[MOBY-dev] Moby in a secure world

Paul Gordon gordonp at ucalgary.ca
Thu Nov 22 15:14:29 UTC 2007


Hi Pieter,

While your approach definitely works, I am loath to incorporate 
authentication within Moby itself, as I mentioned in my previous 
message.  I think a more elegant solution would be for the community to 
suggest the use of enveloped XML signatures in the MOBY payload.  In 
that way, the authentication is built right into the message (e.g. 
public-key based), rather than relying on a username/password database.  
This would also promote one authentication amongst all service 
providers.  It would also be backward compatible, as parsers should 
ignore the signature tag, as it's not in the MOBY namespace.

My $0.02,

Paul

Pieter Neerincx wrote:
> Hi Andreas,
>
> On 22-nov-2007, at 12:54, groscurt at mpiz-koeln.mpg.de wrote:
>
>   
>> Hiho,
>>
>> at the EU-Sol meeting in Rome we discussed the usability of Moby  
>> for the
>> project. One main issue was if it is possible to secure the data  
>> sent via
>> WebServices and to ensure that only specific people are able to use
>> specific webservices. This is because the EU-Sol is a closed  
>> consortium
>> with industry partners and they, but also the "normal" biologists,  
>> demand
>> to have a solution which guarantees such requirements.
>>     
>
> In one of our collaborations I'm in a similar situation with a  
> combined public / private consortium.
> There are several ways to secure your services, that can already work  
> with the current state of the BioMOBY art. The thing is that as far  
> as I know there is not really a standard ... yet. So probably several  
> people already have different mechanisms in place.
>
> I'm using HTTPS to secure the connection. Next I do authentication on  
> the web service level: in addition to other data I'm sending a  
> BioMOBY object called "User" around. This contains a user ID, a  
> password and an e-mail address. If necessary I validate those against  
> an LDAP server. Instead of doing authentication on the web service  
> level, you could also do authentication on the level of the web  
> server or on the level of the transport layer. The reason I'm not  
> doing this is that it would require extra logic for a workflow  
> builder or client to handle this and not all of them do. Putting the  
> user credentials inside the BioMOBY payload of the SOAP message makes  
> sure this way of handling authentication works with any BioMOBY  
> client :).
>
> If anyone has a more elegant solution I'd love to hear about it!
>
> Cheers,
>
> Pi
>
>
>   
>> So what I was wondering if this issue already came up in Moby ? I'm
>> currently getting started to understand the current principles of  
>> securing
>> WebServices, but I was wondering if someone has somehow experiences  
>> with
>> that ?
>>
>> So any comments and hints are welcome :-)
>>
>> Best
>> andreas
>>
>> _______________________________________________
>> MOBY-dev mailing list
>> MOBY-dev at lists.open-bio.org
>> http://lists.open-bio.org/mailman/listinfo/moby-dev
>>
>>     
>
> -------------------------------------------------------------
> Wageningen University and Research centre (WUR)
> Laboratory of Bioinformatics
> Transitorium (building 312) room 1034
>
> Dreijenlaan 3
> 6703 HA Wageningen
> The Netherlands
>
> phone:  0317-483 039
> fax: 0317-483 584
> mobile: 06-143 66 783
> mail: pieter.neerincx at wur.nl
> skype: pieter.online
> ------------------------------------------------------------
>
>
>
>
>
>   
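
The enveloped-signature idea from the message above, as an added example that is not code from the thread or from the BioMOBY project: a signature-unaware parser reads the same MOBY data with or without a `ds:Signature` element, and the receiver's digest check catches a modified payload. The namespace URI for MOBY, the sample payload and all function names are assumptions; only the reference digest is computed here, and the public-key signature over `ds:SignedInfo` is left to an XML-DSig library.

```python
import base64, copy, hashlib
import xml.etree.ElementTree as ET

MOBY_NS = "http://www.biomoby.org/moby"        # assumed BioMOBY namespace URI
DS_NS = "http://www.w3.org/2000/09/xmldsig#"   # W3C XML Signature namespace
ET.register_namespace("moby", MOBY_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample payload, not a captured BioMOBY message.
SAMPLE = (f'<moby:MOBY xmlns:moby="{MOBY_NS}"><moby:mobyContent>'
          '<moby:mobyData moby:queryID="q1"><moby:Simple>'
          '<moby:String>ATGC</moby:String>'
          '</moby:Simple></moby:mobyData></moby:mobyContent></moby:MOBY>')

def enveloped_digest(root):
    """Enveloped-signature transform: drop ds:Signature, canonicalize, hash."""
    doc = copy.deepcopy(root)
    for sig in doc.findall(f"{{{DS_NS}}}Signature"):
        doc.remove(sig)
    c14n = ET.canonicalize(xml_data=ET.tostring(doc, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(c14n.encode("utf-8")).digest()).decode()

def attach_signature(root):
    """Append ds:Signature carrying the payload digest as a child of the root."""
    digest = enveloped_digest(root)
    sig = ET.SubElement(root, f"{{{DS_NS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS_NS}}}SignedInfo")
    ref = ET.SubElement(info, f"{{{DS_NS}}}Reference", URI="")
    ET.SubElement(ref, f"{{{DS_NS}}}DigestValue").text = digest
    # ds:SignatureValue (private-key signature over SignedInfo) is left to an
    # XML-DSig library; the standard library has no public-key signing.
    return root

def digest_matches(root):
    """Recompute the digest on receipt and compare with ds:DigestValue."""
    dv = root.find(f"{{{DS_NS}}}Signature/{{{DS_NS}}}SignedInfo/"
                   f"{{{DS_NS}}}Reference/{{{DS_NS}}}DigestValue")
    return dv is not None and dv.text == enveloped_digest(root)

def legacy_moby_parse(root):
    """A signature-unaware parser: reads only elements in the MOBY namespace."""
    return [(el.tag.split("}")[1], (el.text or "").strip())
            for el in root.iter() if el.tag.startswith(f"{{{MOBY_NS}}}")]
```

A digest alone authenticates nobody: the sender's identity comes only from verifying the signature over `ds:SignedInfo` against a public key the service provider already trusts.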


