As Glen stated, WS-Security really has it's place when dealing with intermediaries and such that may need to do limitted processing and/or routing. Also, things like standard HTTP proxy servers can have issues with transport level certs.
If you use transports other than HTTP, another issue comes up. For example, soap over JMS. That would work fine with ws-security. Dan On Friday 31 October 2008 11:33:21 am Rajeev jha wrote: > Hi > Please excuse my ignorance. I am trying to understand why would you use > ws-security with certificates when you can do the client certificates > authentication at the apache /web server level? > > So assuming that the web services are published from a web server > (stand-alone tomcat or Apache proxying to tomcat) and you can use the web > server itself to verify the clients, why use WS-security? what is the > advantage? > > Thanks > > -rajeev. -- Daniel Kulp [EMAIL PROTECTED] http://dankulp.com/blog
