Java WS client-server communication with certificates, what frameworks/APIs should I use?
I have simple client-server communication through WebServices. Now, I'm using javax.ws.* and the Endpoint class (is it a default implementation?) to create the server side and NetBeans to create the client side.
I have a basic knowledge about certificates etc. I want clients to use (private?) certificate to sign (encrypt?) messages, so server knows (can identify) which particular client is calling.
So I have to generate private certificates for clients and a public certificate for the server? Which APIs/frameworks (buzzwords like JAAS, ws-security, xwss, tls) should I use? Maybe just TLS could be enough for that?
javax.ws.* - is it a reference implementation from Sun?
I used SAAJ 1.3.4 and it works. Now I have a question: how can I identify the client (clients have unique private keys)? Can I extract some private key hash from the SOAP envelope (to identify the client)?
You can try using the Bouncycastle library, it's lightweight and quite complete.
http://www.bouncycastle.org/java.html
Usually the client asks the server to identify itself and not the other way around. There is an option for a 2 way identification, I'm guessing you need to configure it.
I'd suggest using Axis2 for generating the client/service stub and Rampart for handling the security.
Rampart is an Axis2 module that handles most of the security hustle for you.