exchangemandriva
mandriva 时间:2021-04-01 阅读:()
CopyrightIBMCorporation2010TrademarksJavawebservices:WS-SecuritywithoutclientcertificatesPage1of9Javawebservices:WS-SecuritywithoutclientcertificatesLearnhowtouseWS-SecuritysymmetricencryptionforsecureexchangeswithoutclientcertificatesDennisSosnoski03August2010WS-Securitysymmetricencryptionletsyousecuremessageexchangesbetweenclientandserverwithoutrequiringclientcertificates,simplifyingyourwebserviceconfigurationwhilealsoprovidingperformancebenefits.
YoucanuseitdirectlyorinthebootstrapforWS-SecureConversationexchanges.
Inthisarticle,you'lllearnhowtoconfigureandusesymmetricencryptionwiththethreemainopensourceJavawebservicesstacks:Axis2,Metro,andCXF.
You'llalsoseehowplainWS-SecuritysymmetricencryptionperformancecomparestoWS-SecureConversationperformance.
ViewmorecontentinthisseriesAboutthisseriesWebservicesareacrucialpartofJavatechnology'sroleinenterprisecomputing.
Inthisseriesofarticles,XMLandwebservicesconsultantDennisSosnoskicoversthemajorframeworksandtechnologiesthatareimportanttoJavadevelopersusingwebservices.
Followtheseriestostayinformedofthelatestdevelopmentsinthefieldandawareofhowyoucanusethemtoaidyourprogrammingprojects.
ManyWS-Securityconfigurationsrequirebothclientandservertousepublic/privatekeypairs,withX.
509certificatestovouchfortheownershipofthepublickeys.
ThisisprobablythemostwidelyusedtechniqueforsigningorencryptingmessageswithWS-Security,anditdoeshavesomeadvantages.
Inparticular,clientcertificatesprovidestrongclientidentityverificationandstrongsignatureguaranteesonrequests.
Butitalsohasdrawbacks,includingtheperformanceoverheadofasymmetricencryptionandthemanagementheadachesofobtainingandmaintainingcertificatesforeachclient.
"WS-SecureConversationperformance"showedhowWS-SecureConversation—whilestillworkingwithclientcertificates—reducesperformanceoverheadforongoingmessageexchangesbetweenclientandserverbyusingsymmetricencryption.
Inthisarticle,you'llseehowyoucangoastepfurtherandbreakfreeoftheneedforclientcertificatesinbothplainWS-SecurityandWS-SecureConversationexchanges.
developerWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage2of9EncryptingandsigningwithoutclientcertificatesUsingasymmetricencryptionwithpublic/privatekeypairsforsigningandencryptingmessagesissimple(atleastconceptually!
).
Asdiscussedin"Axis2WS-Securitysigningandencryption,"youuseyourprivatekeytosignmessagesandtherecipient'spublickeytoencryptmessages.
Anyonewithaccesstoyourpublickey(whichisgenerallywrappedwithinlayersofauthenticationintheformofanX.
509certificate)canverifythesignatureyougeneratedusingyourprivatekey,whereasonlytheownerofthecorrespondingprivatekeycandecryptamessageencryptedwithapublickey.
Iftheclientdoesn'thaveapublic/privatekeypair,youcan'tusefullasymmetricencryption.
Thealternativeissymmetricencryption,butwithsymmetricencryptionyoumusthaveasecretkeyknownonlytothepartiesinvolvedinamessageexchange.
HowcanyouestablishsuchasecretkeyThetechniquethatWS-Securityusesistohavetheclientgenerateasecret-keyvalue,whichisthenencryptedusingasymmetricencryptionwiththeserver'spublickeyandembeddedintherequestmessageinatoken.
Theclientcanusethissecretkey(orforbettersecurity,aseparatekeyderivedfromthesecretkey)toencryptand/orsigntherequestmessage,andtheservercandothesamewiththeresponsemessage.
There'snoneedfortheservertosendthesecretkeybacktotheclient,becausetheclientalreadyhasitavailable.
WS-SecurityPolicyconfigurationWS-Policy/WS-SecurityPolicyconfigurationforsymmetricencryptionusingaclient-generatedkeyissimple.
Listing1showstheversionusedinthisarticle.
Thispolicyspecifiesencryptionofmessagebodiessentinbothdirections,usingaclient-generatedsecretkey.
Listing1.
WS-Policyforencryptingallmessagebodiesibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage3of9TheassertionintheListing1policyiswhatconfigurestheuseofsymmetricencryptionwithasecretkey.
TheembeddedassertionsaysthataX.
509certificatewillbeusedtoprotectthetransmissionofthesecretkey(thatis,encryptthesecretkeyfortransmission),withthecertificateidentifiedusingathumbprintreference(essentiallyahashvalue).
Clientgenerationofthesecretkeyisimplicitintheuseofaassertionwithaprotectiontoken.
Theotherpolicyassertionsspecifydetailsoftheencryptionalgorithmandrequiredfeatures,andfinallytheassertionsaysthattheSOAPBodyistobeencryptedusingthesecretkey.
Asyou'veseeninearlierarticles,run-timeparametersforthesecurityhandling(suchaskeystoresandpasswords)mustbedefinedinanimplementation-dependentmanner.
Inthiscase,theparametersaresimple:theclientsideneedsaccesstoatruststorecontainingtheservercertificate,andtheserversideneedsaccesstoakeystorecontainingtheprivatekeymatchingthepublickeyinthecertificate.
Seeearlierarticlesinthisseriesfordetailsofhowtheparametersarepassedforeachofthestacks.
WS-SecureConversationwithoutclientcertificatesYoucanapplythesametechniqueforworkingwithoutclientcertificatestothemessageexchangebetweentheclientandtheSecurityTokenService(STS)whenusingWS-SecureConversation.
(See"WS-TrustandWS-SecureConversation"and"WS-SecureConversationperformance"fordetailsofWS-SecureConversation.
)Tousethisapproach,youbasicallysubstitutetheListing1policyintotheforthesecureconversation.
Listing2showshowthisworks,withtheshowninboldreplacingtheusedin"WS-SecureConversationperformance":Listing2.
WS-PolicyforWS-SecureConversationwithoutclientcertificatesdeveloperWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage4of9ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage5of9Besidesusingaclient-generatedkeyforthemessageexchangewiththeSTS,theListing2policyalsodiffersfromthoseusedin"WS-SecureConversationperformance"byeliminatingtheassertion.
Intheory,thispolicyshouldworkonanyWS-SecurityandWS-SecureConversationimplementation.
Inpractice,someproblemsoccurredwhenItriedthisconfigurationwiththethreemainopensourceJavawebservicesstacks.
CXFwastheonlystackthatworkedwiththepolicyaswritten.
Axis2didn'tworkatall,failingwithaclient-sideexceptionwhenprocessingtheSTSresponsemessage.
WhenIchangedthebootstrappolicybacktoasymmetricencryption,Axis2workedbutusedWS-Addressingonallmessagesanyway.
Metroalsofailed;afterIaddedbackthe,itworkedwithaclient-generatedkeyforsymmetricencryptionintheSTSmessageexchange.
ComparingperformanceTheperformancecomparisonsusethesametestcodeasearlierarticles,aseismicdataretrievalservice.
Theserviceusesadatabaseofmorethan93,000earthquakesthatoccurredworldwideoveraperiodofyears.
Requeststotheservicespecifyatimerangeandageographiccoordinaterange,andtheservicereturnsallearthquakeswithinthespecifiedrange.
See"Thehighcostof(WS-)Security"forfulldetailsofthetestapplicationandasamplerequest/responsemessagepair.
Asinthepreviousarticles,twosetsofrequestsequencesareusedfortheperformancetests.
Thefirstsetuses1,000requests,withqueryparametersadjustedtomatchasmallportionoftheentireearthquakedatabase(returning816matchingearthquakesforthe1,000requests).
Thesecondsetuses100requests,adjustedtomatchalargerportionofthedatabase(returning176,745matchingearthquakesforthe100requests).
Thesetworequestsequencesemphasizedifferentperformancecharacteristicsofwebservicesstacks.
Thefirstoneshowshowquicklystacksprocessrequestswithlittledata,andthesecondemphasizesthespeedofprocessingdatavolumes.
Eachrequestsequencewasrunmultipletimesindifferentsecurityconfigurations,withonlythebesttimeforeachconfigurationkeptintheresults.
Thistime,onlytwosecurityconfigurationsweretested:WS-SecuritywithSymmetricBindingencryptingallrequest/responsemessagebodies(direct)WS-SecureConversationencryptingallrequest/responsemessagebodies(securconv)Thesecurconvconfigurationisessentiallythesameastheoneusedin"WS-SecureConversationperformance,"theonlydifferencebeingtheuseofaSymmetricBindingforthemessageexchangebetweentheclientandtheSTSwithMetroandCXF.
BecausethetestedSymmetricBindingSTSpolicydidn'tworkwithAxis2,theAxis2configurationusedforthetimingtestswasthesameasintheearlierarticle.
ThechangetousingaSymmetricBindingfortheSTSpolicyismorefordemonstrationpurposesthanforanysignificantimpactonperformance,sothisdifferenceisnotimportantintheresults.
ThetestswererunonaMandriva2009.
132-bitLinuxnotebookwithaTurionX2ZM-85processorand3GBofRAM,usingaSun(Oracle)Java1.
6.
0_1032-bitJVM.
(NotethatthisisadeveloperWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage6of9differentsystemfromtheoneusedforperformancetestsinearlierarticles.
)TheservercodewasrunonTomcat6.
0.
20,configuredtouse1024MBofheap,withtheclientcodeusing512MBofheap.
Thewebservicestackversionstestedwere:Axis21.
5.
1withthe1.
5releaseofRampartMetro2.
0CXF2.
1.
8IfyouwanttotrythetestsonyourownhardwareandJVM,seeDownloadtogetthecode.
PerformanceresultsFigure1showsthemeasuredtimesforthesmall-responsetestseries.
Asin"WS-SecureConversationperformance,"MetroisalittlefasterthanCXF(about10percent)intheWS-SecureConversationtimings.
MetrodoesevenbetterwithdirectuseofsymmetricencryptionwithWS-Security,runningabout30percentfaster.
(Inbothofthisarticle'scharts,shorterbarsarebetterbecausetheyindicatefastertimes.
)Figure1.
MeasuredtimeswithsmallresponsesAxis2resultsarenotincludedinFigure1becauseofabugthatshowedupinthecourseofthetest.
TheAxis2teststartedoutrunningatareasonablespeedbutthenprogressivelyslowedasthenumberofiterationsincreased.
ThetotaltimetorunthistestwithAxis2endedupmorethan40timestheMetrovalue.
Thistypeofprogressiveslowingusuallyindicatesanissuesuchaslinearlookupsofvaluesbeingstoredbycode,inthiscasewithintheAxis2securityhandlingforsymmetricencryption(perhapsdealingwiththeclient-generatedkeys,becauseanewsecretkeyisgeneratedforeachrequest).
Figure2showsthemeasuredtimesforthelarge-responsetestseries.
HereMetroisagainthefastestofthestacks,butCXFcomesclose—thedifferencebetweenthetwoisonlyabout10percent.
Axis2ismuchslowerthantheothertwostacks,aswasthecaseintheWS-SecurityandWS-SecureConversationtestsshowninearlierarticles.
ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage7of9Figure2.
MeasuredtimeswithlargeresponsesTheseresults(exceptforAxis2)matchwhatyou'dexpecttoseebasedonthesecurityprocessingbeingdone.
Withbothsecurityconfigurations,symmetricencryptionisusedforthemessagesexchangedbetweentheclientandtheservice.
ThebigdifferencebetweenthetwoisthattheWS-Securitysymmetricencryptionconfigurationusesanewsecretkeygeneratedbytheclientforeachrequest/responsemessagepair.
Thissecretkeyneedstobeasymmetricallyencryptedusingtheserver'spublickeyandsentaspartoftherequestmessage,whereasWS-SecureConversationreusesasinglesecretkeyacrossmanymessagepairs.
ThismeanstheWS-Securityconfigurationaddssignificantper-requestoverhead,whichshowsupmainlyintheFigure1timings.
Thestacksdon'tsupportusingWS-Securityasymmetricencryptionforonlyencryptingamessage,insteadrequiringsigningtobedonealso.
Thismakesitdifficulttoprovideanydirectperformancecomparison,butyoucangetanideaofthedifferencebycomparingthesechartswiththosefrom"WS-SecureConversationperformance.
"TheearlierarticleshowedthatWS-SecureConversationsymmetricencryptionprovidesconsiderablybetterperformancethanWS-Securityasymmetricencryption,especiallyforencryptingmessages.
TheseresultsshowthatWS-Securitysymmetricencryptionwithclient-generatedkeysisnearlyasfastasWS-SecureConversation,especiallyforlargermessages.
WrappingupYou'veseeninthisarticlehowsymmetricencryption,usingclient-generatedsecretkeys,canbeusedtosecuremessageexchangeswithouttheneedforclientcertificates.
Thisapproachoffersgoodperformanceformessageexchanges—nearlyasgoodasWS-SecureConversation—whenthemessagesarerelativelylarge.
Ifonlyafewmessagesareexchangedbetweenaclientandserver,client-generatedsecretkeyscandeliverevenbetterperformancethanWS-SecureConversationsecretkeys(becauseWS-SecureConversationrequiresanextramessageexchange,betweentheclientandtheSTS).
Client-generatedsecretkeyscanalsobeusedforsigningmessages.
Thoughnotshowninthisarticle,thisuseofsecretkeysisessentiallythesameasthesigningexampleforWS-developerWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage8of9SecureConversationdiscussedin"WS-SecureConversationperformance.
"Signingwithsecretkeysinherentlyprovidesweakerguaranteesofauthenticitythansigningwithprivatekeys,butitcanstillbeusefulforensuringthatmessageshavenotbeentamperedwithintransit.
ThelastseveralarticlesofthisserieshavediscussedvariousformsofWS-SecurityandWS-SecureConversationsecurityforwebservices,includingperformancecomparisonsforthethreemainJavawebservicesstacks.
I'llcoversomespecializedWS-Securityfeaturesinfuturearticles,butfornowit'stimetowrapupthefocusonsecurityperformance.
ThenextarticleoftheserieswilldetailthestructureofWS-PolicydocumentsandthewaysthatpoliciescanbeattachedtoservicesinWSDL,withexamplesoffine-tuningsecurityconfigurationforApacheAxis2,Metro,andApacheCXF.
ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage9of9DownloadableresourcesDescriptionNameSizeSamplecodeforthisarticlej-jws17.
zip5.
29MBCopyrightIBMCorporation2010(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
YoucanuseitdirectlyorinthebootstrapforWS-SecureConversationexchanges.
Inthisarticle,you'lllearnhowtoconfigureandusesymmetricencryptionwiththethreemainopensourceJavawebservicesstacks:Axis2,Metro,andCXF.
You'llalsoseehowplainWS-SecuritysymmetricencryptionperformancecomparestoWS-SecureConversationperformance.
ViewmorecontentinthisseriesAboutthisseriesWebservicesareacrucialpartofJavatechnology'sroleinenterprisecomputing.
Inthisseriesofarticles,XMLandwebservicesconsultantDennisSosnoskicoversthemajorframeworksandtechnologiesthatareimportanttoJavadevelopersusingwebservices.
Followtheseriestostayinformedofthelatestdevelopmentsinthefieldandawareofhowyoucanusethemtoaidyourprogrammingprojects.
ManyWS-Securityconfigurationsrequirebothclientandservertousepublic/privatekeypairs,withX.
509certificatestovouchfortheownershipofthepublickeys.
ThisisprobablythemostwidelyusedtechniqueforsigningorencryptingmessageswithWS-Security,anditdoeshavesomeadvantages.
Inparticular,clientcertificatesprovidestrongclientidentityverificationandstrongsignatureguaranteesonrequests.
Butitalsohasdrawbacks,includingtheperformanceoverheadofasymmetricencryptionandthemanagementheadachesofobtainingandmaintainingcertificatesforeachclient.
"WS-SecureConversationperformance"showedhowWS-SecureConversation—whilestillworkingwithclientcertificates—reducesperformanceoverheadforongoingmessageexchangesbetweenclientandserverbyusingsymmetricencryption.
Inthisarticle,you'llseehowyoucangoastepfurtherandbreakfreeoftheneedforclientcertificatesinbothplainWS-SecurityandWS-SecureConversationexchanges.
developerWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage2of9EncryptingandsigningwithoutclientcertificatesUsingasymmetricencryptionwithpublic/privatekeypairsforsigningandencryptingmessagesissimple(atleastconceptually!
).
Asdiscussedin"Axis2WS-Securitysigningandencryption,"youuseyourprivatekeytosignmessagesandtherecipient'spublickeytoencryptmessages.
Anyonewithaccesstoyourpublickey(whichisgenerallywrappedwithinlayersofauthenticationintheformofanX.
509certificate)canverifythesignatureyougeneratedusingyourprivatekey,whereasonlytheownerofthecorrespondingprivatekeycandecryptamessageencryptedwithapublickey.
Iftheclientdoesn'thaveapublic/privatekeypair,youcan'tusefullasymmetricencryption.
Thealternativeissymmetricencryption,butwithsymmetricencryptionyoumusthaveasecretkeyknownonlytothepartiesinvolvedinamessageexchange.
HowcanyouestablishsuchasecretkeyThetechniquethatWS-Securityusesistohavetheclientgenerateasecret-keyvalue,whichisthenencryptedusingasymmetricencryptionwiththeserver'spublickeyandembeddedintherequestmessageinatoken.
Theclientcanusethissecretkey(orforbettersecurity,aseparatekeyderivedfromthesecretkey)toencryptand/orsigntherequestmessage,andtheservercandothesamewiththeresponsemessage.
There'snoneedfortheservertosendthesecretkeybacktotheclient,becausetheclientalreadyhasitavailable.
WS-SecurityPolicyconfigurationWS-Policy/WS-SecurityPolicyconfigurationforsymmetricencryptionusingaclient-generatedkeyissimple.
Listing1showstheversionusedinthisarticle.
Thispolicyspecifiesencryptionofmessagebodiessentinbothdirections,usingaclient-generatedsecretkey.
Listing1.
WS-Policyforencryptingallmessagebodiesibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage3of9TheassertionintheListing1policyiswhatconfigurestheuseofsymmetricencryptionwithasecretkey.
TheembeddedassertionsaysthataX.
509certificatewillbeusedtoprotectthetransmissionofthesecretkey(thatis,encryptthesecretkeyfortransmission),withthecertificateidentifiedusingathumbprintreference(essentiallyahashvalue).
Clientgenerationofthesecretkeyisimplicitintheuseofaassertionwithaprotectiontoken.
Theotherpolicyassertionsspecifydetailsoftheencryptionalgorithmandrequiredfeatures,andfinallytheassertionsaysthattheSOAPBodyistobeencryptedusingthesecretkey.
Asyou'veseeninearlierarticles,run-timeparametersforthesecurityhandling(suchaskeystoresandpasswords)mustbedefinedinanimplementation-dependentmanner.
Inthiscase,theparametersaresimple:theclientsideneedsaccesstoatruststorecontainingtheservercertificate,andtheserversideneedsaccesstoakeystorecontainingtheprivatekeymatchingthepublickeyinthecertificate.
Seeearlierarticlesinthisseriesfordetailsofhowtheparametersarepassedforeachofthestacks.
WS-SecureConversationwithoutclientcertificatesYoucanapplythesametechniqueforworkingwithoutclientcertificatestothemessageexchangebetweentheclientandtheSecurityTokenService(STS)whenusingWS-SecureConversation.
(See"WS-TrustandWS-SecureConversation"and"WS-SecureConversationperformance"fordetailsofWS-SecureConversation.
)Tousethisapproach,youbasicallysubstitutetheListing1policyintotheforthesecureconversation.
Listing2showshowthisworks,withtheshowninboldreplacingtheusedin"WS-SecureConversationperformance":Listing2.
WS-PolicyforWS-SecureConversationwithoutclientcertificatesdeveloperWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage4of9ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage5of9Besidesusingaclient-generatedkeyforthemessageexchangewiththeSTS,theListing2policyalsodiffersfromthoseusedin"WS-SecureConversationperformance"byeliminatingtheassertion.
Intheory,thispolicyshouldworkonanyWS-SecurityandWS-SecureConversationimplementation.
Inpractice,someproblemsoccurredwhenItriedthisconfigurationwiththethreemainopensourceJavawebservicesstacks.
CXFwastheonlystackthatworkedwiththepolicyaswritten.
Axis2didn'tworkatall,failingwithaclient-sideexceptionwhenprocessingtheSTSresponsemessage.
WhenIchangedthebootstrappolicybacktoasymmetricencryption,Axis2workedbutusedWS-Addressingonallmessagesanyway.
Metroalsofailed;afterIaddedbackthe,itworkedwithaclient-generatedkeyforsymmetricencryptionintheSTSmessageexchange.
ComparingperformanceTheperformancecomparisonsusethesametestcodeasearlierarticles,aseismicdataretrievalservice.
Theserviceusesadatabaseofmorethan93,000earthquakesthatoccurredworldwideoveraperiodofyears.
Requeststotheservicespecifyatimerangeandageographiccoordinaterange,andtheservicereturnsallearthquakeswithinthespecifiedrange.
See"Thehighcostof(WS-)Security"forfulldetailsofthetestapplicationandasamplerequest/responsemessagepair.
Asinthepreviousarticles,twosetsofrequestsequencesareusedfortheperformancetests.
Thefirstsetuses1,000requests,withqueryparametersadjustedtomatchasmallportionoftheentireearthquakedatabase(returning816matchingearthquakesforthe1,000requests).
Thesecondsetuses100requests,adjustedtomatchalargerportionofthedatabase(returning176,745matchingearthquakesforthe100requests).
Thesetworequestsequencesemphasizedifferentperformancecharacteristicsofwebservicesstacks.
Thefirstoneshowshowquicklystacksprocessrequestswithlittledata,andthesecondemphasizesthespeedofprocessingdatavolumes.
Eachrequestsequencewasrunmultipletimesindifferentsecurityconfigurations,withonlythebesttimeforeachconfigurationkeptintheresults.
Thistime,onlytwosecurityconfigurationsweretested:WS-SecuritywithSymmetricBindingencryptingallrequest/responsemessagebodies(direct)WS-SecureConversationencryptingallrequest/responsemessagebodies(securconv)Thesecurconvconfigurationisessentiallythesameastheoneusedin"WS-SecureConversationperformance,"theonlydifferencebeingtheuseofaSymmetricBindingforthemessageexchangebetweentheclientandtheSTSwithMetroandCXF.
BecausethetestedSymmetricBindingSTSpolicydidn'tworkwithAxis2,theAxis2configurationusedforthetimingtestswasthesameasintheearlierarticle.
ThechangetousingaSymmetricBindingfortheSTSpolicyismorefordemonstrationpurposesthanforanysignificantimpactonperformance,sothisdifferenceisnotimportantintheresults.
ThetestswererunonaMandriva2009.
132-bitLinuxnotebookwithaTurionX2ZM-85processorand3GBofRAM,usingaSun(Oracle)Java1.
6.
0_1032-bitJVM.
(NotethatthisisadeveloperWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage6of9differentsystemfromtheoneusedforperformancetestsinearlierarticles.
)TheservercodewasrunonTomcat6.
0.
20,configuredtouse1024MBofheap,withtheclientcodeusing512MBofheap.
Thewebservicestackversionstestedwere:Axis21.
5.
1withthe1.
5releaseofRampartMetro2.
0CXF2.
1.
8IfyouwanttotrythetestsonyourownhardwareandJVM,seeDownloadtogetthecode.
PerformanceresultsFigure1showsthemeasuredtimesforthesmall-responsetestseries.
Asin"WS-SecureConversationperformance,"MetroisalittlefasterthanCXF(about10percent)intheWS-SecureConversationtimings.
MetrodoesevenbetterwithdirectuseofsymmetricencryptionwithWS-Security,runningabout30percentfaster.
(Inbothofthisarticle'scharts,shorterbarsarebetterbecausetheyindicatefastertimes.
)Figure1.
MeasuredtimeswithsmallresponsesAxis2resultsarenotincludedinFigure1becauseofabugthatshowedupinthecourseofthetest.
TheAxis2teststartedoutrunningatareasonablespeedbutthenprogressivelyslowedasthenumberofiterationsincreased.
ThetotaltimetorunthistestwithAxis2endedupmorethan40timestheMetrovalue.
Thistypeofprogressiveslowingusuallyindicatesanissuesuchaslinearlookupsofvaluesbeingstoredbycode,inthiscasewithintheAxis2securityhandlingforsymmetricencryption(perhapsdealingwiththeclient-generatedkeys,becauseanewsecretkeyisgeneratedforeachrequest).
Figure2showsthemeasuredtimesforthelarge-responsetestseries.
HereMetroisagainthefastestofthestacks,butCXFcomesclose—thedifferencebetweenthetwoisonlyabout10percent.
Axis2ismuchslowerthantheothertwostacks,aswasthecaseintheWS-SecurityandWS-SecureConversationtestsshowninearlierarticles.
ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage7of9Figure2.
MeasuredtimeswithlargeresponsesTheseresults(exceptforAxis2)matchwhatyou'dexpecttoseebasedonthesecurityprocessingbeingdone.
Withbothsecurityconfigurations,symmetricencryptionisusedforthemessagesexchangedbetweentheclientandtheservice.
ThebigdifferencebetweenthetwoisthattheWS-Securitysymmetricencryptionconfigurationusesanewsecretkeygeneratedbytheclientforeachrequest/responsemessagepair.
Thissecretkeyneedstobeasymmetricallyencryptedusingtheserver'spublickeyandsentaspartoftherequestmessage,whereasWS-SecureConversationreusesasinglesecretkeyacrossmanymessagepairs.
ThismeanstheWS-Securityconfigurationaddssignificantper-requestoverhead,whichshowsupmainlyintheFigure1timings.
Thestacksdon'tsupportusingWS-Securityasymmetricencryptionforonlyencryptingamessage,insteadrequiringsigningtobedonealso.
Thismakesitdifficulttoprovideanydirectperformancecomparison,butyoucangetanideaofthedifferencebycomparingthesechartswiththosefrom"WS-SecureConversationperformance.
"TheearlierarticleshowedthatWS-SecureConversationsymmetricencryptionprovidesconsiderablybetterperformancethanWS-Securityasymmetricencryption,especiallyforencryptingmessages.
TheseresultsshowthatWS-Securitysymmetricencryptionwithclient-generatedkeysisnearlyasfastasWS-SecureConversation,especiallyforlargermessages.
WrappingupYou'veseeninthisarticlehowsymmetricencryption,usingclient-generatedsecretkeys,canbeusedtosecuremessageexchangeswithouttheneedforclientcertificates.
Thisapproachoffersgoodperformanceformessageexchanges—nearlyasgoodasWS-SecureConversation—whenthemessagesarerelativelylarge.
Ifonlyafewmessagesareexchangedbetweenaclientandserver,client-generatedsecretkeyscandeliverevenbetterperformancethanWS-SecureConversationsecretkeys(becauseWS-SecureConversationrequiresanextramessageexchange,betweentheclientandtheSTS).
Client-generatedsecretkeyscanalsobeusedforsigningmessages.
Thoughnotshowninthisarticle,thisuseofsecretkeysisessentiallythesameasthesigningexampleforWS-developerWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage8of9SecureConversationdiscussedin"WS-SecureConversationperformance.
"Signingwithsecretkeysinherentlyprovidesweakerguaranteesofauthenticitythansigningwithprivatekeys,butitcanstillbeusefulforensuringthatmessageshavenotbeentamperedwithintransit.
ThelastseveralarticlesofthisserieshavediscussedvariousformsofWS-SecurityandWS-SecureConversationsecurityforwebservices,includingperformancecomparisonsforthethreemainJavawebservicesstacks.
I'llcoversomespecializedWS-Securityfeaturesinfuturearticles,butfornowit'stimetowrapupthefocusonsecurityperformance.
ThenextarticleoftheserieswilldetailthestructureofWS-PolicydocumentsandthewaysthatpoliciescanbeattachedtoservicesinWSDL,withexamplesoffine-tuningsecurityconfigurationforApacheAxis2,Metro,andApacheCXF.
ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage9of9DownloadableresourcesDescriptionNameSizeSamplecodeforthisarticlej-jws17.
zip5.
29MBCopyrightIBMCorporation2010(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
- exchangemandriva相关文档
- Wumandriva
- 5.6mandriva
- 打印mandriva
- grandemandriva
- addmandriva
- buyingmandriva
10GBIZ(月$2.36 ), 香港和洛杉矶CN2 GIA
10GBIZ服务商经常有看到隔壁的一些博客分享内容,我翻看网站看之前有记录过一篇,只不过由于服务商是2020年新成立的所以分享内容比较谨慎。这不至今已经有将近两年的服务商而且云服务产品也比较丰富,目前有看到10GBIZ服务商有提供香港、美国洛杉矶等多机房的云服务器、独立服务器和站群服务器。其中比较吸引到我们用户的是亚洲节点的包括香港、日本等七星级网络服务。具体我们看看相关的配置和线路产品。第一、香...
HostDare($33.79/年)CKVM和QKVM套餐 可选CN2 GIA线路
关于HostDare服务商在之前的文章中有介绍过几次,算是比较老牌的服务商,但是商家背景财力不是特别雄厚,算是比较小众的个人服务商。目前主流提供CKVM和QKVM套餐。前者是电信CN2 GIA,不过库存储备也不是很足,这不九月份发布新的补货库存活动,有提供九折优惠CN2 GIA,以及六五折优惠QKVM普通线路方案。这次活动截止到9月30日,不清楚商家这次库存补货多少。比如 QKVM基础的五个方案都...
MechanicWeb免费DirectAdmin/异地备份
MechanicWeb怎么样?MechanicWeb好不好?MechanicWeb成立于2008年,目前在美国洛杉矶、凤凰城、达拉斯、迈阿密、北卡、纽约、英国、卢森堡、德国、加拿大、新加坡有11个数据中心,主营全托管型虚拟主机、VPS主机、半专用服务器和独立服务器业务。MechanicWeb只做高端的托管vps,这次MechanicWeb上新Xeon W-1290P处理器套餐,基准3.7GHz最高...
mandriva为你推荐
-
AsgardiaGlacia怎么读?是什么意思?比肩工场比肩是什么意思,行比肩大运的主要意象www.kkk.com谁有免费的电影网站,越多越好?百度关键词工具百度有关键字分析工具吗?Google AdWords有的haole16.com国色天香16 17全集高清在线观看 国色天香qvod快播迅雷下载地址51sese.com谁有免费看电影的网站?www.299pp.com免费PP电影哪个网站可以看啊www.javmoo.comjavimdb怎么看avtt4.comwww.51kao4.com为什么进不去啊?www.kknnn.com求有颜色的网站!要免费的