Is server authentication implicit when using webservice over ssl



  1. Hello,

    I am trying to set up java clients to access WebServices over ssl. I will be using WSAD Generated Proxy classes, however, what I am unsure about is whether invoking webservice over ssl (especially through WSAD generated proxy) will achieve SERVER authentication by default/implicitly?

    Any guidance will be much appreciated.

  2. Authentication

    First, when you deploy your service, you need to have the required deployment descriptors to make sure it is secured and the container asks the person to authenticate.
    Then you can add HTTP Auth headers to your SOAP message to trigger the authentication. Since the communication is via SSL, HTTP basic/digest auth should suffice. Hope this helps.
  3. Clarification

    I am sorry I wasn't clear in my problem description.

    I am not deploying a web-service, rather, I am deploying a Java Client (Servlet running on WebSphere) that will be accessing somebody else's web-service.

    If I were to write my own web-service handler, I know I'd need to validate the SERVER CERTIFICATE that it presents over ssl to its client (my servlet in this case), before SSL communication can begin.

    However, I am using WSAD generated proxy classes for Web-Service invocation, and I am trying to understand whether authentication OF THE SERVER (not of the client) will be done, i.e., whether the SERVER CERTIFICATE WILL BE VALIDATED implicitly.
  4. SSL Comm

    When your Java client tries to open an SSL connection to talk to the web service, the server certificate validity will be checked. I am not sure whether we can call this real authentication; it is going to check the notBefore and notAfter fields on the certificate, and validate the cert chain of the certificate. If the certificate is signed by a valid CA that is present in the trust store (the server's JDK's cacerts keystore), it is considered valid and the connection will continue. Of course the server name check can be turned on or off as required. The stubs that are generated by WSDL2Java automatically take care of that.
  5. Sounds like it will work

    That's all the authentication we want to do: that we are INDEED talking to the SERVER that we wanted to call this webservice on. We don't need the message level security. We only want to be assured that we can communicate with a Trusted partner without any eavesdropping.

    Sounds like as long as the WSDL to Java stubs are configured to validate the server name, we should be okay.
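As an added illustration (not code from this thread, and not the WSAD-generated proxy code), the plain HttpsURLConnection client below shows the three server-side checks post 4 describes (validity dates, chain to a CA in the trust store, host name) and what post 5 calls "configured to validate the server name". The endpoint, the `authenticateServer` method and the trust-store path are assumptions made for the example. One detail to keep straight: the trust store consulted is the one of the JVM running the client (here, the servlet's WebSphere JVM), not the partner's; and whether a WSAD-generated proxy routes through exactly these JSSE settings is assumed here, not verified.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;

/**
 * Added illustration of the server-authentication checks JSSE performs for
 * an HTTPS client. Not code from the thread and not WSAD-generated code.
 * The endpoint and trust-store path are placeholders (assumptions).
 */
public class SslServerCheck {

    /** Hypothetical partner endpoint; substitute the port address from the WSDL. */
    static final String ENDPOINT = "https://partner.example.com/services/Quote";

    /**
     * Opens an HTTPS connection and returns the server's leaf certificate
     * once JSSE has accepted it, or null if the server was NOT authenticated.
     *
     * skipHostnameCheck=true reproduces the weak setting post 4 mentions
     * (server name check "turned off"); keep it false in real deployments.
     */
    static X509Certificate authenticateServer(String endpoint, boolean skipHostnameCheck)
            throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(endpoint).openConnection();

        if (skipHostnameCheck) {
            // WEAK: an always-true verifier means any certificate the trust
            // store accepts, issued for ANY host, passes as the partner.
            conn.setHostnameVerifier(new HostnameVerifier() {
                public boolean verify(String hostname, SSLSession session) {
                    return true;
                }
            });
        }
        // With no custom verifier, JSSE compares the URL host against the
        // certificate's subject/SAN names and rejects a mismatch.

        try {
            conn.connect();   // TLS handshake: dates, chain, trust store, host name
        } catch (SSLHandshakeException e) {
            // Expired/not-yet-valid cert, chain not reaching a CA in the trust
            // store, or (on newer JDKs) a host-name mismatch.
            System.err.println("Handshake rejected: " + e.getMessage());
            return null;
        } catch (IOException e) {
            // Older JDKs report a host-name mismatch here as a plain
            // IOException ("HTTPS hostname wrong: ...").
            System.err.println("Connection rejected: " + e.getMessage());
            return null;
        }

        Certificate[] chain = conn.getServerCertificates();
        X509Certificate leaf = (X509Certificate) chain[0];
        System.out.println("Cipher suite : " + conn.getCipherSuite());
        System.out.println("Chain length : " + chain.length);
        conn.disconnect();
        return leaf;
    }

    public static void main(String[] args) throws IOException {
        // The trust store consulted is the CLIENT JVM's cacerts unless pointed
        // elsewhere; the partner's CA must be in it or the handshake fails.
        // Hypothetical path, shown commented out:
        // System.setProperty("javax.net.ssl.trustStore", "/opt/app/partner-truststore.jks");
        // System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        X509Certificate leaf = authenticateServer(ENDPOINT, false);
        if (leaf == null) {
            System.out.println("Server NOT authenticated; do not send the SOAP request.");
            return;
        }
        // Everything below was already verified by the handshake; printed for audit logging.
        System.out.println("Subject : " + leaf.getSubjectX500Principal());
        System.out.println("Issuer  : " + leaf.getIssuerX500Principal());
        System.out.println("Valid   : " + leaf.getNotBefore() + " .. " + leaf.getNotAfter());
    }
}
```

The `skipHostnameCheck` branch exists only to show what disabling the server name check looks like in code; with it on, a partner's certificate would still have to chain to a trusted CA, but any trusted certificate for any host would be accepted, which is exactly the impersonation the thread wants to rule out.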