views: 9

answers: 0

I'm recently facing an issue with web service security. The basic requirement is that the client code doesn't want to use a username token to authenticate the user; they want to use certificates. (Some big companies have password policies, and certificates live longer.)

There are multiple users calling the service, and different clients will have different levels of privilege. The question is, what is the best way to implement this?

Or, I'm trying to find answers to the following questions:

1. Is it possible to use 2-way SSL + a username only in the SOAP header to identify the user? If yes, how should the web service be secured? I'm trying to specify the ws-policies that come with WLS...

2. If some kind of certificate-based signing is used, how can I determine the user identity from the web service code? In this way one user will have one certificate, which will increase the complexity of management...
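The following is an added illustration, not code from the question or from WebLogic, of the pattern both questions circle around: take the caller's identity from the client certificate that the TLS layer already verified during 2-way SSL, and treat the username in the SOAP header only as a claim that must agree with that certificate. It assumes the servlet container exposes the verified chain under the standard request attribute `javax.servlet.request.X509Certificate` (on WLS a JAX-WS endpoint can reach the request via `WebServiceContext` / `MessageContext.SERVLET_REQUEST`), that the certificate CN is the username, and that a hypothetical CN-to-role map supplies the privilege level.

```java
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;

/**
 * Resolves the caller from the mutually authenticated TLS session and binds the
 * SOAP-header username to it. The certificate is authoritative; the header is
 * only a hint, so a mismatch is rejected rather than trusted.
 */
public final class CertIdentityResolver {

    /** Hypothetical mapping from certificate CN to the caller's privilege level. */
    private final Map<String, String> cnToRole;

    public CertIdentityResolver(Map<String, String> cnToRole) {
        this.cnToRole = cnToRole;
    }

    /** CN of the end-entity client certificate, or null if none was presented. */
    public static String subjectCn(HttpServletRequest req) throws InvalidNameException {
        // Populated by the container only after it validated the client chain
        // against its trust store during the TLS handshake.
        X509Certificate[] chain =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            return null; // no client certificate: caller is unauthenticated
        }
        // chain[0] is the leaf; parse its RFC 2253 subject DN to pull out the CN.
        LdapName dn = new LdapName(chain[0].getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /**
     * Returns the caller's role when the SOAP-header username matches the
     * certificate CN and the CN is known; null otherwise (deny by default).
     */
    public String authorize(String certCn, String headerUsername) {
        if (certCn == null || headerUsername == null) return null;
        if (!certCn.equals(headerUsername)) return null; // header disagrees with cert
        return cnToRole.get(certCn);
    }
}
```

With this binding in place, a caller cannot escalate by simply editing the username element in the SOAP header, because the role is looked up from the certificate identity the TLS layer verified.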