It depends on the web service you are trying to call. If the web service requires authentication, then the client must supply authentication credentials.
It is optional to implement authentication in a web service - you can have web services without any kind of authentication. Authentication may not be necessary if the web service is published to a private network.
Just a follow-up question: if the WS-Security implementation uses keys, how would the service know which client is accessing it? I mean, if each of the clients has a different key (unique for everyone) and the service has only one service.key to sign all the clients. Please enlighten.
There are two options available (as far as I know) concerning keys:
- If you use a symmetric cipher, then the clients and server share a common secret key which can be used to encrypt/decrypt and/or sign messages.
- If you are using an asymmetric cipher, then the server must have the public keys of all the clients, in order to be able to determine if a client's private key has been used to encrypt and/or sign some data.
Hope this answers some of your questions!
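Added example, not part of the original thread: a sketch of the asymmetric option, where the service keeps one public key per client and identifies the caller by which registered key verifies the message signature. The class name `ClientKeyRegistry`, the client ids, and the plain-string key identifier are assumptions for illustration; this uses only the JDK's `java.security` API, not a WS-Security library.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

// Hypothetical illustration: server-side lookup from key identifier to client public key.
public class ClientKeyRegistry {
    // Key identifier carried with the message -> that client's registered public key.
    private final Map<String, PublicKey> clientKeys = new HashMap<>();

    public void register(String clientId, PublicKey key) {
        clientKeys.put(clientId, key);
    }

    // Returns the authenticated client id, or empty when the key id is unknown
    // or the signature does not verify under that client's registered key.
    public Optional<String> identify(String claimedId, byte[] body, byte[] sig)
            throws GeneralSecurityException {
        PublicKey key = clientKeys.get(claimedId);
        if (key == null) return Optional.empty();
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(body);
        return verifier.verify(sig) ? Optional.of(claimedId) : Optional.empty();
    }

    // Client side: sign the message body with the client's own private key.
    static byte[] sign(PrivateKey key, byte[] body) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(body);
        return signer.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair alice = gen.generateKeyPair();
        KeyPair bob = gen.generateKeyPair();
        ClientKeyRegistry registry = new ClientKeyRegistry();
        registry.register("client-alice", alice.getPublic());
        registry.register("client-bob", bob.getPublic());

        // Constructed sample message body, signed by alice.
        byte[] body = "<getBalance account=\"42\"/>".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(alice.getPrivate(), body);
        // Presented under alice's key id, then under bob's key id with the same signature.
        System.out.println(registry.identify("client-alice", body, sig));
        System.out.println(registry.identify("client-bob", body, sig));
    }
}
```

The service's own key is not involved in identifying the caller here; the lookup depends only on the per-client public keys the service has registered.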