views: 335
answers: 3
To explain my situation, I will start with an example. Let's say there are two WS (WebService) clients A & B with trusted certificates. Now in normal execution, when both A & B make a call to WAS (WebSphere Application Server) through SSL, where my WebServices reside, WAS trusts both of them because of their trusted certificates and allows access to the required WS. What we would like is to allow only A, not B, to access the WS on WAS. So after certificate verification, is it possible to extract user info (from WAS admin or the Java way) which will be mapped to a role defined in WAS for accessing the WS?

A: 

Sounds like rather than programming this into the application you could just use a revocation model instead. SSL was designed so that a certificate authority (presumably you in this case) could revoke certificates, so why not use that instead?

It's difficult to give you any concrete advice without knowing what platform you're on or how you're doing all your SSL connections and such, but setting up a central CA that signs all the certs that go out and maintaining a revocation list sounds like it would work just fine. You wouldn't need to add anything to the application either (other than dropping non-valid SSL connections).

Bob Somers
A: 

Hi Bob, thanks for your reply. I have set this up on the J2EE platform on WebSphere Application Server. I have created self-signed certificates for the client application and the WebService deployed at WAS, and added these certs to the opposite side's trusted zone (for the client at the server side and vice versa). Can you please tell me more about this revocation model and related concepts? If you have some useful links, they would really help.

Thanks,

A: 

I would rephrase my problem.

From WebService client A the user would map to a role, say RoleA, and from WS client B the role gets mapped to RoleB. Now at the server side the operations for these clients should be role based. So I wanted to extract user-specific information from the certificates of the clients connecting to the server, so as to map them to a role for further operations at the server, which will be role specific.

Thanks,
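For the question as first asked and as rephrased above, here is an added example (not code from any of the posters or from WebSphere) of the "Java way": a servlet filter that, after the container has already completed TLS client authentication, reads the verified certificate chain from the standard `javax.servlet.request.X509Certificate` request attribute and maps the client certificate's full subject DN to an application role. The subject DNs, the role names RoleA/RoleB, and the `wsRole` attribute name are assumptions for illustration.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Filter placed in front of the web service endpoint. It does NOT verify the
// certificate itself: the container (WAS) has already validated the chain
// against its trust store during the SSL handshake, so the filter only decides
// which role the authenticated certificate is allowed to act as.
public class ClientCertRoleFilter implements Filter {

    // Constructed sample mapping: full subject DN (RFC 2253 form) -> role.
    // Matching on the complete DN rather than just the CN avoids confusing two
    // certificates that share a common name. A client not listed here is
    // trusted at the TLS layer but still refused access to the service.
    private static final Map<String, String> ROLE_BY_SUBJECT = new HashMap<String, String>();
    static {
        ROLE_BY_SUBJECT.put("CN=clientA,O=Example,C=US", "RoleA");
        ROLE_BY_SUBJECT.put("CN=clientB,O=Example,C=US", "RoleB");
    }

    /** Returns the role for the leaf certificate of the chain, or null if unknown. */
    static String roleForChain(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) return null;   // no client cert presented
        String subject = chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253);
        return ROLE_BY_SUBJECT.get(subject);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain next)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Standard Servlet attribute populated by the container after mutual TLS.
        X509Certificate[] chain =
            (X509Certificate[]) http.getAttribute("javax.servlet.request.X509Certificate");
        String role = roleForChain(chain);
        if (role == null) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        req.setAttribute("wsRole", role);   // the endpoint checks this before each operation
        next.doFilter(req, res);
    }

    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }
}
```

To allow only client A, simply leave client B out of the mapping; revocation of A's certificate (Bob's suggestion) is still handled at the TLS layer by the container, independently of this filter.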