Need advice on security setup
 

Hi all experts.

I am currently planning a rather large application that will have the
following characteristics:

1)
Business Services layer will be implemented as XML Web Services. I think
service (WSDL) lookup will be done using UDDI, not sure yet, since I can't
really see why I should go for UDDI. Quite OT, but anyone on this?

2)
There will be several "clients" to the service layer. Some of which I
develop, and some of which a 3rd party develop. These clients range from
WinForms (smart) applications and WebForm applications.

3)
Customers running on this solution can have different versions of services
and clients. 90% will run on the same services, but 10% can run on
services/clients providing extra functionality.

4)
The Internet is used as transport medium. Pure Internet, not Intra or
Extranets here.

5)
80% will be on .NET, 20% on J2EE

Why I am asking this is security newsgroup is because:

1)
I need to autenticate if customers has access to a service (and the WSDL)
and which exactly which set of services (versions) they run on. I thought
about using UDDI for this, but maybe I can go for a simpler solution, maybe
file access byt IIS

2)
I need to authenticate each request (I guess so) to my services layer, since
is can be anyone trying to access the service. Maybe by putting the
credentials in the web service request (in each call to a webmethod???),
maybe in SOAP headers, maybe by using WSE 2.0....Is WSE 2.0 interoperable by
other platforms

3)
I need to make sure that the request has not been tampered with on the way
from client to web service. This is "just" pure SSL right?

Thanx in advance for any suggestions... or links that can point me in the
right direction..

Maybe I can issue a client certifcate and then all my trouble is
over...except for managing those d.... certicates on the client.... :-)

Regards

Henrik

http://websolver.blogspot.com