Hi Ali,
> >>3.) Now each requester's signature will be verified by the security
> >>module as and when it reaches the service.
> If it passes this step, can I say that "It is coming from one of my trusted
> senders and it's not intruded during transfer." ?
Yes.
> >>4.) At the service you can identify the client that sent the request
> >>using the information available in the message context.
> - Do you mean that "even the incoming message passes the 3rd step, I'm
> still not aware of the sender and if I want to identify the sender, I need
> to follow instructions in 4th step" ?
> - If your answer is "yes", is it possible to do this before executing any
> service instead of at the beginning of each service?
The answer to both questions is yes.
The inflow security handler will identify the sender and the
information is available in the results vector. You can obtain the
sender information at the service (when the operation is invoked)
before you perform any other processing. You can simply do it anywhere
you like.
Please note that you should obtain the message context at the service
by adding an init method as shown below:
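import org.apache.axis2.context.MessageContext;

public class ServiceClass {
    MessageContext ctx;

    // Called with the message context before the operation is invoked
    public void init(MessageContext msgCtx) {
        ctx = msgCtx;
    }

    // The operation that is exposed
    public void foo() {
        // Get the information from the msgCtx here and continue
    }
}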
>
> One more question. If I use client side certification based security model,
> do I still need to authenticate each message?
IMHO in the simplest case when you use the client's signature (i.e.
the request msg signed by the client) that itself authenticates the
client if the signature is valid and the cert is trusted. Therefore
you don't have to do any additional authentication.
Thanks,
Ruchith
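
Added example, not part of the original message: one way to read the signer out of the results vector inside the service, failing closed when no signature result is present. It assumes the WSS4J 1.5-era API (results stored under WSHandlerConstants.RECV_RESULTS, with getAction() and getCertificate() on WSSecurityEngineResult); the helper name signerCertificate is hypothetical.

```java
import java.security.cert.X509Certificate;
import java.util.Vector;

import org.apache.axis2.context.MessageContext;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

public class ServiceClass {
    private MessageContext ctx;

    // The message context is handed to the service before the operation runs
    public void init(MessageContext msgCtx) {
        ctx = msgCtx;
    }

    // The exposed operation: identify the signer before any other processing
    public void foo() {
        X509Certificate signer = signerCertificate(ctx);
        String subject = signer.getSubjectDN().getName();
        // Authorize "subject" against the application's own client list, then continue
    }

    // Hypothetical helper: returns the certificate behind the verified signature
    static X509Certificate signerCertificate(MessageContext msgCtx) {
        // Assumption: the inflow security handler stored its results under this key
        Vector results = (Vector) msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (results == null) {
            throw new SecurityException("No security results for this request");
        }
        for (int i = 0; i < results.size(); i++) {
            WSHandlerResult handlerResult = (WSHandlerResult) results.get(i);
            Vector engineResults = handlerResult.getResults();
            for (int j = 0; j < engineResults.size(); j++) {
                WSSecurityEngineResult r = (WSSecurityEngineResult) engineResults.get(j);
                // Only a signature result identifies the sender by certificate
                if (r.getAction() == WSConstants.SIGN && r.getCertificate() != null) {
                    return r.getCertificate();
                }
            }
        }
        throw new SecurityException("No signature result found for this request");
    }
}
```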