There are 2 fundamental choices:

1.  Secure the message at the SOAP layer
2.  Secure the channel at the protocol layer

WS-Security is for #1. It means you can perform security-related functions like authentication, signing and privacy (encryption) entirely by manipulating the XML messages. This makes your security solution transport independent and also makes it possible for secure delivery of messages that span multiple intermediary servers. These solutions tend to be a little more complicated. Since the specs/toolkit implementations are "new-ish", they may not interoperate, perform well or even work. It is the direction we are going but be prepared to learn more about security than you ever wanted to. :)

Option #2 is the most expedient and popular approach these days. You send messages in clear text and secure the underlying protocol by using https, for example. This has certain advantages too, not the least of which is familiarity and reliability. The disadvantages are the advantages of approach #1. Using HTTP basic authentication over https is a very reasonable solution given what you mentioned about your needs.

Hope that helps,

Jim Murphy
Mindreef, Inc.



Suzy Fynes wrote:

Hi,

Can anyone tell me the best approach to take for securing a web services server? It's set up using Java and I've been currently looking at xws-security but it seems to be causing more trouble than anything else. Does anyone know if this is the best approach or is there another option? At the moment the security level needed would be simply just to have each client login before accessing the deployed service on server.

Thanks,
Suzy
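
The channel-level option discussed in this thread (HTTP basic authentication over https), sketched as an added example that is not part of the original messages or of any toolkit named in them. The class name, the `authenticate` method and the sample account are hypothetical, and the `arrivedOverTls` flag is assumed to come from the container (for instance `ServletRequest.isSecure()`).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

/** Added example: checks an HTTP Basic Authorization header, accepting it only over HTTPS. */
public class BasicAuthCheck {
    // Constructed sample account. Plaintext storage is a simplification for the example;
    // a real service would keep salted password hashes instead.
    private static final Map<String, String> USERS = Map.of("client1", "s3cret-constructed");

    /** Returns the authenticated user name, or null if the request should get a 401. */
    static String authenticate(String authorizationHeader, boolean arrivedOverTls) {
        // Basic credentials are only base64-encoded, so refuse them on a clear-text channel.
        if (!arrivedOverTls || authorizationHeader == null) return null;
        String[] parts = authorizationHeader.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // payload is not valid base64
        }
        int colon = decoded.indexOf(':'); // the user-id cannot contain ':', the password can
        if (colon < 0) return null;
        String user = decoded.substring(0, colon);
        String expected = USERS.get(user);
        if (expected == null) return null;
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual does not stop at the first differing byte.
        boolean match = MessageDigest.isEqual(given, expected.getBytes(StandardCharsets.UTF_8));
        return match ? user : null;
    }

    private static String basic(String userColonPassword) {
        return "Basic " + Base64.getEncoder()
                .encodeToString(userColonPassword.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String good = basic("client1:s3cret-constructed");
        System.out.println(authenticate(good, true));                   // valid login over HTTPS
        System.out.println(authenticate(good, false));                  // same header over plain HTTP
        System.out.println(authenticate("Basic !!!", true));            // malformed base64
        System.out.println(authenticate(basic("client1:wrong"), true)); // wrong password
    }
}
```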


