easysoa / EasySOA

A light, collaborative platform to make Service Oriented Architecture simple.
http://www.easysoa.org

Support HTTPS #18

Open mkalam-alami opened 13 years ago

mkalam-alami commented 13 years ago

HTTPS (and more widely SSL) requires, beyond support in the runtime: keys to be generated on the server, certificates to be approved on the client, and configuration of the service runtime to use them.

Concretely, as always, HTTPS support depends on the actual service stack.

In node.js: it has its own TLS API for HTTPS & SSL (just changed in 0.4) to create servers; see a good tutorial. A better way is to use a node.js HTTPS-supporting proxy server like node-http-proxy (beware the doc), or more specific servers like node-tls-proxy.

In FraSCAti / CXF: by default it uses the JDK's SSL configuration (keystores for certificates & keys; cacerts). Further, SSL configuration (keystores) is customizable (per http-conduit) in Spring XML, see http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html

Further:

About WS-Security: both are also true, though it is at the SOAP level (while HTTPS is at the HTTP level). Concretely, it works in CXF using message interceptors.

About SCA: in true SCA spirit, it should be configurable using (service stack-specific) policies; more at ibm. In FraSCAti: WS-Security interceptors could be configured on CXF in the right Fractal binding factory; WSS and HTTPS could also be configured in the Spring XML file provided by system property, or using possible future finer configuration ways (see #27).

About OAuth: a cool way to distribute EasySOA-built services and UI, especially Light ones, to users in an online, secured way. Nuxeo can manage providers and consumers, and contain gadgets, which are the easiest way to benefit from OAuth. See conf.

About making HTTPS (and other SSL-based protocols) easier with EasySOA: consuming existing secured services and securing exposed services (for the Light app & testing proxies), both at the runtime level (Light app, proxies, other integrated runtimes) and at the configuration-providing level (also for all-purpose Java), thanks to explicit atomic configuration, or even a platform-level (Nuxeo, FraSCAti?) configurable SecurityService / SSO (or even platform-level integration with an external SecurityService / SSO).

About proxying HTTPS: HTTPS can be proxied but not read beyond server and port. So the only alternatives are: work in HTTP only on the client side of the proxy (allowing the usual HTTP proxy and exchange reading) if possible, or use full HTTPS tunnel proxying and the appropriate companion routing. To make it viable for clients, they (or the platform-wide security service they delegate to) have to approve the proxy server's certificates as well as the actual server's (without proxies, e.g. in production); to make it easy for servers, central authentication may be used; to preserve security across proxies bridging providers and consumers, a three-legged authentication scheme (OAuth-like) has to be used.

So TODO:

Add an HTTPS-exposed service demo (to an existing one, or a new demo), and use it to develop, test and demo the following EasySOA features with HTTPS.

DbBrowsing: in the browser-in-a-browser, remove the "s" from https to work in http only with the node.js proxy server so exchanges can be read, but add it back in the proxy server to work in https with the actual server; by moving the proxy to 'node-http-proxy'? https://github.com/nodejitsu/node-http-proxy

WSDL scraping: check it supports https://...?wsdl URLs

Import: check it supports HTTPS URLs, e.g. in binding.ws

Scaffolder: as for DbBrowsing, do HTTPS on the proxy-to-actual-server leg only.

Monitoring, Scaffolder, other FraSCAti proxies (Studio...): check they support HTTPS WS & REST clients and servers, and further HTTPS support (using tunneling, central authentication...)