This invention relates generally to security. More specifically, the invention relates to high-performance Web Services Secure Conversation.
Presently, many error conditions in Web Services Secure Conversation (WS-SC) exist in the management of Secure Conversation Tokens (SCTs). Current implementations of WS-SC are unable to handle heavy traffic load, especially when handling the SCT bootstrap, SCT cancel, and SCT renew exchanges.
Further, in WS-SC, conversations between the client and the server are protected by the SCT. The SCT is a shared secret that is generated by the Security Token Service (STS) on the server side, exchanged with a WS-Trust bootstrap message, and maintained at both the client and the server. When the SCT expires, the client sends an SCT renew request message, and the new SCT is used to protect the subsequent conversation messages between the client and the server. Both client and server will reject a message if an expired SCT is used to protect it. As such, under heavy message load the conversation message exchange and the SCT renew will not be synchronized. There will therefore be race conditions in which the SCT on the two sides is out of sync, multiple bootstrap or renew message exchanges occur, and some expired SCTs cause message failures.
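The race just described can be made concrete with a small model of the SCT lifecycle. The following is an added example, not code from the patent or from any WS-SC implementation: an STS that bootstraps and renews tokens, a client that binds each message to its current SCT with an HMAC, and a server that rejects messages whose SCT is unknown or expired. Two scenarios reproduce the failure modes in the text: a message protected just before expiry that is verified only after sitting in the server queue under load, and two concurrent renew requests for the same expired SCT that mint two different tokens. The grace window and idempotent renew shown alongside are common mitigations assumed for illustration, not the invention's method; the lifetime, delay and message values are constructed.

```python
"""Model of the WS-SC SCT expiry/renew race (constructed example, not the patent's method)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class SCT:
    """Secure Conversation Token: shared secret plus its expiry (simulated)."""
    token_id: str
    secret: bytes
    expires_at: float


class STS:
    """Server-side Security Token Service: bootstraps and renews SCTs."""

    def __init__(self, lifetime: float):
        self.lifetime = lifetime
        self.tokens: dict[str, SCT] = {}        # token_id -> SCT known to the server
        self.renewed_from: dict[str, str] = {}  # old token_id -> replacement token_id

    def bootstrap(self, now: float) -> SCT:
        sct = SCT(secrets.token_hex(4), secrets.token_bytes(32), now + self.lifetime)
        self.tokens[sct.token_id] = sct
        return sct

    def renew(self, old_id: str, now: float, idempotent: bool) -> SCT:
        # Without idempotency, two concurrent renew requests for the same expired
        # token mint two different SCTs, so client and server can disagree about
        # which secret protects the next message. Idempotent renew (assumed
        # mitigation) returns the replacement already issued for that old token.
        if idempotent and old_id in self.renewed_from:
            return self.tokens[self.renewed_from[old_id]]
        sct = self.bootstrap(now)
        self.renewed_from[old_id] = sct.token_id
        return sct


def protect(sct: SCT, body: bytes) -> tuple:
    """Client side: bind the message body to the current SCT with an HMAC."""
    return sct.token_id, hmac.new(sct.secret, body, hashlib.sha256).hexdigest(), body


def verify(sts: STS, msg: tuple, now: float, grace: float = 0.0) -> str:
    """Server side: reject unknown, expired (beyond any grace window) or tampered messages."""
    token_id, mac, body = msg
    sct = sts.tokens.get(token_id)
    if sct is None:
        return "reject:unknown-token"
    if now > sct.expires_at + grace:
        return "reject:expired"
    expected = hmac.new(sct.secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "reject:bad-mac"
    return "accept"


def in_flight_race(queue_delay: float, grace: float = 0.0) -> str:
    """A message protected at t=9.5 with a 10s SCT is verified only after queue_delay seconds."""
    sts = STS(lifetime=10.0)
    sct = sts.bootstrap(now=0.0)
    msg = protect(sct, b"order-42")  # constructed body; SCT still valid on the client at t=9.5
    return verify(sts, msg, now=9.5 + queue_delay, grace=grace)


def duplicate_renew(idempotent: bool) -> bool:
    """Two renew requests race for the same expired SCT; True if both receive the same token."""
    sts = STS(lifetime=10.0)
    old = sts.bootstrap(now=0.0)
    a = sts.renew(old.token_id, now=10.0, idempotent=idempotent)
    b = sts.renew(old.token_id, now=10.0, idempotent=idempotent)
    return a.token_id == b.token_id


if __name__ == "__main__":
    print("no queueing:", in_flight_race(queue_delay=0.0))
    print("queued 1s under load:", in_flight_race(queue_delay=1.0))
    print("queued 1s, 2s grace window:", in_flight_race(queue_delay=1.0, grace=2.0))
    print("renew x2, naive STS:", duplicate_renew(idempotent=False))
    print("renew x2, idempotent STS:", duplicate_renew(idempotent=True))
```

Running the script shows the first message accepted, the same message rejected as expired once a one-second queue delay pushes verification past the SCT's expiry, and accepted again when the server tolerates a short grace window after expiry. The renew scenario shows the naive STS handing out two different tokens for one expired SCT, which is exactly the out-of-sync state the text describes, while the idempotent STS returns the same replacement to both requests.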
Thus, the following considerations should be made. Synchronous and asynchronous message exchange between client and service. A combination of stacks where WS-SC may be combined with other Web Services protocols, such as WS-ReliableMessaging (WS-RM) and/or WS-MakeConnection (WS-MC). Cluster environments where many servers work together as a computer cluster to serve WS conversations concurrently. Interoperability where the client or server may be from another vendor without any direct control over its behavior. Security, which needs to distinguish properly protected messages from invalid messages during run-time security policy enforcement. Hence, these and other shortcomings in the art are remedied by the present invention.
In the appended figures, similar components and/or features may have the same numerical reference label. Further, various components of the same type may be distinguished by following the reference label by a letter that distinguishes among the similar components and/or features. If only the first numerical reference label is used in the specification, the description is applicable to any one of the similar components and/or features having the same first numerical reference label irrespective of the letter suffix.