The Web Services portion of GT 4.2.0 uses SOAP over HTTP for communicating messages. WS Authentication & Authorization in Java (Java WS A&A) implements the WS-Security standard and the WS-SecureConversation specification to provide message protection for SOAP messages. Features include:
- authentication of the sender
- encryption of the message
- integrity protection of the message
- replay attack protection
Java WS A&A provides a secure channel by using HTTP over SSL/TLS (HTTPS) for transporting the messages. This security mechanism supports all of the security features provided by SSL/TLS with the addition of support for X.509 Proxy Certificates. The Authorization Framework component of Java WS A&A provides the infrastructure to process attributes and protect resource access based on access policy. It allows for authorization policy to be configured and enforced at various levels of granularity (container, service or resource). It also provides client-side authorization to allow clients to authorize the services they access. The framework is pluggable and can be configured to use custom mechanisms for attribute collection and policy evaluation. It also provides multiple authorization module implementations; for example, support for gridmap-based authorization and a callout module that uses the SAML protocol to query an external service for an authorization decision.
Features new in GT 4.2.0
None.
Other Supported Features
- Compliance with published IBM/Microsoft WS-Trust and WS-SecureConversation specifications
- Compliance with the Web Services Security 1.0 standard
- HTTPS support
- Message encryption, integrity protection and replay attack prevention
- Establishment of a session key for light-weight message protection
Deprecated Features
- None.
Features new in GT 4.2.0:
Enhanced server-side attribute-based authorization framework: The server-side authorization framework has been reworked to support attribute-based authorization with delegation of rights. The framework allows for configuring a chain of Policy Information Points (PIPs) and Policy Decision Points (PDPs) and a combining algorithm that processes the individual decisions returned by the PDPs. Some of the key changes from the previous versions are:
- The Java server-side authorization framework has been moved to an independent module. Refer to Changes Summary for details.
- The authorization framework uses a set of attributes to identify entities.
- The authorization engine uses the Java Security provider framework to allow different combining algorithms to be plugged in.
- A default implementation of a permit-override combining algorithm, which looks for a chain of permit decisions, allows for fine-grained delegation of rights.
Refer to Architecture and design overview for detailed information on the architecture.
Host or Self Authorization: Support for a pluggable PDP that does host authorization and, if that fails, tries self authorization.
The security descriptor framework, used to configure security properties for the security framework, has been enhanced. Detailed information about the framework is provided in Java WS A&A Security Descriptor Framework.
Other Supported Features
- Authorization based on grid-mapfile and other access control lists.
- Ability to implement custom authorization modules.
- A SAML callout authorization module enables outsourcing of authorization decisions to an authorization service (e.g. PERMIS).
Deprecated Features
- None
Added support for signing policy enforcement. Disabling the enforcement is provided directly by the CoG JGlobus library, Section 2, “Signing Policy Location”.
The security descriptor framework, used to configure security properties for the security framework, has been enhanced. Detailed information about the framework is provided at Introduction.
Java WS Authentication code honors environment variables to pick up the credential to use as described here.
Java WS Authentication code allows configuration of trust certificate in non-default location as described here.
The server side authorization framework has been reworked to support attribute-based authorization. The APIs and framework have been enhanced to deal with a representation where each entity is identified by a bag of attributes.
Also, the default engine used for combining the individual Policy Decision Point (PDP) decisions has been changed from a deny-override algorithm to a permit-override scheme that looks for a chain of delegation of rights from the resource owner to the requestor.
Refer to Architecture and design overview for detailed information on the architecture.
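As an illustrative model of the change described above, added here and not GT's own code: a deny-override combiner beside a permit-override combiner that searches for a chain of permit decisions from the resource owner to the requestor. The entity names, the sample PDP decisions and the use of a single DN string per entity are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass

PERMIT, DENY = "permit", "deny"


@dataclass(frozen=True)
class Decision:
    """One PDP decision: `issuer` says whether `subject` may access. Hypothetical
    simplification: an entity is one DN string; GT 4.2 uses a bag of attributes."""
    issuer: str
    subject: str
    effect: str


def deny_override(decisions):
    """Deny-override (the GT 4.0.x default): a single DENY from any PDP wins."""
    if any(d.effect == DENY for d in decisions):
        return DENY
    return PERMIT if decisions else DENY


def permit_override_chain(owner, requestor, decisions):
    """Permit-override (the GT 4.2.0 default): PERMIT only if PERMIT decisions
    chain from the resource owner to the requestor; DENY decisions cannot veto."""
    edges = {}                       # issuer -> set of subjects it permits
    for d in decisions:
        if d.effect == PERMIT:
            edges.setdefault(d.issuer, set()).add(d.subject)
    seen, queue = {owner}, deque([owner])
    while queue:                     # breadth-first walk along delegation edges
        entity = queue.popleft()
        if entity == requestor:
            return PERMIT
        for nxt in edges.get(entity, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return DENY


# Constructed sample decisions, as several PDPs in one chain might return them.
OWNER, ALICE, BOB, CAROL = ("/O=Grid/CN=" + n for n in ("owner", "alice", "bob", "carol"))
SAMPLE = [
    Decision(OWNER, ALICE, PERMIT),  # gridmap-style PDP: owner grants alice
    Decision(ALICE, BOB, PERMIT),    # alice delegates her right on to bob
    Decision(OWNER, BOB, DENY),      # a blacklist PDP denies bob directly
    Decision(BOB, CAROL, DENY),      # bob refuses to delegate to carol
]
```

Under deny-override the direct DENY on bob is final, whereas the permit-override engine admits bob through the owner-to-alice-to-bob chain and still denies carol, for whom no chain exists.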
Important: The WS authorization interfaces have been frozen as of the GT 4.1.2 release.
Note: All the PDPs that were distributed with the previous version have been ported to the new framework and are supported.
The Java WS server-side authorization code has been moved to a separate module called authorization. The work was tracked as part of Bug 5559 and, while this does not change any interface on the server side, it separates the code from the Java WS Core module.
A migration guide that outlines the changes needed for services that build on Java WS Core is provided here.
- Bug 2535: <proxy-file> causes container to fail
- Bug 2651: /dev/random vs. /dev/urandom
- Bug 2743: grid-mapfile location should be in global security descriptor
- Bug 2207: Missing security error 'timestampNotOk'
- Bug 2651: /dev/random vs. /dev/urandom
- Bug 2743: grid-mapfile location should be in global security descriptor
- Bug 2899: relative path does not work for credentials in Security Descriptor
- Bug 2900: Job submission does not work using relative path in global_security_descriptor.xml and absolute path in sudoers.
- Bug 2955: Job submission fails when container is started from non GLOBUS_LOCATION
- Bug 2969: Too relaxed rules on DN comparisons (all versions of GT)
- Bug 3849: Container descriptor is shared across containers in one JVM
- Bug 3689: Possible royalty / patent issue with BouncyCastle jar IDEA Algorithm
- Bug 3891: Public credentials of client in peer subject
- Bug 3965: Credential refresh problems
- Bug 4021: globus-start-container -containerDesc not working
- Bug 4136: At least one of the headers used in dispatch was not secured error
- Bug 4146: setting default container security via environment
- Bug 4507: Problem with corrupted CRL
- Bug 4535: Client security descriptor does not allow for GSI Transport configuration
- Bug 4584: security descriptor uses operation field name instead of QName
- Bug 4837: Username/password not working.
- Bug 4846: Authorization framework should preserve the order of attributes
- Bug 4893: Improve ParameterPIP test
- Bug 5076: Authorization interface declares serializable, but impls are not
- Bug 5544: Interceptor initializes twice
- Bug 5608: More details in security logging please
- Bug 5756: allow developer to bypass secure msg consistency check
- Bug 5757: allow developer to bypass sending cert chain in secure message
The following problems and limitations are known to exist for Java WS A&A at the time of the 4.2.0 release:
- Bug 2362: location of user proxy for java inconsistencies
- Bug 2445: Holder problem
- Bug 2907: Secure Conversation (Encryption) does not provide any message level security for the SOAP headers
- Bug 3027: Kerberos based authentication option for GT4
- Bug 3171: add RFC 2253 principal name to JAAS subject
- Bug 3449: ERROR container.GSIServiceThread
- Bug 3603: Remote exceptions thrown contain server specific information
- Bug 3928: IPv6 addresses in reverse lookups - fix or faq?
- Bug 3941: Expired credentials detected - candidate for sec error msg improvements
- Bug 4222: Allow for credential refresh in subscriptions
- Bug 4403: Secure calls for secure context establishment
- Bug 4442: Security descriptor refresh
- Bug 5008: voms-proxy-init creates non-critical KeyUsage extension which causes Java GSI to raise exception
- Bug 5026: Signature validation failure on GRAM/RFT interaction in some cases
Java WS A&A depends on the following GT components:
- Java WS Core.
Authentication and message-protection depends on the following 3rd party software:
- Apache WSFX Security Libraries
- PureTLS Libraries
- BouncyCastle JCE provider
- Cryptix Libraries
- Apache XML Security Libraries
The authorization framework depends on the following 3rd party software:
- OpenSAML
Java WS A&A should work on any platform that supports J2SE 1.3.1 or higher.
Tested Platforms for Java WS A&A:
- Linux (Red Hat 7.3)
- Windows 2000
- Solaris 9
Since GT 4.0.x release, some incompatible changes have been made:
- Security Descriptors: The security descriptor schema has changed since GT 4.0.x and the descriptors from GT 4.0.x cannot be used as is.
- Secure Conversation port type: The WS Addressing version in Java WS Core has been updated and the secure conversation port type has changed to reflect this. Therefore, GT 4.0.x secure conversation clients are incompatible with GT 4.2.x servers and vice versa.
The authorization framework has been reworked as described in Change Summary. The configuration and authorization interfaces have since changed and a Migration Guide is provided.
Associated standards for Java WS A&A:
- WS-Security
- WS-Security: X.509 Certificate Tokens
- WS-Security: Username Tokens
- WS-Trust
- WS-Secure Conversation
- WS-I Basic Security Profile
- RFC 3820 Proxy Certificates
- RFC 2818 HTTP over TLS
- RFC 2246 TLS
- JAAS
Associated standards for the authorization framework:
See Java WS A&A for more information about this component.