
List:       wss4j-dev
Subject:    RE: Newbie 'best practise' question
From:       "Granqvist, Hans" <hgranqvist () verisign ! com>
Date:       2005-10-31 16:32:07
Message-ID: E9616AD132F1464BB96EBBFC4F1F3355957CDD () MOU1WNEXMB02 ! vcorp ! ad ! vrsn ! com

Hi Tim,
 
X.509 certificates seem like a good solution for this problem. You can
either set up your own issuer (CA) or use a commercial one (ehrm :)

The CA issues certs to the set of allowed clients, who would then use
these to authenticate and encrypt. You would simply check on the server
that the client connects with a cert issued by the CA.
 
Hans


________________________________

	From: Tim Williams [mailto:theshady@gmail.com] 
	Sent: Monday, October 31, 2005 5:54 AM
	To: wss4j-dev@ws.apache.org
	Subject: Newbie 'best practise' question
	
	
	Hi all,
	
	I've got 2 way encryption working using wss4j, and very nicely
	it runs too. At the moment I'm designing another web service that I
	would like to provide some security on. Basically we want to be able to
	say that only people we want can use the service (authentication) and
	that nobody can listen in on confidential data (encryption).
	
	The question is, how do I best maintain a list of clients that
	are allowed to connect to the service, and how do we go about checking a
	connecting client against that list?
	
	Any links people have on this matter would also be appreciated.
	I've looked over the OASIS WS-Security authentication specification,
	but, to be honest, most of that went over my head.
	
	Thanks in advance,
	Tim
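
The approach in the reply above (run your own CA, issue certificates to the allowed clients, accept only certificates that chain to that CA), as an added example that is not part of the original thread. It uses the openssl command line rather than wss4j, and the names service-ca, other-ca and client-a are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: constructed names throughout (service-ca, other-ca, client-a).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the self-signed certificates are explicitly marked as CAs.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = req
x509_extensions = v3_ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca NAME: create a self-signed issuer, NAME.key and NAME.crt.
make_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA CN OUT: the client makes a key and CSR, the CA signs it into OUT.crt.
issue_cert() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$3.crt" 2>/dev/null
}

# is_allowed CA_CERT CLIENT_CERT: the server-side check. Exit status 0 means the
# certificate chains to CA_CERT; -no-CApath keeps the system CA directory out of it.
is_allowed() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca service-ca                           # the issuer the service trusts
make_ca other-ca                             # an issuer the service does not trust
issue_cert service-ca client-a allowed       # enrolled client
issue_cert other-ca   client-a outsider      # same subject name, wrong issuer

for c in allowed outsider; do
  if is_allowed "$WORK/service-ca.crt" "$WORK/$c.crt"; then
    echo "$c: accept"
  else
    echo "$c: reject"
  fi
done
```

Because the check accepts anything the trusted issuer has signed, the CA's issuance records are the list of allowed clients; with a commercial CA the server would also have to compare the certificate subject against its own list.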
	

