No easy answer, as it all depends on the deployment environment that you need to support.
Who is consuming the service? Is it a portal? Do you own the portal server that is consuming it? What about the service itself? Do you own the whole server? Where are they located? Are they both on a VPN? What about throughput? Is your service deployed in a clustered, load balanced environment? All of these things factor in, I'm afraid. It's a nasty, nasty problem domain right now.

<plug>We're using WSS4J to apply WS-Security 1.0 compliant digital signatures to SOAP messages,</plug> but that's because we need that level of security in our deployment environment.

Food for thought.

-Jon

-----Original Message-----
From: Davanum Srinivas [mailto:[EMAIL PROTECTED]
Sent: Monday, March 15, 2004 10:37 PM
To: [EMAIL PROTECTED]
Subject: Re: Web Service Security - what's the best way to achieve it?

http://ws.apache.org/ws-fx/wss4j/

--- [EMAIL PROTECTED] wrote:
> Hi people,
>
> I am considering two different ways of using Certificate based authentication of a client
> connecting to our Web Service:
>
> 1. Certificate is contained in the HTTPS request. I intercept the Request in my Web Service, get
> the Certificate out of it, and do the authentication.
>
> 2. Certificate is contained in the signed SOAP Envelope. My Web Service (a Handler) gets the
> SOAPEnvelope, gets the Certificate out of it, and does the authentication.
>
> Which one of these options is the better one, what do you people think?
>
> Best regards,
>
> Zoltan Schreter
> Nokia/Finland
>
>

=====
Davanum Srinivas - http://webservices.apache.org/~dims/