Posted to users@cxf.apache.org by wservarch <ws...@gmail.com> on 2010/08/26 06:13:19 UTC

Passing session key through soap header

Instead of a password digest in the username token, I'm taking a slightly different
approach to sending the username token to the receiver end through the SOAP header.

Using a session key I am encrypting my password_text, then encrypting the
session key with the public key of the receiver (or endpoint).
The receiver receives both my encrypted session key and the encrypted password_text.
The receiver uses its private key to decrypt the session key, which in turn can
be used to decrypt the actual password_text.

Now the question is how to send the encrypted session key through the SOAP
header along with the encrypted password_text?

If I go with the username token policy, I can send an encrypted password, but there is
no field in it through which I can send my encrypted key.

Can somebody help me know how the policy XML in the WSDL is going to look?
-- 
View this message in context: http://cxf.547215.n5.nabble.com/Passing-session-key-through-soap-header-tp2668876p2668876.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Passing session key through soap header

Posted by Dennis Sosnoski <dm...@sosnoski.com>.
I'd suggest you encrypt the complete UsernameToken, since the
performance difference between doing only part and the whole token would
probably be minor and encrypting the whole token is better for
interoperability. As Dan pointed out in a recent exchange
(http://mail-archives.apache.org/mod_mbox/cxf-users/201008.mbox/browser), .Net
*always* wants to encrypt UsernameToken, one way or another, and so most
of the Java stacks are likely to do the same.

  - Dennis

On 08/26/2010 10:20 PM, wservarch wrote:
> Yes, makes sense. Thanks for the help; right now I'm not looking at multiple
> message exchanges. I've one more query: when you say encrypting the
> UserNameToken with the public key, do you mean encrypting only the password of
> the token or the complete UserNameToken?
>   
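One way to express Dennis's suggestion as a WS-SecurityPolicy 1.2 fragment, added here as an illustration and not taken from the thread or from the CXF project: an AsymmetricBinding signs with the client's X.509 key and encrypts to the server's certificate, and EncryptedSupportingTokens requires the whole UsernameToken to be encrypted (and signed) under that binding. The policy id, the Basic128 suite and the token-inclusion choices are assumptions.

```xml
<wsp:Policy wsu:Id="EncryptedUsernameTokenPolicy"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- Initiator (client) cert signs; recipient (server) cert is the
           encryption target, so only the server can read the token. -->
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <!-- client cert travels in the header so the server can verify the signature -->
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <!-- server cert is never sent; the client already holds it in its truststore -->
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
          <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
          <!-- timestamp + signed headers/body limit replay and header tampering -->
          <sp:IncludeTimestamp/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <!-- The complete UsernameToken, not just the password, is encrypted
           under the binding above (EncryptedSupportingTokens also signs it). -->
      <sp:EncryptedSupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:EncryptedSupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

The policy is attached to the WSDL binding with a `wsp:PolicyReference URI="#EncryptedUsernameTokenPolicy"`. The stack itself generates a per-message symmetric key and ships it wrapped under the server's certificate in an `xenc:EncryptedKey` element, so no custom header is needed to carry a session key.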

Re: Passing session key through soap header

Posted by wservarch <ws...@gmail.com>.
Yes, makes sense. Thanks for the help; right now I'm not looking at multiple
message exchanges. I've one more query: when you say encrypting the
UserNameToken with the public key, do you mean encrypting only the password of
the token or the complete UserNameToken?
-- 
View this message in context: http://cxf.547215.n5.nabble.com/Passing-session-key-through-soap-header-tp2668876p2695658.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Passing session key through soap header

Posted by Dennis Sosnoski <dm...@sosnoski.com>.
Public key (asymmetric) encryption is slower than secret key (symmetric)
encryption. But unless I'm misunderstanding your original post, you're
saying you would encrypt the secret key using the server's public key,
so you'd be using asymmetric encryption anyway. That being the case,
you're better off skipping the extra layer and instead just directly
encrypting the UsernameToken with the server's public key.

If you're going to be doing multiple message exchanges and are concerned
about the overhead, you can use WS-SecureConversation to set up a
session using a secret key. You should be able to set up the
WS-SecureConversation STS to require the UsernameToken on the request
and do the authorization in the STS, so that the UsernameToken only
needs to be sent once.

How does that sound?

  - Dennis

On 08/26/2010 06:42 PM, wservarch wrote:
> Isn't encrypting the UsernameToken with public-key encryption slower? Hence I took
> the approach of a digital envelope: I wanted to use the power of a secret key
> with a public key and couldn't find a way to send the encrypted session key
> through every SOAP request. Any help?
>   

Re: Passing session key through soap header

Posted by wservarch <ws...@gmail.com>.
Isn't encrypting the UsernameToken with public-key encryption slower? Hence I took
the approach of a digital envelope: I wanted to use the power of a secret key
with a public key and couldn't find a way to send the encrypted session key
through every SOAP request. Any help?
-- 
View this message in context: http://cxf.547215.n5.nabble.com/Passing-session-key-through-soap-header-tp2668876p2680984.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Passing session key through soap header

Posted by Dennis Sosnoski <dm...@sosnoski.com>.
It's hard to see much benefit from using a session key in this case,
since it sounds like you're sending it with each request. Why don't you
just encrypt the UsernameToken directly with the server's public key?

  - Dennis

On 08/26/2010 04:13 PM, wservarch wrote:
> Instead of a password digest in the username token, I'm taking a slightly different
> approach to sending the username token to the receiver end through the SOAP header.
>
> Using a session key I am encrypting my password_text, then encrypting the
> session key with the public key of the receiver (or endpoint).
> The receiver receives both my encrypted session key and the encrypted password_text.
> The receiver uses its private key to decrypt the session key, which in turn can
> be used to decrypt the actual password_text.
>
> Now the question is how to send the encrypted session key through the SOAP
> header along with the encrypted password_text?
>
> If I go with the username token policy, I can send an encrypted password, but there is
> no field in it through which I can send my encrypted key.
>
> Can somebody help me know how the policy XML in the WSDL is going to look?
>