IL GON KIM wrote:
I am studying WS-Security and have a question about it.
As far as I understand it, WS-Security defines security elements in
the header part of SOAP messages, by combining the WS-Signature and
WS-Encryption standards.
I think it is possible to define security elements in the body part of the
SOAP message, not in the header part.
In my opinion, there would be a reason why the security element is described
in the header part in WS-Security.
If there is anyone who knows this reason or the trade-off between the two
approaches, please give me your opinion.

If you look at the history of messaging, there has always been the need
to separate metadata from the actual payload. MQSeries and JMS are prime
examples. They leverage information in the message headers for message
correlation, priority, etc... This normalizes the message, and provides
the ability to optimize message processing. The reasons are the same for
SOAP where one can reduce the amount of clutter that could go into
the actual payload, and normalize the message content for ease of
processing.

When it comes to WS-Security, there are many reasons for using SOAP
headers. For example, if you wish to sign the message body, would you
put the wsse element into the message body or header? What if there are
multiple signatures within the body? Seems to me that putting the
WS-Security wsse elements into the message body is a nightmare.

Finally, there is performance. If there aren't any headers, there is no
need to process WS-Security, WS-Addressing, etc... If everything is in
the body, it is more difficult to determine whether metadata processing
will need to be made or not.

Regards,
Bill
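
The two points in the reply above (signatures carried in the header while covering the body, and skipping security processing when no header is present), as an added example that is not part of the original thread. The envelopes, the Id values and the function name `security_plan` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": WSS + "secext-1.0.xsd",
    "wsu": WSS + "utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed samples. Digest and signature values are omitted: this sketch
# reads message structure only and does not verify any signature.
PLAIN = ('<soap:Envelope xmlns:soap="%(soap)s"><soap:Body><order/></soap:Body>'
         '</soap:Envelope>' % NS)
SIGNED = ('<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" '
          'xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s"><soap:Header><wsse:Security>'
          '<wsu:Timestamp wsu:Id="ts-1"/>'
          '<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>'
          '<ds:Reference URI="#ts-1"/></ds:SignedInfo></ds:Signature>'
          '<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>'
          '</ds:SignedInfo></ds:Signature>'
          '</wsse:Security></soap:Header>'
          '<soap:Body wsu:Id="body-1"><order/></soap:Body></soap:Envelope>' % NS)


def security_plan(envelope_xml):
    """Decide from the SOAP header alone what security processing is needed."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        # No wsse:Security header: the body can go straight to the application.
        return {"process_security": False, "signatures": 0,
                "signed_ids": [], "body_signed": False}
    signatures = security.findall("ds:Signature", NS)
    # Same-document references ("#id") named by every signature in the header.
    refs = security.iterfind("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    signed_ids = [r.get("URI")[1:] for r in refs
                  if r.get("URI", "").startswith("#")]
    body = root.find("soap:Body", NS)
    body_id = body.get(WSU_ID) if body is not None else None
    return {"process_security": True, "signatures": len(signatures),
            "signed_ids": signed_ids,
            "body_signed": body_id is not None and body_id in signed_ids}


if __name__ == "__main__":
    for name, xml in (("plain", PLAIN), ("signed", SIGNED)):
        print(name, security_plan(xml))
```

Both signatures sit side by side in the header and point at the body by its `wsu:Id`, so the payload itself stays untouched regardless of how many parties sign it.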