|
Replies:
3
-
Last Post:
Jul 2, 2008 3:41 AM
by: kumarjayanti
|
|
|
|
|
|
|
signing/authenticating webservice proxy/gateway?
Posted:
Jul 1, 2008 4:15 AM
|
|
|
Hi all
I'm looking for something like an authenticating webservice proxy/gateway that takes a webservice request from a client and forwards it to a given service provider. Before forwarding the request, the webservice proxy/gateway must authenticate the request for the service provider either via HTTPS or WS-Security using a client certificate. Does anybody know of an application or library for Metro or another WS stack that implements such a behaviour or helps in implementing it in Java? Btw. the proxy/gateway must run on the client side, because every client has its own certificate.
Thanks in advance for any help!
Marc
|
|
|
|
|
|
|
Re: signing/authenticating webservice proxy/gateway?
Posted:
Jul 1, 2008 6:06 AM
in response to: mnoma
|
|
|
Does the Proxy/Gateway need to add additional security before forwarding the message to the service (say things like adding another WS-Security Header into the Message targeted to the service, i.e the ultimate-reciever soap role).
Does the Proxy process WS-Security Header targeted at ultimate-reciever SOAP role or does it look for a WS-Security Header with some other SOAP role.
If you just want handle secure messages that were targeted for the service (ultimate-reciever) at the gateway, then i can think of using a JAXWS Handler and within the handler you can use XWSS API's to process security in the Message.
IMO, The Proxy is not necessarily a client side thing if the client request includes its Certificate/Or -a-reference-to-its-cert under the Signature-KeyInfo.
See the SecurityHandler.java code in the following article :
https://xwss.dev.java.net/Securing_JAVASE6_WebServices.html
|
|
|
|
|
|
|
|
|
Re: signing/authenticating webservice proxy/gateway?
Posted:
Jul 2, 2008 2:46 AM
in response to: kumarjayanti
|
|
|
Thanks for your questions, kumarjayanti.
The proxy/gateway should provide unsecured endpoints to a client and should transparently add authentication information to the requests received from the client and forward those requests to the service providers that then will authenticate the clients before processing the request. The authentication information, that should be added by the proxy/gateway, will be a certificate (a different one for each client, each client has its own proxy gateway instance). The certificate should be added to the request either on the transport level (HTTPS with client certificate) or on the webservice level (WS-Security (client certificate + signature)).
The proxy/gateway does not need to handle incoming security information, it just has to add security information. The client request to the proxy does not include security information. The proxy will be the one to add such information.
I hope this describes a little bit better what I'm looking for.
I'll have a look at your link, thanks. But at the same time I'm still looking for something existing that implements the behaviour described above. (My guess is that I am not the first or only one having the requirements specified above)
|
|
|
|
|
|
|
|
|
Re: signing/authenticating webservice proxy/gateway?
Posted:
Jul 2, 2008 3:41 AM
in response to: mnoma
|
|
|
Ok, this kind of requirement can very well be handled with the article i sent you.
Let me know if you need further details.
|
|
|
|
|
java.net RSS
