
Question regarding web service security

 
win llen
Greenhorn
Posts: 18
Hi All,

I would just like to know how the service.jks is being handled.

Let's say I have 100 clients. Do I need to create 100 service.jks files, unique for each of the clients?


Thanks.
 
Lester Burnham
Rancher
Posts: 1337
If you're implementing encryption then you'd generally use the same file for all clients; if you're implementing signature then each client would need his own file.
 
win llen
Greenhorn
Posts: 18
Hi Lester,

Thank you so much for your reply.

I think I'm implementing signature on my web service. My problem now is that my Rampart configuration is hard-coded in the services.xml file (btw, I'm using Axis2 and Rampart). My merlin.file points to a specific location of the service.jks and the password is hard-coded.

Can you share any tutorial on how to make the Rampart configuration dynamic? I mean, if client A is accessing my web services then the Rampart configuration for client A is loaded, and so on for client B, C, etc.?

Any help is very much appreciated.

Thanks
 
win llen
Greenhorn
Posts: 18
Hi,

You have mentioned that I would use the same file for all my clients if I'm implementing encryption. In this case, how would I know which client is accessing my service?

Please advise.

Thanks
 
Ulf Dittmer
Rancher
Posts: 42968
You wouldn't - encryption is different from authentication. If you need authentication, then that's what WS-Security's UsernameToken is for. You can use both together.
 
win llen
Greenhorn
Posts: 18
Hi Ulf,

Thanks for your reply. Now I have a little understanding of how encryption and authentication are done.

Sorry for a little confusion. I think what I want to know is how the server gets the information of its clients based on the keys (without using UsernameToken).

For example: all of my clients' information is stored in the database. Whenever a client is accessing my service, the client's information will be fetched from the DB.

For my security implementation I used the asymmetric binding. Is there a way for the server to identify the client based on the keys? Any link to a tutorial is a great help.


Thanks in advance.


 
Ulf Dittmer
Rancher
Posts: 42968
Again: encryption is not authentication. Receiving an encrypted request does not tell the server who sent the request. Assuming that by "asymmetric binding" you actually mean "asymmetric encryption" - that only relies on the client having got hold of the service's public key. From that, you can't infer who the client is.

You seem to be reluctant to use both encryption and authentication in the same request despite apparently needing to do that; why is that?

For an example of how to use encryption with Axis2/Rampart, see this article I wrote some time ago: http://www.javaranch.com/journal/2008/10/web-service-security-encryption-axis2.html
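As an added illustration of Lester's point (each client signs with its own key) and win llen's question (how the server learns which client is calling), here is an Axis2 handler, not from this thread or from the Rampart project, that identifies the caller from the X.509 certificate Rampart already verified when it checked the WS-Security signature. It assumes Axis2 with Rampart on the WSS4J 1.x result-map API, that the handler runs in the InFlow after Rampart's security phase, and that `ClientRegistry.lookupBySubjectDn` is a hypothetical lookup into the caller's own client database.

```java
// Added example (not from the thread): identify the caller by the certificate
// that signed the request. The DN below is trustworthy only because Rampart has
// already verified the signature and chained the certificate to a CA in the
// service's merlin truststore; nothing here re-checks the signature itself.
import java.security.cert.X509Certificate;
import java.util.List;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

public class SignerIdentityHandler extends AbstractHandler {

    @SuppressWarnings("unchecked")
    public InvocationResponse invoke(MessageContext msgCtx) throws AxisFault {
        // Rampart stores the outcome of processing the Security header here.
        List<WSHandlerResult> handlerResults =
            (List<WSHandlerResult>) msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (handlerResults == null) {
            throw new AxisFault("No WS-Security results; was Rampart engaged?");
        }

        X509Certificate signer = null;
        for (WSHandlerResult hr : handlerResults) {
            for (Object o : hr.getResults()) {
                WSSecurityEngineResult r = (WSSecurityEngineResult) o;
                int action = (Integer) r.get(WSSecurityEngineResult.TAG_ACTION);
                // Only a signature action binds an identity to the request;
                // an encryption action says nothing about who sent it.
                if (action == WSConstants.SIGN) {
                    signer = (X509Certificate) r.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                }
            }
        }
        if (signer == null) {
            throw new AxisFault("Request is not signed; cannot identify caller");
        }

        // Hypothetical lookup: map the verified subject DN to the client record.
        String subjectDn = signer.getSubjectX500Principal().getName();
        Object client = ClientRegistry.lookupBySubjectDn(subjectDn);
        if (client == null) {
            throw new AxisFault("Signer " + subjectDn + " is not a registered client");
        }
        // Make the identity available to the service implementation.
        msgCtx.setProperty("client.identity", client);
        return InvocationResponse.CONTINUE;
    }
}
```

Because the lookup keys on the subject DN, a compromised or reissued client certificate must also be revoked or replaced in the registry, not just in the truststore.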
 