How To Configure Service Security
This page contains useful information for DILIGENT developers about configuration of services to comply with the DILIGENT Security Model.
Configure service authentication
This configuration protects the service against unauthenticated access: every client is forced to present valid credentials. Note that authorization is still not enforced at this point (every authenticated client is entitled to invoke every operation of the service).
Create Web Service Security Descriptor (WSSD)
Create the Web Service Security Descriptor. A separate security descriptor file should be created for each interface of your service, in the etc/ directory of your service. See Media:YourService-security-config-1.xml for an example.
Modify Web Service Deployment Descriptor (WSDD)
Modify the Web Service Deployment Descriptor so that it refers to the Web Service Security Descriptor. Add the following parameter inside the service element:
<parameter name="securityDescriptor" value="@config.dir@/YourService-security-config.xml"/>
(the value must be set to the name of the WSSD you just created). See Media:deploy-server-1.wsdd for an example.
Then redeploy your service in the DHN container.
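As an added example (not one of the linked Media files and not DILIGENT project code), here are the two descriptors assembled for a service whose every operation requires GSI Secure Conversation. The element layout follows the Globus Toolkit 4 security-descriptor and WSDD conventions on which the DHN container is based; the service name, class name, WSDL path and the parameters other than securityDescriptor are placeholders you must adapt to your own deployment.

```xml
<!-- File 1: etc/YourService-security-config.xml (Web Service Security Descriptor).
     Placeholder names; the descriptor format is the Globus Toolkit 4 one. -->
<securityConfig xmlns="http://www.globus.org">
  <!-- Every operation of this interface must be invoked over GSI Secure
       Conversation. A client that sends a plain, unauthenticated request
       receives the "GSI Secure Conversation authentication required" fault. -->
  <auth-method>
    <GSISecureConversation/>
  </auth-method>
  <!-- Authentication only: any holder of a valid proxy may call any operation.
       The "Add Authorization" step below replaces this element with the
       VOAuthorizationPDP. -->
  <authz value="none"/>
</securityConfig>

<!-- File 2: deploy-server.wsdd, the service element that references the WSSD.
     Service name, class name and WSDL path are placeholders. -->
<deployment name="defaultServerConfig"
    xmlns="http://xml.apache.org/axis/wsdd/"
    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <service name="diligent/YourService" provider="Handler" use="literal" style="document">
    <parameter name="className" value="org.diligentproject.yourservice.impl.YourService"/>
    <parameter name="allowedMethods" value="*"/>
    <parameter name="handlerClass" value="org.globus.axis.providers.RPCProvider"/>
    <parameter name="scope" value="Application"/>
    <!-- @config.dir@ is expanded to this service's etc/ directory at deploy time,
         so the value is the WSSD file name relative to etc/. -->
    <parameter name="securityDescriptor" value="@config.dir@/YourService-security-config.xml"/>
    <wsdlFile>share/schema/yourservice/YourService_service.wsdl</wsdlFile>
  </service>
</deployment>
```

A quick check after redeploying: if an unauthenticated client can still invoke an operation, the securityDescriptor parameter is either missing from the service element or points at a file name that does not exist under etc/; the container does not fail the deployment in that case, it simply runs the service without the descriptor.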
Access a service using authentication
In this step you will access the deployed service with an authenticating client. First of all, try to contact your service with an unauthenticated client; you should get the following Axis fault:
... GSI Secure Conversation authentication required for "{http://www.diligentproject.org/namespaces/..." operation.
This means that the GSI Secure Conversation mechanism is required to invoke the service. To enable it on the client side, perform the following steps.
Set credentials on service stubs
Use the following lines to load your proxy credentials and use them to contact the service:
import org.diligentproject.dvos.authentication.util.ConfigureSecurity;
import org.ietf.jgss.GSSCredential;   // the JGSS interface is GSSCredential (singular)
...
// load the proxy certificate chain and private key from the given file
GSSCredential cred = ConfigureSecurity.loadProxyCredentials("yourProxyFile");
...
YourServicePortType port = ...<getPortType>
// attach the credentials to the stub; every call on this stub now uses GSI Secure Conversation
ConfigureSecurity.setSecurity((javax.xml.rpc.Stub) port, cred);
Don't forget to copy the client-config.wsdd file into the directory where you run the client. Alternatively, add $GLOBUS_LOCATION as the first entry of your classpath.
Then you should be able to contact your service using your credentials.
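The following is an added example, not code from the DILIGENT project: a complete client that first confirms the service really rejects unauthenticated calls, then loads the proxy, refuses to use one that is about to expire, and repeats the call with GSI Secure Conversation enabled. The generated locator class YourServiceServiceLocator, its accessor getYourServicePortTypePort, the operation ping() and the fault-string check are assumptions; only ConfigureSecurity.loadProxyCredentials and ConfigureSecurity.setSecurity come from the page.

```java
import java.net.URL;
import javax.xml.rpc.Stub;
import org.apache.axis.AxisFault;
import org.ietf.jgss.GSSCredential;
import org.diligentproject.dvos.authentication.util.ConfigureSecurity;

// Added example, not DILIGENT project code. YourServiceServiceLocator,
// getYourServicePortTypePort and ping() are placeholders for your generated stubs.
public class AuthenticatedClientExample {

    // A proxy that expires in the middle of a secure conversation produces
    // confusing faults, so refuse to start with less than this much lifetime.
    private static final int MIN_LIFETIME_SECONDS = 5 * 60;

    // Loads the proxy from proxyFile and validates it before it is used.
    static GSSCredential loadValidProxy(String proxyFile) throws Exception {
        GSSCredential cred = ConfigureSecurity.loadProxyCredentials(proxyFile);
        if (cred == null) {
            throw new IllegalStateException("no credentials loaded from " + proxyFile);
        }
        int remaining = cred.getRemainingLifetime(); // seconds, org.ietf.jgss API
        if (remaining < MIN_LIFETIME_SECONDS) {
            throw new IllegalStateException("proxy " + proxyFile + " expires in " + remaining
                + " s; renew it (e.g. with grid-proxy-init) before contacting the service");
        }
        return cred;
    }

    // Assumption: the fault text matches the one quoted on this page.
    static boolean isAuthenticationRequiredFault(AxisFault fault) {
        String msg = fault.getFaultString();
        return msg != null && msg.contains("GSI Secure Conversation authentication required");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: AuthenticatedClientExample <service-url> <proxy-file>");
            System.exit(2);
        }
        URL endpoint = new URL(args[0]);
        YourServiceServiceLocator locator = new YourServiceServiceLocator();          // assumed
        YourServicePortType port = locator.getYourServicePortTypePort(endpoint);      // assumed

        // 1. Unauthenticated attempt: the stub carries no credentials yet.
        try {
            port.ping();                                                             // assumed operation
            System.out.println("WARNING: the service accepted an unauthenticated call; "
                + "check that its WSDD references the WSSD and that the WSSD requires GSISecureConversation");
            return;
        } catch (AxisFault fault) {
            if (!isAuthenticationRequiredFault(fault)) {
                throw fault; // some other problem (endpoint down, wrong URL, ...)
            }
            System.out.println("unauthenticated call rejected as expected: " + fault.getFaultString());
        }

        // 2. Authenticated attempt with the proxy loaded from the file.
        GSSCredential cred = loadValidProxy(args[1]);
        ConfigureSecurity.setSecurity((Stub) port, cred); // enables GSI Secure Conversation on this stub
        port.ping();
        System.out.println("authenticated call succeeded");
    }
}
```

The first, unauthenticated call is deliberate: a client that only ever calls with credentials never notices a service that was deployed without its security descriptor, while this check makes that misconfiguration visible immediately.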
Get the DL of the caller
!!!!!!!!!!!!!!!!!! TO DO : Describe authentication API functionalities !!!!!!!!!!!!!!!!!!!!!!!!!!!!
Provide your service with credentials
This step enables your service to authenticate itself in the outgoing requests it makes to other services.
Register to the local Delegation service
!!!!!!!!!!!!!! TO DO : Two scenario with different listeners !!!!!!!!!!!!!!!!!!!!
In your service, usually during initialization, create a new CredentialsListener and register it with the local DelegationLocalInterface. The listener is notified whenever fresh credentials are received for your service.
credentialsListener = new SimpleCredentialsListener();
DelegationLocalInterface.registerCredentialsListener(this.credentialsListener);
Then you can obtain the credentials from the listener and use them to authenticate invocations of other services. The lines above are usually placed in the constructor of the class implementing the service operations.
E.g:
public class VOAdministrationService {
    ...
    private SimpleCredentialsListener credentialsListener;
    ...
    /* Constructor */
    public VOAdministrationService() throws ResourceContextException, ResourceException {
        // register once; the listener is updated each time new credentials are delegated to this service
        credentialsListener = new SimpleCredentialsListener();
        DelegationLocalInterface.registerCredentialsListener(this.credentialsListener);
    }
    ...
}
At this point compile and redeploy your service and restart the container.
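The following is an added example, not DILIGENT project code, covering both this step and the "Use delegated credentials to invoke services" step below: a service implementation that registers the listener in its constructor and, inside one of its operations, uses the delegated credentials to call another secured service. Assumptions, beyond the SimpleCredentialsListener and DelegationLocalInterface names taken from the page: the listener exposes the most recently delegated credentials through a getter, called getCredentials() here; ResourceContextException and ResourceException are the org.globus.wsrf ones; OtherServiceServiceLocator, getOtherServicePortTypePort, process() and the endpoint URL are placeholders for the downstream service's generated stubs.

```java
import java.net.URL;
import javax.xml.rpc.Stub;
import org.globus.wsrf.ResourceContextException;
import org.globus.wsrf.ResourceException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.diligentproject.dvos.authentication.util.ConfigureSecurity;
// SimpleCredentialsListener and DelegationLocalInterface come from the DILIGENT
// DVOS delegation library; the page does not give their package, so no import is shown.

// Added example, not DILIGENT project code.
public class YourServiceImpl {

    // Placeholder endpoint of the downstream service (assumption).
    private static final String OTHER_SERVICE_URL = "https://other-host:8443/wsrf/services/diligent/OtherService";

    private final SimpleCredentialsListener credentialsListener;

    public YourServiceImpl() throws ResourceContextException, ResourceException {
        // Register once at initialization; the Delegation service pushes fresh
        // credentials to this listener each time the service's proxy is renewed.
        credentialsListener = new SimpleCredentialsListener();
        DelegationLocalInterface.registerCredentialsListener(credentialsListener);
    }

    // Returns usable delegated credentials or throws. Failing closed matters:
    // an outbound call must never silently fall back to an unauthenticated one
    // just because delegation has not happened yet.
    GSSCredential delegatedCredentials() throws GSSException {
        GSSCredential cred = credentialsListener.getCredentials(); // assumed getter name
        if (cred == null) {
            throw new IllegalStateException("no delegated credentials received yet; "
                + "has this service been registered with the local Delegation service?");
        }
        if (cred.getRemainingLifetime() <= 0) {
            throw new IllegalStateException("delegated credentials have expired; waiting for renewal");
        }
        return cred;
    }

    // Example service operation that calls another secured DILIGENT service
    // with this service's own (delegated) identity.
    public String forwardRequest(String request) throws Exception {
        OtherServicePortType other = new OtherServiceServiceLocator()           // assumed stubs
            .getOtherServicePortTypePort(new URL(OTHER_SERVICE_URL));
        // Attach the delegated credentials; the downstream call then uses GSI Secure Conversation.
        ConfigureSecurity.setSecurity((Stub) other, delegatedCredentials());
        return other.process(request);                                            // assumed operation
    }
}
```

Because the listener is populated asynchronously, an operation invoked right after the container starts may run before any credentials have arrived; surfacing that as a fault is preferable to retrying with no credentials, which the downstream service would reject anyway with the same "authentication required" fault.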
Use delegated credentials to invoke services
!!!!!!!!!!!!!!!!!!! TO DO : Two scenario with different listeners !!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Add Authorization
Create the VO-Handler configuration file
In order to enforce authorization you have to create a mapping between service operations and logical operations. This mapping is kept in the YourServiceHandler.properties file in the etc/ directory of your service. For an example see Media:YourServiceHandler.properties.
Modify WSSD to add VO-Handler
The WSSD must be modified to enforce authorization through the VOAuthorizationHandler. Replace the element
<authz value="none"/>
with the following element:
<authz value="VOAuthorizationPDP:org.diligentproject.dvos.authorization.handler.VOAuthorizationPDP"/>
Modify WSDD to set handler properties
You also have to tell the VOAuthorization handler where to find its configuration file and the VOMS certificates used to verify authorizations. To do this, add the following parameters to the service element of your WSDD file:
<parameter name="VOAuthorizationPDP-VOAuthorizationHandlerFile" value="@config.dir@/YourServiceHandler.properties"/>
<parameter name="VOAuthorizationPDP-VOMSCertificateDirectory" value="/etc/grid-security/vomsdir/*"/>
Now the service-side part of the authorization is set up. Redeploy your service and restart the container.
Extend DILIGENT authorization
COMING SOON