[MOBY-dev] Web Services in a secure World
Andreas Groscurth
groscurt at mpiz-koeln.mpg.de
Thu Mar 13 11:38:51 UTC 2008
Hi,
Funny: having written an email and then, later, searching the web
and discussing the matter with Mark Fiers here, we think we have a nice
solution based on the description at
http://www.impetus.us/~rjmooney/projects/misc/clientcertauth.html,
with different services depending on which certificate was used.
So, in our view this is solved, but feel free to add something :-)
best
andreas
Andreas Groscurth wrote:
> Hi everyone,
>
> I'd like to start a discussion or ask for your knowledge about the
> possibility of using secure BioMoby Web Services.
>
> The scenario is to register Web Services which work on https and only
> people with a specific certificate are allowed to call this Web Service.
>
> Another scenario is that people with different certificates can call
> the same Web Service, but based on their certificate the Web Service
> behaves differently (like giving out different data, working on
> different databases or so).
>
> Unfortunately I'm not that familiar with the whole https and Java
> http communication, so I'd like to ask you to give me some input on
> my ideas.
>
> Establishing an https connection is not difficult; I'm currently
> thinking about how to enable different certificates to be treated
> differently.
>
> One possibility is to work at the level of Apache and have
> different authentications for the certificates. Based on this
> authentication people are directed to the corresponding service. But
> this solution sounds awful, because you have to offer a service for
> each certificate, and these services have to be physically
> different so that person A with certificate A cannot call service B
> via some detour. So for me this is a really messy solution.
>
> Is this correct, or do I have an error in my scenario?
>
> The other idea is that based on the certificate the Web Service checks
> who has actually called. I tried with the current MOBY API to retrieve
> any information about the certificate which was used for the calling
> process, but I couldn't find any method which gives me such information.
>
> So is there any method which does or could return me any information?
>
> Another idea was, because the certificate is actually non-binary, one
> could send it as a secondary. Is this reasonable to do, and is it
> sufficient to do a simple equals in the web service, or is a more
> complex operation based on the certificate required?
>
> Thanks for reading and thanks for any input, comments and suggestions
> Andreas
>
> PS: just to verify - this is nothing which came up just in my mind -
> it is a request from several EU-SOL partners ;-)
> _______________________________________________
> MOBY-dev mailing list
> MOBY-dev at lists.open-bio.org
> http://lists.open-bio.org/mailman/listinfo/moby-dev
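An added example of the Apache-level approach the thread settles on (client-certificate authentication, with the verified certificate deciding which service is reachable, or which data a shared service hands out). It is not from the thread or the linked page; it uses the Apache 2.2-era `SSLRequire` syntax current when this was written (Apache 2.4 prefers `Require expr`), and every path, host name and DN value is a placeholder.

```apache
# Added example (not from the thread or the linked page): Apache mod_ssl
# configuration for the client-certificate scenario discussed above.
# All file paths, host names and DN values are placeholders.
<VirtualHost *:443>
    ServerName moby.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/moby.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/moby.example.org.key

    # Only clients presenting a certificate signed by this CA may connect.
    # Apache verifies the chain and signature; the service never has to
    # compare raw certificate bytes itself.
    SSLCACertificateFile /etc/ssl/ca/partner-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Expose the verified client DN to the service as SSL_CLIENT_S_DN etc.
    SSLOptions +StdEnvVars

    # Scenario 1: one service, open to any holder of a partner certificate.
    <Location /services/getSequence>
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "EU-SOL"
    </Location>

    # Scenario 2: per-partner services. Apache enforces the restriction on
    # the path itself, so certificate A cannot reach service B by any detour.
    <Location /services/partnerA>
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "EU-SOL" and \
                   %{SSL_CLIENT_S_DN_OU} eq "Partner A"
    </Location>
    <Location /services/partnerB>
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "EU-SOL" and \
                   %{SSL_CLIENT_S_DN_OU} eq "Partner B"
    </Location>

    # Alternative for "same service, different behaviour": forward the
    # verified DN to the backend as a header it uses to pick the database.
    # The backend must be reachable only through this Apache instance,
    # otherwise a caller could forge the header.
    ProxyPass        /services/shared http://127.0.0.1:8080/moby
    ProxyPassReverse /services/shared http://127.0.0.1:8080/moby
    RequestHeader set X-SSL-Client-DN "%{SSL_CLIENT_S_DN}s"
</VirtualHost>
```

With this layout the "simple equals" in the web service reduces to matching the DN Apache already verified, and revoking a partner means updating the CA's revocation list (`SSLCARevocationFile`), not changing service code.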