AXIS Security Transaction (Highest Protection)

Stas Sokolov
Ranch Hand

Joined: Apr 13, 2004
Posts: 117

I want to implement the following security transaction using AXIS.
Is it possible? If it is not, why?
1. Client creates a message that is a parameter of the web service call.
2. Client encrypts the payload of the message using the server public key.
3. Client adds a digital signature to the message using an X.509 managed certificate. (It should be performed automatically for all outgoing client messages.)
4. Client establishes a secure SSL connection to the server.
5. Client calls the appropriate web service using HTTPS.
6. Server checks the digital signature of the incoming message. (It should be performed automatically for all incoming server messages.)
7. Server decrypts the payload of the message using the server private key.
8. Server processes the message and creates a reply message.
9. Server encrypts the message using its own private key.
10. Server attaches a digital signature to the message. (It should be performed automatically for all outgoing server messages.)
11. Server returns the response message back to the client.
12. Client checks the server digital signature. (It should be performed automatically for all incoming client messages.)
13. Client decrypts the payload of the message using the server public key.
The scenario above represents the highest level of security protection. It assumes that messages are protected by a set of security keys:
1. Digital signature to authenticate the server when establishing the SSL connection.
2. Digital signature to authenticate the client when establishing the SSL connection.
3. Asymmetric key pair to encrypt SSL traffic between client and server.
4. Digital signature to be added to all outgoing messages on the client side.
5. Digital signature to be added to all outgoing messages on the server side.
6. Asymmetric key pair to encrypt/decrypt the payload of the messages.
Sorry, it is probably too long. Has somebody implemented something similar in practice?


Good luck for yourself.
Gareth Western
Ranch Hand

Joined: Apr 07, 2004
Posts: 45
This isn't a direct answer to your question, sorry, but have you looked at the Apache WSS4J project?
http://ws.apache.org/ws-fx/wss4j/
Balaji Loganathan
author and deputy
Bartender

Joined: Jul 13, 2001
Posts: 3150
I'm not sure, but you can check whether this book is covering your task or not.


Spritle Software Blogs
Stas Sokolov
Ranch Hand

Joined: Apr 13, 2004
Posts: 117

About http://ws.apache.org/ws-fx/wss4j/
I have the impression that this project is in the beginning stage now. At least I didn't find files that are available for download (http://ws.apache.org/mirrors.cgi).
Correct me if I am wrong.
Stas Sokolov
Ranch Hand

Joined: Apr 13, 2004
Posts: 117

A couple of words regarding the book. First of all, thank you for the advice. I followed the link and found some positive and negative feedback. It should help me to make a decision. It is always difficult to state the value of a book without reading a couple of articles. I will have a look at this book in the bookstore. Thank you. Most of all I am interested in some practical scenarios, because from the theoretical standpoint there is a complex of solutions, but probably not all of these solutions match my production environment, which definitely has performance and security constraints.