Hello,
I am trying to set up Java clients to access web services over SSL. I will be using WSAD-generated proxy classes; however, what I am unsure about is whether invoking a web service over SSL (especially through a WSAD-generated proxy) will achieve SERVER authentication by default/implicitly?
Any guidance will be much appreciated.
thanks.
-
Is server authentication implicit when using webservice over ssl (4 messages)
- Posted by: Waqas Ahmed
- Posted on: June 16 2005 16:43 EDT
Threaded Messages (4)
- Authentication by Sowmya Sridhar on June 17 2005 11:04 EDT
- Clarification by Waqas Ahmed on June 17 2005 14:42 EDT
- SSL Comm by Sowmya Sridhar on June 17 2005 15:20 EDT
- Sounds like it will work by Waqas Ahmed on June 17 2005 22:25 EDT
-
Authentication
- Posted by: Sowmya Sridhar
- Posted on: June 17 2005 11:04 EDT
- in response to Waqas Ahmed
First, when you deploy your service, you need to have the required deployment descriptors to make sure it is secured and the container asks the person to authenticate.
Then you can add HTTP Auth headers to your SOAP message to trigger off the authentication. Since the communication is via SSL, HTTP basic/digest auth should suffice. Hope this helps.
Clarification
- Posted by: Waqas Ahmed
- Posted on: June 17 2005 14:42 EDT
- in response to Waqas Ahmed
I am sorry I wasn't clear in my problem description.
I am not deploying a web service; rather, I am deploying a Java client (a servlet running on WebSphere) that will be accessing somebody else's web service.
If I were to write my own web service handler, I know I'd need to validate the SERVER CERTIFICATE that it presents over SSL to its client (my servlet in this case), before SSL communication can begin.
However, I am using WSAD-generated proxy classes for web service invocation, and I am trying to understand whether authentication OF THE SERVER (not of the client) will be done, i.e., whether the SERVER CERTIFICATE WILL BE VALIDATED implicitly.
SSL Comm
- Posted by: Sowmya Sridhar
- Posted on: June 17 2005 15:20 EDT
- in response to Waqas Ahmed
When your Java client tries to open an SSL connection to talk to the web service, the server certificate validity will be checked. I am not sure whether we can call this real authentication; it is going to check the notBefore and notAfter fields on the certificate, and validate the cert chain of the certificate. If the certificate is signed by a valid CA that is present in the trust store (the server's JDK's cacerts keystore), it is considered valid and the connection will continue. Of course, the server name check can be turned on or off as required. The stubs that are generated by WSDL2Java automatically take care of that.
Sounds like it will work
- Posted by: Waqas Ahmed
- Posted on: June 17 2005 22:25 EDT
- in response to Waqas Ahmed
That's all the authentication we want to do: that we are INDEED talking to the SERVER that we wanted to call this web service on. We don't need message-level security. We only want to be assured that we can communicate with a trusted partner without any eavesdropping.
Sounds like as long as the WSDL-to-Java stubs are configured to validate the server name, we should be okay.
thanks
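Added example, not part of the original thread and not WSAD-generated code: a minimal client using the standard JSSE API (Java 7 or later) that enforces the three checks discussed above, namely certificate validity dates, chain to a CA in the trust store, and the server name. The class name `StrictTlsClient` and the host passed on the command line are assumptions for illustration; what a given generated stub does internally is not shown here.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

public class StrictTlsClient {   // hypothetical class name

    // Context backed by the JVM default trust store (cacerts, unless
    // javax.net.ssl.trustStore points elsewhere). The default trust manager
    // checks notBefore/notAfter and builds the chain to a trusted CA.
    static SSLContext defaultTrustContext() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);          // null selects the default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Opens a connection and completes the handshake with the server name check on.
    // A raw SSLSocket does NOT compare the certificate to the host name unless
    // endpoint identification is set; HttpsURLConnection does so by default.
    static SSLSocket open(String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) defaultTrustContext()
            .getSocketFactory().createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake();   // throws if expired, untrusted, or name mismatch
        return s;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            System.out.println("usage: java StrictTlsClient <host>");
            return;
        }
        try (SSLSocket s = open(args[0], 443)) {
            X509Certificate leaf =
                (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println("accepted: " + leaf.getSubjectX500Principal());
            System.out.println("valid " + leaf.getNotBefore() + " to " + leaf.getNotAfter());
        } catch (SSLHandshakeException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running it against a partner endpoint whose certificate name does not match the host should print a rejection; if the generated stub still connects to the same endpoint, its server name check is not active.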