GCube Clients Integration with security
Overview
GCube Client Security is implemented by common-security library, based on the new FeatherWeightStack (FWS). An high level description of the library is provided in the section Client Security Library, while more details can be found in SOA3 Connector.
The library is used in GHNs and standalone clients. Standalone clients are integrated with common-security library and explicitly use it to set the required credentials (username/password, certificate of assertion id): it is up to the developer to define the way by which the end user passes the credentials to the client (command line, configuration file...).
GHNs transparently set the default credentials in outgoing messages by using the library: defaults credentials are tickets for identity propagation (GCube Credentials).
There is the possibility to use different credentials: in particular it is possible to configure the container for using only TLS (GHN Security Configuration). If more a specific behavior is requested, for example a GHN should use its own Message Level Security credentials (username/password or assertion ID) for performing calls, it is possible to obtain it by modifying the code of the service in the same way of standalone clients.
Common Security Library
The library is composed by two jars:
-
common-security.jar
-
gcube-security-utils.jar
both the jars are part of SOA3 connector and are part of the libraries of the container. They can also be used standalone because their only dependency is common-gcore-stub
library, which is built on FWS stack.
The library provides two main interfaces:
-
CredentialManager
-
Credentials
The Interface CredentialManager defines a singleton InheritableThreadLocal
Object with methods to set
', get
and remove
the credentials for the current Thread. The InheritableThreadLocal feature allows the inserted Credential to be valid for this thread and its descendents till the next call to the method set
.
The interface Credentials defines the nature of the objects containing the actual credentials, several implementations are provided:
-
X509TLSCredentials
, defining TLS and X509 based credential -
UserNamePasswordCredentials
, for username/password based Message Level Security -
FederatedCredentials
, for SAML Assertion ID based authentication -
X509CombinedCredentials
, to be used in combination with another Credentials object to combine TLS with Message Level Security -
Base64EncodedCredentials
, to be used in combination with another Credentials object to Base64 encode the Message Level Security data
Use of the Library
The Developer should only define the Credentials object and set it in the CredentialManager. The FWS, in the background, will add the Credentials just before sending the message. It is important to remember that in gCube infrastructure Message Level Security data must be Base64 encoded.
For example, let's suppose to implement a client for a gCube Service sample using the credentials Username=gCube, Password=gCube. The code is the following:
UserNamePasswordCredentials pureCredentials = new UserNamePasswordCredentials("gCube", "gCube".toCharArray()); Base64EncodedCredentials encodedCredentials = new Base64EncodedCredentials(pureCredentials); //Base64 encodes the credentials CredentialManager.instance.set(encodedCredentials); //sets the credentials in the Credential Manager stub = stubFor(stateless).at(URI.create("http://localhost:9999/wsrf/services/acme/sample/stateless")); // creates the stub
More information on the use of the Credentials implementations can be found in the javaDocs.