taverna-dev mailing list archives

From Dmitry <redmi...@list.ru>
Subject Re: wsdl-generic (experimental) and SSL
Date Tue, 28 Jul 2015 15:25:22 GMT
> If the server certificate is missing / wrong then you should detect it. 
I am not sure how this is possible in Java. :-(
Browsers have a long list of trusted authorities.
On the other hand, Taverna uses its own KeyStore.
I cannot ask the user to trust the server certificate, nor do I have all 
trusted authorities in the Java certificates.

For example, I have a transPLANT web services registry (based on BioSWR) 
which is protected via SSL.
https://transplantdb.bsc.es/registry/rest/service/94259BD285E07E855382DD197BC61D62

But the WSDL location may be different from the service one.
So there are two things here:

1. https wsdl location
2. web service location (which by the way may be a usual http).

By the way, how does Taverna's server execute https services?
Does it provide certificates as a part of the workflow?

Dmitry

On 7/28/2015 12:12 PM, alaninmcr wrote:
> On 28/07/2015 10:25, Dmitry wrote:
>> Hello,
>
> Hello
>
>> I am working to add https support to my experimental wsdl-generic code.
>>
>> Currently, wsdl-generic doesn't support https directly.
>> Taverna's credential manager hooks into https requests.
>
> You should probably be OK without the credential manager in there.
>
> You can use the Java trust store.
>
>> Because I use wsdl-generic as a stand-alone package, I'd like to provide
>> https secured services support.
>>
>> 1. I just ignore server certificate while getting WSDL/Schema files.
>>      Is it OK?
>
> Not really. If the server certificate is missing / wrong then you 
> should detect it.
>
> Also, from a user's point of view, the services normally are on the 
> same site as a WSDL. So it will be better to identify a problem when 
> the WSDL is read, rather than "down the line".
>
>> IMHO getting WSDL is not that critical an issue...
>> 2. Is it OK to do the same for the service execution?
>
> Even less than for getting the WSDL.
>
> I think HTTPS should be enforced as much as possible.
>
>> Any thoughts and comments are very appreciated :-).
>>
>> Dmitry
>
> Alan
>

