Hello Sonia,
Here's some info I was able to find.
High level: that assertion requires that the inbound message has the portions of the request needed to be WS-Secure compliant; if not, it will fail.
DOCOPS
The Require WS-Secure Conversation assertion allows you to require that request and response messages be secured using a secure conversation session. Specifically, messages must:
- Include a "SecurityContextToken" referencing an already-established WS-Secure Conversation session
- Include at least one element signed with the shared secret from this session as proof of possession of the session shared secret
The Require WS-Secure Conversation assertion is a credential source that saves the user that owns the session for later authorization via the Authenticate User or Group Assertion. This assertion can be used in tandem with the Protect Against Message Replay, Sign Element, and Encrypt Element assertions.
Some more information about using WS-Secure Conversation on the Gateway:
- The Require WS-Secure Conversation assertion, by itself, does not require that the request message contain a timestamp, and does not check the validity of any time stamp that might be present. To protect against stale or replayed messages, use the Require WS-Secure Conversation assertion with the Protect Against Message Replay Assertion.
- This assertion may behave unexpectedly if there are two users in different identity providers, with both recognizing the same certificate credentials.
- To enable persistence for WS-Secure Conversation sessions, set the cluster property wss.secureConversation.clusterSessions to "true". This will allow WSSC sessions to be shared between cluster nodes.
- Federated virtual users are not compatible with secure conversation. For more information on virtual users, see Federated Identity Provider Users and Groups.
WIKIPEDIA
Pros/Cons
Following a pattern similar to TLS, WS-SecureConversation establishes a kind of session key. The processing overhead for key establishment is reduced significantly when compared to WS-Security in the case of frequent message exchanges. However, a new layer is put on top of WS-Security, that implies other WS-* protocols like WS-Addressing and WS-Trust. So the importance of performance has to be compared to the added complexity and dependencies. See the performance section in WS-Security.
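Added example, not part of the original reply and not the Gateway's own logic: a structural pre-check that reports whether a request carries the pieces the quoted documentation lists (a SecurityContextToken, a signature keyed to it) and whether a timestamp is present for replay protection. It assumes SOAP 1.1, the 2005/02 WS-SecureConversation namespace, and a signature that references the token directly by `wsu:Id`; the function name and sample message are constructed, and no signature is cryptographically verified.

```python
import xml.etree.ElementTree as ET

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsc": "http://schemas.xmlsoap.org/ws/2005/02/sc",  # assumed WS-SC version
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def check_wssc_request(xml_text):
    """Structural check only: reports which parts are present, verifies no signature."""
    found = {"sct": False, "signed_with_sct": False, "timestamp": False}
    sec = ET.fromstring(xml_text).find("s:Header/wsse:Security", NS)
    if sec is None:
        return found
    sct = sec.find("wsc:SecurityContextToken", NS)
    sct_ref = None
    if sct is not None and (sct.findtext("wsc:Identifier", "", NS) or "").strip():
        found["sct"] = True
        sct_id = sct.get("{%s}Id" % NS["wsu"])
        sct_ref = "#" + sct_id if sct_id else None
    for sig in sec.findall("ds:Signature", NS):
        key = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        covers = sig.findall("ds:SignedInfo/ds:Reference", NS)
        if sct_ref and key is not None and key.get("URI") == sct_ref and covers:
            found["signed_with_sct"] = True
    # Not required by the assertion itself; needed for Protect Against Message Replay.
    found["timestamp"] = sec.find("wsu:Timestamp", NS) is not None
    return found

# Constructed sample request (placeholder identifier, signature values omitted).
SAMPLE = """<s:Envelope xmlns:s="{s}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
    xmlns:wsc="{wsc}" xmlns:ds="{ds}">
 <s:Header><wsse:Security>
  <wsc:SecurityContextToken wsu:Id="sct-1">
   <wsc:Identifier>urn:uuid:example-session</wsc:Identifier>
  </wsc:SecurityContextToken>
  <ds:Signature>
   <ds:SignedInfo><ds:Reference URI="#body-1"/></ds:SignedInfo>
   <ds:KeyInfo><wsse:SecurityTokenReference>
    <wsse:Reference URI="#sct-1"/>
   </wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
 </wsse:Security></s:Header>
 <s:Body wsu:Id="body-1"/>
</s:Envelope>""".format(**NS)

if __name__ == "__main__":
    print(check_wssc_request(SAMPLE))
```

For the sample, the token and signature are found but the timestamp is not, which matches the note above that the assertion alone does not require one.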