Unfortunately, I'm still a bit confused. Suppose I use Mutual Certificates. And I insert the server's cert into the client's truststore (the client being the municipality app and the server the bank WS). Then, when the client requests an operation from the server (WSP, that is), it sends its cert within the SOAP message (in the form of an X509 token). That client's cert is issued by some CA. If the server has the CA's cert in its truststore it will be able to verify that the client cert is valid. But what if someone else (other than a trusted client) sends an op request (encrypted with the server's public key) and inside it its own x509 certificate, with its own public key in it? If that someone else's cert has been signed by a CA which the server trusts, then that someone else may be able to use the server's ops (i.e. make money transfers). That is not what I want. I want only those clients that have authorization to be able to make money transfers. Am I getting something wrong? Is a username/password token better (with a symmetric key)? Once again, I want only trusted clients to be able to make transfers, and only the bank server to be able to send confirmation messages (SOAP responses) to those clients.
[Message sent by forum member 'markomitrovic' (markomitrovic)]
http://forums.java.net/jive/thread.jspa?messageID=238484
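The concern raised in this post is the gap between authentication and authorization: a certificate chaining to a trusted CA only proves who the caller is, not that the caller is enrolled for money transfers. The following example, added here and not code from the poster or from any WS-Security framework, shows the two checks kept separate: PKIX path validation against the bank's CA, then an explicit allowlist of SHA-256 certificate fingerprints for the clients actually permitted to call the operation. It assumes the X509 token has already been extracted from the SOAP message by the runtime and handed over as an `X509Certificate`; the class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Decides whether a presented client certificate may invoke a sensitive operation (hypothetical helper). */
public final class ClientAuthorizer {

    private final Set<TrustAnchor> trustAnchors;
    private final Set<String> authorizedFingerprints;

    public ClientAuthorizer(X509Certificate caCert, Set<String> authorizedFingerprints) {
        this.trustAnchors = Collections.singleton(new TrustAnchor(caCert, null));
        this.authorizedFingerprints = new HashSet<>(authorizedFingerprints);
    }

    /** Step 1, authentication: does the cert chain to the bank's trusted CA and is it within its validity period? */
    public boolean isIssuedByTrustedCa(X509Certificate clientCert) {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));
            PKIXParameters params = new PKIXParameters(trustAnchors);
            params.setRevocationEnabled(false); // assumption: CRL/OCSP revocation checks are handled elsewhere
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (GeneralSecurityException e) {
            return false; // untrusted issuer, expired, or malformed certificate
        }
    }

    /** Step 2, authorization: is this specific certificate enrolled for the operation? */
    public boolean isAuthorized(X509Certificate clientCert) throws GeneralSecurityException {
        // A CA-signed certificate alone is never enough; it must also be on the enrolment list.
        return isIssuedByTrustedCa(clientCert)
            && authorizedFingerprints.contains(fingerprint(clientCert));
    }

    /** Lower-case hex SHA-256 over the DER encoding of the certificate. */
    public static String fingerprint(X509Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    private static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: ClientAuthorizer <ca.pem> <client.pem> [authorized-sha256-fingerprint ...]");
            return;
        }
        X509Certificate ca = load(args[0]);
        X509Certificate client = load(args[1]);
        Set<String> allow = new HashSet<>();
        for (int i = 2; i < args.length; i++) {
            allow.add(args[i].toLowerCase());
        }
        ClientAuthorizer authz = new ClientAuthorizer(ca, allow);
        System.out.println("fingerprint: " + fingerprint(client));
        System.out.println("trusted CA:  " + authz.isIssuedByTrustedCa(client));
        System.out.println("authorized:  " + authz.isAuthorized(client));
    }
}
```

Run it once with a CA-signed certificate that is not on the allowlist and `trusted CA` prints `true` while `authorized` prints `false`, which is exactly the case the post worries about. The allowlist could equally be keyed on the subject DN (via `getSubjectX500Principal().getName()`), but then the stored value must use the same canonical RFC 2253 form, whereas a fingerprint pins one exact certificate and is simpler to compare. Revocation checking is disabled in the example only to keep it self-contained; a bank service would enable it or check status separately.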