Question regarding web service security

win llen
Greenhorn

Joined: Aug 18, 2010
Posts: 18
Hi All,

I would just like to know how the service.jks is being handled.

Let's say I have 100 clients. Do I need to create 100 service.jks files, one unique to each of the clients?


Thanks.
Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
If you're implementing encryption then you'd generally use the same file for all clients; if you're implementing signature then each client would need his own file.
win llen
Greenhorn

Joined: Aug 18, 2010
Posts: 18
Hi Lester,

Thank you so much for your reply.

I think I'm implementing signature on my web service. My problem now is that my Rampart configuration is hard coded in the services.xml file (btw, I'm using Axis2 and Rampart). My merlin.file points to a specific location of the service.jks and the password is hard coded.

Can you share any tutorial on how to make the Rampart configuration dynamic? I mean, if client A is accessing my web services then the Rampart configuration for client A is loaded, and so on for client B, C, etc.

Any help is very much appreciated.

Thanks
win llen
Greenhorn

Joined: Aug 18, 2010
Posts: 18
Hi,

You have mentioned that I would use the same file for all my clients if I'm implementing encryption. In this case, how would I know which client is accessing my service?

Please advise.

Thanks
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39570
    
You wouldn't - encryption is different from authentication. If you need authentication, then that's what WS-Security's UsernameToken is for. You can use both together.


Ping & DNS - updated with new look and Ping home screen widget
win llen
Greenhorn

Joined: Aug 18, 2010
Posts: 18
Hi Ulf,

Thanks for your reply. Now I have a little understanding of how encryption and authentication are done.

Sorry for a little confusion. I think what I want to know is how the server gets the information of its clients based on the keys (without using UsernameToken).

For example: all of my clients' information is stored in the database. Whenever a client is accessing my service, the client's information will be fetched from the DB.

For my security implementation I used the asymmetric binding. Is there a way for the server to identify the client based on the keys? Any link to a tutorial is a great help.


Thanks in advance.


Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39570
    
Again: encryption is not authentication. Receiving an encrypted request does not tell the server who sent the request. Assuming that by "asymmetric binding" you actually mean "asymmetric encryption" - that only relies on the client having got hold of the service's public key. From that, you can't infer who the client is.

You seem to be reluctant to use both encryption and authentication in the same request despite apparently needing to do that; why is that?

For an example of how to use encryption with Axis2/Rampart, see this article I wrote some time ago: http://www.javaranch.com/journal/2008/10/web-service-security-encryption-axis2.html
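
The distinction drawn in this thread, as an added example that is not part of the original posts and is not Axis2/Rampart code: it uses plain JCA calls rather than WS-Security, and the class name, aliases, in-memory key map and request body are constructed for illustration. A message encrypted with the service's public key decrypts the same way no matter who sent it, while a signature verifies only against the public key of the client that produced it.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Cipher;

public class ClientKeyDemo {
    // Constructed stand-in for the service's truststore: one public key per client alias.
    static final Map<String, PublicKey> TRUSTED = new LinkedHashMap<>();
    static KeyPair newRsa() throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        return g.generateKeyPair();
    }
    static byte[] sign(PrivateKey key, byte[] body) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(body);
        return s.sign();
    }

    // Returns the alias whose registered public key verifies the signature, or empty if none does.
    static Optional<String> identifySigner(byte[] body, byte[] sig) throws GeneralSecurityException {
        for (Map.Entry<String, PublicKey> e : TRUSTED.entrySet()) {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(e.getValue());
            s.update(body);
            try {
                if (s.verify(sig)) return Optional.of(e.getKey());
            } catch (SignatureException malformed) { /* wrong length or encoding: not this key */ }
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair service = newRsa(), clientA = newRsa(), clientB = newRsa(), stranger = newRsa();
        TRUSTED.put("clientA", clientA.getPublic());
        TRUSTED.put("clientB", clientB.getPublic());
        byte[] body = "<getBalance account=\"42\"/>".getBytes(StandardCharsets.UTF_8);
        // Encryption: only the service's public key is involved, so nothing in ct names the sender.
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, service.getPublic());
        byte[] ct = c.doFinal(body);
        c.init(Cipher.DECRYPT_MODE, service.getPrivate());
        System.out.println("decrypts correctly: " + Arrays.equals(body, c.doFinal(ct)));
        // Signature: the matching alias identifies the client; an unregistered key matches nothing.
        System.out.println("signed by clientB -> " + identifySigner(body, sign(clientB.getPrivate(), body)));
        System.out.println("signed by stranger -> " + identifySigner(body, sign(stranger.getPrivate(), body)));
    }
}
```

The alias returned by the hypothetical `identifySigner` is the kind of value a service could use as the key for looking up a client's record in its database.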
 