exchangemandriva
mandriva 时间:2021-04-01 阅读:()
CopyrightIBMCorporation2010TrademarksJavawebservices:WS-SecuritywithoutclientcertificatesPage1of9Javawebservices:WS-SecuritywithoutclientcertificatesLearnhowtouseWS-SecuritysymmetricencryptionforsecureexchangeswithoutclientcertificatesDennisSosnoski03August2010WS-Securitysymmetricencryptionletsyousecuremessageexchangesbetweenclientandserverwithoutrequiringclientcertificates,simplifyingyourwebserviceconfigurationwhilealsoprovidingperformancebenefits.
YoucanuseitdirectlyorinthebootstrapforWS-SecureConversationexchanges.
Inthisarticle,you'lllearnhowtoconfigureandusesymmetricencryptionwiththethreemainopensourceJavawebservicesstacks:Axis2,Metro,andCXF.
You'llalsoseehowplainWS-SecuritysymmetricencryptionperformancecomparestoWS-SecureConversationperformance.
ViewmorecontentinthisseriesAboutthisseriesWebservicesareacrucialpartofJavatechnology'sroleinenterprisecomputing.
Inthisseriesofarticles,XMLandwebservicesconsultantDennisSosnoskicoversthemajorframeworksandtechnologiesthatareimportanttoJavadevelopersusingwebservices.
Followtheseriestostayinformedofthelatestdevelopmentsinthefieldandawareofhowyoucanusethemtoaidyourprogrammingprojects.
ManyWS-Securityconfigurationsrequirebothclientandservertousepublic/privatekeypairs,withX.
509certificatestovouchfortheownershipofthepublickeys.
ThisisprobablythemostwidelyusedtechniqueforsigningorencryptingmessageswithWS-Security,anditdoeshavesomeadvantages.
Inparticular,clientcertificatesprovidestrongclientidentityverificationandstrongsignatureguaranteesonrequests.
Butitalsohasdrawbacks,includingtheperformanceoverheadofasymmetricencryptionandthemanagementheadachesofobtainingandmaintainingcertificatesforeachclient.
"WS-SecureConversationperformance"showedhowWS-SecureConversation—whilestillworkingwithclientcertificates—reducesperformanceoverheadforongoingmessageexchangesbetweenclientandserverbyusingsymmetricencryption.
Inthisarticle,you'llseehowyoucangoastepfurtherandbreakfreeoftheneedforclientcertificatesinbothplainWS-SecurityandWS-SecureConversationexchanges.
developerWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage2of9EncryptingandsigningwithoutclientcertificatesUsingasymmetricencryptionwithpublic/privatekeypairsforsigningandencryptingmessagesissimple(atleastconceptually!
).
Asdiscussedin"Axis2WS-Securitysigningandencryption,"youuseyourprivatekeytosignmessagesandtherecipient'spublickeytoencryptmessages.
Anyonewithaccesstoyourpublickey(whichisgenerallywrappedwithinlayersofauthenticationintheformofanX.
509certificate)canverifythesignatureyougeneratedusingyourprivatekey,whereasonlytheownerofthecorrespondingprivatekeycandecryptamessageencryptedwithapublickey.
Iftheclientdoesn'thaveapublic/privatekeypair,youcan'tusefullasymmetricencryption.
Thealternativeissymmetricencryption,butwithsymmetricencryptionyoumusthaveasecretkeyknownonlytothepartiesinvolvedinamessageexchange.
HowcanyouestablishsuchasecretkeyThetechniquethatWS-Securityusesistohavetheclientgenerateasecret-keyvalue,whichisthenencryptedusingasymmetricencryptionwiththeserver'spublickeyandembeddedintherequestmessageinatoken.
Theclientcanusethissecretkey(orforbettersecurity,aseparatekeyderivedfromthesecretkey)toencryptand/orsigntherequestmessage,andtheservercandothesamewiththeresponsemessage.
There'snoneedfortheservertosendthesecretkeybacktotheclient,becausetheclientalreadyhasitavailable.
WS-SecurityPolicyconfigurationWS-Policy/WS-SecurityPolicyconfigurationforsymmetricencryptionusingaclient-generatedkeyissimple.
Listing1showstheversionusedinthisarticle.
Thispolicyspecifiesencryptionofmessagebodiessentinbothdirections,usingaclient-generatedsecretkey.
Listing1.
WS-Policyforencryptingallmessagebodiesibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage3of9TheassertionintheListing1policyiswhatconfigurestheuseofsymmetricencryptionwithasecretkey.
TheembeddedassertionsaysthataX.
509certificatewillbeusedtoprotectthetransmissionofthesecretkey(thatis,encryptthesecretkeyfortransmission),withthecertificateidentifiedusingathumbprintreference(essentiallyahashvalue).
Clientgenerationofthesecretkeyisimplicitintheuseofaassertionwithaprotectiontoken.
Theotherpolicyassertionsspecifydetailsoftheencryptionalgorithmandrequiredfeatures,andfinallytheassertionsaysthattheSOAPBodyistobeencryptedusingthesecretkey.
Asyou'veseeninearlierarticles,run-timeparametersforthesecurityhandling(suchaskeystoresandpasswords)mustbedefinedinanimplementation-dependentmanner.
Inthiscase,theparametersaresimple:theclientsideneedsaccesstoatruststorecontainingtheservercertificate,andtheserversideneedsaccesstoakeystorecontainingtheprivatekeymatchingthepublickeyinthecertificate.
Seeearlierarticlesinthisseriesfordetailsofhowtheparametersarepassedforeachofthestacks.
WS-SecureConversationwithoutclientcertificatesYoucanapplythesametechniqueforworkingwithoutclientcertificatestothemessageexchangebetweentheclientandtheSecurityTokenService(STS)whenusingWS-SecureConversation.
(See"WS-TrustandWS-SecureConversation"and"WS-SecureConversationperformance"fordetailsofWS-SecureConversation.
)Tousethisapproach,youbasicallysubstitutetheListing1policyintotheforthesecureconversation.
Listing2showshowthisworks,withtheshowninboldreplacingtheusedin"WS-SecureConversationperformance":Listing2.
WS-PolicyforWS-SecureConversationwithoutclientcertificatesdeveloperWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage4of9ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage5of9Besidesusingaclient-generatedkeyforthemessageexchangewiththeSTS,theListing2policyalsodiffersfromthoseusedin"WS-SecureConversationperformance"byeliminatingtheassertion.
Intheory,thispolicyshouldworkonanyWS-SecurityandWS-SecureConversationimplementation.
Inpractice,someproblemsoccurredwhenItriedthisconfigurationwiththethreemainopensourceJavawebservicesstacks.
CXFwastheonlystackthatworkedwiththepolicyaswritten.
Axis2didn'tworkatall,failingwithaclient-sideexceptionwhenprocessingtheSTSresponsemessage.
WhenIchangedthebootstrappolicybacktoasymmetricencryption,Axis2workedbutusedWS-Addressingonallmessagesanyway.
Metroalsofailed;afterIaddedbackthe,itworkedwithaclient-generatedkeyforsymmetricencryptionintheSTSmessageexchange.
ComparingperformanceTheperformancecomparisonsusethesametestcodeasearlierarticles,aseismicdataretrievalservice.
Theserviceusesadatabaseofmorethan93,000earthquakesthatoccurredworldwideoveraperiodofyears.
Requeststotheservicespecifyatimerangeandageographiccoordinaterange,andtheservicereturnsallearthquakeswithinthespecifiedrange.
See"Thehighcostof(WS-)Security"forfulldetailsofthetestapplicationandasamplerequest/responsemessagepair.
Asinthepreviousarticles,twosetsofrequestsequencesareusedfortheperformancetests.
Thefirstsetuses1,000requests,withqueryparametersadjustedtomatchasmallportionoftheentireearthquakedatabase(returning816matchingearthquakesforthe1,000requests).
Thesecondsetuses100requests,adjustedtomatchalargerportionofthedatabase(returning176,745matchingearthquakesforthe100requests).
Thesetworequestsequencesemphasizedifferentperformancecharacteristicsofwebservicesstacks.
Thefirstoneshowshowquicklystacksprocessrequestswithlittledata,andthesecondemphasizesthespeedofprocessingdatavolumes.
Eachrequestsequencewasrunmultipletimesindifferentsecurityconfigurations,withonlythebesttimeforeachconfigurationkeptintheresults.
Thistime,onlytwosecurityconfigurationsweretested:WS-SecuritywithSymmetricBindingencryptingallrequest/responsemessagebodies(direct)WS-SecureConversationencryptingallrequest/responsemessagebodies(securconv)Thesecurconvconfigurationisessentiallythesameastheoneusedin"WS-SecureConversationperformance,"theonlydifferencebeingtheuseofaSymmetricBindingforthemessageexchangebetweentheclientandtheSTSwithMetroandCXF.
BecausethetestedSymmetricBindingSTSpolicydidn'tworkwithAxis2,theAxis2configurationusedforthetimingtestswasthesameasintheearlierarticle.
ThechangetousingaSymmetricBindingfortheSTSpolicyismorefordemonstrationpurposesthanforanysignificantimpactonperformance,sothisdifferenceisnotimportantintheresults.
ThetestswererunonaMandriva2009.
132-bitLinuxnotebookwithaTurionX2ZM-85processorand3GBofRAM,usingaSun(Oracle)Java1.
6.
0_1032-bitJVM.
(NotethatthisisadeveloperWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage6of9differentsystemfromtheoneusedforperformancetestsinearlierarticles.
)TheservercodewasrunonTomcat6.
0.
20,configuredtouse1024MBofheap,withtheclientcodeusing512MBofheap.
Thewebservicestackversionstestedwere:Axis21.
5.
1withthe1.
5releaseofRampartMetro2.
0CXF2.
1.
8IfyouwanttotrythetestsonyourownhardwareandJVM,seeDownloadtogetthecode.
PerformanceresultsFigure1showsthemeasuredtimesforthesmall-responsetestseries.
Asin"WS-SecureConversationperformance,"MetroisalittlefasterthanCXF(about10percent)intheWS-SecureConversationtimings.
MetrodoesevenbetterwithdirectuseofsymmetricencryptionwithWS-Security,runningabout30percentfaster.
(Inbothofthisarticle'scharts,shorterbarsarebetterbecausetheyindicatefastertimes.
)Figure1.
MeasuredtimeswithsmallresponsesAxis2resultsarenotincludedinFigure1becauseofabugthatshowedupinthecourseofthetest.
TheAxis2teststartedoutrunningatareasonablespeedbutthenprogressivelyslowedasthenumberofiterationsincreased.
ThetotaltimetorunthistestwithAxis2endedupmorethan40timestheMetrovalue.
Thistypeofprogressiveslowingusuallyindicatesanissuesuchaslinearlookupsofvaluesbeingstoredbycode,inthiscasewithintheAxis2securityhandlingforsymmetricencryption(perhapsdealingwiththeclient-generatedkeys,becauseanewsecretkeyisgeneratedforeachrequest).
Figure2showsthemeasuredtimesforthelarge-responsetestseries.
HereMetroisagainthefastestofthestacks,butCXFcomesclose—thedifferencebetweenthetwoisonlyabout10percent.
Axis2ismuchslowerthantheothertwostacks,aswasthecaseintheWS-SecurityandWS-SecureConversationtestsshowninearlierarticles.
ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage7of9Figure2.
MeasuredtimeswithlargeresponsesTheseresults(exceptforAxis2)matchwhatyou'dexpecttoseebasedonthesecurityprocessingbeingdone.
Withbothsecurityconfigurations,symmetricencryptionisusedforthemessagesexchangedbetweentheclientandtheservice.
ThebigdifferencebetweenthetwoisthattheWS-Securitysymmetricencryptionconfigurationusesanewsecretkeygeneratedbytheclientforeachrequest/responsemessagepair.
Thissecretkeyneedstobeasymmetricallyencryptedusingtheserver'spublickeyandsentaspartoftherequestmessage,whereasWS-SecureConversationreusesasinglesecretkeyacrossmanymessagepairs.
ThismeanstheWS-Securityconfigurationaddssignificantper-requestoverhead,whichshowsupmainlyintheFigure1timings.
Thestacksdon'tsupportusingWS-Securityasymmetricencryptionforonlyencryptingamessage,insteadrequiringsigningtobedonealso.
Thismakesitdifficulttoprovideanydirectperformancecomparison,butyoucangetanideaofthedifferencebycomparingthesechartswiththosefrom"WS-SecureConversationperformance.
"TheearlierarticleshowedthatWS-SecureConversationsymmetricencryptionprovidesconsiderablybetterperformancethanWS-Securityasymmetricencryption,especiallyforencryptingmessages.
TheseresultsshowthatWS-Securitysymmetricencryptionwithclient-generatedkeysisnearlyasfastasWS-SecureConversation,especiallyforlargermessages.
WrappingupYou'veseeninthisarticlehowsymmetricencryption,usingclient-generatedsecretkeys,canbeusedtosecuremessageexchangeswithouttheneedforclientcertificates.
Thisapproachoffersgoodperformanceformessageexchanges—nearlyasgoodasWS-SecureConversation—whenthemessagesarerelativelylarge.
Ifonlyafewmessagesareexchangedbetweenaclientandserver,client-generatedsecretkeyscandeliverevenbetterperformancethanWS-SecureConversationsecretkeys(becauseWS-SecureConversationrequiresanextramessageexchange,betweentheclientandtheSTS).
Client-generatedsecretkeyscanalsobeusedforsigningmessages.
Thoughnotshowninthisarticle,thisuseofsecretkeysisessentiallythesameasthesigningexampleforWS-developerWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage8of9SecureConversationdiscussedin"WS-SecureConversationperformance.
"Signingwithsecretkeysinherentlyprovidesweakerguaranteesofauthenticitythansigningwithprivatekeys,butitcanstillbeusefulforensuringthatmessageshavenotbeentamperedwithintransit.
ThelastseveralarticlesofthisserieshavediscussedvariousformsofWS-SecurityandWS-SecureConversationsecurityforwebservices,includingperformancecomparisonsforthethreemainJavawebservicesstacks.
I'llcoversomespecializedWS-Securityfeaturesinfuturearticles,butfornowit'stimetowrapupthefocusonsecurityperformance.
ThenextarticleoftheserieswilldetailthestructureofWS-PolicydocumentsandthewaysthatpoliciescanbeattachedtoservicesinWSDL,withexamplesoffine-tuningsecurityconfigurationforApacheAxis2,Metro,andApacheCXF.
ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage9of9DownloadableresourcesDescriptionNameSizeSamplecodeforthisarticlej-jws17.
zip5.
29MBCopyrightIBMCorporation2010(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
YoucanuseitdirectlyorinthebootstrapforWS-SecureConversationexchanges.
Inthisarticle,you'lllearnhowtoconfigureandusesymmetricencryptionwiththethreemainopensourceJavawebservicesstacks:Axis2,Metro,andCXF.
You'llalsoseehowplainWS-SecuritysymmetricencryptionperformancecomparestoWS-SecureConversationperformance.
ViewmorecontentinthisseriesAboutthisseriesWebservicesareacrucialpartofJavatechnology'sroleinenterprisecomputing.
Inthisseriesofarticles,XMLandwebservicesconsultantDennisSosnoskicoversthemajorframeworksandtechnologiesthatareimportanttoJavadevelopersusingwebservices.
Followtheseriestostayinformedofthelatestdevelopmentsinthefieldandawareofhowyoucanusethemtoaidyourprogrammingprojects.
ManyWS-Securityconfigurationsrequirebothclientandservertousepublic/privatekeypairs,withX.
509certificatestovouchfortheownershipofthepublickeys.
ThisisprobablythemostwidelyusedtechniqueforsigningorencryptingmessageswithWS-Security,anditdoeshavesomeadvantages.
Inparticular,clientcertificatesprovidestrongclientidentityverificationandstrongsignatureguaranteesonrequests.
Butitalsohasdrawbacks,includingtheperformanceoverheadofasymmetricencryptionandthemanagementheadachesofobtainingandmaintainingcertificatesforeachclient.
"WS-SecureConversationperformance"showedhowWS-SecureConversation—whilestillworkingwithclientcertificates—reducesperformanceoverheadforongoingmessageexchangesbetweenclientandserverbyusingsymmetricencryption.
Inthisarticle,you'llseehowyoucangoastepfurtherandbreakfreeoftheneedforclientcertificatesinbothplainWS-SecurityandWS-SecureConversationexchanges.
developerWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage2of9EncryptingandsigningwithoutclientcertificatesUsingasymmetricencryptionwithpublic/privatekeypairsforsigningandencryptingmessagesissimple(atleastconceptually!
).
Asdiscussedin"Axis2WS-Securitysigningandencryption,"youuseyourprivatekeytosignmessagesandtherecipient'spublickeytoencryptmessages.
Anyonewithaccesstoyourpublickey(whichisgenerallywrappedwithinlayersofauthenticationintheformofanX.
509certificate)canverifythesignatureyougeneratedusingyourprivatekey,whereasonlytheownerofthecorrespondingprivatekeycandecryptamessageencryptedwithapublickey.
Iftheclientdoesn'thaveapublic/privatekeypair,youcan'tusefullasymmetricencryption.
Thealternativeissymmetricencryption,butwithsymmetricencryptionyoumusthaveasecretkeyknownonlytothepartiesinvolvedinamessageexchange.
HowcanyouestablishsuchasecretkeyThetechniquethatWS-Securityusesistohavetheclientgenerateasecret-keyvalue,whichisthenencryptedusingasymmetricencryptionwiththeserver'spublickeyandembeddedintherequestmessageinatoken.
Theclientcanusethissecretkey(orforbettersecurity,aseparatekeyderivedfromthesecretkey)toencryptand/orsigntherequestmessage,andtheservercandothesamewiththeresponsemessage.
There'snoneedfortheservertosendthesecretkeybacktotheclient,becausetheclientalreadyhasitavailable.
WS-SecurityPolicyconfigurationWS-Policy/WS-SecurityPolicyconfigurationforsymmetricencryptionusingaclient-generatedkeyissimple.
Listing1showstheversionusedinthisarticle.
Thispolicyspecifiesencryptionofmessagebodiessentinbothdirections,usingaclient-generatedsecretkey.
Listing1.
WS-Policyforencryptingallmessagebodiesibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage3of9TheassertionintheListing1policyiswhatconfigurestheuseofsymmetricencryptionwithasecretkey.
TheembeddedassertionsaysthataX.
509certificatewillbeusedtoprotectthetransmissionofthesecretkey(thatis,encryptthesecretkeyfortransmission),withthecertificateidentifiedusingathumbprintreference(essentiallyahashvalue).
Clientgenerationofthesecretkeyisimplicitintheuseofaassertionwithaprotectiontoken.
Theotherpolicyassertionsspecifydetailsoftheencryptionalgorithmandrequiredfeatures,andfinallytheassertionsaysthattheSOAPBodyistobeencryptedusingthesecretkey.
Asyou'veseeninearlierarticles,run-timeparametersforthesecurityhandling(suchaskeystoresandpasswords)mustbedefinedinanimplementation-dependentmanner.
Inthiscase,theparametersaresimple:theclientsideneedsaccesstoatruststorecontainingtheservercertificate,andtheserversideneedsaccesstoakeystorecontainingtheprivatekeymatchingthepublickeyinthecertificate.
Seeearlierarticlesinthisseriesfordetailsofhowtheparametersarepassedforeachofthestacks.
WS-SecureConversationwithoutclientcertificatesYoucanapplythesametechniqueforworkingwithoutclientcertificatestothemessageexchangebetweentheclientandtheSecurityTokenService(STS)whenusingWS-SecureConversation.
(See"WS-TrustandWS-SecureConversation"and"WS-SecureConversationperformance"fordetailsofWS-SecureConversation.
)Tousethisapproach,youbasicallysubstitutetheListing1policyintotheforthesecureconversation.
Listing2showshowthisworks,withtheshowninboldreplacingtheusedin"WS-SecureConversationperformance":Listing2.
WS-PolicyforWS-SecureConversationwithoutclientcertificatesdeveloperWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage4of9ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage5of9Besidesusingaclient-generatedkeyforthemessageexchangewiththeSTS,theListing2policyalsodiffersfromthoseusedin"WS-SecureConversationperformance"byeliminatingtheassertion.
Intheory,thispolicyshouldworkonanyWS-SecurityandWS-SecureConversationimplementation.
Inpractice,someproblemsoccurredwhenItriedthisconfigurationwiththethreemainopensourceJavawebservicesstacks.
CXFwastheonlystackthatworkedwiththepolicyaswritten.
Axis2didn'tworkatall,failingwithaclient-sideexceptionwhenprocessingtheSTSresponsemessage.
WhenIchangedthebootstrappolicybacktoasymmetricencryption,Axis2workedbutusedWS-Addressingonallmessagesanyway.
Metroalsofailed;afterIaddedbackthe,itworkedwithaclient-generatedkeyforsymmetricencryptionintheSTSmessageexchange.
ComparingperformanceTheperformancecomparisonsusethesametestcodeasearlierarticles,aseismicdataretrievalservice.
Theserviceusesadatabaseofmorethan93,000earthquakesthatoccurredworldwideoveraperiodofyears.
Requeststotheservicespecifyatimerangeandageographiccoordinaterange,andtheservicereturnsallearthquakeswithinthespecifiedrange.
See"Thehighcostof(WS-)Security"forfulldetailsofthetestapplicationandasamplerequest/responsemessagepair.
Asinthepreviousarticles,twosetsofrequestsequencesareusedfortheperformancetests.
Thefirstsetuses1,000requests,withqueryparametersadjustedtomatchasmallportionoftheentireearthquakedatabase(returning816matchingearthquakesforthe1,000requests).
Thesecondsetuses100requests,adjustedtomatchalargerportionofthedatabase(returning176,745matchingearthquakesforthe100requests).
Thesetworequestsequencesemphasizedifferentperformancecharacteristicsofwebservicesstacks.
Thefirstoneshowshowquicklystacksprocessrequestswithlittledata,andthesecondemphasizesthespeedofprocessingdatavolumes.
Eachrequestsequencewasrunmultipletimesindifferentsecurityconfigurations,withonlythebesttimeforeachconfigurationkeptintheresults.
Thistime,onlytwosecurityconfigurationsweretested:WS-SecuritywithSymmetricBindingencryptingallrequest/responsemessagebodies(direct)WS-SecureConversationencryptingallrequest/responsemessagebodies(securconv)Thesecurconvconfigurationisessentiallythesameastheoneusedin"WS-SecureConversationperformance,"theonlydifferencebeingtheuseofaSymmetricBindingforthemessageexchangebetweentheclientandtheSTSwithMetroandCXF.
BecausethetestedSymmetricBindingSTSpolicydidn'tworkwithAxis2,theAxis2configurationusedforthetimingtestswasthesameasintheearlierarticle.
ThechangetousingaSymmetricBindingfortheSTSpolicyismorefordemonstrationpurposesthanforanysignificantimpactonperformance,sothisdifferenceisnotimportantintheresults.
ThetestswererunonaMandriva2009.
132-bitLinuxnotebookwithaTurionX2ZM-85processorand3GBofRAM,usingaSun(Oracle)Java1.
6.
0_1032-bitJVM.
(NotethatthisisadeveloperWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage6of9differentsystemfromtheoneusedforperformancetestsinearlierarticles.
)TheservercodewasrunonTomcat6.
0.
20,configuredtouse1024MBofheap,withtheclientcodeusing512MBofheap.
Thewebservicestackversionstestedwere:Axis21.
5.
1withthe1.
5releaseofRampartMetro2.
0CXF2.
1.
8IfyouwanttotrythetestsonyourownhardwareandJVM,seeDownloadtogetthecode.
PerformanceresultsFigure1showsthemeasuredtimesforthesmall-responsetestseries.
Asin"WS-SecureConversationperformance,"MetroisalittlefasterthanCXF(about10percent)intheWS-SecureConversationtimings.
MetrodoesevenbetterwithdirectuseofsymmetricencryptionwithWS-Security,runningabout30percentfaster.
(Inbothofthisarticle'scharts,shorterbarsarebetterbecausetheyindicatefastertimes.
)Figure1.
MeasuredtimeswithsmallresponsesAxis2resultsarenotincludedinFigure1becauseofabugthatshowedupinthecourseofthetest.
TheAxis2teststartedoutrunningatareasonablespeedbutthenprogressivelyslowedasthenumberofiterationsincreased.
ThetotaltimetorunthistestwithAxis2endedupmorethan40timestheMetrovalue.
Thistypeofprogressiveslowingusuallyindicatesanissuesuchaslinearlookupsofvaluesbeingstoredbycode,inthiscasewithintheAxis2securityhandlingforsymmetricencryption(perhapsdealingwiththeclient-generatedkeys,becauseanewsecretkeyisgeneratedforeachrequest).
Figure2showsthemeasuredtimesforthelarge-responsetestseries.
HereMetroisagainthefastestofthestacks,butCXFcomesclose—thedifferencebetweenthetwoisonlyabout10percent.
Axis2ismuchslowerthantheothertwostacks,aswasthecaseintheWS-SecurityandWS-SecureConversationtestsshowninearlierarticles.
ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage7of9Figure2.
MeasuredtimeswithlargeresponsesTheseresults(exceptforAxis2)matchwhatyou'dexpecttoseebasedonthesecurityprocessingbeingdone.
Withbothsecurityconfigurations,symmetricencryptionisusedforthemessagesexchangedbetweentheclientandtheservice.
ThebigdifferencebetweenthetwoisthattheWS-Securitysymmetricencryptionconfigurationusesanewsecretkeygeneratedbytheclientforeachrequest/responsemessagepair.
Thissecretkeyneedstobeasymmetricallyencryptedusingtheserver'spublickeyandsentaspartoftherequestmessage,whereasWS-SecureConversationreusesasinglesecretkeyacrossmanymessagepairs.
ThismeanstheWS-Securityconfigurationaddssignificantper-requestoverhead,whichshowsupmainlyintheFigure1timings.
Thestacksdon'tsupportusingWS-Securityasymmetricencryptionforonlyencryptingamessage,insteadrequiringsigningtobedonealso.
Thismakesitdifficulttoprovideanydirectperformancecomparison,butyoucangetanideaofthedifferencebycomparingthesechartswiththosefrom"WS-SecureConversationperformance.
"TheearlierarticleshowedthatWS-SecureConversationsymmetricencryptionprovidesconsiderablybetterperformancethanWS-Securityasymmetricencryption,especiallyforencryptingmessages.
TheseresultsshowthatWS-Securitysymmetricencryptionwithclient-generatedkeysisnearlyasfastasWS-SecureConversation,especiallyforlargermessages.
WrappingupYou'veseeninthisarticlehowsymmetricencryption,usingclient-generatedsecretkeys,canbeusedtosecuremessageexchangeswithouttheneedforclientcertificates.
Thisapproachoffersgoodperformanceformessageexchanges—nearlyasgoodasWS-SecureConversation—whenthemessagesarerelativelylarge.
Ifonlyafewmessagesareexchangedbetweenaclientandserver,client-generatedsecretkeyscandeliverevenbetterperformancethanWS-SecureConversationsecretkeys(becauseWS-SecureConversationrequiresanextramessageexchange,betweentheclientandtheSTS).
Client-generatedsecretkeyscanalsobeusedforsigningmessages.
Thoughnotshowninthisarticle,thisuseofsecretkeysisessentiallythesameasthesigningexampleforWS-developerWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage8of9SecureConversationdiscussedin"WS-SecureConversationperformance.
"Signingwithsecretkeysinherentlyprovidesweakerguaranteesofauthenticitythansigningwithprivatekeys,butitcanstillbeusefulforensuringthatmessageshavenotbeentamperedwithintransit.
ThelastseveralarticlesofthisserieshavediscussedvariousformsofWS-SecurityandWS-SecureConversationsecurityforwebservices,includingperformancecomparisonsforthethreemainJavawebservicesstacks.
I'llcoversomespecializedWS-Securityfeaturesinfuturearticles,butfornowit'stimetowrapupthefocusonsecurityperformance.
ThenextarticleoftheserieswilldetailthestructureofWS-PolicydocumentsandthewaysthatpoliciescanbeattachedtoservicesinWSDL,withexamplesoffine-tuningsecurityconfigurationforApacheAxis2,Metro,andApacheCXF.
ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage9of9DownloadableresourcesDescriptionNameSizeSamplecodeforthisarticlej-jws17.
zip5.
29MBCopyrightIBMCorporation2010(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
- exchangemandriva相关文档
- Wumandriva
- 5.6mandriva
- 打印mandriva
- grandemandriva
- addmandriva
- buyingmandriva
3元/首月香港便宜vps究竟是什么货。
便宜的香港vps多少钱?现在国外VPS主机的价格已经很便宜了,美国VPS主机最低一个月只要十几元,但同样免备案的香港VPS价格贵不贵呢?或者说便宜的香港VPS多少钱?香港vps主机价格要比美国机房的贵一些,但比国内的又便宜不少,所以目前情况是同等配置下,美国VPS比香港的便宜,香港VPS比国内(指大陆地区)的便宜。目前,最便宜香港vps低至3元/首月、18元/月起,今天云服务器网(www.yunt...
小白云 (80元/月),四川德阳 4核2G,山东枣庄 4核2G,美国VPS20元/月起三网CN2
小白云是一家国人自营的企业IDC,主营国内外VPS,致力于让每一个用户都能轻松、快速、经济地享受高端的服务,成立于2019年,拥有国内大带宽高防御的特点,专注于DDoS/CC等攻击的防护;海外线路精选纯CN2线路,以确保用户体验的首选线路,商家线上多名客服一对一解决处理用户的问题,提供7*24无人全自动化服务。商家承诺绝不超开,以用户体验为中心为用提供服务,一直坚持主打以产品质量用户体验性以及高效...
RFCHOST - 洛杉矶CN2 GIA VPS季付23.9美元起 100Mbps带宽
RFCHOST,这个服务商我们可能有一些朋友知道的。不要看官网是英文就以为是老外服务商,实际上这个服务商公司在上海。我们实际上看到的很多商家,有的是繁体,有的是英文,实际上很多都是我们国人朋友做的,有的甚至还做好几个品牌域名,实际上都是一个公司。对于RFCHOST商家还是第一次分享他们家的信息,公司成立大约2015年左右。目前RFCHOST洛杉矶机房VPS正进行优惠促销,采用CN2优化线路,电信双...
mandriva为你推荐
-
12306崩溃iphone 12306网络错误Baby被问婚变绯闻黄晓明婚礼上说baby碰他哪里最兴奋安徽汽车网想在合肥买辆二手车,想问在哪里买比较放心?留学生认证留学生服务中心认证内容和范围?李子柒年入1.6亿新晋网红李子柒是不是背后有团队是摆拍、炒作为的是人气、流量?www.jjwxc.net晋江文学网 的网址是什么?psbc.comwww.psbc.com怎样注册罗伦佐娜手上鸡皮肤怎么办,维洛娜毛周角化修复液丑福晋谁有好看的言情小说介绍下百花百游百花蛇草的作用