
How secure is Message Authentication over SSL?

Joined: 2011-08-12

We develop a web service for a point-to-point scenario only, so security on the transport layer is chosen to gain better performance. Among the security policies supported by WSIT: "The Message Authentication over SSL mechanism attaches a cryptographically secured identity or authentication token with the message and use SSL for confidentiality protection" Quoted from

Does it protect data integrity?

The Metro guide gives too little information about this. It only says this mechanism protects confidentiality. From the WSIT tutorial, the client trust store has to be imported with the server's credential. And with that the client application can encrypt the data exchange.

But for integrity, data has to be signed. I wonder whether the SSL handshake is handled (by WSIT) with some client's private session key exchange behind the scenes automatically or not? If yes, how long does the session key remain (for each request/response or for a period of time)?

Amazon EC, for example: all SOAP requests are sent over SSL. But in addition, they also require messages to be hashed and signed for integrity (BinarySecurityToken profile). Does it mean SSL does not protect data integrity???

Does it protect from replay attacks?

Other WS-Security policies like Asymmetric and Symmetric Binding have a timestamp element to protect the message from replay attacks. How about Message Authentication over SSL?

Thank you very much.

Joined: 2003-12-10

Sorry for the late reply. Have you tried out a sample with the Message Authentication over SSL mechanism?

You will see that a timestamp is included in the Message Security Header. There is a WS-Policy Assertion <sp:IncludeTimestamp /> that controls the presence of timestamp.

As for SSL, Metro does not handle the SSL handshake on its own but instead depends on facilities in the underlying container to set up SSL. So in the default case SSL needs to be set up in GlassFish.

SSL does provide integrity protection (All data packets exchanged include message integrity checks. An integrity check failure causes a connection to be closed.)
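
Added example (not part of the reply above and not Metro's own code): a receiver-side freshness check on the wsu:Timestamp that the reply says appears in the Message Security Header, showing how Created/Expires bound the time a captured message stays acceptable. The sample envelope is constructed, and the skew and max_ttl values are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

# Constructed sample message (not captured from a real service).
SAMPLE = """<S:Envelope xmlns:S="{S}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}">
  <S:Header><wsse:Security>
    <wsu:Timestamp wsu:Id="ts-1">
      <wsu:Created>2011-08-12T10:00:00Z</wsu:Created>
      <wsu:Expires>2011-08-12T10:05:00Z</wsu:Expires>
    </wsu:Timestamp>
  </wsse:Security></S:Header>
  <S:Body/>
</S:Envelope>""".format(**NS)

def _utc(text):
    # Parse an xsd:dateTime and insist on an explicit time zone.
    value = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    if value.tzinfo is None:
        raise ValueError("timestamp has no time zone")
    return value

def check_timestamp(envelope_xml, now, skew=timedelta(minutes=5),
                    max_ttl=timedelta(minutes=10)):
    """Return (accepted, reason) for the wsu:Timestamp in the security header."""
    root = ET.fromstring(envelope_xml)
    stamps = root.findall("S:Header/wsse:Security/wsu:Timestamp", NS)
    if len(stamps) != 1:
        return False, "expected exactly one wsu:Timestamp"
    created = stamps[0].findtext("wsu:Created", namespaces=NS)
    expires = stamps[0].findtext("wsu:Expires", namespaces=NS)
    if created is None or expires is None:
        # Policy choice of this example: require both elements.
        return False, "Created and Expires are both required"
    try:
        created, expires = _utc(created), _utc(expires)
    except ValueError:
        return False, "unparseable timestamp"
    if created > now + skew:
        return False, "Created is in the future"
    if expires <= created or expires - created > max_ttl:
        return False, "lifetime is invalid or too long"
    if now > expires + skew:
        return False, "message expired"
    return True, "fresh"
```

A timestamp only narrows the replay window: a duplicate sent before Expires still passes this check unless the receiver also remembers messages it has already seen.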


Joined: 2011-08-12

Long time and no replies. Then I need someone (experienced with GlassFish) to at least confirm the following statement for me:

If I configure GlassFish with:


any request via https endpoint will be protected with data integrity.