Securing Apache SOAP services on Secure Sockets Layer

To make a request over HTTPS using the Secure Sockets Layer support of Apache SOAP, you need a separate Java Secure Socket Extension (JSSE) provider.

WebSphere Application Server includes ibmjsse.jar in the IBM Developer Kit for Windows, Java Technology Edition. The SOAP on SSL scenario is useful for many business-to-business (B2B) applications because:

  • The data in transit is protected from eavesdropping or forgery by SSL.

  • The client identity is authenticated through user ID and password, which are encrypted by the SSL transport.

For example, if an inventory application is configured as a Web service, the service provider has the following two SOAP service entries:

  • https://foo.com/inventory/inquiry

  • https://foo.com/inventory/update

Each SOAP service entry should be deployed as a separate enterprise application because each service has a different access control policy: anyone can inquire about the inventory, but only the inventory clerks can update its contents.

The SOAP enablement model limits you to one context root for the unsecured services and another for the secured services. In this example, you want to make the inquiry service unsecured and the update service secured. If you want different levels of security among the secured services, deploy those service entries as separate EAR files.

To enable the SOAP on SSL scenario:

  1. Configure the Web server (httpd.conf) so that it allows only SSL access to these servlets.

  2. Configure the security role for the RPCRouterServlet in the inquiry service's EAR file. After this step, the RPCRouterServlet for the inquiry service is accessible by everyone, while the RPCRouterServlet for the update service requires authentication based on HTTP basic authentication (user ID and password).

    In this case, the update application does not know the identity of the requester; it only knows that access is granted. In other words, the update application is not concerned with the identity of the user because it knows WebSphere Application Server is ensuring that only authenticated users have access.

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.