If you're implementing encryption then you'd generally use the same file for all clients; if you're implementing signature then each client would need his own file.
Joined: Aug 18, 2010
Thank you so much for your reply.
I think I'm implementing signature on my web service. My problem now is that my Rampart configuration is hard-coded in the services.xml file (btw, I'm using Axis2 and Rampart). My merlin.file points to a specific location of the service.jks and the password is hard-coded.
Can you share any tutorial on how to make the Rampart configuration dynamic? I mean, if client A is accessing my web services then the Rampart configuration for client A is loaded, and so on for clients B, C, etc.
Any help is very much appreciated.
Joined: Aug 18, 2010
You have mentioned that I would use the same file for all my clients if I'm implementing encryption. In this case, how would I know which client is accessing my service?
Thanks for your reply. Now I have a little understanding of how encryption and authentication are done.
Sorry for a little confusion. I think what I want to know is how the server gets the information of its clients based on the keys (without using a username token).
For example: all of my clients' information is stored in the database. Whenever a client is accessing my service, the client's information will be fetched from the DB.
For my security implementation I used the asymmetric binding. Is there a way for the server to identify the client based on the keys? Any link to a tutorial is a great help.
Thanks in advance.
Joined: Mar 22, 2005
Again: encryption is not authentication. Receiving an encrypted request does not tell the server who sent the request. Assuming that by "asymmetric binding" you actually mean "asymmetric encryption" - that only relies on the client having got hold of the service's public key. From that, you can't infer who the client is.
You seem to be reluctant to use both encryption and authentication in the same request despite apparently needing to do that; why is that?
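Added example, not part of the thread and not Rampart or Axis2 code: plain Java (JCA) showing why a request encrypted with the service's public key says nothing about the sender, while a signature checked against per-client registered keys does. The client ids, the in-memory map standing in for the database, and the message body are constructed; a WS-Security stack would pick the key from the certificate reference carried with the signature instead of trying each key.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Cipher;

public class IdentifyClientBySignature {
    // Stand-in for the clients table: client id -> public key registered for that client.
    static final Map<String, PublicKey> REGISTERED = new LinkedHashMap<>();

    // Returns the id of the registered client whose key verifies the signature, or null.
    static String identify(byte[] body, byte[] sig) throws GeneralSecurityException {
        for (Map.Entry<String, PublicKey> e : REGISTERED.entrySet()) {
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(e.getValue());
            v.update(body);
            try {
                if (v.verify(sig)) return e.getKey();
            } catch (SignatureException malformed) { /* not this client's key */ }
        }
        return null; // signed by nobody we know: reject the request
    }

    static byte[] sign(PrivateKey key, byte[] body) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(body);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair service = gen.generateKeyPair(), clientA = gen.generateKeyPair();
        KeyPair clientB = gen.generateKeyPair(), stranger = gen.generateKeyPair();
        REGISTERED.put("clientA", clientA.getPublic());
        REGISTERED.put("clientB", clientB.getPublic());
        byte[] body = "<getBalance/>".getBytes(StandardCharsets.UTF_8); // constructed payload

        // Encryption only needs the service's public key, which every client shares.
        Cipher enc = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        enc.init(Cipher.ENCRYPT_MODE, service.getPublic());
        byte[] ct = enc.doFinal(body);
        System.out.println("encrypted " + ct.length + " bytes, sender unknown");

        // A signature needs the sender's private key, so it maps to exactly one client.
        System.out.println(identify(body, sign(clientA.getPrivate(), body)));  // clientA
        System.out.println(identify(body, sign(clientB.getPrivate(), body)));  // clientB
        System.out.println(identify(body, sign(stranger.getPrivate(), body))); // null
    }
}
```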