No easy answer, as it all depends on the deployment environment that you
need to support.

Who is consuming the service?  Is it a portal?  Do you own the portal server
that is consuming it?  What about the service itself?  Do you own the whole
server?  Where are they located?  Are they both on a VPN?  What about
throughput?  Is your service deployed in a clustered, load balanced
environment?

All of these things factor in, I'm afraid.  It's a nasty, nasty problem
domain right now.  <plug>We're using WSS4J to apply WS-Security 1.0
compliant digital signatures to SOAP messages,</plug> but that's because we
need that level of security in our deployment environment.

Food for thought.
        -Jon

-----Original Message-----
From: Davanum Srinivas [mailto:[EMAIL PROTECTED]
Sent: Monday, March 15, 2004 10:37 PM
To: [EMAIL PROTECTED]
Subject: Re: Web Service Security - what's the best way to achieve it?


http://ws.apache.org/ws-fx/wss4j/

--- [EMAIL PROTECTED] wrote:
> Hi people,
>
> I am considering two different ways of using Certificate based authentication of a client
> connecting to our Web Service:
>
> 1. Certificate is contained in the HTTPS request. I intercept the Request in my Web Service, get
> the Certificate out of it, and do the authentication.
>
> 2. Certificate is contained in the signed SOAP Envelope. My Web Service (a Handler) gets the
> SOAPEnvelope, gets the Certificate out of it, and does the authentication.
>
> Which one of these options is the better one, what do you people think?
>
> Best regards,
>
> Zoltan Schreter
> Nokia/Finland
>
>


=====
Davanum Srinivas - http://webservices.apache.org/~dims/
