Sep 29th, 2006, 10:12 AM
WS-Sec + certificates
it's not directly related to SWS, but to WS-Security. I hope this is okay.
If i'm using certificates to sign and encrypt my SOAP-Messages, is this really good for clients applications?
I mean, a person which want to work with my WebService needs his own certificate.
How can i explain a person (secretary, warehouseman, ...) which isn't very good in computer things, what it is and how to get it? Isn't the certificate thing to complex for people?
That's why i think about to use the normal digest-way for my web service - the username/password princip understands every one.
What do you think?
Sep 29th, 2006, 12:52 PM
I'm using certificates, but all of my "clients" are software applications, not humans. In my case, the PKI issues about managing/distributing certificates (and the whole "trusting trust" problem) don't apply as strongly. The signatures tell me exactly who sent the message as well as ensure that it wasn't changed along the way. I don't need encryption at the moment, but the certificates would provide a reasonable path to message-based encryption (as opposed to transport-layer encryption).
I doubt I'd go to certificates if my WS was being invoked by random humans, unless message-based encryption was important. Of course, you might be able to leverage the certificates that may already be in place for transport-layer security (i.e., SSL). I know ACEGI has tools to pull the certificate that was used to encrypt the transport layer, but I'm not sure if you can access them in Spring-WS. All of the examples I remember were for website (rather than web service) authentication/authorization.
Oct 10th, 2006, 03:06 AM
it might be good solution in your case, if all clients are only some self made services.
The problem will be even bigger, if the application clients will be used from different locations, like a web mail application. The people has to "carry" his certificate to every place and using an usb stick or something to access it.
I'm happy that you agree with me.