Bruce Edge wrote:
Can someone give me a short description of the differences between these 2
methods:
http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the
Hi Bruce,
Above is using Message level security provided by WS-Security to secure
the web service communication.
Below is using Transport level security provided by HTTPS to secure web
service communication.
http://www.jroller.com/gmazza/entry/setting_up_ssl_and_basic
Thanks
-Bruce
Transport layer security handles underlying transport, i.e. it cares
from the point when you data comes onto the transport pipe and leaves
the transport pipe. If you have multiple hops in between producer and
consumer, then there could be data flow pipes where your message is not
secured. Like, in the cases where you have Producer on System 1,
intermediate consumer on System 2 and Final Consumer at System 2. Then,
there is leak between Intermediate consumer and final consumer.
Also, another deficiency with *Transport layer* security is that you
don't have control over securing specific data. For example, if you are
sending Customer Information (name, address, product-purchased, delivery
address of customer and Credit card information), then in this case you
can't control securing only Credit Card Information, all the other
customer information would also be secured by channel, i.e. an extra
overhead in processing and data transferred.
Whereas in *Message Layer* Security you can secure your message
'end-to-end', i.e. from Initial Source to Final Destination. You can
also customize what need to be secured and what can be passed as plain text.
With Regards.
Mayank
