A simple model-view-controller.

If I were doing it, I would do it this way:

Use a REST service with the signature in the HTTP header X-http-signature (or 
something 
http://progrium.com/blog/2012/12/17/http-signatures-with-content-hmac/) if 
exposing it as form data (i.e. ?signature=base64(binarysignature)) does not 
suffice. (It would not suffice if you want to checksum the whole message 
without first removing the &signature content -- when the message is an opaque 
entity.) I would assume you are trying to make this NSA-proof and eliminate any 
kind of HTTPS man-in-the-middle attack.

Have the model talk HTTP and DB. Your controller is the CRUD operations of 
REST operating on the REST objects, represented by URLs. Your view is Wt tied 
to the DB, possibly views instead of tables if you want your view to be 
read-only so all puts have to go through REST. This way you can operate your 
business logic using standard AJAX in the UI; you'd only need to calculate the 
signature and put it in the header or body.

However, if you have your client UI sign the request, then you have to give 
your client your private key to generate the signature. They can then capture 
it and sign whatever they want to at that point. Perhaps you could have 
the server sign it for you (createRequest(id, data), signRequest(id), 
ExecuteSignedRequest(id)), but then they can just figure out how to have the 
server sign whatever request they pass to it. In short, I don't see how this 
makes you any more secure than TLS. Since you're looking at Witty, I'm assuming 
a web browser, and I don't know of any that isn't vulnerable to attack. Then 
you have private key leakage, which you might not be aware of, which would be 
very damaging.

If you wade into SOAP you're going to get bogged down with maintaining XML 
schemas and more formal messaging. The signing of content is not enough to 
justify the pain and suffering of SOAP. SOAP is for business people, REST is 
for engineers. My signing concerns would still apply.


Good Luck.
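
An added example, not part of the original message or of Wt: the header and form-data variants of request signing discussed above, sketched for Node.js. HMAC-SHA256 with a shared secret, the demo key, and all function names are assumptions of this example; `X-http-signature` is the header named in the message.

```javascript
const crypto = require('crypto');

// Constructed demo key; HMAC-SHA256 with a shared secret is an assumption of this example.
const DEMO_KEY = Buffer.from('constructed-demo-key');

function hmacB64(key, bytes) {
  return crypto.createHmac('sha256', key).update(bytes).digest('base64');
}

// Constant-time comparison; timingSafeEqual throws on unequal lengths, so check first.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Header variant: the body is an opaque byte string and is signed exactly as sent.
function signForHeader(key, body) {
  return { headers: { 'X-http-signature': hmacB64(key, body) }, body };
}

function verifyHeader(key, req) {
  const given = String(req.headers['X-http-signature'] || '');
  return safeEqual(given, hmacB64(key, req.body));
}

// Form-data variant: the signature rides inside the message, so the verifier has to
// cut "&signature=..." back out to recover the bytes that were actually signed.
function signForForm(key, form) {
  return form + '&signature=' + encodeURIComponent(hmacB64(key, form));
}

function verifyForm(key, signedForm) {
  const marker = '&signature=';
  const i = signedForm.lastIndexOf(marker);
  if (i < 0) return false;
  let given;
  try {
    given = decodeURIComponent(signedForm.slice(i + marker.length));
  } catch (e) {
    return false; // malformed percent-encoding
  }
  // Anything appended after the signature value makes `given` differ and is rejected.
  return safeEqual(given, hmacB64(key, signedForm.slice(0, i)));
}

const demo = signForHeader(DEMO_KEY, '{"id":42,"amount":"10.00"}'); // constructed body
console.log(verifyHeader(DEMO_KEY, demo));                                  // untouched
console.log(verifyHeader(DEMO_KEY, { ...demo, body: demo.body + ' ' }));    // modified
```

Verification only proves that the sender held the key: a client that holds it can produce a valid signature for any body, which is the concern raised in the message above.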


________________________________
 From: Krzysztof Kardas <krzyc...@gmail.com>
To: Jason H <scorp...@yahoo.com>; witty-interest@lists.sourceforge.net 
Sent: Thursday, April 3, 2014 3:58 AM
Subject: Re: [Wt-interest] SOAP protocol in witty.
 


Hi
Thank you for your response.
Well, I'd like to sign the SOAP request to prevent the modifications of the 
request (customer requirements). 
My idea was to write the application in 3 levels - dbo, business logic and the 
UI. So the integration level would be around business logic objects. The 
SOAP interface should use the business logic objects. The DBO and UI would be 
served by Wt.
Socket connection to business logic sounds like a great idea.



2014-04-02 21:24 GMT+02:00 Jason H <scorp...@yahoo.com>:

>SOAP and Witty are two different things. 
>
>
>Besides, who wants SOAP? REST is winning. Having implemented both, I say REST 
>is better. 
>
>
>However there is nothing preventing you from using gSOAP or some other toolkit 
>to implement a SOAP service. I can bang out a REST-based Qt service pretty 
>easily, even though the toolkit doesn't really target server apps. Though once 
>that is done you can somehow integrate the two on the back-end. Easiest is 
>database work queues, most elegant is probably a socket.
>
>
>
>________________________________
> From: Krzysztof Kardas <krzyc...@gmail.com>
>To: witty-interest@lists.sourceforge.net 
>Sent: Wednesday, April 2, 2014 2:20 AM
>Subject: [Wt-interest] SOAP protocol in witty.
> 
>
>
>Hi.
>
>
>Is it possible to use a SOAP protocol in witty to integrate applications?
>
>
>--
>Regards
>Krzysztof Kardas
>------------------------------------------------------------------------------
>
>_______________________________________________
>witty-interest mailing list
>witty-interest@lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/witty-interest