Chapter 7 Security
When setting authentication requirements for a client, keep in mind that an
endpoint can require a client to authenticate either by using basic authentication
and supplying a username and password or by using mutual authentication with
the client supplying a digital certificate. An endpoint cannot require a client to use
both mechanisms.
When deploying an application that uses this type of hybrid authentication
mechanism, it is important to properly set the security elements of the Web
resource's deployment descriptor.
Ensure that you set up an SSL transport for each endpoint that requires basic
authentication. Otherwise, the client authenticator is not fully protected. For
example, for Web endpoints, ensure that the transport-guarantee element of
each protected Web endpoint is set to CONFIDENTIAL for an application using a
hybrid authentication mechanism.
7.3.1.4 Publicizing Security Policy
Just as it needs to describe its methods and related information in a WSDL
document, a Web service endpoint also needs to describe its security policy and make
that information available to clients. If the WSDL document does not express the
policy information, then the service must use other means to make its requirements
known so that clients can be designed and implemented with those requirements in
mind and be able to interact with the service.
At the present time, a WSDL description contains minimal information about
the security characteristics of an endpoint: just the HTTPS location specified in
the endpoint URL. The security functionality specified by the WS-I Basic Profile
1.0 only requires that Web services using HTTPS have https in the URI of the
location attribute of the address element in its wsdl:port description. See Code
Example 7.5.
adventurebuilder/opc/getOrderDetails />
Code Example 7.5 WSDL Security Description