message-layer security

234 SECURING WEB SERVICES
even across intermediaries. The problem is that it is not protected once it gets to
its destination. One solution is to encrypt the message before sending using
message security.
In message-layer security, security information is contained within the SOAP
message and/or SOAP message attachment, which allows security information
to travel along with the message or attachment. For example, a portion of the
message may be signed by a sender and encrypted for a particular receiver.
When the message is sent from the initial sender, it may pass through
intermediate nodes before reaching its intended receiver. In this scenario, the encrypted
portions continue to be opaque to any intermediate nodes and can only be
decrypted by the intended receiver. For this reason, message-layer security is
also sometimes referred to as end-to-end security.
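
The flow described above, as an added example that is not from the original tutorial and does not use the WSS or XWSS APIs: with JDK crypto classes only, a sender signs a body and encrypts it for one receiver, an intermediary sees only ciphertext, and the receiver decrypts and verifies. The envelope layout, element names, keys, sample order and the `part` helper are assumptions made for illustration, not the WS-Security wire format.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.security.*;
import java.util.Base64;
import static java.nio.charset.StandardCharsets.UTF_8;

// Added illustration: simplified envelope, NOT the WSS/XWSS wire format.
public class MessageLayerDemo {
    static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }
    static byte[] part(String env, String tag) { // hypothetical helper: base64 text of one element
        int s = env.indexOf("<" + tag + ">") + tag.length() + 2;
        return Base64.getDecoder().decode(env.substring(s, env.indexOf("</" + tag + ">")));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sender = kpg.generateKeyPair(), receiver = kpg.generateKeyPair(); // demo keys
        byte[] body = "<Order id=\"42\"><Amount>100.00</Amount></Order>".getBytes(UTF_8); // constructed
        // Sender: sign the body, then encrypt it for this one receiver.
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(sender.getPrivate());
        sig.update(body);
        byte[] signature = sig.sign();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey cek = kg.generateKey();          // one-time content-encryption key
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, cek, new GCMParameterSpec(128, iv));
        byte[] ct = aes.doFinal(body);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, receiver.getPublic()); // only the receiver can unwrap
        String env = "<Envelope><Header><To>urn:example:orders</To><EncryptedKey>" + b64(rsa.wrap(cek))
            + "</EncryptedKey><Signature>" + b64(signature) + "</Signature></Header><Body><IV>"
            + b64(iv) + "</IV><CipherValue>" + b64(ct) + "</CipherValue></Body></Envelope>";
        // Intermediary: can route on the <To> header, but the body is opaque to it.
        System.out.println("intermediary sees plaintext order: " + env.contains("<Amount>"));
        // Receiver: unwrap the key, decrypt the body, then verify the sender's signature.
        rsa.init(Cipher.UNWRAP_MODE, receiver.getPrivate());
        Key k = rsa.unwrap(part(env, "EncryptedKey"), "AES", Cipher.SECRET_KEY);
        aes.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, part(env, "IV")));
        byte[] plain = aes.doFinal(part(env, "CipherValue"));
        sig.initVerify(sender.getPublic());
        sig.update(plain);
        System.out.println("receiver verified: " + sig.verify(part(env, "Signature"))
            + " -> " + new String(plain, UTF_8));
    }
}
```
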
The advantages of message-layer security include the following:
· Security stays with the message over all hops and after the message arrives
at its destination.
· Is fine-grained. Can be selectively applied to different portions of a
message (and to attachments if using XWSS).
· Can be used in conjunction with intermediaries over multiple hops.
· Is independent of the application environment or transport protocol.
The disadvantage of using message-layer security is that it is relatively complex
and adds some overhead to processing.
The Application Server and the Java Web Services Developer Pack (Java WSDP)
both support message security.
· The Sun Java System Application Server uses Web Services Security
(WSS) to secure messages. Using WSS is discussed in Using the
Application Server Message Security Implementation (page 242).
· The Java Web Services Developer Pack (Java WSDP) includes XML and
Web Services Security (XWSS), a framework for securing JAX-RPC,
JAX-WS, and SAAJ applications, as well as message attachments. An
implementation of XWSS is included in the Application Server. Using
XWSS is discussed in Using the Java WSDP XWSS Security
Implementation (page 247).
Because neither of these options for message security is part of the Java EE
platform, this document would not normally discuss using either of these options
to secure messages. However, as there are currently no Java EE APIs that
perform this function and message security is a very important component of web