Appendix B. WS-SecureConversation
Consider a front-end application that uses SOAP message exchanges to invoke the services offered by a back-end application. If you have read chapters 3-8, you already know how to secure these message exchanges. Using WS-Security, the front-end and back-end applications can add security tokens needed for authentication, encryption/decryption, and signing/verifying signatures to each message. Observe that we are emphasizing the need to add the required tokens to each and every message. Is this really necessary? If the front-end application is going to exchange a series of SOAP messages with the back-end application, is it possible to authenticate just once, or exchange the keys used for encryption/decryption and signing/verifying signatures just once?
For performance reasons, the answer to these questions should be “yes.” But SOAP, for good reasons,[1] does not by itself provide a mechanism to tie a message to a past message. That is, SOAP is a stateless protocol. However, a SOAP extension is free to introduce a mechanism to tie together a series of message exchanges into a “conversation.” WS-SecureConversation is one such extension, and its purpose is to provide for the establishment and maintenance of a security context across different messages in a conversation.
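The following is an added example, not code from the book, that models the idea in the two paragraphs above: authenticate and agree on keying material once, then let every later message reference that security context instead of carrying fresh authentication tokens. The one-time establishment is simulated locally with a random secret (in the real protocol it is done with a WS-Trust exchange), the message layout is a plain dictionary rather than SOAP/XML, and the function names and the label string are constructed for this example. What is faithful to WS-SecureConversation is the key-derivation construction: per-message keys are derived from the context secret with P_SHA1, the HMAC-SHA1 chain from the TLS PRF, seeded with a label and a nonce.

```python
"""Minimal model of a WS-SecureConversation style security context (added example,
not the book's code).  Bootstrap once, then protect each message with a key derived
from the shared context secret; the receiver also enforces message ordering so a
captured message cannot be replayed into the conversation."""
import hashlib
import hmac
import secrets


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 from the TLS PRF, the derivation WS-SecureConversation uses for
    derived keys:  A(0) = seed,  A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


class SecurityContext:
    """State both parties hold after the one-time establishment exchange."""

    def __init__(self, context_id: str, secret: bytes, label: bytes):
        self.context_id = context_id   # reference sent in later messages
        self.secret = secret           # never sent again after establishment
        self.label = label             # constructed label; the spec defines its own default
        self.next_seq = 0              # receiver side: next sequence number accepted

    def derive_key(self, nonce: bytes, length: int = 32) -> bytes:
        """Fresh per-message key from the context secret, label and nonce."""
        return p_sha1(self.secret, self.label + nonce, length)


def establish_context(label: bytes = b"ExampleLabel") -> SecurityContext:
    """Stands in for the WS-Trust issue exchange that creates the context.
    Constructed: the identifier and shared secret are generated locally."""
    context_id = "urn:uuid:" + secrets.token_hex(16)
    return SecurityContext(context_id, secrets.token_bytes(32), label)


def _mac_input(context_id: str, seq: int, nonce: bytes, body: bytes) -> bytes:
    # Bind context id, sequence number, nonce and body together so that none of
    # them can be swapped into a different message without breaking the MAC.
    return context_id.encode() + seq.to_bytes(8, "big") + nonce + body


def protect_message(ctx: SecurityContext, seq: int, body: bytes) -> dict:
    """Sender: attach a context reference, nonce and MAC under a derived key."""
    nonce = secrets.token_bytes(16)
    key = ctx.derive_key(nonce)
    mac = hmac.new(key, _mac_input(ctx.context_id, seq, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"context": ctx.context_id, "seq": seq, "nonce": nonce.hex(),
            "body": body, "mac": mac}


def verify_message(ctx: SecurityContext, msg: dict) -> bool:
    """Receiver: accept only messages for this context, in order, with a valid MAC."""
    if msg["context"] != ctx.context_id:
        return False                       # belongs to another conversation
    if msg["seq"] != ctx.next_seq:
        return False                       # replayed or out-of-order message
    nonce = bytes.fromhex(msg["nonce"])
    key = ctx.derive_key(nonce)
    expected = hmac.new(key, _mac_input(ctx.context_id, msg["seq"], nonce, msg["body"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["mac"]):
        return False                       # body or header tampered with
    ctx.next_seq += 1
    return True


def demo() -> bool:
    """Run a short conversation: two good messages, one replay, one tampered body."""
    client = establish_context()
    # The back end keeps its own copy of the established state (constructed).
    server = SecurityContext(client.context_id, client.secret, client.label)
    first = protect_message(client, 0, b"<getBalance/>")
    second = protect_message(client, 1, b"<transfer amount='10'/>")
    ok = verify_message(server, first) and verify_message(server, second)
    replay_rejected = not verify_message(server, first)
    tampered = protect_message(client, 2, b"<transfer amount='10'/>")
    tampered["body"] = b"<transfer amount='1000'/>"
    tamper_rejected = not verify_message(server, tampered)
    return ok and replay_rejected and tamper_rejected


if __name__ == "__main__":
    print("conversation checks passed:", demo())
```

Two design points carry over to the real protocol: the long-lived secret is used only as input to a derivation, so each message is protected under a different key, and the sequence number is covered by the MAC, which is what lets the receiver tie a message to its predecessors in the conversation.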