WSE2 Security without X509

At Web Services Edge, someone asked me in the hallway about doing WSE2 Security without X509 certificates. Although there is, out of the box, support for Kerberos (which I still know nearly zip about) and you can write custom tokens as well, I think the question was really about how to do security well with login/pw -> UsernameTokens.

The answer is that you can, but with the caveat that logins/passwords are often (thanks to social engineering and use of passwords like “cat”) not the best way to go.

However, if you are hoping to do this with UsernameTokens, there are two important resources you should be aware of.

1) Keith Brown’s recent article on the Web Services dev center on Securing UsernameTokens with WSE 2.0

2) To solve another problem, doing SecureConversation with UsernameTokens (which still basically requires a web server X509 certificate), see William Stacy’s blog post, which accomplished what a number of us have been trying to do for some time!


