cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rajeev jha <>
Subject Re: why would you use ws-security with certificates?
Date Mon, 03 Nov 2008 19:16:13 GMT

Thanks a ton!
I believe that for our requirements probably apache-SSL is good enough.
There is only one target server , no intermediaries and transport is on HTTP
only. Only hiccup maybe passing some info from client cert to web service
code, like CN etc.  

dkulp wrote:
> As Glen stated, WS-Security really has it's place when dealing with 
> intermediaries and such that may need to do limitted processing and/or 
> routing.    Also, things like standard HTTP proxy servers can have issues 
> with transport level certs.
> If you use transports other than HTTP, another issue comes up.   For
> example, 
> soap over JMS.   That would work fine with ws-security.
> Dan
> On Friday 31 October 2008 11:33:21 am Rajeev jha wrote:
>> Hi
>> Please excuse my ignorance. I am trying to understand why would you use
>> ws-security with certificates when you can do the  client certificates
>> authentication  at the apache /web server level?
>> So assuming that the web services are published from a web server
>> (stand-alone tomcat or Apache proxying to tomcat) and you can use the web
>> server itself to verify the clients, why use WS-security? what is the
>> advantage?
>> Thanks
>> -rajeev.
> -- 
> Daniel Kulp

View this message in context:
Sent from the cxf-user mailing list archive at

View raw message