GCube Credentials

From Gcube Wiki
Revision as of 17:34, 2 December 2013 by Ciro.formisano (Talk | contribs) (Created page with '==Overview== SOA3 Framework provides the API to manage several kinds of credentials. GCube Nodes communicate each other by propagating the identity of the original caller usung …')

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Overview

SOA3 Framework provides the API to manage several kinds of credentials. GCube Nodes communicate each other by propagating the identity of the original caller usung a reference ticket. The original caller, that can be an user or a process (i.e. a service) can be identified by the following credentials:

  • Username/Passrword, used especially by human callers
  • SAML Assertion Id, for federated authentication
  • X509 Certificate, used by human callers or by batch processes (i.e. services that needs authonomous authentication)

This section will briefly describe the supported credentials and show how Client Security Library provides the possibility to use those credentials.

Credentials

SOA3 authenticates and authorizes requests basing on the credentials of the caller: no explicit distinction between Message Level Security and Transport Level Security is done. However the integration layer combines TLS and MLS in the following way:


1. each node checks authonomously the TLS signature of the HTTPS received message: if it is not valid, the process is interrupted and an unauthorized error is returned

2. the node checks if any Message Level Credential is present in the received SOAP message. If it is found, is sent to SOA3 that checks its validity: if it is valid, the message is authenticated, if it is not valid, an error is returned, if it is not found, the process goes to the point 3

3. the node extracts the DN of the certificate used to sign the HTTPS request and sends it to SOA3

The communications between the Nodes and SOA3 are in HTTPS and the information is send by REST messages. The Message Level Credentials are send by the client of the caller to the Nodes in the security header of SOAP messages: the Portal, which contacts the service by ASL, works in the same way. The Common Security library adds the credentials to all the requests.

Username/Password

SOA3 Framework supports common Username/Password authentication. Username and Password are set in the security header of the SOAP Message and currently are send in clear text: this means that HTTPS must be used to encrypt the communication and the credentials. When a GCube Node receives Username/Password credentials, it sends a REST Access Request to SOA3: if the Access Request (authentication and authorization) succeeds, a ticket is returned. This ticket will replace the credentials if they needs to be propagated in gCube infrastrucure.

Username/Password and Common Security

The following piece of code shows how to set Username/Password credentials in a gCube client and encode them in Base 64. 

UserNamePasswordCredentials pureCredentials = new UserNamePasswordCredentials("gCube", "gCube".toCharArray());
Base64EncodedCredentials encodedCredentials = new Base64EncodedCredentials(pureCredentials); //Base64 encodes the credentials
CredentialManager.instance.set(encodedCredentials); //sets the credentials in the Credential Manager
stub = stubFor(stateless).at(URI.create("http://localhost:9999/wsrf/services/acme/sample/stateless")); // creates the stub
Retrieved from "https://wiki.gcube-system.org/index.php?title=GCube_Credentials&oldid=20512"