Hi,
I must say that I am quite new to the whole web services (WS) paradigm,
but already have to deal with some serious matters which seem to grow a
bit over my head. So I am hoping you can help me by providing some
answers or links to relevant sites or documents (I am not too lazy to
read myself, but there is too much information out there).
We have a setup where there is a WS on one side running tomcat, muse,
axis and pubscribe and on the other hand the clients using .jsp pages to
connect to the WS.
We basically want to do authentication and also authorization. However
due to apparent DoS attacks on WS-authorization we choose to do that
part in TLS, to be able to just drop packets at a low level and simply
revoke TLS certificates of unwanted clients.
However for the authorization part we want to use different roles a
client can have (3 roles in our case). For this part we also want to use
certificates (preferably the same as in the authorization ones, but not
sure if that is possible or even good-practice).
I found some stuff about Realm
(http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html) but it seems
to me that is mainly username/password based. Also found the jguard
project ( http://jguard.net/ ) which seems to be able to handle
certificates.
Can somebody provide some answers/suggestions? When I read about WS and
security related issues it all seems very scattered and not very
documented and stable yet, but that might be my impression.
Thanks in advance for the help,
Bertrand Baesjou
P.S. I hope I am on the correct mailing list for these kinds of
questions..... please redirect me otherwise....