Ticket #208 (closed issue: worksforme)

Opened 13 years ago

Last modified 12 years ago

[S] [M] [WG] Why should access to exist databases be tunnelled through the firewall at all?

Reported by: lawrence Owned by: mpritcha
Priority: required Milestone: BETA
Component: community Version:
Keywords: WS-Discovery2 Cc:

Description

Shouldn't access to the exist database be turned off, so only NDG services can access the database in a secure way. (Noting that Kev's current service is visible worldwide, so when we resolve this issue, we should spin off a task to deal with those consequences).

Change History

comment:1 Changed 13 years ago by selatham

  • Status changed from new to assigned

Will the eXist web interface and oxygen webdav still work? Do we need them to work?

comment:2 Changed 13 years ago by selatham

How do we get it behind the firewall? Just turn off the Apache re-direct in Apache conf file?

i.e. comment out:-

# eXist xml database web interface

ProxyPass? /exist  http://glue.badc.rl.ac.uk:8082/exist ProxyPassReverse? /exist  http://glue.badc.rl.ac.uk:8082/exist

comment:3 Changed 13 years ago by lawrence

  • Milestone changed from PreAlpha to PostAlpha_review

Currently we use usecode and passwords to make this work, which isn't really the ndg philosophy ... we need to think how this should be done ...

comment:4 Changed 13 years ago by lawrence

AHM Decision: Yes we still want to get at moles content from other providers, but we need to specify the interface properly ...

comment:5 Changed 13 years ago by selatham

  • Milestone changed from PostAlpha_review to ReFactored Discovery WebServices

comment:6 Changed 13 years ago by selatham

I plan to make it so that only port 80 is available throught the firewall, then services are re-directed via apache and tomcat to exist. I beleive this should be the correct way of doing things. I will do this on glue first to test the effect on all services running there, then superglue. Can anyone foresee this giving them problems?

comment:7 Changed 13 years ago by selatham

Only port 80 is available on glue now. Question is do we need the apache redirect to service /exist? How do Discovery WS and browse get at things from outside?

comment:8 Changed 13 years ago by mpritcha

From my point of view, only the web service needs to be exposed. Once I have it installed on glue, Axis2 should be the only thing exposed via the ProxyPass? for this purpose. The fact that this happens to talk to eXist behind the scenes is an internal design detail. But we do need to implement the MOLES web service (offering a doPresent() operation for MOLES docs) but again this can be in axis2 ...using the same code I've written for Discovery2.

comment:9 Changed 13 years ago by lawrence

  • Keywords WS-Discovery2 added
  • Milestone changed from ReFactored_Discovery_WebServices to PreBeta

comment:10 Changed 12 years ago by selatham

  • Priority changed from critical to required

comment:11 Changed 12 years ago by selatham

  • Owner changed from selatham to mpritcha
  • Status changed from assigned to new

Have we actually got to the stage where everything is hidden behind WS Web Services now? Can I close this?

comment:12 Changed 12 years ago by lawrence

  • Status changed from new to closed
  • Resolution set to worksforme

I think we're ok, we may need to reopen this if I have a poblem with late binding, but I think there is no need for tunnelling!

Note: See TracTickets for help on using tickets.