I have some (probably basic ones) question about WS Security:
I will need to invoke a WS which uses binary token for authentication and authorization.
Now, if I understand it correctly (after some reading up) the token is nothing more than a value which is signed using the senders private key (is this correct?). This way the WS provider can verify the signature of the token with the public key (which is transmitted using a X.509 certificate) to ensure that the caller is who he claims to be. Next, the WS provider can use information from the certificate to perform authorization control.
In the assumption that my understandig is correct :
1. Where is this kind of security indication defined ? Is this defined in the WSDL ? Or only in the configuration files on client/server side ?
2. Is the binary token transparant for the client code ? By this I mean, does the developer has to do something special in its code to activate the binary token security or is it activated declarative using the client configuration file?
3. How is the client certificate transmitted to the WS provider? Is there an option wheither this is done or not ?
4. How does the binary token relate to the digital signature ?
Joined: Mar 22, 2005
The standard package for implementing WS-Security for Java is WSS4J, so you should check out what it does and how it does it. WSS4J works in a declarative way - the client does not need to change if the security requirements change. You may need to add some JAX-RPC handlers for dertain security functions, though. The WSDL is not involved in declaring security, at least not in version 1.1 (which is what Axis 1 and 2 support).