I am new to WS-Security and I am very confused now:
I want to create a web service where a lot of authorized clients (user + password protected) can call special methods. The communication between the client and server must be encrypted, and the server should authenticate to the client (signature).
At first I secured my SLSB web service with JAAS and roles. The web service's @WebContext is set to authMethod="BASIC" so clients can bind a username + password to the request context and authenticate. That works well.
The next thing I wanted to do is to secure the communication between the client and server. The standard for that seems to be WS-Security. But why is there a must to store the clients' public keys on the server? To authenticate clients it could be needed ... ok. But my authentication is done at the EJB container and I only want to encrypt the communication (and authenticate the server to the client). Is there a way to use WS-Security as it is without storing and validating client public keys on the server side?
I think I didn't get the point and my understanding is a potential security risk... So it would be nice if you can help me.
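The following is an added illustration, not code from the question or from any project it mentions. It shows the setup the question describes (a stateless session bean exposed as a JAX-WS web service, JAAS roles, BASIC auth bound to the request context) with transport-level protection added: HTTPS encrypts the channel and the server authenticates to the client with its TLS certificate, so no client keys need to be kept on the server. The `@WebContext` (`org.jboss.ws.annotation`) and `@SecurityDomain` (`org.jboss.ejb3.annotation`) packages, the `transportGuarantee` attribute, the JAAS domain name `myDomain`, the role `client`, the namespace, host names, credentials and account id are all assumptions or placeholders; in a real project the interface, bean and client would be three public classes in separate files.

```java
// Added example (not code from the question). Transport-level protection for the
// SLSB web service described above: JAAS roles + BASIC auth stay in the container,
// HTTPS encrypts the channel and the server authenticates with its TLS certificate.
// Assumptions: JBossWS-style @WebContext (org.jboss.ws.annotation) and
// @SecurityDomain (org.jboss.ejb3.annotation); every name and URL is a placeholder.

import java.net.URL;
import java.util.Map;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;
import org.jboss.ejb3.annotation.SecurityDomain; // assumed vendor annotation
import org.jboss.ws.annotation.WebContext;       // assumed vendor annotation

// Service endpoint interface shared by server and client (placeholder namespace).
@WebService(targetNamespace = "http://example.invalid/account")
public interface AccountService {
    @WebMethod
    String getBalance(String accountId);
}

// Server side: would be a public class in its own file in a real project.
@Stateless
@WebService(endpointInterface = "AccountService",
            targetNamespace = "http://example.invalid/account",
            serviceName = "AccountService", portName = "AccountServicePort")
@SecurityDomain("myDomain")                       // placeholder JAAS login-config name
@WebContext(contextRoot = "/secure",
            urlPattern = "/AccountService",
            authMethod = "BASIC",                 // container checks user + password
            transportGuarantee = "CONFIDENTIAL",  // plain HTTP is refused; TLS required
            secureWSDLAccess = false)
class AccountServiceBean implements AccountService {

    @RolesAllowed("client")                       // placeholder role from the JAAS domain
    public String getBalance(String accountId) {
        // Business logic omitted; the caller was already authenticated by the container.
        return "balance for " + accountId;
    }
}

// Client side: would also be a public class in its own file.
class AccountClient {
    public static void main(String[] args) throws Exception {
        String ns = "http://example.invalid/account";
        // HTTPS endpoint: the JVM validates the server certificate against its
        // truststore (javax.net.ssl.trustStore); that is how the server proves its
        // identity to the client. Host name and WSDL path are placeholders.
        URL wsdl = new URL("https://server.example/secure/AccountService?wsdl");
        Service service = Service.create(wsdl, new QName(ns, "AccountService"));
        AccountService port = service.getPort(new QName(ns, "AccountServicePort"),
                                              AccountService.class);

        // BASIC credentials bound to the request context, as in the question;
        // they travel inside the TLS tunnel, never in clear text on the wire.
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(BindingProvider.USERNAME_PROPERTY, "alice");   // placeholder user
        ctx.put(BindingProvider.PASSWORD_PROPERTY, "s3cret");  // placeholder password
        ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
                "https://server.example/secure/AccountService");

        System.out.println(port.getBalance("ACC-1"));          // placeholder account
    }
}
```

With this arrangement only the server holds a key pair (its TLS certificate); the client needs the issuing CA certificate in its truststore, and BASIC credentials are never sent outside the encrypted tunnel. Message-level WS-Security encryption works differently: to encrypt a response it needs the recipient's public key, which is why the X.509-based WS-Security profiles keep client certificates on the server.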