Hi Zoltan,

You can also consider not handling the certificate yourself. When you deploy Axis on a webserver, you can ask the webserver to authenticate using client certificates for the axis web application. Depending on whether the default behavior works for you, this can turn out to be the easiest solution.

Which webserver are you using?

Regards,
Abhinav

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, March 15, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: Web Service Security - what's the best way to achieve it?

Hi people,

I am considering two different ways of using Certificate based authentication of a client connecting to our Web Service:

1. Certificate is contained in the HTTPS request. I intercept the Request in my Web Service, get the Certificate out of it, and do the authentication.
2. Certificate is contained in the signed SOAP Envelope. My Web Service (a Handler) gets the SOAPEnvelope, gets the Certificate out of it, and does the authentication.

Which one of these options is the better one, what do you people think?

Best regards,
Zoltan Schreter
Nokia/Finland
