[MOBY-dev] Web Services in a secure World
Andreas Groscurth
groscurt at mpiz-koeln.mpg.de
Thu Mar 13 10:06:48 UTC 2008
Hi everyone,

I'd like to start a discussion, or ask for your knowledge, about the
possibility of using secure BioMoby Web Services.

The scenario is to register Web Services which work over https, where only
people with a specific certificate are allowed to call the Web Service.
Another scenario is that people with different certificates can call the
same Web Service, but based on their certificate the Web Service
behaves differently (like giving out different data, working on different
databases or so).

Unfortunately I'm not that familiar with the whole https and java - http
communication, so I'd like to ask you to give me some input about my ideas.

Establishing a https connection is not difficult; I'm currently thinking
about how to enable different certificates to be treated differently.

One possibility is to work on the level of the apache and have
different authentications for the certificates. Based on this
authentication, people are directed to the corresponding service. But
this solution sounds awful, because you have to offer a service for each
certificate, and these services have to be physically
different so that person A with certificate A cannot call service B
via some detour. So for me this is a really messy solution.
Is this correct, or do I have an error in my scenario?

The other idea is that, based on the certificate, the Web Service checks
who has actually called. I tried with the current moby API to retrieve
any information about the certificate which was used for the calling
process, but I couldn't find any method which gives me such information.
So is there any method which does or could return such information?

Another idea was that, because the certificate is actually non-binary, one
could send it as a secondary. Is it reasonable to do so, and is it
sufficient to do a simple equals in the web service, or is any more
complex operation based on the certificate required?

Thanks for reading and thanks for any input, comments and suggestions

Andreas

PS: just to verify - this is nothing which came up just in my mind - it
is a request from several EU-SOL partners ;-)
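
An added example, not part of the original post and not MOBY API code: one way a Java service could select a database from the client certificate that the TLS handshake has already verified. A certificate on its own is public data, so it is the handshake with client authentication, not a string comparison of a certificate sent as a parameter, that shows the caller holds the matching private key. The example assumes the service code can reach the servlet request (the post notes the MOBY API offered no such accessor); the class name, the fingerprint-to-database map and the database names are hypothetical.

```java
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Map;

/** Added example: maps a TLS-verified client certificate to a data source. */
public final class ClientCertRouter {
    // Standard Servlet attribute holding the client chain after a handshake
    // with client authentication ("jakarta." prefix on newer containers).
    public static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Hypothetical mapping: SHA-256 fingerprint of the certificate -> database name.
    private final Map<String, String> databaseByFingerprint;

    public ClientCertRouter(Map<String, String> databaseByFingerprint) {
        this.databaseByFingerprint = databaseByFingerprint;
    }

    /** @param attr the value of request.getAttribute(CERT_ATTR) */
    public String databaseFor(Object attr) throws Exception {
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            // Plain http, or https without client authentication: fail closed.
            throw new SecurityException("no client certificate on this connection");
        }
        // The chain is ordered from the client's own certificate upwards.
        X509Certificate leaf = ((X509Certificate[]) attr)[0];
        leaf.checkValidity(); // throws if expired or not yet valid
        String db = databaseByFingerprint.get(fingerprint(leaf));
        if (db == null) {
            // Trusted by the server's CA list but not authorised for this service.
            throw new SecurityException("certificate not authorised: "
                    + leaf.getSubjectX500Principal().getName());
        }
        return db;
    }

    /** Lower-case hex SHA-256 over the DER encoding of the certificate. */
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }
}
```

With this approach a single deployed service can serve all certificates, and the decision about which data a caller sees is made inside the service from the verified chain.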