I am new to web service security and need to secure B2B web services over the web with a "hub-and-spoke" setup... so clients will be consuming services provided by 1 server
The messages will be fairly large - arrays with about 500 elements with 2 13k attachments for each. so performance/msg size is a big issue.. I've been reading articles comparing WS-Security and SSL.. and it seems to basically boil down to: SSL: simple, point-to-point, can be optimized using acceleration h/w WS-Security: flexible, end-to-end The web method implementations must be aware of the client identity... so authentication information must be available to the web method.. 1) Is it possible to access two-way SSL authentication information from a web service? (assuming SSL is setup on the axis server - no reverse proxy) 2) if not.. would it make sense to have one-way SSL for encryption and XML-Signature for authentication? how would that perform? Would XML-Signature increase the message size drastically? Any alternatives? 3) I also read that PK encryption is too intensive for message encryption.. and is normally used to to exchange a session key - does the performance problem apply to digital signatures? is the session key exchange part of the Ws-Security spec or do I have to develop a web method that generates the session key? Thanks, Mike -- View this message in context: http://www.nabble.com/WS-Security%2C-SSL-or-both-tp15549089p15549089.html Sent from the Axis - User mailing list archive at Nabble.com. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
