users@glassfish.java.net

WSIT security mechanisms help needed, please!

From: <glassfish_at_javadesktop.org>
Date: Wed, 03 Oct 2007 09:03:00 PDT

Hi everyone,
I'm using NetBeans IDE 5.5.1 and Glassfish v2 (b58g) to develop a simple web-service based application. For my faculty project (diploma project, that is) I need to implement some sort of e-gov system with web services, with special care for security. I will create one web service for the municipality (operations related to citizen services: issuing documents to citizens) and another that will simulate some sort of bank (operations for money transfer from account to account).
The web application containing the municipality ws will have a ws client for the bank ws (which will be in a separate web app) in order to realize online payment for municipality services. There will also be a third web app with servlets and JSPs for the user interface, which will contain a ws client for the municipal ws.
I installed the WSIT plugin for NetBeans and went through some tutorials on ws security, and it's all pretty simple to set up. But I have a hard time figuring out which security mechanism to use (mutual certificates, SAML holder-of-key, SAML sender-vouches etc.). I want both ws provider and ws client to be authorized to each other and SOAP messages to be encrypted (body element), in order to protect sensitive financial data. Can anyone please help me by explaining the differences between the available sec. mechanisms (and how each of them in fact works, not only what it achieves) or pointing to some site where I can find some sort of clear and concise explanation?
I've been googling for 3 days now and am still stuck, and the deadline is approaching fast. Also, I need an explanation of how to set up my own private/public keys (and certificates) for the chosen security mechanism.
Thanks in advance.
[Message sent by forum member 'markomitrovic' (markomitrovic)]

http://forums.java.net/jive/thread.jspa?messageID=238318