Hi Tim,
 
X.509 certificates seem like a good solution for this problem. You can either set up your own issuer
(CA) or use a commercial one (ehrm :)
 
The CA issues certs to the set of allowed clients, who would then use these to authenticate and encrypt.
You would simply check on the server that the client connects with a cert issued by the CA.
 
Hans
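The approach Hans describes, as an added example that is not part of this thread and not wss4j code: a private CA issues one certificate per allowed client, and the service's TLS listener accepts a connection only if the client certificate it is shown chains to that CA. It is written in Go with only the standard library so it runs stand-alone; the helper names (`sign`, `handshake`), the CA and client names, and the loopback socket are assumptions made for the demo. It runs three clients against the service: a certificate issued by the service's own CA (accepted), an equally valid certificate from a different CA (rejected), and the service's own certificate presented as a client certificate (rejected, wrong extended key usage).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// sign generates a fresh P-256 key for cn and returns it together with a
// certificate issued by issuer, or a self-signed root CA when issuer is nil.
// The returned tls.Certificate carries the parsed certificate in Leaf.
func sign(issuer *tls.Certificate, cn string, usage x509.ExtKeyUsage) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // serials must be positive
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	parent, signer := tmpl, any(key) // self-signed unless an issuer is given
	if issuer == nil { // root CA: mark it as such and drop the leaf-only fields
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage, tmpl.DNSNames = x509.KeyUsageCertSign, nil, nil
	} else {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// handshake runs one mutual-TLS handshake over a loopback socket. The server
// requires a client certificate that chains to root, which is the check Hans
// describes, and returns the CommonName it accepted or its rejection error.
func handshake(serverCert, clientCert tls.Certificate, root *x509.Certificate) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	trusted := x509.NewCertPool() // the trust store holds only our own CA
	trusted.AddCert(root)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no cert, or one not chaining to ClientCAs, fails
		ClientCAs:    trusted,
		MinVersion:   tls.VersionTLS12,
	}
	clientCfg := &tls.Config{Certificates: []tls.Certificate{clientCert}, RootCAs: trusted, ServerName: "service"}
	go func() { // client side; only the server's verdict is reported
		if conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
			conn.Read(make([]byte, 1)) // stay connected until the server hangs up
			conn.Close()
		}
	}()
	raw, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	server := tls.Server(raw, serverCfg)
	if err := server.Handshake(); err != nil {
		return "", err
	}
	return server.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	root, _ := sign(nil, "Service CA", 0)
	other, _ := sign(nil, "Somebody Else's CA", 0)
	service, _ := sign(&root, "service", x509.ExtKeyUsageServerAuth)
	alice, _ := sign(&root, "alice", x509.ExtKeyUsageClientAuth)     // an allowed client
	mallory, _ := sign(&other, "mallory", x509.ExtKeyUsageClientAuth) // valid cert, wrong issuer
	for _, c := range []tls.Certificate{alice, mallory, service} {    // service: right CA, wrong key usage
		cn, err := handshake(service, c, root.Leaf)
		fmt.Printf("accepted=%-5v cn=%q err=%v\n", err == nil, cn, err)
	}
}
```

Being issued by the CA is the whole membership test here, so the CA must only ever sign certificates for clients you want to admit, and removing a client means revoking its certificate (CRL or OCSP, which crypto/tls does not check for you) or letting it expire; short validity periods keep that manageable. If the service needs to know which client it is talking to, take the identity from the verified certificate, as `handshake` does with the CommonName, rather than from anything in the request body. The same trust decision applies when the certificate arrives inside a WS-Security signature instead of a TLS handshake: verify the chain to your CA before accepting the message.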


From: Tim Williams [mailto:[EMAIL PROTECTED]
Sent: Monday, October 31, 2005 5:54 AM
To: [email protected]
Subject: Newbie 'best practise' question

Hi all,

I've got 2 way encryption working using wss4j, and very nicely it runs too. At the moment I'm designing another web service that I would like to provide some security on. Basically we want to be able to say that only people we want can use the service (authentication) and that nobody can listen in on confidential data (encryption).

The question is, how do I best maintain a list of clients that are allowed to connect to the service, and how do we go about checking a connecting client against that list?

Any links people have on this matter would also be appreciated. I've looked over the OASIS WS-Security authentication specification, but, to be honest, most of that went over my head.

Thanks in advance,
Tim
