wiki:DXAndSecurity

NDG-Securing the Data Extractor

Here are some notes on how/why both the DX client and server must be NDG-security enabled:

  1. Client and Server need to know about security because:
  • Server might be called directly so must be secure.
  • Client needs to do web-based (cookie) authentication and provide login and forwarding to NDG hosts, therefore needs to know.
  1. Client can follow MOLES Browse model of:
  • If not logged in: get list of trusted hosts
  • User selects one and logs in at that trusted host.
  • Trusted host forwards back to DX with cookies set or encrypted cookies on URL.
  • DX can then use NDG security code to get the list of roles and the username.
  1. Client and server exchange secure Token and session ID:
  • Session ID is a non-secure object that just binds to your saved session.
  • In order to access the session ID you should also provide the secure token.
  • The secure token needs to be an object that the server can use with NDG Security. Hence it could be a Proxy Certificate…