I implement Java server application which should work with number of clients and provide requested information from database. This information is client specific. From my point of view I had a choice between socket connection and web services. Web services looked quite natural for this kind of task. I started looking for information about web services with username/password authentication and came to WS-Security. And then things became very complex.
I use Metro. Its manual requires to install NetBeans, GlassFish and perform configuration via NetBeans GUI. I installed it and was a bit confused by a lot of options and settings related to WS-Security. To ensure everything is going right I need the message to be signed up and encrypted. For that I need a bunch of public/private keys and certificates which should be delivered to client. When new client registers I have to update keystore, generate new keys and certs and so on. My data isn't that secret. It's just online game character parameters and I don't actually need all that stuff with privacy and encryption. I assume that username and password is enough. I also read that encryption produces big overhead on message handling and in case of big load I'm afraid it can become performance bottleneck.
So I'm a bit confused about futher dealing with WS-Security and ask your advice. Is it good scenario for using WS at all or better implement it with sockets? Do I need WS-Security here? If so are certs and keys a big deal here? Because at the moment it looks very complex (probably because I'm very tired of reading all those security specs, encryption details and so on).
Thanks!
