[jboss-user] [Security & JAAS/JBoss] - WS-Security without client certificate validation possible?

_guido do-not-reply at jboss.com
Fri Aug 21 11:24:49 EDT 2009


I am new to WS-Security and i am very confused now:

I want to create a webservice where a lot of authorized clients (user+password protected) can call special methods. The communication between the client & server must be encrypted and the server should authenticate to the client (signature).

At first i secured my slsb webservice with jaas & roles. The webservice's @WebContext is set to authMethod="BASIC" so clients can bind a username+password to the request context and authenticate. That works well.

The next i wanted to do is to secure the communication between the client and server. 
The standard for that seams to be the ws-security. 
But why there is a must to store the clients public key on the server? To authenticate clients it could be needed ... ok. But my authentication is done at the ejb container and i only want to encrypt the communication (& authenticate the server to client).
Is there a way to use the ws-security like it is without storing & validating client public keys on the server side?

I think i didnt got the point and my understanding is a potential security risk...
So it would be nice if you can help me,


View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4250926#4250926

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4250926

More information about the jboss-user mailing list