users@glassfish.java.net

Re: Securing a webservice with certificates

From: V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Thu, 07 Jun 2007 15:40:46 +0530

Hi,

  You mention:
> So after a week, I finally gave up on using webservice extensions to secure my webservice

   I think I saw your posts in the WSIT Forum. Can you let me know what
the exact WSIT issue is that you are facing? (Point me to the Forum
Posting so I can reply there or file an Issue on WSIT as necessary.)

glassfish_at_javadesktop.org wrote:

>I'm starting to suspect that my replacement certificate for s1as is not adequate.
>
The CN name of the server certificate should be the host name or the
fully-qualified domain name. In the default installation of GlassFish,
the server certificate has the alias name s1as.

> If I leave it, using the tester throws the browser to ssl, and the browser prompts me to accept the server's certificate. This is part of a solution in that it's securing HTTP POST with ssl, but my goal is for the server to disallow unless it trusts the certificate given by the browser.
>
>
You mention the following in your step 35. check "Enable User Data
Constraint", set Transport Guarantee to CONFIDENTIAL.

 But it appears you want to do mutual authentication. For SSL mutual
authentication, you need to set the <auth-method> subelement of the
<login-config> element to CLIENT-CERT in addition to setting
<transport-guarantee> element to CONFIDENTIAL.

Please take a look at the following tech-tip and let us know if this
helps you :
http://www.java-tips.org/java-ee-tips/java-api-for-xml-web-services/using-jax-ws-based-web-services-wit.html

Thanks

>[Message sent by forum member 'atappert' (atappert)]
>
>http://forums.java.net/jive/thread.jspa?messageID=220683
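The difference between the two setups discussed in this message, as an added example that is not part of the original e-mail or of GlassFish: a small check over two constructed `web.xml` descriptors, one with only the CONFIDENTIAL transport guarantee and one that also sets CLIENT-CERT. The URL pattern, the role name `ws-client` and the `audit` function are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors. WEAK has only the user data constraint from step 35;
# FIXED adds what the reply asks for. URL pattern and role name are hypothetical.
HEAD = '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">'
CONSTRAINT = """
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ws</web-resource-name>
      <url-pattern>/HelloService</url-pattern>
    </web-resource-collection>
    %s
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>"""
WEAK = HEAD + CONSTRAINT % "" + "</web-app>"
FIXED = (HEAD
         + CONSTRAINT % "<auth-constraint><role-name>ws-client</role-name></auth-constraint>"
         + "<login-config><auth-method>CLIENT-CERT</auth-method></login-config>"
         + "<security-role><role-name>ws-client</role-name></security-role>"
         + "</web-app>")

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit(web_xml):
    """Return findings that keep the descriptor from enforcing SSL mutual authentication."""
    root = ET.fromstring(web_xml)
    text = lambda name: [e.text.strip() for e in root.iter()
                         if local(e.tag) == name and e.text]
    findings = []
    if "CONFIDENTIAL" not in text("transport-guarantee"):
        findings.append("no CONFIDENTIAL transport-guarantee: plain HTTP is accepted")
    if "CLIENT-CERT" not in text("auth-method"):
        findings.append("auth-method is not CLIENT-CERT: no client certificate is requested")
    # Servlet rule: the container authenticates only for resources with an auth-constraint.
    if not any(local(e.tag) == "auth-constraint" for e in root.iter()):
        findings.append("no auth-constraint: requests are served without authentication")
    return findings

if __name__ == "__main__":
    for name, doc in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit(doc) or "enforces mutual authentication")
```

The role named in `<auth-constraint>` still has to be mapped to the certificate principals in the server-specific deployment descriptor, and the client's certificate (or its issuer) has to be in the server's truststore.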