Difference between revisions of "GCube Clients Integration with security"

From Gcube Wiki

Revision as of 12:31, 12 March 2013

Overview

GCube client security is implemented by the common-security library, which is based on the new FeatherWeightStack (FWS). A high-level description of the library is provided in the section Client Security Library, while more details can be found in SOA3 Connector. This section describes how to set credentials in a gCube call, for both standalone clients and clients running in a GHN: in the latter case the container transparently sets the default credentials in the message. This default behavior can be overridden by code using the information provided here.

Common Security Library

The library is composed by two jars:

  • common-security.jar
  • gcube-security-utils.jar

Both jars are part of the SOA3 connector and are included in the libraries of the container. They can also be used standalone, because their only dependency is the common-gcore-stub library, which is built on the FWS stack.

The library provides two main interfaces:

  • CredentialManager
  • Credentials

The interface CredentialManager defines a singleton InheritableThreadLocal object with methods to set, get and remove the credentials for the current thread. The InheritableThreadLocal feature makes the inserted Credentials valid for this thread and its descendants until the next call to the method set.

The interface Credentials defines the nature of the objects containing the actual credentials. Several implementations are provided:

  • X509TLSCredentials, defining TLS and X509 based credential
  • UserNamePasswordCredentials, for username/password based Message Level Security
  • FederatedCredentials, for SAML Assertion ID based authentication
  • X509CombinedCredentials, to be used in combination with another Credentials object to combine TLS with Message Level Security
  • Base64EncodedCredentials, to be used in combination with another Credentials object to Base64 encode the Message Level Security data

Use of the Library

The developer only needs to define the Credentials object and set it in the CredentialManager. The FWS, in the background, adds the credentials to the message just before it is sent. It is important to remember that Message Level Security data must be Base64 encoded.

For example, consider implementing a client for a gCube sample service that authenticates with the credentials Username=gCube, Password=gCube. The code is the following:

UserNamePasswordCredentials pureCredentials = new UserNamePasswordCredentials("gCube", "gCube".toCharArray()); // plain username/password credentials
Base64EncodedCredentials encodedCredentials = new Base64EncodedCredentials(pureCredentials); // Base64 encodes the Message Level Security data
CredentialManager.instance.set(encodedCredentials); // sets the encoded credentials for the current thread in the Credential Manager
stub = stubFor(stateless).at(URI.create("http://localhost:9999/wsrf/services/acme/sample/stateless")); // creates the stub; the FWS attaches the credentials when the message is sent

More information on the use of the Credentials implementations can be found in the javaDocs.
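Because CredentialManager is an InheritableThreadLocal singleton, credentials set for a thread stay in force until the next set or remove and are copied into threads created afterwards. The following added example (not code from the gCube library; CredentialManagerDemo is a hypothetical stand-in modelled on the interface described above, and the credential strings are constructed sample values) shows both effects and why a client that runs calls on a thread pool should remove the credentials in a finally block, so that one task's credentials are not silently reused by the next.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Hypothetical stand-in for the page's CredentialManager: a singleton around an
// InheritableThreadLocal with set/get/remove. Not the real common-security API.
final class CredentialManagerDemo {
    static final CredentialManagerDemo instance = new CredentialManagerDemo();
    private final InheritableThreadLocal<String> current = new InheritableThreadLocal<>();
    private CredentialManagerDemo() {}
    void set(String credentials) { current.set(credentials); }
    String get() { return current.get(); }
    void remove() { current.remove(); }
}

public class CredentialScopeDemo {
    public static void main(String[] args) throws Exception {
        CredentialManagerDemo cm = CredentialManagerDemo.instance;
        Callable<String> peek = cm::get;

        cm.set("user=gCube"); // constructed sample value, stands for a Credentials object
        // A thread created after set() inherits the parent's value at construction time.
        Thread child = new Thread(() -> System.out.println("child sees: " + cm.get()));
        child.start();
        child.join(); // child sees: user=gCube

        // Pool workers are created once and reused. The single worker below is created
        // lazily on the first submit, so it also inherits "user=gCube" from this thread.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        // Task 1 sets credentials and never removes them ...
        pool.submit(() -> cm.set("user=alice")).get();
        // ... so the next task on the same worker still finds them (credential leakage).
        System.out.println("reused worker still has: " + pool.submit(peek).get()); // user=alice

        // Scope the credentials to the unit of work: set, make the call, remove in finally.
        pool.submit(() -> {
            cm.set("user=bob");
            try {
                // invoke the gCube stub here; the FWS attaches the current credentials
            } finally {
                cm.remove();
            }
        }).get();
        System.out.println("after scoped task: " + pool.submit(peek).get()); // null
        pool.shutdown();
    }
}
```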