exchangemandriva
mandriva 时间:2021-04-01 阅读:()
CopyrightIBMCorporation2010TrademarksJavawebservices:WS-SecuritywithoutclientcertificatesPage1of9Javawebservices:WS-SecuritywithoutclientcertificatesLearnhowtouseWS-SecuritysymmetricencryptionforsecureexchangeswithoutclientcertificatesDennisSosnoski03August2010WS-Securitysymmetricencryptionletsyousecuremessageexchangesbetweenclientandserverwithoutrequiringclientcertificates,simplifyingyourwebserviceconfigurationwhilealsoprovidingperformancebenefits.
YoucanuseitdirectlyorinthebootstrapforWS-SecureConversationexchanges.
Inthisarticle,you'lllearnhowtoconfigureandusesymmetricencryptionwiththethreemainopensourceJavawebservicesstacks:Axis2,Metro,andCXF.
You'llalsoseehowplainWS-SecuritysymmetricencryptionperformancecomparestoWS-SecureConversationperformance.
ViewmorecontentinthisseriesAboutthisseriesWebservicesareacrucialpartofJavatechnology'sroleinenterprisecomputing.
Inthisseriesofarticles,XMLandwebservicesconsultantDennisSosnoskicoversthemajorframeworksandtechnologiesthatareimportanttoJavadevelopersusingwebservices.
Followtheseriestostayinformedofthelatestdevelopmentsinthefieldandawareofhowyoucanusethemtoaidyourprogrammingprojects.
ManyWS-Securityconfigurationsrequirebothclientandservertousepublic/privatekeypairs,withX.
509certificatestovouchfortheownershipofthepublickeys.
ThisisprobablythemostwidelyusedtechniqueforsigningorencryptingmessageswithWS-Security,anditdoeshavesomeadvantages.
Inparticular,clientcertificatesprovidestrongclientidentityverificationandstrongsignatureguaranteesonrequests.
Butitalsohasdrawbacks,includingtheperformanceoverheadofasymmetricencryptionandthemanagementheadachesofobtainingandmaintainingcertificatesforeachclient.
"WS-SecureConversationperformance"showedhowWS-SecureConversation—whilestillworkingwithclientcertificates—reducesperformanceoverheadforongoingmessageexchangesbetweenclientandserverbyusingsymmetricencryption.
Inthisarticle,you'llseehowyoucangoastepfurtherandbreakfreeoftheneedforclientcertificatesinbothplainWS-SecurityandWS-SecureConversationexchanges.
developerWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage2of9EncryptingandsigningwithoutclientcertificatesUsingasymmetricencryptionwithpublic/privatekeypairsforsigningandencryptingmessagesissimple(atleastconceptually!
).
Asdiscussedin"Axis2WS-Securitysigningandencryption,"youuseyourprivatekeytosignmessagesandtherecipient'spublickeytoencryptmessages.
Anyonewithaccesstoyourpublickey(whichisgenerallywrappedwithinlayersofauthenticationintheformofanX.
509certificate)canverifythesignatureyougeneratedusingyourprivatekey,whereasonlytheownerofthecorrespondingprivatekeycandecryptamessageencryptedwithapublickey.
Iftheclientdoesn'thaveapublic/privatekeypair,youcan'tusefullasymmetricencryption.
Thealternativeissymmetricencryption,butwithsymmetricencryptionyoumusthaveasecretkeyknownonlytothepartiesinvolvedinamessageexchange.
HowcanyouestablishsuchasecretkeyThetechniquethatWS-Securityusesistohavetheclientgenerateasecret-keyvalue,whichisthenencryptedusingasymmetricencryptionwiththeserver'spublickeyandembeddedintherequestmessageinatoken.
Theclientcanusethissecretkey(orforbettersecurity,aseparatekeyderivedfromthesecretkey)toencryptand/orsigntherequestmessage,andtheservercandothesamewiththeresponsemessage.
There'snoneedfortheservertosendthesecretkeybacktotheclient,becausetheclientalreadyhasitavailable.
WS-SecurityPolicyconfigurationWS-Policy/WS-SecurityPolicyconfigurationforsymmetricencryptionusingaclient-generatedkeyissimple.
Listing1showstheversionusedinthisarticle.
Thispolicyspecifiesencryptionofmessagebodiessentinbothdirections,usingaclient-generatedsecretkey.
Listing1.
WS-Policyforencryptingallmessagebodiesibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage3of9TheassertionintheListing1policyiswhatconfigurestheuseofsymmetricencryptionwithasecretkey.
TheembeddedassertionsaysthataX.
509certificatewillbeusedtoprotectthetransmissionofthesecretkey(thatis,encryptthesecretkeyfortransmission),withthecertificateidentifiedusingathumbprintreference(essentiallyahashvalue).
Clientgenerationofthesecretkeyisimplicitintheuseofaassertionwithaprotectiontoken.
Theotherpolicyassertionsspecifydetailsoftheencryptionalgorithmandrequiredfeatures,andfinallytheassertionsaysthattheSOAPBodyistobeencryptedusingthesecretkey.
Asyou'veseeninearlierarticles,run-timeparametersforthesecurityhandling(suchaskeystoresandpasswords)mustbedefinedinanimplementation-dependentmanner.
Inthiscase,theparametersaresimple:theclientsideneedsaccesstoatruststorecontainingtheservercertificate,andtheserversideneedsaccesstoakeystorecontainingtheprivatekeymatchingthepublickeyinthecertificate.
Seeearlierarticlesinthisseriesfordetailsofhowtheparametersarepassedforeachofthestacks.
WS-SecureConversationwithoutclientcertificatesYoucanapplythesametechniqueforworkingwithoutclientcertificatestothemessageexchangebetweentheclientandtheSecurityTokenService(STS)whenusingWS-SecureConversation.
(See"WS-TrustandWS-SecureConversation"and"WS-SecureConversationperformance"fordetailsofWS-SecureConversation.
)Tousethisapproach,youbasicallysubstitutetheListing1policyintotheforthesecureconversation.
Listing2showshowthisworks,withtheshowninboldreplacingtheusedin"WS-SecureConversationperformance":Listing2.
WS-PolicyforWS-SecureConversationwithoutclientcertificatesdeveloperWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage4of9ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage5of9Besidesusingaclient-generatedkeyforthemessageexchangewiththeSTS,theListing2policyalsodiffersfromthoseusedin"WS-SecureConversationperformance"byeliminatingtheassertion.
Intheory,thispolicyshouldworkonanyWS-SecurityandWS-SecureConversationimplementation.
Inpractice,someproblemsoccurredwhenItriedthisconfigurationwiththethreemainopensourceJavawebservicesstacks.
CXFwastheonlystackthatworkedwiththepolicyaswritten.
Axis2didn'tworkatall,failingwithaclient-sideexceptionwhenprocessingtheSTSresponsemessage.
WhenIchangedthebootstrappolicybacktoasymmetricencryption,Axis2workedbutusedWS-Addressingonallmessagesanyway.
Metroalsofailed;afterIaddedbackthe,itworkedwithaclient-generatedkeyforsymmetricencryptionintheSTSmessageexchange.
ComparingperformanceTheperformancecomparisonsusethesametestcodeasearlierarticles,aseismicdataretrievalservice.
Theserviceusesadatabaseofmorethan93,000earthquakesthatoccurredworldwideoveraperiodofyears.
Requeststotheservicespecifyatimerangeandageographiccoordinaterange,andtheservicereturnsallearthquakeswithinthespecifiedrange.
See"Thehighcostof(WS-)Security"forfulldetailsofthetestapplicationandasamplerequest/responsemessagepair.
Asinthepreviousarticles,twosetsofrequestsequencesareusedfortheperformancetests.
Thefirstsetuses1,000requests,withqueryparametersadjustedtomatchasmallportionoftheentireearthquakedatabase(returning816matchingearthquakesforthe1,000requests).
Thesecondsetuses100requests,adjustedtomatchalargerportionofthedatabase(returning176,745matchingearthquakesforthe100requests).
Thesetworequestsequencesemphasizedifferentperformancecharacteristicsofwebservicesstacks.
Thefirstoneshowshowquicklystacksprocessrequestswithlittledata,andthesecondemphasizesthespeedofprocessingdatavolumes.
Eachrequestsequencewasrunmultipletimesindifferentsecurityconfigurations,withonlythebesttimeforeachconfigurationkeptintheresults.
Thistime,onlytwosecurityconfigurationsweretested:WS-SecuritywithSymmetricBindingencryptingallrequest/responsemessagebodies(direct)WS-SecureConversationencryptingallrequest/responsemessagebodies(securconv)Thesecurconvconfigurationisessentiallythesameastheoneusedin"WS-SecureConversationperformance,"theonlydifferencebeingtheuseofaSymmetricBindingforthemessageexchangebetweentheclientandtheSTSwithMetroandCXF.
BecausethetestedSymmetricBindingSTSpolicydidn'tworkwithAxis2,theAxis2configurationusedforthetimingtestswasthesameasintheearlierarticle.
ThechangetousingaSymmetricBindingfortheSTSpolicyismorefordemonstrationpurposesthanforanysignificantimpactonperformance,sothisdifferenceisnotimportantintheresults.
ThetestswererunonaMandriva2009.
132-bitLinuxnotebookwithaTurionX2ZM-85processorand3GBofRAM,usingaSun(Oracle)Java1.
6.
0_1032-bitJVM.
(NotethatthisisadeveloperWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage6of9differentsystemfromtheoneusedforperformancetestsinearlierarticles.
)TheservercodewasrunonTomcat6.
0.
20,configuredtouse1024MBofheap,withtheclientcodeusing512MBofheap.
Thewebservicestackversionstestedwere:Axis21.
5.
1withthe1.
5releaseofRampartMetro2.
0CXF2.
1.
8IfyouwanttotrythetestsonyourownhardwareandJVM,seeDownloadtogetthecode.
PerformanceresultsFigure1showsthemeasuredtimesforthesmall-responsetestseries.
Asin"WS-SecureConversationperformance,"MetroisalittlefasterthanCXF(about10percent)intheWS-SecureConversationtimings.
MetrodoesevenbetterwithdirectuseofsymmetricencryptionwithWS-Security,runningabout30percentfaster.
(Inbothofthisarticle'scharts,shorterbarsarebetterbecausetheyindicatefastertimes.
)Figure1.
MeasuredtimeswithsmallresponsesAxis2resultsarenotincludedinFigure1becauseofabugthatshowedupinthecourseofthetest.
TheAxis2teststartedoutrunningatareasonablespeedbutthenprogressivelyslowedasthenumberofiterationsincreased.
ThetotaltimetorunthistestwithAxis2endedupmorethan40timestheMetrovalue.
Thistypeofprogressiveslowingusuallyindicatesanissuesuchaslinearlookupsofvaluesbeingstoredbycode,inthiscasewithintheAxis2securityhandlingforsymmetricencryption(perhapsdealingwiththeclient-generatedkeys,becauseanewsecretkeyisgeneratedforeachrequest).
Figure2showsthemeasuredtimesforthelarge-responsetestseries.
HereMetroisagainthefastestofthestacks,butCXFcomesclose—thedifferencebetweenthetwoisonlyabout10percent.
Axis2ismuchslowerthantheothertwostacks,aswasthecaseintheWS-SecurityandWS-SecureConversationtestsshowninearlierarticles.
ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage7of9Figure2.
MeasuredtimeswithlargeresponsesTheseresults(exceptforAxis2)matchwhatyou'dexpecttoseebasedonthesecurityprocessingbeingdone.
Withbothsecurityconfigurations,symmetricencryptionisusedforthemessagesexchangedbetweentheclientandtheservice.
ThebigdifferencebetweenthetwoisthattheWS-Securitysymmetricencryptionconfigurationusesanewsecretkeygeneratedbytheclientforeachrequest/responsemessagepair.
Thissecretkeyneedstobeasymmetricallyencryptedusingtheserver'spublickeyandsentaspartoftherequestmessage,whereasWS-SecureConversationreusesasinglesecretkeyacrossmanymessagepairs.
ThismeanstheWS-Securityconfigurationaddssignificantper-requestoverhead,whichshowsupmainlyintheFigure1timings.
Thestacksdon'tsupportusingWS-Securityasymmetricencryptionforonlyencryptingamessage,insteadrequiringsigningtobedonealso.
Thismakesitdifficulttoprovideanydirectperformancecomparison,butyoucangetanideaofthedifferencebycomparingthesechartswiththosefrom"WS-SecureConversationperformance.
"TheearlierarticleshowedthatWS-SecureConversationsymmetricencryptionprovidesconsiderablybetterperformancethanWS-Securityasymmetricencryption,especiallyforencryptingmessages.
TheseresultsshowthatWS-Securitysymmetricencryptionwithclient-generatedkeysisnearlyasfastasWS-SecureConversation,especiallyforlargermessages.
WrappingupYou'veseeninthisarticlehowsymmetricencryption,usingclient-generatedsecretkeys,canbeusedtosecuremessageexchangeswithouttheneedforclientcertificates.
Thisapproachoffersgoodperformanceformessageexchanges—nearlyasgoodasWS-SecureConversation—whenthemessagesarerelativelylarge.
Ifonlyafewmessagesareexchangedbetweenaclientandserver,client-generatedsecretkeyscandeliverevenbetterperformancethanWS-SecureConversationsecretkeys(becauseWS-SecureConversationrequiresanextramessageexchange,betweentheclientandtheSTS).
Client-generatedsecretkeyscanalsobeusedforsigningmessages.
Thoughnotshowninthisarticle,thisuseofsecretkeysisessentiallythesameasthesigningexampleforWS-developerWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage8of9SecureConversationdiscussedin"WS-SecureConversationperformance.
"Signingwithsecretkeysinherentlyprovidesweakerguaranteesofauthenticitythansigningwithprivatekeys,butitcanstillbeusefulforensuringthatmessageshavenotbeentamperedwithintransit.
ThelastseveralarticlesofthisserieshavediscussedvariousformsofWS-SecurityandWS-SecureConversationsecurityforwebservices,includingperformancecomparisonsforthethreemainJavawebservicesstacks.
I'llcoversomespecializedWS-Securityfeaturesinfuturearticles,butfornowit'stimetowrapupthefocusonsecurityperformance.
ThenextarticleoftheserieswilldetailthestructureofWS-PolicydocumentsandthewaysthatpoliciescanbeattachedtoservicesinWSDL,withexamplesoffine-tuningsecurityconfigurationforApacheAxis2,Metro,andApacheCXF.
ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage9of9DownloadableresourcesDescriptionNameSizeSamplecodeforthisarticlej-jws17.
zip5.
29MBCopyrightIBMCorporation2010(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
YoucanuseitdirectlyorinthebootstrapforWS-SecureConversationexchanges.
Inthisarticle,you'lllearnhowtoconfigureandusesymmetricencryptionwiththethreemainopensourceJavawebservicesstacks:Axis2,Metro,andCXF.
You'llalsoseehowplainWS-SecuritysymmetricencryptionperformancecomparestoWS-SecureConversationperformance.
ViewmorecontentinthisseriesAboutthisseriesWebservicesareacrucialpartofJavatechnology'sroleinenterprisecomputing.
Inthisseriesofarticles,XMLandwebservicesconsultantDennisSosnoskicoversthemajorframeworksandtechnologiesthatareimportanttoJavadevelopersusingwebservices.
Followtheseriestostayinformedofthelatestdevelopmentsinthefieldandawareofhowyoucanusethemtoaidyourprogrammingprojects.
ManyWS-Securityconfigurationsrequirebothclientandservertousepublic/privatekeypairs,withX.
509certificatestovouchfortheownershipofthepublickeys.
ThisisprobablythemostwidelyusedtechniqueforsigningorencryptingmessageswithWS-Security,anditdoeshavesomeadvantages.
Inparticular,clientcertificatesprovidestrongclientidentityverificationandstrongsignatureguaranteesonrequests.
Butitalsohasdrawbacks,includingtheperformanceoverheadofasymmetricencryptionandthemanagementheadachesofobtainingandmaintainingcertificatesforeachclient.
"WS-SecureConversationperformance"showedhowWS-SecureConversation—whilestillworkingwithclientcertificates—reducesperformanceoverheadforongoingmessageexchangesbetweenclientandserverbyusingsymmetricencryption.
Inthisarticle,you'llseehowyoucangoastepfurtherandbreakfreeoftheneedforclientcertificatesinbothplainWS-SecurityandWS-SecureConversationexchanges.
developerWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage2of9EncryptingandsigningwithoutclientcertificatesUsingasymmetricencryptionwithpublic/privatekeypairsforsigningandencryptingmessagesissimple(atleastconceptually!
).
Asdiscussedin"Axis2WS-Securitysigningandencryption,"youuseyourprivatekeytosignmessagesandtherecipient'spublickeytoencryptmessages.
Anyonewithaccesstoyourpublickey(whichisgenerallywrappedwithinlayersofauthenticationintheformofanX.
509certificate)canverifythesignatureyougeneratedusingyourprivatekey,whereasonlytheownerofthecorrespondingprivatekeycandecryptamessageencryptedwithapublickey.
Iftheclientdoesn'thaveapublic/privatekeypair,youcan'tusefullasymmetricencryption.
Thealternativeissymmetricencryption,butwithsymmetricencryptionyoumusthaveasecretkeyknownonlytothepartiesinvolvedinamessageexchange.
HowcanyouestablishsuchasecretkeyThetechniquethatWS-Securityusesistohavetheclientgenerateasecret-keyvalue,whichisthenencryptedusingasymmetricencryptionwiththeserver'spublickeyandembeddedintherequestmessageinatoken.
Theclientcanusethissecretkey(orforbettersecurity,aseparatekeyderivedfromthesecretkey)toencryptand/orsigntherequestmessage,andtheservercandothesamewiththeresponsemessage.
There'snoneedfortheservertosendthesecretkeybacktotheclient,becausetheclientalreadyhasitavailable.
WS-SecurityPolicyconfigurationWS-Policy/WS-SecurityPolicyconfigurationforsymmetricencryptionusingaclient-generatedkeyissimple.
Listing1showstheversionusedinthisarticle.
Thispolicyspecifiesencryptionofmessagebodiessentinbothdirections,usingaclient-generatedsecretkey.
Listing1.
WS-Policyforencryptingallmessagebodiesibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage3of9TheassertionintheListing1policyiswhatconfigurestheuseofsymmetricencryptionwithasecretkey.
TheembeddedassertionsaysthataX.
509certificatewillbeusedtoprotectthetransmissionofthesecretkey(thatis,encryptthesecretkeyfortransmission),withthecertificateidentifiedusingathumbprintreference(essentiallyahashvalue).
Clientgenerationofthesecretkeyisimplicitintheuseofaassertionwithaprotectiontoken.
Theotherpolicyassertionsspecifydetailsoftheencryptionalgorithmandrequiredfeatures,andfinallytheassertionsaysthattheSOAPBodyistobeencryptedusingthesecretkey.
Asyou'veseeninearlierarticles,run-timeparametersforthesecurityhandling(suchaskeystoresandpasswords)mustbedefinedinanimplementation-dependentmanner.
Inthiscase,theparametersaresimple:theclientsideneedsaccesstoatruststorecontainingtheservercertificate,andtheserversideneedsaccesstoakeystorecontainingtheprivatekeymatchingthepublickeyinthecertificate.
Seeearlierarticlesinthisseriesfordetailsofhowtheparametersarepassedforeachofthestacks.
WS-SecureConversationwithoutclientcertificatesYoucanapplythesametechniqueforworkingwithoutclientcertificatestothemessageexchangebetweentheclientandtheSecurityTokenService(STS)whenusingWS-SecureConversation.
(See"WS-TrustandWS-SecureConversation"and"WS-SecureConversationperformance"fordetailsofWS-SecureConversation.
)Tousethisapproach,youbasicallysubstitutetheListing1policyintotheforthesecureconversation.
Listing2showshowthisworks,withtheshowninboldreplacingtheusedin"WS-SecureConversationperformance":Listing2.
WS-PolicyforWS-SecureConversationwithoutclientcertificatesdeveloperWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage4of9ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage5of9Besidesusingaclient-generatedkeyforthemessageexchangewiththeSTS,theListing2policyalsodiffersfromthoseusedin"WS-SecureConversationperformance"byeliminatingtheassertion.
Intheory,thispolicyshouldworkonanyWS-SecurityandWS-SecureConversationimplementation.
Inpractice,someproblemsoccurredwhenItriedthisconfigurationwiththethreemainopensourceJavawebservicesstacks.
CXFwastheonlystackthatworkedwiththepolicyaswritten.
Axis2didn'tworkatall,failingwithaclient-sideexceptionwhenprocessingtheSTSresponsemessage.
WhenIchangedthebootstrappolicybacktoasymmetricencryption,Axis2workedbutusedWS-Addressingonallmessagesanyway.
Metroalsofailed;afterIaddedbackthe,itworkedwithaclient-generatedkeyforsymmetricencryptionintheSTSmessageexchange.
ComparingperformanceTheperformancecomparisonsusethesametestcodeasearlierarticles,aseismicdataretrievalservice.
Theserviceusesadatabaseofmorethan93,000earthquakesthatoccurredworldwideoveraperiodofyears.
Requeststotheservicespecifyatimerangeandageographiccoordinaterange,andtheservicereturnsallearthquakeswithinthespecifiedrange.
See"Thehighcostof(WS-)Security"forfulldetailsofthetestapplicationandasamplerequest/responsemessagepair.
Asinthepreviousarticles,twosetsofrequestsequencesareusedfortheperformancetests.
Thefirstsetuses1,000requests,withqueryparametersadjustedtomatchasmallportionoftheentireearthquakedatabase(returning816matchingearthquakesforthe1,000requests).
Thesecondsetuses100requests,adjustedtomatchalargerportionofthedatabase(returning176,745matchingearthquakesforthe100requests).
Thesetworequestsequencesemphasizedifferentperformancecharacteristicsofwebservicesstacks.
Thefirstoneshowshowquicklystacksprocessrequestswithlittledata,andthesecondemphasizesthespeedofprocessingdatavolumes.
Eachrequestsequencewasrunmultipletimesindifferentsecurityconfigurations,withonlythebesttimeforeachconfigurationkeptintheresults.
Thistime,onlytwosecurityconfigurationsweretested:WS-SecuritywithSymmetricBindingencryptingallrequest/responsemessagebodies(direct)WS-SecureConversationencryptingallrequest/responsemessagebodies(securconv)Thesecurconvconfigurationisessentiallythesameastheoneusedin"WS-SecureConversationperformance,"theonlydifferencebeingtheuseofaSymmetricBindingforthemessageexchangebetweentheclientandtheSTSwithMetroandCXF.
BecausethetestedSymmetricBindingSTSpolicydidn'tworkwithAxis2,theAxis2configurationusedforthetimingtestswasthesameasintheearlierarticle.
ThechangetousingaSymmetricBindingfortheSTSpolicyismorefordemonstrationpurposesthanforanysignificantimpactonperformance,sothisdifferenceisnotimportantintheresults.
ThetestswererunonaMandriva2009.
132-bitLinuxnotebookwithaTurionX2ZM-85processorand3GBofRAM,usingaSun(Oracle)Java1.
6.
0_1032-bitJVM.
(NotethatthisisadeveloperWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage6of9differentsystemfromtheoneusedforperformancetestsinearlierarticles.
)TheservercodewasrunonTomcat6.
0.
20,configuredtouse1024MBofheap,withtheclientcodeusing512MBofheap.
Thewebservicestackversionstestedwere:Axis21.
5.
1withthe1.
5releaseofRampartMetro2.
0CXF2.
1.
8IfyouwanttotrythetestsonyourownhardwareandJVM,seeDownloadtogetthecode.
PerformanceresultsFigure1showsthemeasuredtimesforthesmall-responsetestseries.
Asin"WS-SecureConversationperformance,"MetroisalittlefasterthanCXF(about10percent)intheWS-SecureConversationtimings.
MetrodoesevenbetterwithdirectuseofsymmetricencryptionwithWS-Security,runningabout30percentfaster.
(Inbothofthisarticle'scharts,shorterbarsarebetterbecausetheyindicatefastertimes.
)Figure1.
MeasuredtimeswithsmallresponsesAxis2resultsarenotincludedinFigure1becauseofabugthatshowedupinthecourseofthetest.
TheAxis2teststartedoutrunningatareasonablespeedbutthenprogressivelyslowedasthenumberofiterationsincreased.
ThetotaltimetorunthistestwithAxis2endedupmorethan40timestheMetrovalue.
Thistypeofprogressiveslowingusuallyindicatesanissuesuchaslinearlookupsofvaluesbeingstoredbycode,inthiscasewithintheAxis2securityhandlingforsymmetricencryption(perhapsdealingwiththeclient-generatedkeys,becauseanewsecretkeyisgeneratedforeachrequest).
Figure2showsthemeasuredtimesforthelarge-responsetestseries.
HereMetroisagainthefastestofthestacks,butCXFcomesclose—thedifferencebetweenthetwoisonlyabout10percent.
Axis2ismuchslowerthantheothertwostacks,aswasthecaseintheWS-SecurityandWS-SecureConversationtestsshowninearlierarticles.
ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage7of9Figure2.
MeasuredtimeswithlargeresponsesTheseresults(exceptforAxis2)matchwhatyou'dexpecttoseebasedonthesecurityprocessingbeingdone.
Withbothsecurityconfigurations,symmetricencryptionisusedforthemessagesexchangedbetweentheclientandtheservice.
ThebigdifferencebetweenthetwoisthattheWS-Securitysymmetricencryptionconfigurationusesanewsecretkeygeneratedbytheclientforeachrequest/responsemessagepair.
Thissecretkeyneedstobeasymmetricallyencryptedusingtheserver'spublickeyandsentaspartoftherequestmessage,whereasWS-SecureConversationreusesasinglesecretkeyacrossmanymessagepairs.
ThismeanstheWS-Securityconfigurationaddssignificantper-requestoverhead,whichshowsupmainlyintheFigure1timings.
Thestacksdon'tsupportusingWS-Securityasymmetricencryptionforonlyencryptingamessage,insteadrequiringsigningtobedonealso.
Thismakesitdifficulttoprovideanydirectperformancecomparison,butyoucangetanideaofthedifferencebycomparingthesechartswiththosefrom"WS-SecureConversationperformance.
"TheearlierarticleshowedthatWS-SecureConversationsymmetricencryptionprovidesconsiderablybetterperformancethanWS-Securityasymmetricencryption,especiallyforencryptingmessages.
TheseresultsshowthatWS-Securitysymmetricencryptionwithclient-generatedkeysisnearlyasfastasWS-SecureConversation,especiallyforlargermessages.
WrappingupYou'veseeninthisarticlehowsymmetricencryption,usingclient-generatedsecretkeys,canbeusedtosecuremessageexchangeswithouttheneedforclientcertificates.
Thisapproachoffersgoodperformanceformessageexchanges—nearlyasgoodasWS-SecureConversation—whenthemessagesarerelativelylarge.
Ifonlyafewmessagesareexchangedbetweenaclientandserver,client-generatedsecretkeyscandeliverevenbetterperformancethanWS-SecureConversationsecretkeys(becauseWS-SecureConversationrequiresanextramessageexchange,betweentheclientandtheSTS).
Client-generatedsecretkeyscanalsobeusedforsigningmessages.
Thoughnotshowninthisarticle,thisuseofsecretkeysisessentiallythesameasthesigningexampleforWS-developerWorksibm.
com/developerWorks/Javawebservices:WS-SecuritywithoutclientcertificatesPage8of9SecureConversationdiscussedin"WS-SecureConversationperformance.
"Signingwithsecretkeysinherentlyprovidesweakerguaranteesofauthenticitythansigningwithprivatekeys,butitcanstillbeusefulforensuringthatmessageshavenotbeentamperedwithintransit.
ThelastseveralarticlesofthisserieshavediscussedvariousformsofWS-SecurityandWS-SecureConversationsecurityforwebservices,includingperformancecomparisonsforthethreemainJavawebservicesstacks.
I'llcoversomespecializedWS-Securityfeaturesinfuturearticles,butfornowit'stimetowrapupthefocusonsecurityperformance.
ThenextarticleoftheserieswilldetailthestructureofWS-PolicydocumentsandthewaysthatpoliciescanbeattachedtoservicesinWSDL,withexamplesoffine-tuningsecurityconfigurationforApacheAxis2,Metro,andApacheCXF.
ibm.
com/developerWorks/developerWorksJavawebservices:WS-SecuritywithoutclientcertificatesPage9of9DownloadableresourcesDescriptionNameSizeSamplecodeforthisarticlej-jws17.
zip5.
29MBCopyrightIBMCorporation2010(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
- exchangemandriva相关文档
- Wumandriva
- 5.6mandriva
- 打印mandriva
- grandemandriva
- addmandriva
- buyingmandriva
ZJI-全场八折优惠,香港服务器 600元起,还有日本/美国/韩国服务器
ZJI怎么样?ZJI是一家成立于2011年的商家,原名维翔主机,主要从事独立服务器产品销售,目前主打中国香港、日本、美国独立服务器产品,是一个稳定、靠谱的老牌商家。详情如下:月付/年付优惠码:zji??下物理服务器/VDS/虚拟主机空间订单八折终身优惠(长期有效)一、ZJI官网点击直达香港葵湾特惠B型 CPU:E5-2650L核心:6核12线程内存:16GB硬盘:480GB SSD带宽:5Mbps...
日本vps云服务器选择指南。
日本vps云服务器怎么选择?很多人都会遇到日本vps和日本云服务器怎么选择的问题,日本云服务器具有免备案的特点。小编今天就分析一下日本云服务器价格多少钱,以方便大家选购的时候有个更加合适的取舍。日本云服务器租用前比较选择,高性能、安全、高效、免备案日本云服务器是很关键的因素。那么,日本云服务器该怎么选择呢?日本作为我们的邻国,与其贸易、文化往来是比较多的。日本云服务器价格多少钱一年?一、日本·CN...
Sharktech($49/月),10G端口 32GB内存,鲨鱼机房新用户赠送$50
Sharktech 鲨鱼机房商家我们是不是算比较熟悉的,因为有很多的服务商渠道的高防服务器都是拿他们家的机器然后部署高防VPS主机的,不过这几年Sharktech商家有自己直接销售云服务器产品,比如看到有新增公有云主机有促销活动,一般有人可能买回去自己搭建虚拟主机拆分销售的,有的也是自用的。有看到不少网友在分享到鲨鱼机房商家促销活动期间,有赠送开通公有云主机$50,可以购买最低配置的,$49/月的...
mandriva为你推荐
-
小度商城小度智能音箱1s上面的黄圈不熄灭怎么回事,第一天还能熄灭云爆发云玩家啥意思?是不是骂人的微信回应封杀钉钉微信大封杀什么时候结束lunwenjiance我写的论文,检测相似度是21.63%,删掉参考文献后就只有6.3%,这是为什么?百花百游迎得春来非自足,百花千卉共芬芳什么意思同一ip网站同一个IP不同的30个网站,是不是在一个服务器上呢?www.kk4kk.com猪猪影院www.mlzz.com 最新电影收费吗?5xoy.com求个如月群真汉化版下载地址789se.comwuwu8.com这个站长是谁?抓站工具抓鸡要什么工具?