In my opinion, this is a bit more complex than just setting up Axis the right way.
If you need to do such things as "This message was signed by john smith", you will need some kind of PKI infrastructure. You have to think of how you store and distribute your keys. How will 'client A' be able to reach 'client B's' public certificate for message validation?

If you want to go down this path, I found some articles on how to build Axis that way here:

"This is needed for Axis to support signed and encrypted messages (as opposed to unsigned messages over HTTPS, which is different)"

http://ws.apache.org/axis/java/building-axis.html
http://xml.apache.org/security/

However, if you don't want to set up the key infrastructure, a strategy for unsigned XML messages over HTTPS could still meet your need.

Ask me if anything of this is unclear.

Best regards,
Glenn

-----Original Message-----
From: Hernan Bay Area Guy [mailto:[EMAIL PROTECTED]
Sent: 2 February 2006 02:20
To: [email protected]
Subject: Digital signatures on AXIS?

Hello,

We have a prototype SOAP server running on AXIS 1.3 and would like to add client authentication using digital signatures. I didn't find much information on the web, mostly some articles from 2002 or so. According to these articles, we need to use XML signatures, and intercept the messages before they reach the SOAP engine itself to verify that the signature matches.

I'm still doing some research on this, but it's not obvious to me how to tell the SOAP engine something like "this message was signed by John Smith". We need this type of functionality to be able to manage users' permissions adequately, of course.

We would like to avoid re-inventing the (square) wheel, so pointers to articles / books on the subject, and also any comments on how you all implement digital signatures on AXIS, are much appreciated.

Many thanks in advance!

--
Hernan
