Probably no advantage, given the architecture you're describing. You're describing transport-level encryption and identification, WS-Security provides the same but at the message-level, the infrastructure of which can provide more flexibility for future needs--e.g., I can encrypt a SOAP request to withdraw funds from my bank account with the public key of the bank, send it to your third party web service which can't read the message but can still forward it off to the bank, which *can* read the message. Transport-level encryption alone would allow your third-party web service to read and understand the entire message--including sensitive bank account information.
Glen Rajeev jha wrote: > > Hi > Please excuse my ignorance. I am trying to understand why would you use > ws-security with certificates when you can do the client certificates > authentication at the apache /web server level? > > So assuming that the web services are published from a web server > (stand-alone tomcat or Apache proxying to tomcat) and you can use the web > server itself to verify the clients, why use WS-security? what is the > advantage? > > Thanks > > -rajeev. > -- View this message in context: http://www.nabble.com/why-would-you-use-ws-security-with-certificates--tp20268372p20269402.html Sent from the cxf-user mailing list archive at Nabble.com.
