0 Replies Latest reply on Aug 21, 2009 11:24 AM by _guido

    WS-Security without client certificate validation possible?

      Hello,

      I am new to WS-Security and I am very confused now:

      I want to create a web service where a lot of authorized clients (user+password protected) can call special methods. The communication between the client & server must be encrypted, and the server should authenticate to the client (signature).

      At first I secured my SLSB web service with JAAS & roles. The web service's @WebContext is set to authMethod="BASIC", so clients can bind a username+password to the request context and authenticate. That works well.

      The next thing I wanted to do is to secure the communication between the client and server.
      The standard for that seems to be WS-Security.
      But why is there a must to store the clients' public keys on the server? To authenticate clients it could be needed ... ok. But my authentication is done at the EJB container, and I only want to encrypt the communication (& authenticate the server to the client).
      Is there a way to use WS-Security like it is, without storing & validating client public keys on the server side?

      I think I didn't get the point, and my understanding is a potential security risk...
      So it would be nice if you can help me,

      guido
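As an added illustration of the setup the post describes (this is not guido's code and not from any JBoss project source), the following shows a stateless session bean exposed as a JAX-WS endpoint, protected with JAAS roles and HTTP BASIC authentication via JBossWS's @WebContext, and a client that binds a username and password to the request context. It assumes JBoss AS 5 with JBossWS (the `org.jboss.ws.annotation.WebContext` and `org.jboss.ejb3.annotation.SecurityDomain` annotations); the security domain name, context root, namespace, endpoint URL, role name and credentials are placeholders. The `transportGuarantee = "CONFIDENTIAL"` attribute is included as an assumption so the container only accepts the call over HTTPS, since BASIC credentials are otherwise sent in clear text.

```java
// --- File 1: ProtectedServiceBean.java (server side, deployed as an EJB3 endpoint) ---
// Added example, not the original poster's code. Names are placeholders.
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.ws.annotation.WebContext;

@Stateless
@WebService(name = "ProtectedService",
            serviceName = "ProtectedService",
            targetNamespace = "http://example.org/protected")  // placeholder namespace
@SecurityDomain("MySecurityDomain")   // placeholder: JAAS domain configured in login-config.xml
@WebContext(contextRoot = "/protected",             // placeholder context root
            urlPattern = "/ProtectedService",
            authMethod = "BASIC",                   // container requests HTTP BASIC credentials
            transportGuarantee = "CONFIDENTIAL")    // assumption: require HTTPS for this endpoint
public class ProtectedServiceBean {

    // Only authenticated principals holding the "customer" role may invoke this method;
    // the EJB container enforces it after the JAAS login module has validated the credentials.
    @WebMethod
    @RolesAllowed("customer")   // placeholder role name
    public String specialMethod(String input) {
        return "processed: " + input;
    }
}

// --- File 2: ProtectedServiceClient.java (client side) ---
// Binds username/password to the JAX-WS request context so the HTTP BASIC
// challenge from the container is answered on the call.
import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;

public class ProtectedServiceClient {
    public static void main(String[] args) throws Exception {
        // Placeholder HTTPS endpoint; the WSDL is fetched from the deployed service.
        URL wsdl = new URL("https://localhost:8443/protected/ProtectedService?wsdl");
        QName serviceName = new QName("http://example.org/protected", "ProtectedService");
        Service service = Service.create(wsdl, serviceName);

        // ProtectedService is the service endpoint interface generated from the WSDL (e.g. with wsconsume).
        ProtectedService port = service.getPort(ProtectedService.class);

        // Standard JAX-WS properties: the runtime sends them as HTTP BASIC credentials.
        BindingProvider bp = (BindingProvider) port;
        bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "alice");   // placeholder user
        bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "secret");  // placeholder password

        System.out.println(port.specialMethod("hello"));
    }
}
```

In this arrangement the server holds no client certificates at all: the container validates the username and password through the JAAS login module, and the EJB layer applies the role check. Confidentiality and server authentication come from the HTTPS transport (the client verifies the server's certificate), which is a separate mechanism from WS-Security message-level encryption and signing.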