Hi,
The question is wrong. First of all, it asks for:
Himai Minh wrote: "Which container managed web service security mechanism must the development team use to allow web service clients to use the current security model?"
And it suggests the following answers:
Himai Minh wrote:
Choice:
A. XKMS
B. XACML
C. XML digital signature
D. HTTP basic authentication
E. annotations mapped to the JAX-WS runtime.
None of these are web service security mechanisms. At best, annotations (which?) mapped to the JAX-WS runtime could be considered as a potential answer.
HTTP Basic authentication is a mechanism through which a user can be authenticated. It largely pre-dates web services. It is not specific to web services and in a way, it's not even a recommended way to authenticate for web services, though it does work fine.
XKMS and XACML are not about authentication but rather key management and attribute-based access control respectively.
XML digital signature is about signing XML content. It is not specific to web services and it is not about authenticating but rather proving the authenticity of content and that it has not been tampered with.
Going back to your original question:
Can we use both XACML and basic authentication in a container managed WS for authorization?
The answer is yes. You can use HTTP basic authentication (or any other means of authN, e.g. SAML) to authenticate the users and services trying to access your web service. You definitely want to have the authentication container-managed. What that means is that the application / web service / web app / API you are developing and installing in the container does not need to worry about authentication. It's handled by the container.
You can then use XACML (eXtensible Access Control Markup Language) to define XACML policies (access control policies) and then protect your web services. You would typically do that using either a Servlet filter or a JAX-WS handler. They then act as a Policy Enforcement Point (PEP) which creates an XACML authorization request which is then sent to the Policy Decision Point (PDP).
I hope this clarifies things.
Cheers,
David.
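The combination David describes, container-managed Basic authentication in front of an XACML PEP, as an added example (this is not code from the original post or from any particular product). It is a Servlet filter: the container has already authenticated the caller (a `<login-config>` with `<auth-method>BASIC</auth-method>` in web.xml is what makes `getUserPrincipal()` non-null), the filter builds a XACML 3.0 request from the principal, the request URI and the HTTP method, POSTs it to a PDP, and lets the call through only on an explicit Permit. The PDP URL `https://pdp.example.internal/authorize` is a hypothetical placeholder, the PDP is assumed to speak XACML 3.0 XML over HTTP POST, and the Servlet 3.x API is assumed to be on the classpath; a JAX-WS `SOAPHandler` would do the same job with the same request-building code.

```java
// Added example, not from the original post: a Servlet filter acting as a XACML PEP.
// Assumptions: container-managed Basic auth has already set the user principal, a XACML 3.0
// PDP accepts XML requests via HTTP POST at PDP_URL (hypothetical), Servlet 3.x API on classpath.
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class XacmlPepFilter implements Filter {

    private static final String PDP_URL = "https://pdp.example.internal/authorize"; // hypothetical
    private static final String XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // The container authenticated the caller (Basic auth). If no principal is present the
        // security constraint did not apply; never guess an identity for the PDP.
        Principal p = http.getUserPrincipal();
        if (p == null) {
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String decision = askPdp(buildRequest(p.getName(), http.getRequestURI(), http.getMethod()));

        // Deny by default: NotApplicable, Indeterminate or an unreadable answer all block the call.
        if ("Permit".equals(decision)) {
            chain.doFilter(req, res);
        } else {
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /** XACML 3.0 request carrying subject-id, resource-id and action-id. */
    static String buildRequest(String subject, String resource, String action) {
        return "<Request xmlns=\"" + XACML_NS + "\" CombinedDecision=\"false\" ReturnPolicyIdList=\"false\">"
             + attrs("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                     "urn:oasis:names:tc:xacml:1.0:subject:subject-id", subject)
             + attrs("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                     "urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource)
             + attrs("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
                     "urn:oasis:names:tc:xacml:1.0:action:action-id", action)
             + "</Request>";
    }

    private static String attrs(String category, String attributeId, String value) {
        return "<Attributes Category=\"" + category + "\">"
             + "<Attribute AttributeId=\"" + attributeId + "\" IncludeInResult=\"false\">"
             + "<AttributeValue DataType=\"http://www.w3.org/2001/XMLSchema#string\">"
             + escape(value) + "</AttributeValue></Attribute></Attributes>";
    }

    // Principal name and URI are caller-controlled; escape them so a crafted value cannot
    // change the structure of the XML sent to the PDP.
    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    /** POSTs the request to the PDP and returns the first Decision text, or "Deny" on any failure. */
    private static String askPdp(String xacmlRequest) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(PDP_URL).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/xacml+xml");
        try (OutputStream os = c.getOutputStream()) {
            os.write(xacmlRequest.getBytes(StandardCharsets.UTF_8));
        }
        if (c.getResponseCode() != 200) return "Deny";
        try (InputStream in = c.getInputStream()) {
            return parseDecision(in);
        } catch (Exception e) {
            return "Deny";
        }
    }

    static String parseDecision(InputStream in) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Harden the parser: the PDP response is XML from another host, so no DTDs / XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document d = f.newDocumentBuilder().parse(in);
        NodeList n = d.getElementsByTagNameNS(XACML_NS, "Decision");
        return n.getLength() == 0 ? "Deny" : n.item(0).getTextContent().trim();
    }
}
```

Register the filter in web.xml (or with `@WebFilter`) on the same URL pattern as the `<security-constraint>` that triggers Basic authentication, so the container always runs authentication before the PEP sees the request. The XACML request only carries three attributes here; a real policy will usually also want role or group attributes, which the PEP can add from `isUserInRole()` or the PDP can fetch itself through a Policy Information Point.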