Mikle More answers:
On Feb 19, 2008 7:54 PM, mikle <[EMAIL PROTECTED]> wrote:
> The clients are large organisations that will be submitting and pulling
> financial transaction. so a username and password is not enough

The Authentication mechanism in WS-Security allows the use of client certificates as well as u/p. So you can use a cert to authenticate and SSL to encrypt if you only need auth+encryption. That would be the simplest approach if those are your requirements.

> pzfreo wrote:
> > 1) Is it possible to access two-way SSL authentication information from a
> > web service? (assuming SSL is setup on the axis server - no reverse proxy)
> You can always access the Tomcat/Servlet/HTTP context, so if the SSL client
> cert information is available from the servlet context (which it is) you can
> get at it in your Axis2 service.
>
> Does this work when using axis without
> tomcat?

Yes this should work in any servlet container.

> pzfreo wrote:
> There is another alternative, which is to use WS-Trust and
> WS-SecureConversation. This makes life more efficient if you have more than
> one message exchange (which I'm guessing you will if this is a B2B sort of
> situation). Basically, the client uses UserName token or the X509 cert to
> set up the session. Then the server issues a token. The token acts as an
> ephemeral key which can be used for traditional symmetric encryption and
> signature. So now the conversation can proceed much more efficiently.
>
> WS-SecureConversation sounds interesting.. does it work with anonymous
> clients (behind a firewall)? Do you have any links to good implementation
> guides for SecureConv? I ran a quick search and all the results seem to
> point to the spec

There are samples in Axis2/Rampart/Rahas. In addition WSO2 has a "packaged" version of Axis2 (http://wso2.org/projects/wsas) that provides some help configuring WS-SC and Trust, including some pre-built policies.

> pzfreo wrote:
> Basically this is the model I described with WS-Trust and SecureConv.
> Effectively this models the session startup that SSL does in XML. The upside
> is the efficiency. The downside is that you need more "stuff". So for
> example, you can interoperate with .NET, but some older stacks don't do
> WS-SecConv and Trust.
>
> interop is important for this impl..but it seems that
> it is supported by the Sun and ibm stacks.. please correct me if I am wrong.

Sure, there are a number of stacks that support SecureConversation. I simply meant that WS-Security is *very* widely implemented whereas SC is newer.

Paul

--
Paul Fremantle
Co-Founder and VP of Technical Sales, WSO2
OASIS WS-RX TC Co-chair

blog: http://pzf.fremantle.org
[EMAIL PROTECTED]

"Oxygenating the Web Service Platform", www.wso2.com
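The servlet-context approach discussed in this thread, sketched as an added example (not code from the thread or from the Axis2 project). It assumes Axis2 is deployed in a servlet container whose HTTPS connector requires client certificates; the class name, method name and subject allowlist are hypothetical.

```java
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.transport.http.HTTPConstants;

// Hypothetical Axis2 POJO service; names below are illustrative only.
public class TransactionService {

    // Constructed sample subject DNs (RFC 2253 form); load real ones from configuration.
    private static final Set<String> ALLOWED_SUBJECTS = Set.of(
            "CN=client-a.example.org,O=Example Bank A,C=GB",
            "CN=client-b.example.org,O=Example Bank B,C=GB");

    public String submit(String payload) throws AxisFault {
        X509Certificate client = requireClientCert();
        return "accepted from " + client.getSubjectX500Principal().getName();
    }

    // Returns the caller's leaf certificate or fails closed with a fault.
    private static X509Certificate requireClientCert() throws AxisFault {
        MessageContext mc = MessageContext.getCurrentMessageContext();
        Object raw = (mc == null) ? null
                : mc.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        if (!(raw instanceof HttpServletRequest)) {
            throw new AxisFault("Request did not arrive through the servlet transport");
        }
        HttpServletRequest request = (HttpServletRequest) raw;
        if (!request.isSecure()) {
            throw new AxisFault("TLS is required");
        }
        // Standard Servlet API attribute, populated by the container after a
        // handshake in which the client presented a certificate chain.
        Object attr = request.getAttribute("javax.servlet.request.X509Certificate");
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            throw new AxisFault("Client certificate required");
        }
        // The chain is ordered leaf first. The container has already validated it
        // against its trust store; this check only decides authorisation.
        X509Certificate leaf = ((X509Certificate[]) attr)[0];
        String subject = leaf.getSubjectX500Principal().getName();
        if (!ALLOWED_SUBJECTS.contains(subject)) {
            throw new AxisFault("Certificate subject is not authorised");
        }
        return leaf;
    }
}
```

If TLS is terminated at a reverse proxy instead of the container, the attribute is absent and the service rejects the call, which matches the "no reverse proxy" assumption in the question.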
