How To Configure Service Security

From Gcube Wiki
Revision as of 18:42, 16 March 2007 by Roccetti (Talk | contribs) (Use delegated credentials to invoke services)

Jump to: navigation, search

This page contains useful information for DILIGENT developers about configuration of services to comply with the DILIGENT Security Model.

Configure service authentication

This configuration protect the service against unauthenticated access, setting it each client is forced to present valid credentials. Please notice that authorization is still not enforced on the service (every authenticated client is entitled to use service operations).

Create Web Service Security Descriptor (WSSD)

Create the Web Service Security Descriptor. A different security descriptor file should be created for each interface of your service in the etc/ directory of your service. See Media:YourService-security-config-1.xml for an example.

Modify Web Service Deployment Descriptor (WSDD)

Modify the Web Service Deployment Descriptor to refer the Web Service Security Descriptor. Add following line to the service tag:

<parameter name="securityDescriptor" value="@config.dir@/YourService-security-config.xml"/> 

(of course the value must be set to the name of the WSSD you just created) See Media:deploy-server-1.wsdd for an example

Then redeploy your service in the DHN container.

Access a service using authentication

In this step you'll try to access the deployed service with a client using authentication First of all try to contact your service using an unauthenticated client, you should get following Axis fault:

... GSI Secure Conversation authentication required for
"{http://www.diligentproject.org/namespaces/..." operation.

This means that the GSI Secure Conversation mechanism is required to invoke the service. To enable it perform following steps.

Set credentials on service stubs

Use following lines to load your proxy credentials and use them to contact the service

import org.diligentproject.dvos.authentication.util.ConfigureSecurity;
import org.ietf.jgss.GSSCredentials;
...
GSSCredentials cred = ConfigureSecurity.loadProxyCredentials("yourProxyFile");
...
YourServicePortType port = ...<getPortType>
ConfigureSecurity.setSecurity(((javax.xml.rpc.Stub) port), cred);

Don't forget to add the client-config.wsdd file in the directory where you run the client. You can, instead, add the $GLOBUS_LOCATION as the first entry of your classpath.

Then you should be able to contact your service using your credentials

Provide your service with credentials

This step enable your service to authenticating itself in outcoming requests it performs to other services

Register to the local Delegation service

TO DO : Prevedere i due scenari con i due listener

In your service, usually during initialization, you should create a new CredentialsListener and register it to the local DelegationLocalInterface. The listener will be notified when fresh credentials will be received for your service.

credentialsListener = new SimpleCredentialsListener();
DelegationLocalInterface.registerCredentialsListener(this.credentialsListener);

Then you can get credentials from the listener and use it to authenticate invocations to other services. Previous lines of codes are usually added to the constructor of the class implementing service operations

E.g:

public class VOAdministrationService {
 ...   
 private SimpleCredentialsListener credentialsListener;
 ...
 /* Constructor */
 public VOAdministrationService() throws ResourceContextException, ResourceException {
  credentialsListener = new SimpleCredentialsListener();
  DelegationLocalInterface.registerCredentialsListener(this.credentialsListener);
 }

At this point compile and redeploy your service and restart the container

Use delegated credentials to invoke services

TO DO

Add Authorization

Create the VO-Handler configuration file

In order to enforce authorization you have to create a mapping between service operations and logical operations. This mapping is keep in the YourServiceHandler.properties in the "etc" directory of your service. For an example see Media:YourServiceHandler.properties

Modify WSSD to add VO-Handler

The WSSD must be modified to enforce authorization using the VOAuthorizationHandler You have to replace the element

<authz value="none"/>

with following content:

<authz value=
"VOAuthorizationPDP:org.diligentproject.dvos.authorization.handler.VOAuthorizationPDP"/>

Modify WSDD to set handler properties

You have also to tells the VOAuthorization handler where to find the configuration file and the VOMS certificates to verify authorizations. To do this add following lines to your WSDD file:

<parameter name="VOAuthorizationPDP-VOAuthorizationHandlerFile"
  value="@config.dir@/YourServiceHandler.properties"/>

<parameter name="VOAuthorizationPDP-VOMSCertificateDirectory" value="/etc/grid-security/vomsdir/*"/>

Now the service part of the authorization is set up. Redeploy your service and restart the container.

Extend DILIGENT authorization

COMING SOON

Check for Authorization using the VOQuery API library

Define new authorization handlers