Abstract
Java WS A&A is configured using security descriptors. The following describes configuration settings specific to authorization and authentication. You can read the entire Java WS A&A Security Descriptor documentation here.
Security descriptors are the mechanism used to configure authorization mechanisms and policy. On the server side, authorization can be configured at the container, service or resource level.
On the client side, authorization can be configured using security descriptors or as a property on the stub. This configuration can be done at per-invocation granularity.
The server side authorization can be configured at the container, service or resource level using:
- Security descriptors using files. Refer to Section 1, “Configuring Using Files”.
- Security descriptors programmatically. Refer to Section 2, “Configuring Programmatically”.
To write and configure a server-side custom authorization mechanism, refer to Section 2.3, “Writing a custom server-side authorization mechanism”.
The client side authorization can be configured for each invocation using:
- Security descriptors using files. Refer to Section 1, “Configuring Using Files”, specifically Section 1.2.2, “Configuring authorization mechanism”.
- Security descriptors programmatically. Refer to Section 2, “Configuring Programmatically”.
- Properties on the stub. Refer to Section 2.1, “Configuring client-side authorization on the stub”.
To write and configure a custom authorization mechanism, refer to Section 2.2, “Writing custom client-side authorization scheme”.
If no authorization mechanism has been specified, HostOrSelf authorization is used. In this scheme, host authorization is tried first; if it fails, self authorization is attempted.
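A simplified model of the HostOrSelf fallback order, added here as an illustration; it is not Globus code and uses no Globus API. The class and method names are hypothetical, the identities are constructed, and the matching rules (host: the peer's last CN is `<fqdn>` or `host/<fqdn>`; self: the peer identity equals the client's own identity, with proxy components already stripped) are assumptions about how the two schemes compare identities.

```java
// Simplified model of the HostOrSelf decision; not the Globus implementation.
public class HostOrSelfModel {

    // Assumption: host authorization accepts a peer whose last CN component
    // is <fqdn> or host/<fqdn> for the host the client connected to.
    static boolean hostAuthorized(String peerDn, String expectedHost) {
        int i = peerDn.lastIndexOf("/CN=");
        if (i < 0) {
            return false; // no CN component, nothing to compare
        }
        String cn = peerDn.substring(i + 4);
        return cn.equalsIgnoreCase(expectedHost)
            || cn.equalsIgnoreCase("host/" + expectedHost);
    }

    // Assumption: self authorization accepts a peer whose identity equals
    // the identity of the client's own credential.
    static boolean selfAuthorized(String peerDn, String clientDn) {
        return peerDn.equals(clientDn);
    }

    // Order stated in the text: host first, self only if host fails.
    static String decide(String peerDn, String expectedHost, String clientDn) {
        if (hostAuthorized(peerDn, expectedHost)) {
            return "PERMIT (host)";
        }
        if (selfAuthorized(peerDn, clientDn)) {
            return "PERMIT (self)";
        }
        return "DENY";
    }

    public static void main(String[] args) {
        // Constructed sample identities, not taken from the page.
        String host = "gram.example.org";
        String me = "/O=Grid/OU=Example/CN=Alice Example";
        String[] peers = {
            "/O=Grid/OU=Example/CN=host/gram.example.org",  // host credential
            "/O=Grid/OU=Example/CN=Alice Example",          // client's own identity
            "/O=Grid/OU=Example/CN=host/other.example.org", // different host
            "/O=Grid/OU=Example/CN=Bob Example"             // different user
        };
        for (String peer : peers) {
            System.out.println(peer + " -> " + decide(peer, host, me));
        }
    }
}
```

The second sample shows the consequence of the default: a service running under the client's own identity is accepted even though its name does not match the target host, so deployments that should only accept host credentials need an authorization mechanism configured explicitly.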
Service-side security settings can be configured using a container or service security descriptor. Some security settings, such as the credential to use and the location of trusted certificates, can also be configured using CoG properties or left to their default locations. The preferred way is to provide these settings in a security descriptor.
The next section provides details on the relevant properties. An overview of the syntax of security descriptors can be found in Java WS A&A Security Descriptor Framework. Available CoG security properties can be found in Configuring
The following properties are relevant to authentication and message/transport security:
Table 1. Configuring server side authentication and message/transport security
| Number | Task | Descriptor Configuration | Alternate Configuration |
| 1 | Credentials | Container or service descriptor configuration | If no explicit configuration is found, the default proxy is read from |
| 2 | Trusted Certificates | Container security descriptor configuration | CoG Configuration |
| 3 | Limited proxy policy configuration | Container or service descriptor configuration | None. |
| 4 | Replay Attack Window | Container or service descriptor configuration | None. |
| 5 | Replay Attack Filter | Container or service descriptor configuration | None. |
| 6 | Replay timer interval | Container descriptor configuration | None. |
| 7 | Context timer interval | Container descriptor configuration | None. |