I am implementing security for web services for my academic project. The requirement is for many clients to access the three methods of the web service, based on their authorization. I mean the authorization should be at the method level: a client can access a method only if it is authorized to.
My design is to implement XML Encryption for message confidentiality, XML Signature for message integrity and non-repudiation, and SAML tokens for authentication and authorization. I could implement all of these using wss4j.
I chose SAML tokens over other tokens like UsernameTokens, supposing that I could also implement method-level access control using SAML. Am I right?
I would like to know if I am heading in the right direction with my design. Does my design address all the security issues in my requirement, or will I need to implement XKMS and XACML too?
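The method-level check the post asks about, written out as an added example (not code from this thread or from wss4j): it assumes wss4j has already verified the XML Signature over the SAML assertion, and the method names, the `role` attribute and the policy table are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical method-level policy: roles allowed to call each of the three
# service methods (method and role names are constructed for this example).
METHOD_POLICY = {"getBalance": {"customer", "auditor"}, "transfer": {"customer"}, "closeAccount": {"admin"}}

# Constructed SAML 2.0 assertion. In the design from the post, wss4j verifies the
# XML Signature over it first; this code only evaluates the verified content.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ex1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:10:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>customer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_utc(stamp):
    """Parse a SAML xs:dateTime such as 2024-01-01T00:00:00Z into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_assertion(xml_text):
    """Extract the subject, validity window and 'role' attribute values from an assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    roles = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "role":
            roles.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return {
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": parse_utc(cond.get("NotBefore")),
        "not_on_or_after": parse_utc(cond.get("NotOnOrAfter")),
        "roles": roles,
    }


def authorize(assertion, method, now):
    """Deny by default: allow only inside the validity window and only if one of the
    subject's roles is listed for the requested method (unknown methods are denied)."""
    if not (assertion["not_before"] <= now < assertion["not_on_or_after"]):
        return False
    return bool(assertion["roles"] & METHOD_POLICY.get(method, set()))
```

The assertion only carries the subject's attributes; the mapping from attributes to permitted methods is policy that the service itself (or an external policy engine such as XACML) has to hold and enforce.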
I am new to web services; you could say I am just starting with them. Can you provide me some guidance or a map of how to start reading about them, and the issues that need to be taken into consideration while building a web-services-based project?
Please do not hijack this thread, which is about WS security, with general WS questions. Feel free to start a new thread for any questions you may have. In the meantime you might peruse the Web Services FAQ, which points to a number of resources that are helpful in learning WS.