Posted to java-user@axis.apache.org by Shawn McKinney <sm...@sbcglobal.net> on 2007/08/07 21:43:39 UTC

Encrypted WS-Security Username Token Question

Greetings,

We have been using WSS4J and Axis successfully in our
SOAs for a couple of years now.

Specifically, we use the WSDoAllSender/Receiver WSS4J
handlers to insert and validate the WSS Username
token on both client and server sides.

The config we generally use for WSS creds is:

Usernametoken encrypt timestamp

My question is sort of a general question in terms of
securing the server endpoint.

We want to ensure that the server endpoint isn't
vulnerable to an attacker who can spoof a WSS
transaction.  We don't want an attacker to be able to
use the server's public key, generate a WSS token and
send transactions on behalf of an otherwise authorized
user.

If we keep the server's public key only in the
authorized client's Java keystore and do not share it
with other parties, can we be assured (reasonably
speaking) that no one else could also generate a WSS
token?

The server's public key would be generated by an internal
mechanism and not be available via X.509 outside of
this network.

Is this notion of keeping a public key secret to
ensure others can't transact with the server
reasonable?

Thanks in advance for your reply,

Shawn McKinney
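For readers following the thread, here is an added illustration (not the poster's code and not from the WSS4J project itself) of the server-side piece that actually decides whether a "UsernameToken Encrypt Timestamp" message is accepted: the password callback that WSDoAllReceiver consults. The handler class, the `action`, `passwordCallbackClass` and `decryptionPropFile` parameter names, and the `WSPasswordCallback` usage constants are real WSS4J 1.x names; the user table, key alias and passwords are constructed placeholders, and `getIdentifier()` is assumed to be the WSS4J 1.6+ spelling (1.5 releases spelled the accessor `getIdentifer()`).

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Server-side password callback for WSDoAllReceiver (illustrative example,
 * not the original poster's code). Wired in from the server-side deployment
 * descriptor with parameters along the lines of:
 *
 *   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
 *     <parameter name="action" value="UsernameToken Encrypt Timestamp"/>
 *     <parameter name="passwordCallbackClass"
 *                value="UsernameTokenPasswordCallback"/>
 *     <parameter name="decryptionPropFile" value="server-crypto.properties"/>
 *   </handler>
 *
 * The receiver first decrypts the token with the server's PRIVATE key, then
 * asks this callback for the expected password of the named user so it can
 * verify the PasswordDigest (hash of nonce + created + password).
 */
public class UsernameTokenPasswordCallback implements CallbackHandler {

    // Constructed sample credential store; a real deployment would consult
    // a directory or database. Every value here is a hypothetical placeholder.
    private static final Map<String, String> USER_PASSWORDS =
        new HashMap<String, String>();
    static {
        USER_PASSWORDS.put("alice", "alice-password-placeholder");
        USER_PASSWORDS.put("bob", "bob-password-placeholder");
    }

    // Hypothetical alias and keystore password for the server's decryption key.
    private static final String SERVER_KEY_ALIAS = "server";
    private static final String SERVER_KEY_PASSWORD = "server-key-password-placeholder";

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Unrecognized callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            switch (pc.getUsage()) {
            case WSPasswordCallback.USERNAME_TOKEN:
                // Supply the stored password; WSS4J recomputes the digest from
                // the token's nonce and created time and compares it.
                String expected = USER_PASSWORDS.get(pc.getIdentifier());
                if (expected == null) {
                    // Unknown user: leave the password unset so validation fails.
                    continue;
                }
                pc.setPassword(expected);
                break;
            case WSPasswordCallback.DECRYPT:
                // Password that unlocks the server's private key, which is the
                // secret the encryption step actually protects the token with.
                if (SERVER_KEY_ALIAS.equals(pc.getIdentifier())) {
                    pc.setPassword(SERVER_KEY_PASSWORD);
                }
                break;
            default:
                throw new UnsupportedCallbackException(
                    callback, "Unsupported usage " + pc.getUsage());
            }
        }
    }
}
```

What this makes visible is where the trust actually sits in this configuration: the receiver accepts a request only if the caller knew the user's password (checked against the store above), the timestamp is within the receiver's freshness window, and the token could be decrypted with the server's private key. The server's public key does not enter that decision; it is what the client uses to encrypt, and the design assumes it may be known. Keeping it off an X.509 directory reduces exposure, but the controls to invest in are the password store, the private-key keystore and the timestamp/replay checks.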
