
WS Security questions

Jim Janssens
Ranch Hand

Joined: Sep 24, 2004
Posts: 210
I have some (probably basic) questions about WS Security:

I will need to invoke a WS which uses a binary token for authentication and authorization.

Now, if I understand it correctly (after some reading up) the token is nothing more than a value which is signed using the sender's private key (is this correct?). This way the WS provider can verify the signature of the token with the public key (which is transmitted using an X.509 certificate) to ensure that the caller is who he claims to be. Next, the WS provider can use information from the certificate to perform authorization control.

On the assumption that my understanding is correct:

1. Where is this kind of security indication defined? Is this defined in the WSDL? Or only in the configuration files on client/server side?

2. Is the binary token transparent for the client code? By this I mean, does the developer have to do something special in their code to activate the binary token security, or is it activated declaratively using the client configuration file?

3. How is the client certificate transmitted to the WS provider? Is there an option whether this is done or not?

4. How does the binary token relate to the digital signature?

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
The standard package for implementing WS-Security for Java is WSS4J, so you should check out what it does and how it does it. WSS4J works in a declarative way - the client does not need to change if the security requirements change. You may need to add some JAX-RPC handlers for certain security functions, though. The WSDL is not involved in declaring security, at least not in version 1.1 (which is what Axis 1 and 2 support).
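
The declarative setup described in the answer above, as an added example that is not part of the original post: an Axis 1 client deployment descriptor that turns on WSS4J signing and sends the client certificate as a binary security token, with no change to the calling code. The file names, key alias and callback class are placeholders chosen for illustration.

```xml
<!-- client-deploy.wsdd (file name is an assumption): Axis 1 client-side configuration -->
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
    <requestFlow>
      <!-- WSS4J's Axis 1 handler: adds the wsse:Security header to each outgoing request -->
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <!-- Security action to apply: sign the message -->
        <parameter name="action" value="Signature"/>
        <!-- Keystore alias of the client's private key (placeholder) -->
        <parameter name="user" value="client-key-alias"/>
        <!-- Hypothetical CallbackHandler implementation that supplies the key password -->
        <parameter name="passwordCallbackClass" value="com.example.KeyPasswordCallback"/>
        <!-- Crypto properties file naming the keystore that holds key and certificate
             (placeholder file name) -->
        <parameter name="signaturePropFile" value="client-crypto.properties"/>
        <!-- DirectReference: the X.509 certificate travels in the message as a
             wsse:BinarySecurityToken and the signature's KeyInfo refers to it.
             Other key identifier values send only a reference to the certificate. -->
        <parameter name="signatureKeyIdentifier" value="DirectReference"/>
      </handler>
    </requestFlow>
  </globalConfiguration>
</deployment>
```

The provider side needs a matching receiver handler and a truststore that decides which certificates, or which issuing CAs, it accepts; a valid signature alone only proves possession of the key that belongs to the certificate in the message.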
Jim Janssens
Ranch Hand

Joined: Sep 24, 2004
Posts: 210
Ok, thanks for that information, I'll start from there.