I am planning to implement security on webservices. What's the best way to do it?
Solutions: X.509 -- 10 webservices which need to be verified for the client who accesses it, which can be done with certificates, but I don't have much idea about certificates. I have created a keystore with keytool; now what's the next thing I need to do? Is there any way I can create some internal certificates for my development purposes and then move to some certificate provider once moving to production?
Also, for implementing security on webservices, can we create webservice handlers and implement the authentication or role-based security checks in them? Are there any practical links where I can see a step-by-step guide to implementing security on a webservice?
At last, any clues about certificates or any kind of webservice security links or guides are highly appreciated.
I have heard about WS-Security but was not able to find any easy guide to implementing it on any webservice. I am creating EJB3 webservices with annotations and deploying on a JBoss server.
There are many facets to security. Are you solely interested in client certificates, or would other forms of authentication be acceptable as well? WS-Security also covers encryption and digital signing, which might be of value.
A problem with the WS-Security standard is that there is no single way to use it in a WS implementation. So using it with JBoss will be different from using it with Axis or Metro; you'll need to check the JBoss documentation for information on how to apply it.
I am thinking of implementing it with a combination of certificates and role-based security.
Can you guide me to any specific links where I can find a sample implementation? I think it would be good if we can find a generic solution in case we port the webservices to a different server in future.
Also, I am considering Oracle SOA Suite and OracleAS for deploying webservices. Any specific hints for Oracle will also help me a lot.