(Sorry for the dup post; I sent it to the wrong list earlier.)

Greetings,
We have been using WSS4J and Axis successfully in our SOAs for a couple of years now. Specifically, we use the WSDoAllSender/Receiver WSS4J handlers to insert and validate the WSS Username token on both the client and server sides. The config we generally use for WSS creds is:

    Usernametoken encrypt timestamp

My question is sort of a general question in terms of securing the server endpoint. We want to ensure that the server endpoint isn't vulnerable to an attacker who can spoof a WSS transaction. We don't want an attacker to be able to use the server's public key, generate a WSS token and send transactions on behalf of an otherwise authorized user.

If we keep the server's public key only in the authorized client's Java keystore and do not share it with other parties, can we be assured (reasonably speaking) that no one else could also generate a WSS token? The server's public key would be generated by an internal mechanism and not be available via X.509 outside of this network.

Is this notion of keeping a public key secret to ensure others can't transact with the server reasonable?

Thanks in advance for your reply,

Shawn McKinney
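For reference, here is what the receiving side of the configuration asked about actually checks, as an added example that is not from the original post or from WSS4J's own code base. The receiver's assurance rests on secrets the attacker does not hold (the UsernameToken password and the server's private decryption key), not on withholding the server's public certificate, which by design is not a secret. It assumes the WSS4J 1.x WSPasswordCallback API and an Axis WSDD that registers WSDoAllReceiver with this class as passwordCallbackClass; the user store and key password are constructed placeholders.

```java
// Added example, not code from the original post or from WSS4J itself:
// server-side password callback for WSDoAllReceiver (WSS4J 1.x API).
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class ServerPasswordCallback implements CallbackHandler {
    // Constructed sample credential store; a deployment would use a directory or database.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static { USERS.put("alice", "s3cret-alice"); }
    // Placeholder password for the server's private key in the decryption keystore.
    private static final String SERVER_KEY_PASSWORD = "changeit";

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb);
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String user = pc.getIdentifier();
            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Digest token: supply the stored password; WSS4J recomputes the digest
                    // over nonce, created time and password and rejects the message on mismatch.
                    if (!USERS.containsKey(user)) {
                        throw new IOException("unknown user " + user);
                    }
                    pc.setPassword(USERS.get(user));
                    break;
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // Plain-text token (older WSS4J): the callback must compare and reject itself.
                    if (USERS.get(user) == null || !USERS.get(user).equals(pc.getPassword())) {
                        throw new IOException("bad credentials for " + user);
                    }
                    break;
                case WSPasswordCallback.DECRYPT:
                    // Unlock the server's private key so the client's Encrypt action can be
                    // undone; this key, unlike the public certificate, never leaves the server.
                    pc.setPassword(SERVER_KEY_PASSWORD);
                    break;
                default:
                    throw new UnsupportedCallbackException(cb, "unexpected usage");
            }
        }
    }
}
```

Timestamp freshness (the Timestamp action) is checked by the handler itself against its configured time-to-live, so a captured message cannot simply be resent later even by a party that holds the server's certificate.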
