Difference between revisions of "SOA3 Connector"
(Created page with '==Overview== SOA3 Connector is the implementation if the architectural module described in GCube_Security_Handler: it is a complex element composed by a ''client module'' and…') |
|||
Line 1: | Line 1: | ||
==Overview== | ==Overview== | ||
− | SOA3 Connector is the implementation if the architectural module described in [[ | + | SOA3 Connector is the implementation if the architectural module described in [[GCube Security Handler]]: it is a complex element composed by a ''client module'' and a ''server module''. |
The client module is composed by: | The client module is composed by: | ||
Line 11: | Line 11: | ||
==Architecture== | ==Architecture== | ||
+ | The deployment model is described in the following picture: | ||
+ | |||
+ | [[Image:SOA3Connector.png|frame|center|SOA3 Connector]] | ||
+ | |||
+ | Every node contains a client library, that performs the controls on the requests and, if needed, asks SOA3 using SOA3 Connector Service. The Connector Service acts as a single endpoint providing authentication and authorization in a single step | ||
==Client library== | ==Client library== | ||
+ | |||
+ | The structure of the Client Library is described in the following picture: | ||
+ | |||
+ | [[Image:SOA3ConnectorClient.png|frame|center|SOA3 Connector Client Library]] | ||
+ | |||
+ | It is the actual implementation of [[GCube Security Handler]], which incercepts incoming messages, checks the security privileges and sets the credentials for outgoing messages. | ||
+ | |||
+ | ===Common Security Library=== | ||
+ | Common-security library,based on the FeatherWeightStack, allows to manage the credentials used by gCube. The rationale of the library is described in [[Integration_and_Interoperability_Facilities_Framework:_Client_Libraries_Design_Model#Security_Management|Client Security Library]], and an example of integration is given in [[GCube Clients Integration with security]]. | ||
+ | |||
+ | The core of the library is the CredentialManager, [http://docs.oracle.com/javase/6/docs/api/java/lang/InheritableThreadLocal.html <code>InheritableThreadLocal</code>], where it is possible to set and get the credentials for the current thread. In particular, in a GHN each service can use its credentials with its propagation policy: the InheritableThreadLocal feature allows to get specific Service Credentials, if set, or default container credentials otherwise. | ||
+ | The library includes <code>org.gcube.soa3.connector.common.security.handlers.SOA3Handler</code>, an implementation of <code>org.gcube.common.clients.stubs.jaxws.handlers.CallHandler</code>, dynamically loaded using Java ServiceLoader feature. SOA3Handler adds the Message Security Header to the outgoing message without any explicit intervention of the User or the Developer. The handler works also for TLS: if a specific certificate is associated to a certain service and is defined using common-security ''X509TLSCredentials'' class, <code>SOA3Handler</code> adds the certificate to the specific request for the specific service (using the InheritableThreadLocal feature). | ||
+ | |||
+ | The described features are valid for both clients running in a GHN and standalone clients. | ||
+ | |||
+ | ===GCube Server Security Integration Library=== | ||
+ | This library is a bridge between the Common Security Library and GSS stack used in the GHN. It also provides the implementation of the classes providing the controls to be performed on received messages. | ||
+ | The main control class is <code>org.gcube.security.soa3.connector.integration.server.SOA3IntegrationSecurityController</code>: it implements the interface <code>org.gcube.common.core.security.GCUBEServiceAuthorizationController</code>, used in the old version of gCube Security Framework. This class sets the security configuration in <code>org.gcube.security.soa3.connector.SOA3SecurityController</code> class, which actually extecutes the controls. The two levels of encapsulation are due to the compatibility with the current version of GCF: in the next versions, which will use less features of GSS framework, the Integration Library will be progressively deprecated, allowing to use directly only the common-security library and few control classes. | ||
+ | The class <code>org.gcube.security.soa3.connector.SOA3SecurityController</code> is called by <code>GCubeHandler</code>, intercepts all the incoming messages, checks the security related information (Message Level security header and TLS Certificate DN) and checks the authentication and authorization privileges. At first it asks a local cache, and, if there are no information, the request is forwarded to SOA3Connector Service. The answer (successful or fail), is stored in the cache in case of other call with the same credentials. In case of successful authentication, if the identity propagation is enabled, the controller sets a <code>TicketCredentials</code> object in the CredentialManager to be used if the request should be propagated to another GHN. | ||
+ | |||
==SOA3 Connector Service== | ==SOA3 Connector Service== | ||
+ | |||
+ | |||
+ | The high level a | ||
+ | |||
+ | [[Image:SecurityHandler.jpg|frame|center|Security Handler]] |
Revision as of 12:32, 8 March 2013
Contents
Overview
SOA3 Connector is the implementation if the architectural module described in GCube Security Handler: it is a complex element composed by a client module and a server module. The client module is composed by:
- common-security library
- gcube-server-security-integration library
it is integrated in the container, provides a caching mechanism and acts as client for SOA3 Connector Service (this is the reason of its name).
The server module is SOA3 Connector Service: it exposes a single REST interface allowing clients to obtain authentication and authorization. If required, it contacts SOA3 Authentication and Authorization Services, but these operations are limited by a caching mechanism.
Architecture
The deployment model is described in the following picture:
Every node contains a client library, that performs the controls on the requests and, if needed, asks SOA3 using SOA3 Connector Service. The Connector Service acts as a single endpoint providing authentication and authorization in a single step
Client library
The structure of the Client Library is described in the following picture:
It is the actual implementation of GCube Security Handler, which incercepts incoming messages, checks the security privileges and sets the credentials for outgoing messages.
Common Security Library
Common-security library,based on the FeatherWeightStack, allows to manage the credentials used by gCube. The rationale of the library is described in Client Security Library, and an example of integration is given in GCube Clients Integration with security.
The core of the library is the CredentialManager, InheritableThreadLocal
, where it is possible to set and get the credentials for the current thread. In particular, in a GHN each service can use its credentials with its propagation policy: the InheritableThreadLocal feature allows to get specific Service Credentials, if set, or default container credentials otherwise.
The library includes org.gcube.soa3.connector.common.security.handlers.SOA3Handler
, an implementation of org.gcube.common.clients.stubs.jaxws.handlers.CallHandler
, dynamically loaded using Java ServiceLoader feature. SOA3Handler adds the Message Security Header to the outgoing message without any explicit intervention of the User or the Developer. The handler works also for TLS: if a specific certificate is associated to a certain service and is defined using common-security X509TLSCredentials class, SOA3Handler
adds the certificate to the specific request for the specific service (using the InheritableThreadLocal feature).
The described features are valid for both clients running in a GHN and standalone clients.
GCube Server Security Integration Library
This library is a bridge between the Common Security Library and GSS stack used in the GHN. It also provides the implementation of the classes providing the controls to be performed on received messages.
The main control class is org.gcube.security.soa3.connector.integration.server.SOA3IntegrationSecurityController
: it implements the interface org.gcube.common.core.security.GCUBEServiceAuthorizationController
, used in the old version of gCube Security Framework. This class sets the security configuration in org.gcube.security.soa3.connector.SOA3SecurityController
class, which actually extecutes the controls. The two levels of encapsulation are due to the compatibility with the current version of GCF: in the next versions, which will use less features of GSS framework, the Integration Library will be progressively deprecated, allowing to use directly only the common-security library and few control classes.
The class org.gcube.security.soa3.connector.SOA3SecurityController
is called by GCubeHandler
, intercepts all the incoming messages, checks the security related information (Message Level security header and TLS Certificate DN) and checks the authentication and authorization privileges. At first it asks a local cache, and, if there are no information, the request is forwarded to SOA3Connector Service. The answer (successful or fail), is stored in the cache in case of other call with the same credentials. In case of successful authentication, if the identity propagation is enabled, the controller sets a TicketCredentials
object in the CredentialManager to be used if the request should be propagated to another GHN.
SOA3 Connector Service
The high level a