We implemented security at the transport level using SSL with client authentication. The good thing about this is that the web services code does not have to deal with security-related aspects at all. It works well, and in a predictable manner. We had a binary level of security: either a client can invoke the web service or not. We didn't have tiered security or different levels of authorization. Having to deal with that will complicate this solution.
The negative aspect is the overhead in managing all the certs and keys floating around and ensuring the security policy is well understood and adhered to.

The latest JAX-RPC comes with message-level security. You might want to explore that, but I believe the standardization in that area is not yet complete. So not sure about the level of interoperability needs on your project and the impact of using something non-standard.

-----Original Message-----
From: Marco Mistroni [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 4:43 AM
To: [EMAIL PROTECTED]
Subject: adding security to webservices in axis

Hello all,

I have a question for the axis mailing list. I would like to add security to my axis webservice, and I am looking for tips. What I want to avoid is going and modifying the web.xml in tomcat to add users.

I am sure that there is at least someone on this list who came across this problem. Any hints will be appreciated.

Thanks in advance and regards,
marco