
webservice security

Former Member
0 Kudos

Hi all,

I need to provide security for my webservices, because I placed my webservices on a public IP, so anybody can access these webservices.

How many ways are there to provide security to a webservice, and from them which one is best?

This is very urgent, anybody please help me in this regard.

Somaraju

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

I'm looking for a solution to nearly the same problem. Did you find a solution to your urgent problem, and which one?

To describe the possibilities more precisely I can give reference to some SAP sources.

In another 2004 thread on Dipak Chopra's webservice overview, you can find a reference in David's reply to a SAP teched-2004 presentation about standards, particularly the chapter entitled WSI webservice interoperability, which is a solution based upon transport layer security (WSI Basic Profile). I can't find anywhere a reference to a successful implementation of these goals (mainly the same as the hints Volker gave you).

Can you or anybody else give me a status of this solution after teched-2004?

For me in this case it's a requirement (due to other consumer/provider standards) that the security shall be at transport layer based upon WS-I BP and X.509 consumer certificate identification.

An application layer solution based upon Webservice Security cannot be used in this case, but maybe another time in another service.

(ref: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/8af02871-0601-0010-9898-e9b... (SAP - .NET) and https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/3a913f71-0601-0010-7a83-dfd... (SAP Websphere))

Does anybody have successful practical experiences with this type of webservice security?

-jorgen

Former Member
0 Kudos

Hi!

This is a very wide field. The least you should do is to implement HTTP Basic Authentication (with userid/password within HTTP Body, do not expect it as URL parameters!!!). Additionally you should secure the data traffic using HTTPS/SSL, like e.g. Amazon and Ebay do it.

The more sophisticated way would be to use X.509 client certificates ....

But as already mentioned, this is a very wide field and there is not THE ONE WAY to achieve sufficient security in Internet traffic.

I know, these statements were not concrete enough for you, but maybe they gave you the right idea to make it on your own.

Regards,

Volker
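
The checks the two answers above describe (HTTPS, HTTP Basic Authentication with no credentials in the URL, X.509 client certificates at the transport layer), as an added Python example that is not part of the original posts. It reads the Basic credentials from the `Authorization` request header, where HTTP Basic Authentication carries them; the account, the query parameter names and the function names are constructed for illustration.

```python
import base64
import hmac
import ssl
from urllib.parse import parse_qs, urlsplit

# Constructed sample account; a real service would verify a salted password hash.
USERS = {"svc_consumer": "constructed-sample-password"}
# Query parameter names treated as credentials (assumed names, adjust per service).
CREDENTIAL_PARAMS = {"user", "userid", "username", "password", "pwd"}


def check_request(url, headers, is_tls):
    """Return (status, reason) for one call; headers is a dict with canonical names."""
    if not is_tls:
        # Basic credentials are only base64-encoded, so plain HTTP exposes them.
        return 403, "TLS required"
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if CREDENTIAL_PARAMS & {name.lower() for name in query}:
        # URLs are written to access logs and proxy logs.
        return 400, "credentials must not be sent as URL parameters"
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, "missing Basic credentials"
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return 401, "malformed Basic credentials"
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user, "")
    # Constant-time comparison, also performed for unknown users.
    match = hmac.compare_digest(password.encode(), expected.encode())
    if sep and match and user in USERS:
        return 200, "ok"
    return 401, "invalid credentials"


def client_cert_context(ca_file=None):
    """Server TLS context that rejects clients without a trusted X.509 certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # CA that issues consumer certificates
    # The server's own key pair still has to be loaded with ctx.load_cert_chain().
    return ctx
```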