JAX-WS and Security

From:

"Karl Uppiano" <karl.uppiano@verizon.net>

Newsgroups:

comp.lang.java.programmer

Date:

Mon, 22 Jan 2007 02:47:42 GMT

Message-ID:

<iBVsh.3518$uL6.165@trnddc03>

I am an experienced Java programmer, but I am perplexed by what seems to be
a simple and common problem.

I am developing a web-based client/server application based on the new
JAX-WS API in JSE 6. The server self-publishes a web service using
javax.xml.ws.Endpoint.publish. The client is a JSE 6 Swing application that
accesses the server using javax.xml.ws.Service.

One of my web methods can reconfigure some properties in the server. For
that, I need the client to identify themselves, so the server can decide if
they are allowed to perform the operation or not. One brain-dead solution
would be to add a username/password parameter to the web method. I am no
security wonk, and with so many security APIs in Java and WS-*, I fear I am
missing a prefabricated, integrated (with Java and/or the platform) solution
that would encompass my immediate needs, and cover security risks that I
have not yet considered.

I have Googled the usual suspects: JSE 6 JavaDocs, tutorials, various WS-*
specs, and so on, but nothing obvious really jumps out at me. Any other
suggestions?