On Sat, Jul 18, 2009 at 6:34 PM, K.C. Ramakrishna <kcramakris...@yahoo.com> wrote:
> 1. Application is Liferay (running in tomcat without Apache) which also has 
> Web Services.
> 2. There are clients (.NET, ruby..) which access these services after logging 
> in as a special user.

What kind of WS authentication are you using in this scenario? Is it
Basic HTTP authentication or SOAP authentication?


> 3. Currently both authentication and data transfer between Liferay and 
> clients is also on https (for the web services part).
> 4. I want to configure so that clients authenticate using https but the data 
> transfer is over http.

For webservices, using Basic HTTP authentication, there is only one
request that goes between the client and the server. It cannot be
split into two requests.


Client: Hi I am "Client" with password as "password" can you please
give me the response for this soap request message?
<SOAP:Envelope>
....request....
</SOAP:Envelope>


Server: OK. Valid user. here is the response
<SOAP:Envelope>
.... response.....
</SOAP:Envelope>

As you can see, there is only one request going between the client and
server. You cannot split the Webservice request into two requests, one
in HTTPS and the other in HTTP.

Also, HTTP sessions are generally not maintained across webservices
(not recommended). You lose the basic purpose of a webservice in this
case. You also lose out on the basics of security in a webservice.

> I read somewhere that https is approx 30% overhead compared to http.

How does it matter?
The 30% overhead mentioned is just at the protocol level. The actual
time taken by the webservice is because of your code.

Make sure that
1. Your service is atomic (following the rules of a "service")
2. Is your code, particularly the DB hits properly fine tuned?
3. Have you avoided unnecessary object creation, loops, etc?
4. Check your code using PMD, Checkstyle, FindBugs, etc... and FIX all

By the way, what is the peak traffic that you are expecting? will that
30% network overhead be an issue?
AFAIK, this 30% HTTPS overhead might become an issue, if you are
transacting data more than a couple of hundred MB over a SINGLE
service request. And if that is the case, your service architecture
needs to be revamped and re-written.


> a. Can we do this with just tomcat? What configurations should I make in 
> tomcat and/or apache? Can we do this without Apache in the picture?
> b. What changes do we need to make in the clients?

See above.
1. No point doing this.
2. Make sure that your service is cleanly defined and the code is
properly written


with regards,
Natarajan
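
An added illustration of the single-request point made in the reply above; it is not code from the thread or from Liferay. The URL, path and function names are assumptions, and the user name and password are the placeholder values from the reply's own illustration. It builds the one request a Basic-auth SOAP client sends, shows that the credentials decode without any key, and adds a client-side guard that refuses to send them over a non-HTTPS URL.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample envelope, mirroring the placeholder in the message above.
SOAP_BODY = "<SOAP:Envelope>....request....</SOAP:Envelope>"

def build_request(url, user, password, soap_body=SOAP_BODY):
    """Return the raw bytes of the one HTTP request a Basic-auth SOAP client sends."""
    parts = urlsplit(url)
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    body = soap_body.encode("utf-8")
    head = (
        f"POST {parts.path or '/'} HTTP/1.1\r\n"
        f"Host: {parts.netloc}\r\n"
        f"Authorization: Basic {token}\r\n"
        "Content-Type: text/xml; charset=utf-8\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    # Credentials and SOAP payload leave the client together, in one message.
    return head.encode("ascii") + body

def read_request(raw):
    """Parse a raw request the way the server, or any hop on a cleartext path, can."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    scheme, _, token = headers.get("authorization", "").partition(" ")
    creds = None
    if scheme.lower() == "basic":
        try:
            # Base64 is an encoding, not encryption: decoding needs no key.
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
            user, sep, pw = decoded.partition(":")
            creds = (user, pw) if sep else None
        except ValueError:
            creds = None
    return creds, body.decode("utf-8")

def safe_to_send(url, raw):
    """Client-side guard: refuse to put Basic credentials on a non-HTTPS URL."""
    creds, _ = read_request(raw)
    return creds is None or urlsplit(url).scheme.lower() == "https"
```
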