Thanks a ton! I believe that for our requirements probably apache-SSL is good enough. There is only one target server , no intermediaries and transport is on HTTP only. Only hiccup maybe passing some info from client cert to web service code, like CN etc.
dkulp wrote: > > > As Glen stated, WS-Security really has it's place when dealing with > intermediaries and such that may need to do limitted processing and/or > routing. Also, things like standard HTTP proxy servers can have issues > with transport level certs. > > If you use transports other than HTTP, another issue comes up. For > example, > soap over JMS. That would work fine with ws-security. > > Dan > > > On Friday 31 October 2008 11:33:21 am Rajeev jha wrote: >> Hi >> Please excuse my ignorance. I am trying to understand why would you use >> ws-security with certificates when you can do the client certificates >> authentication at the apache /web server level? >> >> So assuming that the web services are published from a web server >> (stand-alone tomcat or Apache proxying to tomcat) and you can use the web >> server itself to verify the clients, why use WS-security? what is the >> advantage? >> >> Thanks >> >> -rajeev. > > > > -- > Daniel Kulp > [EMAIL PROTECTED] > http://dankulp.com/blog > > -- View this message in context: http://www.nabble.com/why-would-you-use-ws-security-with-certificates--tp20268372p20308758.html Sent from the cxf-user mailing list archive at Nabble.com.
