[MOBY-dev] Web Services in a secure World
Andreas Groscurth
groscurt at mpiz-koeln.mpg.de
Fri Mar 14 10:39:04 UTC 2008
sneumann wrote:
> On Do, 2008-03-13 at 12:38 +0100, Andreas Groscurth wrote:
>
>> with different services depending on which certificate was used.
>>
> but that was not part of the simple tutorial, was it ?!
>
No, the simple tutorial, which I took down today, does not cover that. As
soon as we have tested it here in EU-SOL I will put the tutorial up again.
Otherwise it is dangerous that it will be changed over the next weeks over
and over again.
>> So - in our view this is solved, but feel free to add something :-)
>>
> So what is the use case solved here ?
>
The use case is that you offer Web services which shall only be called by
selected persons identified by a certificate.
We assume that the servlet container is not accessible to the public.
The solution we think of is that the clients retrieve a certificate
signed by a CA and have to use these files in the clients to call
BioMoby Web Services.
On the server side Apache will take care of the authentication and,
depending on the certificate, redirect to the corresponding servlet
container.
E.g.
Certificate-A-user -> axis_a/services/....
Certificate-B-user -> axis_b/services/...
Of course it has to be ensured that these redirects are not accessible
without any authentication.
And although this might have the problem of implementing several
services more than once, at least in Java you can easily avoid this
by using facade patterns.
> You have a service -- say a database/repository -- which includes
> data produced by -- say three -- different consortia, and should also
> serve data (for which the protection phase has expired) to the public
> without any certificate. How do you pass the cert information down to the
> retrieval layer ?
>
So as described, Apache will do that.
> Or do you use apache to demultiplex / route the same query
> to a given (virtual) service to the appropriate instance
> based on the certificate ? This probably doesn't scale very well.
>
Didn't get that. If this is the way as described above, why do you think it
doesn't scale very well?
> What happens if some remote machine/user belongs to two consortia
> (or in fact the administrator needs access to all consortium data),
> then he needs to choose the appropriate cert ?
>
This is definitely a point we have to think of. We have to differentiate
here. One: what happens if a person with two certificates calls
a service, which one is used? A solution (at least in Java) could be
that the client has several keystores in which the certificates are
stored and he selects the one he wants to use currently.
The other one is if one has access to all data, although from different
consortia. In this case I would use a different certificate.
Thanks for your input. I'm glad if you have anything to add here.
best
andreas
> Yours,
> Steffen
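The setup Andreas sketches above (Apache verifies the client certificate against the consortium CA and forwards the same query to axis_a or axis_b depending on who signed in) as an added example; this is not configuration from the original post or from BioMoby. It assumes Apache httpd 2.4 with mod_ssl, mod_rewrite and mod_proxy_http; the hostname, file paths, ports and the OU values `Consortium-A` / `Consortium-B` are placeholders.

```apache
# Added example, not from the original post. All names and paths are placeholders.
Listen 443
<VirtualHost *:443>
    ServerName moby.example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/moby.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/moby.example.org.key

    # Only clients presenting a certificate issued by the consortium CA get in;
    # a missing or unverifiable client certificate aborts the TLS handshake.
    SSLCACertificateFile  /etc/ssl/certs/consortium-ca.pem
    SSLVerifyClient       require
    SSLVerifyDepth        1

    # Route on the Organizational Unit of the verified client certificate.
    # %{SSL:...} reads mod_ssl variables directly, no StdEnvVars needed.
    RewriteEngine on

    RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} ^Consortium-A$
    RewriteRule ^/services/(.*)$ http://127.0.0.1:8081/axis_a/services/$1 [P,L]

    RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} ^Consortium-B$
    RewriteRule ^/services/(.*)$ http://127.0.0.1:8082/axis_b/services/$1 [P,L]

    # Fall through: a valid certificate from an OU that maps to no container,
    # or any path outside /services/, is refused rather than proxied.
    RewriteRule ^ - [F]

    # Let the containers see who was authenticated without trusting the client.
    RequestHeader unset X-Client-DN
    RequestHeader set   X-Client-DN "%{SSL_CLIENT_S_DN}s"
    SSLOptions +StdEnvVars
    ProxyPreserveHost On
</VirtualHost>
```

The point Andreas makes about the redirects only holds if the containers are unreachable except through this front end: bind the Tomcat/Axis HTTP connectors to 127.0.0.1 (Tomcat's Connector `address` attribute) and firewall ports 8081/8082 from everything but the proxy host.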