security element  
defined with XML-Signature and XML-Encryption could be located in
either header part or body part in SOAP messages.

If it is possible,  the former approach(using WS-Security) could contain 
more information in header and the latter would be reverse.

In web services applications, the flow of message transactions could be 
passed to an intended recipient by way of several intermediaries.
In this case, which approach would be better from the viewpoints of 
message processing and decryption ?

*question 2)* trade-off between two approaches(from the viewpoints of 
implementation or performance)  ?

Il-Gon Kim

>On 3/14/06, IL GON KIM <ik...@irisa.fr> wrote:
>  
>
>>I am studying on WS-Security and have a question about it.
>>As far as I understand it, WS-Security defines security elements in
>>header part of the SOAP messages, by combining WS-Signature and
>>WS-Encryption standards.
>>
>>I think it is possible to define security elements in body part of the
>>SOAP message, not in header part.
>>In my opinion, there would be a reason why security element is described
>>in header part in WS-Security.
>>
>>If there is anyone who knows this reason or trade-off between two
>>approaches, please give me your opinion.
>>
>>
>>Regards
>>Il-Gon Kim
>>
>>
>>    
>>
>
>
>--
>Davanum Srinivas : http://wso2.com/blogs/
>
>
>  
>



Re: Question about WS-Security

Posted by Davanum Srinivas <da...@gmail.com>.
my 2 cents, whatever is in the soap body is destined for the
application that consumes/needs the soap request/response. the header
is a location where intermediate nodes or the soap engine(s) at the
end can add custom information independent of the application that
sends/receives the soap request/response.

-- dims

On 3/14/06, IL GON KIM <ik...@irisa.fr> wrote:
> I am studying on WS-Security and have a question about it.
> As far as I understand it, WS-Security defines security elements in
> header part of the SOAP messages, by combining WS-Signature and
> WS-Encryption standards.
>
> I think it is possible to define security elements in body part of the
> SOAP message, not in header part.
> In my opinion, there would be a reason why security element is described
> in header part in WS-Security.
>
> If there is anyone who knows this reason or trade-off between two
> approaches, please give me your opinion.
>
>
> Regards
> Il-Gon Kim
>
>


--
Davanum Srinivas : http://wso2.com/blogs/

Re: Question about WS-Security

Posted by William Bathurst <wi...@oracle.com>.
IL GON KIM wrote:

> I am studying on WS-Security and have a question about it.
> As far as I understand it, WS-Security defines security elements in 
> header part of the SOAP messages, by combining WS-Signature and 
> WS-Encryption standards.
>
> I think it is possible to define security elements in body part of the 
> SOAP message, not in header part.
> In my opinion, there would be a reason why security element is described 
> in header part in WS-Security.
>
> If there is anyone who knows this reason or trade-off between two 
> approaches, please give me your opinion.

If you look at the history of messaging, there has always been the need 
to separate metadata from the actual payload. MQSeries and JMS are prime 
examples. They leverage information in the message headers for message 
correlation, priority, etc... This normalizes the message, and provides 
the ability to optimize message processing. The reasons are the same for 
SOAP where one can reduce the amount of clutter that could go into 
the actual payload, and normalize the message content for ease of 
processing.

When it comes to WS-Security, there are many reasons for using SOAP 
headers. For example, if you wish to sign the message body, would you 
put the wsse element into the message body or header? What if there are 
multiple signatures within the body? Seems to me that putting the 
WS-Security wsse elements into the message body is a nightmare.

Finally, there is performance. If there aren't any headers, there is no 
need to process WS-Security, WS-Addressing, etc... If everything is in 
the body, it is more difficult to determine whether metadata processing 
will need to be made or not.

Regards,
Bill
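
An added example (not part of any message in this thread, and not Santuario code) of the header-based layout the replies describe: a receiver checks only `soap:Header` to decide whether any WS-Security processing is needed, and the detached `ds:Signature` in the header points at the body and the token by `wsu:Id`. The sample envelopes, the `security_plan` helper and the `urn:example:quotes` payload are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {  # SOAP 1.1, WS-Security 1.0 and XML-Signature namespaces
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
XMLNS = " ".join('xmlns:%s="%s"' % item for item in NS.items())

# Constructed sample messages; token, digest and signature values are left out.
BODY = '<soap:Body wsu:Id="Body-1"><GetQuote xmlns="urn:example:quotes"/></soap:Body>'
UNSIGNED = "<soap:Envelope %s>%s</soap:Envelope>" % (XMLNS, BODY)
SIGNED = """<soap:Envelope %s>
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsse:BinarySecurityToken wsu:Id="X509Token">placeholder</wsse:BinarySecurityToken>
      <ds:Signature><ds:SignedInfo>
        <ds:Reference URI="#Body-1"/>
        <ds:Reference URI="#X509Token"/>
      </ds:SignedInfo></ds:Signature>
    </wsse:Security>
  </soap:Header>
  %s
</soap:Envelope>""" % (XMLNS, BODY)


def security_plan(envelope_xml):
    """Return None when there is no wsse:Security header; otherwise map each
    signature Reference URI to the envelope part that holds its target."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        return None  # no security metadata: the body goes straight to the application
    location = {}  # wsu:Id value -> "Header" or "Body"
    for part in ("Header", "Body"):
        section = root.find("soap:" + part, NS)
        if section is not None:
            for element in section.iter():
                if WSU_ID in element.attrib:
                    location[element.attrib[WSU_ID]] = part
    plan = {}
    for ref in security.iterfind(".//ds:Reference", NS):
        uri = ref.get("URI", "")
        plan[uri] = location.get(uri.lstrip("#"), "unresolved")
    return plan
```

The payload in `soap:Body` is byte-for-byte the same in both envelopes; everything the signature adds lives in the header, and a reference whose target is missing is reported as `unresolved` instead of being skipped.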