[jboss-user] [Security & JAAS/JBoss] - WS-Security without client certificate validation possible?
do-not-reply at jboss.com
Fri Aug 21 11:24:49 EDT 2009
I am new to WS-Security and I am very confused now:
I want to create a webservice where a lot of authorized clients (user+password protected) can call special methods. The communication between the client & server must be encrypted and the server should authenticate to the client (signature).
At first I secured my SLSB webservice with JAAS & roles. The webservice's @WebContext is set to authMethod="BASIC" so clients can bind a username+password to the request context and authenticate. That works well.
The next thing I wanted to do is to secure the communication between the client and server.
The standard for that seems to be WS-Security.
But why is it a must to store the client's public key on the server? To authenticate clients it could be needed ... ok. But my authentication is done at the EJB container and I only want to encrypt the communication (& authenticate the server to the client).
Is there a way to use WS-Security like it is without storing & validating client public keys on the server side?
I think I didn't get the point and my understanding is a potential security risk...
So it would be nice if you can help me,
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4250926#4250926