axis-java-user mailing list archives

From "Anderson Jonathan" <>
Subject RE: Web Service Security - what's the best way to achieve it?
Date Tue, 16 Mar 2004 16:35:09 GMT
No easy answer, as it all depends on the deployment environment that you
need to support.

Who is consuming the service?  Is it a portal?  Do you own the portal server
that is consuming it?  What about the service itself?  Do you own the whole
server?  Where are they located?  Are they both on a VPN?  What about
throughput?  Is your service deployed in a clustered, load balanced

All of these things factor in, I'm afraid.  It's a nasty, nasty problem
domain right now.  <plug>We're using WSS4J to apply WS-Security 1.0
compliant digital signatures to SOAP messages,</plug> but that's because we
need that level of security in our deployment environment.

Food for thought.

-----Original Message-----
From: Davanum Srinivas []
Sent: Monday, March 15, 2004 10:37 PM
Subject: Re: Web Service Security - what's the best way to achieve it?

--- wrote:
> Hi people,
> I am considering two different ways of using Certificate based authentication of a client
> connecting to our Web Service:
> 1. Certificate is contained in the HTTPS request. I intercept the Request in my Web Service, get
> the Certificate out of it, and do the authentication.
> 2. Certificate is contained in the signed SOAP Envelope. My Web Service (a Handler) gets the
> SOAPEnvelope, gets the Certificate out of it, and does the authentication.
> Which one of these options is the better one, what do you people think?
> Best regards,
> Zoltan Schreter
> Nokia/Finland

Davanum Srinivas -
