axis-java-user mailing list archives

From "Anderson Jonathan" <anderson_jonat...@bah.com>
Subject RE: Web Service Security - what's the best way to achieve it?
Date Tue, 16 Mar 2004 16:35:09 GMT
No easy answer, as it all depends on the deployment environment that you
need to support.

Who is consuming the service?  Is it a portal?  Do you own the portal server
that is consuming it?  What about the service itself?  Do you own the whole
server?  Where are they located?  Are they both on a VPN?  What about
throughput?  Is your service deployed in a clustered, load balanced
environment?

All of these things factor in, I'm afraid.  It's a nasty, nasty problem
domain right now.  <plug>We're using WSS4J to apply WS-Security 1.0
compliant digital signatures to SOAP messages,</plug> but that's because we
need that level of security in our deployment environment.

Food for thought.
	-Jon

-----Original Message-----
From: Davanum Srinivas [mailto:dims@yahoo.com]
Sent: Monday, March 15, 2004 10:37 PM
To: axis-user@ws.apache.org
Subject: Re: Web Service Security - what's the best way to achieve it?


http://ws.apache.org/ws-fx/wss4j/

--- Ext-Zoltan.Schreter@nokia.com wrote:
> Hi people,
>
> I am considering two different ways of using Certificate based authentication of a client
> connecting to our Web Service:
>
> 1. Certificate is contained in the HTTPS request. I intercept the Request in my Web Service, get
> the Certificate out of it, and do the authentication.
>
> 2. Certificate is contained in the signed SOAP Envelope. My Web Service (a Handler) gets the
> SOAPEnvelope, gets the Certificate out of it, and does the authentication.
>
> Which one of these options is the better one, what do you people think?
>
> Best regards,
>
> Zoltan Schreter
> Nokia/Finland
>
>


=====
Davanum Srinivas - http://webservices.apache.org/~dims/

