Hi Oliver,

Le 07/04/2011 22:09, Oliver Wulff a écrit :
> WS-Trust and SAML gives you so many options for authentication and security 
> token transformation.
> So it really depends on the requirements you have like:
> - Is it secure enough for users to authenticate using username/password? Or 
> does each user require a certificate? Is it required that the security token 
> attached to the web service requests is protected against a man-in-the-middle 
> attack which grabs this token and sends requests on behalf of the other user. 
> Sometimes, it's enough to use HTTPS but in some cases, the service provider 
> wants to prove whether the caller is in the possession of a key which is only 
> known to him (and not to the "man-in-the-middle"). Then, you require SAML 
> Holder-Of-Key (HOK) subject confirmation.

Users absolutely need to access services using certificates, yes. All our
services are deployed into a secure container requesting client
certificates.

> - what are the requirements for the communication between the gateway and the 
> target services? Of course, you can't just delegate the SAML HOK token 
> because the intermediary is not in the possession of the secret.

Only one service must be able to get the client private key (proxy).
This service then sets up the environment for the other services.

> CXF 2.4 will have a lot of new functionality with respect to improved support 
> for SAML and WS-Trust. I'm currently working within a project where we want 
> to solve similar security challenges where it is a requirement that the 
> target service knows the original user.

Yes, I saw some email exchanges on the mailing list about WS-Trust, STS
etc. Let's hope that it can fit our needs.

I will keep you up to date if I manage to solve this issue. Please could
you do the same if you find something interesting before me ;-).

Thanks,
Best,
Jerome
-- 

=====================================================
Dr Jérôme Revillard
CTO MAAT France
www.maatg.com
=====================================================
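Added example (Python, not code from this thread or from CXF) of the check Oliver describes: a service that requires SAML Holder-of-Key subject confirmation verifies that the certificate presented by the caller over TLS is the one bound in the assertion, so a bearer token, or a HOK token replayed by the gateway with its own certificate, is rejected. The assertion structure and the certificate bytes are constructed, and verification of the assertion's XML signature is assumed to have been done already by the WS-Security layer.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def fingerprint(cert_der):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def hok_fingerprints(assertion_xml):
    """Fingerprints of the X.509 certs bound to the subject by holder-of-key
    confirmation. Bearer (or any other) confirmation contributes nothing."""
    root = ET.fromstring(assertion_xml)
    found = set()
    for sc in root.iterfind(".//saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue
        path = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        for cert in sc.iterfind(path, NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            found.add(fingerprint(der))
    return found


def caller_holds_key(assertion_xml, tls_client_cert_der):
    """Accept only if the TLS client cert on this request is one of the HOK certs."""
    return fingerprint(tls_client_cert_der) in hok_fingerprints(assertion_xml)


def build_assertion(method, cert_der=None):
    """Constructed minimal assertion for the demo (real ones are signed, carry Conditions, etc.)."""
    key_info = ""
    if cert_der is not None:
        b64 = base64.b64encode(cert_der).decode()
        key_info = (f'<saml:SubjectConfirmationData><ds:KeyInfo xmlns:ds="{NS["ds"]}">'
                    f"<ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data>"
                    "</ds:KeyInfo></saml:SubjectConfirmationData>")
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            "<saml:NameID>user@example.test</saml:NameID>"
            f'<saml:SubjectConfirmation Method="{method}">{key_info}</saml:SubjectConfirmation>'
            "</saml:Subject></saml:Assertion>")


USER_CERT = b"constructed DER bytes of the user's client certificate"
PROXY_CERT = b"constructed DER bytes of the gateway's own certificate"

if __name__ == "__main__":
    hok = build_assertion(HOK, USER_CERT)
    print(caller_holds_key(hok, USER_CERT))                   # True
    print(caller_holds_key(hok, PROXY_CERT))                  # False: gateway cannot replay it
    print(caller_holds_key(build_assertion(BEARER), USER_CERT))  # False: bearer is not HOK
```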

