[MOBY-dev] Moby in a secure world

Pieter Neerincx Pieter.Neerincx at wur.nl
Thu Nov 22 17:01:16 UTC 2007

Hi Paul,

I agree that would be more elegant. Basically I don't care too much  
about how authentication is handled as long as it works :) and the  
most important thing would be having something standardised!

But for those who want something that has been working already for  
the past two years, a simple User object is a pragmatic solution for  
the time being. I had that implemented in a split second. This in  
contrast to making the secure connection over HTTPS work. Fiddling  
with SSL certificates and Java keystores isn't always fun :).



On 22-nov-2007, at 16:14, Paul Gordon wrote:

> Hi Pieter,
> While your approach definitely works, I am loath to incorporate
> authentication within Moby itself, as I mentioned in my previous
> message.  I think a more elegant solution would be for the community to
> suggest the use of enveloped XML signatures in the MOBY payload.  In
> that way, the authentication is built right into the message (e.g.
> public-key based), rather than relying on a username/password database.
> This would also promote one authentication amongst all service
> providers.  It would also be backward compatible, as parsers should
> ignore the signature tag, as it's not in the MOBY namespace.
> My $0.02,
> Paul
> Pieter Neerincx wrote:
>> Hi Andreas,
>> On 22-nov-2007, at 12:54, groscurt at mpiz-koeln.mpg.de wrote:
>>> Hiho,
>>> at the EU-Sol meeting in Rome we discussed the usability of Moby for the
>>> project. One main issue was if it is possible to secure the data sent via
>>> WebServices and to ensure that only specific people are able to use
>>> specific webservices. This is because the EU-Sol is a closed consortium
>>> with industry partners and they, but also the "normal" biologists, demand
>>> to have a solution which guarantees such requirements.
>> In one of our collaborations I'm in a similar situation with a
>> combined public / private consortium.
>> There are several ways to secure your services, that can already work
>> with the current state of the BioMOBY art. The thing is that as far
>> as I know there is not really a standard ... yet. So probably several
>> people already have different mechanisms in place.
>> I'm using HTTPS to secure the connection. Next I do authentication on
>> the web service level: in addition to other data I'm sending a
>> BioMOBY object called "User" around. This contains a user ID, a
>> password and an e-mail address. If necessary I validate those against
>> an LDAP server. Instead of doing authentication on the web service
>> level, you could also do authentication on the level of the web
>> server or on the level of the transport layer. The reason I'm not
>> doing this is that it would require extra logic for a workflow
>> builder or client to handle this and not all of them do. Putting the
>> user credentials inside the BioMOBY payload of the SOAP message makes
>> sure this way of handling authentication works with any BioMOBY
>> client :).
>> If anyone has a more elegant solution I'd love to hear about it!
>> Cheers,
>> Pi
>>> So what I was wondering if this issue already came up in Moby? I'm
>>> currently getting started to understand the current principles of securing
>>> WebServices, but I was wondering if someone has somehow experiences with
>>> that?
>>> So any comments and hints are welcome :-)
>>> Best
>>> andreas
>>> _______________________________________________
>>> MOBY-dev mailing list
>>> MOBY-dev at lists.open-bio.org
>>> http://lists.open-bio.org/mailman/listinfo/moby-dev
>> -------------------------------------------------------------
>> Wageningen University and Research centre (WUR)
>> Laboratory of Bioinformatics
>> Transitorium (building 312) room 1034
>> Dreijenlaan 3
>> 6703 HA Wageningen
>> The Netherlands
>> phone:  0317-483 039
>> fax: 0317-483 584
>> mobile: 06-143 66 783
>> mail: pieter.neerincx at wur.nl
>> skype: pieter.online
>> ------------------------------------------------------------

Wageningen University and Research centre (WUR)
Laboratory of Bioinformatics
Transitorium (building 312) room 1034

Dreijenlaan 3
6703 HA Wageningen
The Netherlands

phone:  0317-483 039
fax: 0317-483 584
mobile: 06-143 66 783
mail: pieter.neerincx at wur.nl
skype: pieter.online
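
Added example, not part of the original thread and not BioMOBY project code: a sketch of the enveloped-signature idea quoted above, showing that a `ds:Signature` element can travel inside the MOBY payload, be excluded from its own digest, and be skipped by a client that only reads MOBY-namespace elements. The MOBY namespace URI, the sample payload and all function names are assumptions; only the reference digest is computed, so the public-key `SignatureValue` and `KeyInfo` of a full XML Signature (which need a crypto library) are left out.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

MOBY_NS = "http://www.biomoby.org/moby"        # assumed BioMOBY namespace URI
DS_NS = "http://www.w3.org/2000/09/xmldsig#"   # W3C XML Signature namespace
SIG = f"{{{DS_NS}}}Signature"
DIGEST_PATH = [f"{{{DS_NS}}}{n}" for n in ("SignedInfo", "Reference", "DigestValue")]

# Constructed sample payload, not taken from the thread.
SAMPLE = (
    f'<moby:MOBY xmlns:moby="{MOBY_NS}"><moby:mobyContent>'
    '<moby:mobyData moby:queryID="q1"><moby:Simple moby:articleName="seq">'
    '<moby:Object moby:namespace="NCBI_gi" moby:id="163483"/>'
    '</moby:Simple></moby:mobyData></moby:mobyContent></moby:MOBY>'
)

def _digest(root):
    """Enveloped transform: drop ds:Signature, canonicalize (C14N 2.0), hash."""
    for sig in root.findall(SIG):
        root.remove(sig)
    c14n = ET.canonicalize(ET.tostring(root, encoding="unicode"),
                           rewrite_prefixes=True)
    return base64.b64encode(hashlib.sha256(c14n.encode("utf-8")).digest())

def add_enveloped_digest(xml_text):
    """Sender side: embed the digest of the payload inside the payload itself."""
    root = ET.fromstring(xml_text)
    value = _digest(root)
    node = ET.SubElement(root, SIG)
    for tag in DIGEST_PATH:
        node = ET.SubElement(node, tag)
    node.text = value.decode("ascii")
    return ET.tostring(root, encoding="unicode")

def digest_matches(xml_text):
    """Receiver side: recompute the digest without the signature element."""
    root = ET.fromstring(xml_text)
    claimed = root.findtext(SIG + "/" + "/".join(DIGEST_PATH))
    if claimed is None:
        return False          # unsigned message
    return hmac.compare_digest(claimed.strip().encode("utf-8"), _digest(root))

def legacy_moby_objects(xml_text):
    """A client unaware of signatures: reads MOBY-namespace elements only."""
    root = ET.fromstring(xml_text)
    return [(o.get(f"{{{MOBY_NS}}}namespace"), o.get(f"{{{MOBY_NS}}}id"))
            for o in root.iter(f"{{{MOBY_NS}}}Object")]
```

A digest alone only detects modification; authentication in the sense discussed above additionally requires a signature over `SignedInfo` with the sender's private key, verified against a key the service provider already trusts.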
