I am working on a service that is part of many services in a large SOA architecture-based enterprise application. My service is a POJO-based application that is deployed on WebLogic Server and uses Spring for autowiring the components.
The clients of this service are other services. There are web service, RMI and socket-based clients. The web service clients are of two types: SOAP and simple HTTP URL-based XML requests.
The service is supposed to process a quarter million requests per day and 99% of them are simple http requests.
The requirement is to design security for my service that is independent of the client request types.
The high level requirements are:
a) The security implementation must not be tied to a particular tool/technology as far as possible, in case the service needs to be deployed on a different vendor-specific application server.
b) Some client applications/services send user credentials and some do not. How to design security in terms of authentication, authorization and access control that handles both cases?
c) How to implement security specific to web services which MUST be common to SOAP and simple HTTP requests?
I am new to security and web services. I did some homework and came across digital certificates in the case of authorization and filters for common security for SOAP and simple HTTP/REST-like requests.
But I do not have enough information to have a head start in terms of technologies, design and implementation.
Thus any pointers related to my problem domain in terms of security patterns/website URLs/books/technologies/examples would be HIGHLY appreciated.
Thank you in advance for your valuable time and interest.
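As an added illustration of the filter approach mentioned in the question (this is example code, not from the original post or any project it names), the servlet filter below applies one authentication and access-control policy to both SOAP and plain HTTP XML requests, without any WebLogic-specific API. It assumes Java 8+ and the servlet API; `Authenticator` is a hypothetical interface meant to be wired by Spring, and the path-based policy is constructed for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Transport-agnostic security filter: SOAP and plain-XML POSTs both arrive over HTTP,
// so the same Authorization header and the same policy apply to both (requirement c).
public class ServiceSecurityFilter implements Filter {

    /** Hypothetical pluggable authenticator; returns the caller's roles, or null on bad credentials. */
    public interface Authenticator {
        Set<String> authenticate(String user, String password);
    }

    private static final Set<String> ANONYMOUS_ROLES = Collections.singleton("anonymous");
    private final Authenticator authenticator;

    public ServiceSecurityFilter(Authenticator authenticator) { this.authenticator = authenticator; }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        String header = http.getHeader("Authorization");
        Set<String> roles;
        if (header == null) {
            roles = ANONYMOUS_ROLES;              // requirement (b): client sent no credentials
        } else if (header.startsWith("Basic ")) {
            try {
                String decoded = new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8);
                String[] cred = decoded.split(":", 2);
                roles = cred.length == 2 ? authenticator.authenticate(cred[0], cred[1]) : null;
            } catch (IllegalArgumentException malformed) { roles = null; }
            if (roles == null) { out.sendError(401); return; }   // bad credentials: reject, never fall back to anonymous
        } else {
            out.sendError(401); return;           // unsupported scheme
        }
        // Access control by resource (constructed policy): anonymous callers reach only the read-only endpoint.
        String path = http.getRequestURI();
        if (!path.endsWith("/query") && !roles.contains("client")) { out.sendError(403); return; }
        req.setAttribute("roles", roles);         // downstream components authorize on these roles
        chain.doFilter(req, res);
    }
    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

The filter only covers HTTP-borne clients; RMI and socket entry points would call the same `Authenticator` and role policy from their own dispatch code so that the rules stay in one place.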