The clients are large organisations that will be submitting and pulling financial transactions, so a username and password is not enough.

pzfreo wrote:
>
>> 1) Is it possible to access two-way SSL authentication information from a
>> web service? (assuming SSL is set up on the Axis server - no reverse
>> proxy)
> You can always access the Tomcat/Servlet/HTTP context, so if the SSL
> client cert information is available from the servlet context (which
> it is) you can get at it in your Axis2 service.
>

Does this work when using Axis without Tomcat?

pzfreo wrote:
>
> There is another alternative, which is to use WS-Trust and
> WS-SecureConversation. This makes life more efficient if you have more
> than one message exchange (which I'm guessing you will if this is a
> B2B sort of situation). Basically, the client uses UserName token or
> the X509 cert to set up the session. Then the server issues a token.
> The token acts as an ephemeral key which can be used for traditional
> symmetric encryption and signature. So now the conversation can
> proceed much more efficiently.
>

WS-SecureConversation sounds interesting. Does it work with anonymous clients (behind a firewall)? Do you have any links to good implementation guides for SecureConv? I ran a quick search and all the results seem to point to the spec.

pzfreo wrote:
>
> Basically this is the model I described with WS-Trust and SecureConv.
> Effectively this models the session startup that SSL does in XML. The
> upside is the efficiency. The downside is that you need more "stuff".
> So for example, you can interoperate with .NET, but some older stacks
> don't do WS-SecConv and Trust.
>

Interop is important for this impl, but it seems that it is supported by the Sun and IBM stacks. Please correct me if I am wrong.

--
View this message in context: http://www.nabble.com/WS-Security%2C-SSL-or-both-tp15549089p15562519.html
Sent from the Axis - User mailing list archive at Nabble.com.
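
An added example, not code from this thread or from the Axis2 project: one way a service class can read the two-way SSL client certificate through the servlet request, as the quoted reply describes, and refuse callers it does not recognise. The class name, the `submit` operation and the allowlist entry are hypothetical; it assumes the service is deployed under a servlet container with client authentication enabled, and it treats a missing servlet request (assumed to be the case outside a servlet container) as "no certificate".

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.transport.http.HTTPConstants;

public class TransactionService {
    // Constructed sample allowlist of client subjects (RFC 2253 form, placeholder value).
    private static final Set<String> ALLOWED_SUBJECTS =
            Set.of("CN=client-a.example,O=Example Bank,C=GB");

    /** Hypothetical operation: only proceeds for a known, currently valid client cert. */
    public String submit(String payload) throws AxisFault {
        X509Certificate cert = clientCertificate();
        if (cert == null) {
            // Fail closed: no servlet request, or the TLS handshake had no client cert.
            throw new AxisFault("No TLS client certificate available for this request");
        }
        try {
            cert.checkValidity(); // the container checks the chain; re-check dates here
        } catch (CertificateException e) {
            throw new AxisFault("Client certificate is expired or not yet valid", e);
        }
        String subject = cert.getSubjectX500Principal().getName();
        if (!ALLOWED_SUBJECTS.contains(subject)) {
            throw new AxisFault("Client certificate subject is not authorised");
        }
        return "accepted from " + subject;
    }

    /** Returns the caller's leaf certificate, or null when none is reachable. */
    static X509Certificate clientCertificate() {
        MessageContext mc = MessageContext.getCurrentMessageContext();
        if (mc == null) {
            return null;
        }
        Object req = mc.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        if (!(req instanceof HttpServletRequest)) {
            return null; // assumption: property is absent outside a servlet container
        }
        // Standard servlet attribute holding the client's certificate chain, leaf first.
        Object chain = ((HttpServletRequest) req)
                .getAttribute("javax.servlet.request.X509Certificate");
        if (chain instanceof X509Certificate[] && ((X509Certificate[]) chain).length > 0) {
            return ((X509Certificate[]) chain)[0];
        }
        return null;
    }
}
```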
