Hi Stefan

My plan is to add email transport to axis/jboss.net (I have a simple test that is capable of receiving, processing and responding to an email).

I already am performing SOAP via HTTPS. For my use this seems secure enough. Using digest authentication would perhaps add some mild data integrity checking to the mix for basic HTTP.

Initially I want to use XML digital signatures for authentication via email. Then once that is functional add XML encryption to the mix.

My need is simply point to point (no intermediaries). However, if this is implemented properly it could be easily used with HTTP, or any other transport also.

XML-security seems like such a core technology for web services to be useful to enterprise that I am surprised there is not already an effort to implement it. It seems (to me anyway) that being sure of the validity and security of the data traveling via a web service would be a primary requirement of any business that sends their data over any network. That being said, there don't seem to be any final specifications for XML-security (well, the encryption part anyway) as it would be implemented in SOAP.

-jason

On Friday, November 8, 2002, at 02:03 AM, Stefan Carlsson wrote:

Hi Jason !

I have also been thinking about this issue... I'd be
glad if someone could comment on this contribution...

I would say it depends on who you should serve with
your service. It also depends on what kind of information
you are going to send. If you are going to do a b2b
solution and need high security then I would suggest
that you use both server and client authentication over
SSL. Also, you might want to use XML digital signatures
for further protection.

If you only use XML-encryption your data might not be
read but can be tampered with, so it's not secure enough.

I have tried Axis1.0 over SSL. I used WSDL2Java-generated
classes and encountered some problems with (if I remember
it right) Axis' SSLSocketFactory...


Just my 2 cents...

Regards,
stefan


