Discussion:
[Wsf-general] Exposing a Database as a Webservice
Chamil Thanthrimudalige
2007-02-26 11:04:59 UTC
hi all,

It is a way to expose some/all of the content in a database as
Webservices. Data in the database will be exposed without exposing
the fact that we are retrieving the data from a database.

The design that we have come up so far is to give the database
administrator two ways to authenticate and authorize the users of the
service. Then he can either enter the details for a user who has the
necessary permissions for doing the operations defined in the service
in which case WSO2 Application Server (WSAS) will take care of access
control or else he can get the database to control access to the data.

In the first method WSAS will authenticate the user and then use the
authorization details in its system to do the access control. In
this all permissions will be controlled through the security module
inside WSAS. WSAS will login and access as itself.

In the second method the user will send the authentication and
authorization details and these details will be used when accessing
the database. Please note the Security Token that will be used will
not be something that is special to the Database service.

The database administrator will create a configuration file [xml]
with the needed details for exposing the required data in the
database. I will send a separate mail about the configuration file
and its format as it stands.

Best Regards,
Chamil Thanthrimudalige
Afkham Azeez
2007-02-26 12:18:39 UTC
The attached doc shows the two database access scenarios, which may give
a better understanding.

-- Azeez
Post by Chamil Thanthrimudalige
hi all,
It is a way to expose some/all of the content in a database as
Webservices. Data in the database will be exposed without exposing the
fact that we are retrieving the data from a database.
The design that we have come up so far is to give the database
administrator two ways to authenticate and authorize the users of the
service. Then he can either enter the details for a user who has the
necessary permissions for doing the operations defined in the service in
which case WSO2 Application Server (WSAS) will take care of access
control or else he can get the database to control access to the data.
In the first method WSAS will authenticate the user and then use the
authorization details in its system to do the access control. In this
all permissions will be controlled through the security module inside
WSAS. WSAS will login and access as itself.
In the second method the user will send the authentication and
authorization details and these details will be used when accessing the
database. Please note the Security Token that will be used will not be
something that is special to the Database service.
The database administrator will create a configuration file [xml] with
the needed details for exposing the required data in the database. I
will send a separate mail about the configuration file and its format as
it stands.
Best Regards,
Chamil Thanthrimudalige
--
Afkham Azeez
GPG Fingerprint: 643F C2AF EB78 F886 40C9 B2A2 4AE2 C887 665E 0760

http://www.wso2.org
James Clark
2007-02-27 04:21:46 UTC
Post by Chamil Thanthrimudalige
In the first method WSAS will authenticate the user and then use the
authorization details in its system to do the access control. In
this all permissions will be controlled through the security module
inside WSAS. WSAS will login and access as itself.
In the second method the user will send the authentication and
authorization details and these details will be used when accessing
the database. Please note the Security Token that will be used will
not be something that is special to the Database service.
Can these be mixed? I would expect one common scenario would be that

- the database would have a "guest" user that would be allowed read-only
access to non-sensitive data

- when using the first method, WSAS would login and access as this guest
user

- for access that requires more privileges than the database guest user
allows, the second method would be used

James
Chamil Thanthrimudalige
2007-02-27 04:44:09 UTC
Post by James Clark
Post by Chamil Thanthrimudalige
In the first method WSAS will authenticate the user and then use the
authorization details in its system to do the access control. In
this all permissions will be controlled through the security module
inside WSAS. WSAS will login and access as itself.
In the second method the user will send the authentication and
authorization details and these details will be used when accessing
the database. Please note the Security Token that will be used will
not be something that is special to the Database service.
Can these be mixed? I would expect one common scenario would be that
- the database would have a "guest" user that would be allowed read-only
access to non-sensitive data
- when using the first method, WSAS would login and access as this guest
user
- for access that requires more privileges than the database guest user
allows, the second method would be used
What we can do is have the connection settings for the guest user in
the configuration file and then for each operation add another
attribute to denote whether to use the guest account or to use the
details given by the party invoking the service. Or else we can make
two services with two different types of access control, however I
think the first method might be more practical.

The attribute name can be "access-control" which can have "wsas" as
the value to denote that access control will be done from within
WSAS or can have "database" to denote that the database will do it.

Best Regards,
Chamil Thanthrimudalige
Post by James Clark
James
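
An added sketch of the per-operation "access-control" attribute proposed in the message above (not code from the thread or from WSAS). The element names, the `resolve_db_login` helper and the sample configuration are hypothetical; only the attribute name and its two values, "wsas" and "database", come from the thread. It shows the choice of database login failing closed when the attribute is missing or the caller sends no credentials.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration. Element names are hypothetical; only the
# "access-control" attribute and its values "wsas" / "database" come from the thread.
SAMPLE_CONFIG = """
<data-service name="orders">
  <guest-connection user="guest" password="PLACEHOLDER"/>
  <operation name="listProducts" access-control="wsas"/>
  <operation name="updateOrder" access-control="database"/>
  <operation name="legacyReport"/>
</data-service>
"""

class AccessDenied(Exception):
    """Raised whenever no database login may be handed out."""

def load_operations(xml_text):
    """Return (guest_login, {operation name: access-control value or None})."""
    root = ET.fromstring(xml_text)
    guest = root.find("guest-connection")
    guest_login = (guest.get("user"), guest.get("password"))
    ops = {op.get("name"): op.get("access-control") for op in root.findall("operation")}
    return guest_login, ops

def resolve_db_login(guest_login, ops, operation, wsas_authorized=False, caller_login=None):
    """Pick the database login for one invocation, failing closed."""
    if operation not in ops:
        raise AccessDenied("unknown operation")
    mode = ops[operation]
    if mode == "wsas":
        # WSAS made the access decision; the database only sees the guest account.
        if not wsas_authorized:
            raise AccessDenied("WSAS did not authorize the caller")
        return guest_login
    if mode == "database":
        # The database decides: use the caller's login, never fall back to guest.
        if not caller_login or not all(caller_login):
            raise AccessDenied("caller supplied no database credentials")
        return tuple(caller_login)
    # Missing or unrecognised attribute: refuse rather than guess a default.
    raise AccessDenied("operation has no valid access-control value")

def denied(*args, **kwargs):
    """True if resolve_db_login refuses the request."""
    try:
        resolve_db_login(*args, **kwargs)
    except AccessDenied:
        return True
    return False
```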