Table of Contents
- 1. Introduction
- 2. Writing Container Security Descriptor
- 3. Writing Service Security Descriptors
- 4. Writing Resource Security Descriptor
- 5. Common Configuration for server-side security descriptors
- 6. Writing Client Security Descriptors
- 7. Other configuration
- 8. Configuring Security Descriptor Programmatically
- Glossary
Table of Contents
Security descriptors contain various security properties like credentials, the grid map file location, required authentication and authorization mechanisms and so on. There are four types of security descriptors in the code base for setting container, service, resource and client security properties:
| Descriptor Type | Functionality |
| container security descriptor | determines the container level security requirement that needs to be enforced. |
| service security descriptor | determines the service level security requirement that needs to be enforced. |
| resource security descriptor | determines the resource level security requirement that needs to be enforced. |
| client security descriptor | determines the security properties that need to be used for a particular invocation. |
The security descriptors (container, security and resource) can be created and altered programmatically (as opposed to writing a security descriptor file), as described in Chapter 8, Configuring Security Descriptor Programmatically . For the service and container descriptor, we recommend writing a security descriptor file so that the security properties are initialized at start up.
Service and container security descriptors can be configured as XML files in the global and service deployment descriptor as shown below. Resource security descriptors can only be created dynamically, either programmatically or from a descriptor file. Client security descriptor can be configured as a XML file and set as property on Stub.
All security descriptor files need to comply with a defined schema and should be written within the defined namespace.
Table 1.1. Security descriptor schema
| Descriptor | Schema | Namespace | Root Element |
| Container security descriptor | http://www.globus.org/security/descriptor/container | containerSecurityConfig | |
| Service security descriptor | http://www.globus.org/security/descriptor/service | serviceSecurityConfig | |
| Resource security descriptor |
Schema, (Same schema as service) | http://www.globus.org/security/descriptor/service | serviceSecurityConfig |
| Client security descriptor | http://www.globus.org/security/descriptor/client | clientSecurityConfig |
If a security descriptor is configured to be read from a file, it is loaded as follows:
- As a file if an absolute file path is specified.
- As a resource (can be included as part of jar file).
- As a file, assuming that the specified path is relative to the
installation root, typically pointed to by the environment
variable
GLOBUS_LOCATION.
If the security descriptor file is altered at runtime, it will not be reloaded
Table of Contents
This section describes configuration of the container security descriptor.
The container security descriptor can be configured in the <globalConfiguration> section of the Java WS Core deployment descriptor. That file is in
wsrf/java/core/source/deploy-server.wsddif editing the source, prior to deploying, or$GLOBUS_LOCATION/etc/globus_wsrf_core/server-config.wsddin a binary install.... <globalConfiguration> ... <parameter name="containerSecDesc" value="/path/to/container/descrptor/file.xml"> ... <globalConfiguration> ...The descriptor file name can also be specified as a parameter when the Java WS Core continer is started up. The option is -containerSecDesc "/path/to/container/descriptor/file.xml"
![[Note]](/docbook-images/note.gif)
Note This setting takes precendence over 1
This is represented by
org.globus.wsrf.impl.security.descriptor.ContainerSecurityDescriptor.If a container security descriptor file is configured as described in Section 1, “Configuring Container Security Descriptor” , then an object is created and stored. To alter the values, use the API provided in
org.globus.wsrf.impl.security.descriptor.ContainerSecurityConfig.This is useful to configure containers that are started up for notifications. An instance of
ContainerSecurityDescriptorobject can be set as propertyorg.globus.wsrf.container.CONTAINER_DESCRIPTOR.
To configure container level credentials, refer to Section 1, “Credentials”
To configure authorization at container level for use if not overridden by service or resource level policy, refer to Section 5, “Authorization”
Other than the container/service/resource authorization, an administrative-level
authorization chain can be configured using the
<adminAuthz> element. That is, if the administrator's
authorization chain returns a deny, the rest of the configured authorization (at
container/service/resource) is not evaluated and the operation
is denied. If the administrator's chain returns the permit, the rest of the
configuration is evaluated to see if the operation is allowed.
The element has the same schema as described inSection 5, “Authorization”, with the outer element called
adminAuthz in place ofauthzChain.
Example:
<containerSecurityConfig
xmlns="http://www.globus.org/security/descriptor/container">
...
<adminAuthz>
<pips>
<interceptor name="scope2:org.globus.sample.PIP1"/>
</pips>
<pdps>
<interceptor name="foo1:org.foo.authzMechanism bar1:org.bar.barMechanism"/>
</pdps>
</adminAuthz>
...
<containerSecurityConfig/>This element is used to configure default properties for any interceptor configured in authorization chains. The schema for this is similar to the authorization chain specification as described in Section 5, “Authorization” and allows for xsd:any as the interceptor parameter.
<defaultAuthzParam>
<interceptor name="scope1:org.globus.sample.SamplePDP"/>
<parameter>
<param:nameValueParam>
<param:parameter name="policy-file"
value="/home/user1/samplePDPConfig"/>
</param:nameValueParam>
</parameter>
</interceptor>
</defaultAuthzParam>
Container can choose to require that clients use full proxies for access and reject limited proxies. To configure such a policy, refer to Section 2, “Reject Limited Proxy”
You can control the lifetime of the context with GSI Secure Conversation as an authentication mechanism, as described inSection 4, “Context lifetime”.
You can control the replay attack window for services that allow for GSI Secure Message, as desribed inSection 3, “Replay attack prevention”.
When GSI Secure Conversation is used, a security context is established and a worker thread cleans up expired contexts. This parameter sets the interval on the timer thread that collects expired contexts established when GSI Secure Conversation is used. The value is the number of seconds between each run and defaults to 10 minutes.
<containerSecurityConfig xmlns="http://www.globus.org/security/descriptor/container">
...
<context-timer-interval value="100000"/>
...
</containerSecurityConfig>
This parameter sets the interval on the timer thread that collects expired message digest ids, stored to prevent replay attack in the case of Secure Message. The value is set in seconds and the default value is 1 minute.
<containerSecurityConfig xmlns="http://www.globus.org/security/descriptor/container"> ... <replay-timer-interval value="100"/> ... </containerSecurityConfig>
This parameter sets the location of trusted certificates to be used. The value should be a comma-separated list of locations.
<containerSecurityConfig xmlns="http://www.globus.org/security/descriptor/container"> ... <trusted-certificates value="/home/user1/trustedCerts,/home/user1/newCerts"/> ... </containerSecurityConfig>
If this configuration is not set, the underlying CoG JGlobus library is used to pick up trusted certificates. The library attempts to load the certificates as described in Section 1, “Trusted Certificates Location” .
Table of Contents
All security properties of a service can be configured using a descriptor file. Each section in this chapter explains the various properties and how they can be configured.
The following section explains how a descriptor can be configured at the service level.
The service security descriptor can be configured in the service's deployment descriptor section as a parameter. The parameter is a name/value that provides the path to the security descriptor file.
<service name="MyDummyService" provider="Handler" style="document"> ... <parameter name="securityDescriptor" value="org/globus/wsrf/impl/security/descriptor/security-config.xml"/> ... </service>
A
org.globus.wsrf.impl.security.descriptor.ServiceSecurityDescriptorobject can be created and initialized in the service's contructor.public class MyDummyService { public MyDummyService() throws Exception { ServiceSecurityDescriptor serviceDesc = new ServiceSecurityDescriptor(); // set security properties on the above object using get/set methods // in the API ServiceSecurityHelper.setSecurityDescriptor("DummyServiceName" serviceDesc); } }Note This method takes precedence over 1
A ServiceSecurityDescriptor object can be created similar to above, but initialized from a file and set in the constructor.
public class MyDummyService { public MyDummyService() throws Exception { ServiceSecurityDescriptor serviceDesc = new ServiceSecurityDescriptor("/path/to/security/file"); ServiceSecurityHelper .setSecurityDescriptor("DummyServiceName",serviceDesc); } }Note This method takes precedence over 1
Programmatic creation and altering of a service security descriptor is not discussed in detail here. Refer to Chapter 8, Configuring Security Descriptor Programmatically for some details on using the API to modify a descriptor.
To configure credentials specific to your service rather than use the container level configuration, refer to Section 1, “Credentials”
This section describes configuring policy on the authentication mechanism required by your service. This specifies the security policy that determines the authentication methods clients should use for contacting your service.
The authentication method required for accessing a service can be configured in
the descriptor using the <auth-method> element. A per
method configuration can also be done as described inSection 5, “Authentication and run-as per-method”.
Currently, the following authentication methods are supported:
Table 3.1. Authentication methods
| Authentication Method | Element | Options/Notes |
| No Authentication |
<none/>
|
This method cannot be specified with any other authentication method. |
| GSI Secure Message |
<GSISecureMessage/>
|
The
|
| GSI Secure Conversation |
<GSISecureConversation/>
|
The
|
| GSI Secure Transport Authentication |
<GSITransport/>
|
The
|
Notes:
- Multiple authentication methods can be specified under the
<auth-method>element (except for the<none/>method, see above). As long as one of the specified authentication methods is used, access to the service is allowed. - If multiple authentication methods are specified, they need to be in alphabetical order. That is, the following order needs to be maintained: 1) GSISecureConversation, 2) GSISecureMessage, 3) GSISecureTransport. This does not imply that all three need to be specified, but that the specified authentication mechanisms need to comply with the above order.
- If no
<protection-level>sub-element is specified, then all protection levels are available to clients. However, if the<protection-level>sub-element is specified, then the service will only accept the protection levels listed under said element. - The
org.globus.wsrf.impl.security.authentication.SecurityPolicyHandlerhandler must be installed properly in order for this to work. This handler is installed by default. - If a security descriptor is not specified, authentication method enforcement is not performed.
Example:
<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service">
<!-- default auth-method for any other method -->
<auth-method>
<GSISecureConversation/>
</auth-method>
</securityConfig>
This section describes the credentials your service should use for the operation being invoked. This is important if remote secure operations are being invoked from your service, since it determines what credentials are used for such an access.
The <run-as> element is used to configure the JAAS
run-as identity under which the service method will be executed. The run-as identity
can be configured on a per method basis also as described inSection 5, “Authentication and run-as per-method”. Currently, the following
run-as identities are supported:
Table 3.2. Run-as methods
| Element | Functionality |
<run-as value="caller"/>
|
The service method will be run with the security identity of the client. The caller Subject will contain the following:
|
<run-as value="service"/>
| The service method will be run with the security identity of the service itself (if the service has one, otherwise the container identity will be used). |
<run-as value="resource"/>
| The service method will be run with the security identity of the resource. If no resource is specified or if the resource does not have a configured subject, credentials in this order of occurrence will be used: service credential, container credential. |
<run-as value="system"/>
| The service method will be run with the security identity of the container. |
Notes:
- resource-identity is the default setting.
- The
org.globus.wsrf.impl.security.authentication.SecurityPolicyHandlerhandler must be installed properly in order for this to work. It is installed by default. - If the security descriptor is not specified, then the run-as identity is not set and there will be no JAAS subject associated with the execution of the operation. This means that any method calls that require credentials and that are invoked by the service method itself will fail.
Example:
<servicesecurityConfig xmlns="http://www.globus.org/security/descriptor/service">
<!-- default run-as for any other method -->
<run-as>
<service-identity/>
</run-as>
</serviceSecurityConfig>
This section describes configuring the authentication and run-as mechanism per method, rather than for the whole service.
A per-method configuration can be used to define expected authentication methods
for the method and also a run-as configuration. The element
methodAuthentication is used to list all the method's
configuration. For each method, element method with method name
as attribute needs to be used. The method name attribute can either be the local
name of the method or a string representation of the QName of the method. If the
QName is used, the toString() representation from the
javax.xml.namespace.QName.toString(), should be used. For
example,{http://foo.bar}methodName. If a method does not have such
a configuration, the default configuration, as described in the last two sections,
is used.
Example
<serviceSecurityConfig
xmlns="http://www.globus.org/security/descriptor/service">
...
<method name="findServiceData">
<auth-method>
<none/>
</auth-method>
</method>
<method name="{http://foo.bar}subtract">
<run-as>
<service-identity/>
</run-as>
</method>
<method name="destroy">
<auth-method>
<GSISecureMessage/>
<GSISecureConversation>
<protection-level>
<integrity/>
</protection-level>
</GSISecureConversation>
</auth-method>
</method>
<!-- default run-as for any other method -->
<run-as>
<system-identity/>
</run-as>
<!-- default auth-method for any other method -->
<auth-method>
<GSISecureConversation/>
</auth-method>
...
</serviceSecurityConfig>
In the above example:
- the
findServiceData()operation does not require any authentication. Since no run-as per method is specified, the default specification, system-identity, is used. - the
destroy()operation requires either GSI Secure Message authentication with either level of protection or GSI Secure Conversation authentication with integrity protection. Default run-as is used. - substract method does not have a specific authentication specified, so the default GSI Secure Conversation is used. But the operation is run with service-identity.
- all other operations must be authenticated with GSI Secure Conversation with either level of protection.
To configure authorization policy at the service level, refer to Section 5, “Authorization”. In addition to the authorization mechanisms shipped, you can write custom authorization mechanism for a service as described in Section 6, “Writing a custom authorization mechanism”
Your service can choose to require that clients use full proxies for access and reject limited proxies. To configure such policy, refer to Section 2, “Reject Limited Proxy”
If your service allows for GSI Secure Conversation as an authentication mechanism, you can control the lifetime of the context as described inSection 4, “Context lifetime”.
If your service allows for GSI Secure Message, you can control the replay attack window at the service level as desribed inSection 3, “Replay attack prevention”.
Table of Contents
Secure resources must implement the
org.globus.wsrf.security.SecureResource interface.
A
ResourceSecurityDescriptorobject can be created and initialized in the resource's constructor. The object should be returned as a part of thegetSecurityDescriptormethod:public MyDummyResource implements SecureResource { private ResourceSecurityDescriptor desc = null; public MyDummyResource() throws Exception { this.desc = new ResourceSecurityDescriptor(); // set security properties on the above object using get/set methods // in the API } public ResourceSecurityDescriptor getSecurityDescriptor() { return this.desc; } }A
ResourceSecurityDescriptorobject can be created similar to above, but initialized from a file and set in the constructor:public MyDummyResource implements SecureResource { private ResourceSecurityDescriptor desc = null; public MyDummyResource() { this.desc = new ResourceSecurityDescriptor("/path/to/security/file"); this.desc.initialize(); } public ResourceSecurityDescriptor getSecurityDescriptor() { return this.desc; } }
Resource level security can be set up using a resource security descriptor. The
configuration properties and schema are identical to the service security
descriptor. A resource security descriptor overrides any service or container level
security settings. To make a resource secure, it needs to implement
org.globus.wsrf.impl.security.SecureResource. This interface has a
method that returns an instance of
org.globus.wsrf.impl.security.descriptor.ResourceSecurityDescriptor .
If null is returned, it is assumed that no security is set on
the resource.
A resource security descriptor object can be created by reading settings from a descriptor file. The file needs to be written as described in Chapter 5, Common Configuration for server-side security descriptors. Refer to Section 1, “Configuring Resource Security Descriptor” for information on configuring resource security descriptors.
The ResourceSecurityDescriptor object also exposes an API to
set and get all properties that are described inChapter 5, Common Configuration for server-side security descriptors. The descriptor can be set up
programmatically using the API.
Examples:
The following code snippet creates a resource descriptor object directly:
ResourceSecurityDescriptor desc = new ResourceSecurityDescriptor();
desc.setRejectLimitedProxy("true");
To set default gridmap:
GridMap gridmap = new GridMap(); // set GridMap mappings desc.setDefaultGridMap(gridmap);
To set credentials:
import javax.security.auth.Subject; Subject subject = new Subject; // set public/private credentials on subject object desc.setSubject(subject);
To set up an authorization chain:
String[] pdpChain = new String[2];
pdpChain[0] = "prefix1:some.PDP";
pdpChain[1] = "prefix2:some.other.PDP";
// Similar API for PIPs and Bootstrap PIP
String[] pips = new String[1];
pips[0] = "pip1:some.PIP";
ResourcePropertiesChainConfig config = new
ResourcePropertiesChainConfig();
config.setProperty("prefix1", "property1", value1);
AuthorizationEngine engine =
AuthzUtil.getAuthzEngine("Chain name", pips, pdpChain, config);
desc.setAuthzEngine(engine);
Table of Contents
The next few sections deal with writing server-side security descriptor files, that is, container, service and resource descriptor files to set various properties. Only the properties that are common to all these descriptors are discussed here. Other properties specific to each descriptor are discussed in sections specific to the container/service or resource descriptor.
When parameters are configured in multiple descriptors the order of predence as described in Section 3, “Security Descriptor Precedence”
The container and each service can each be configured with a separate set of credentials. The credentials can be set using either: a) the path to a proxy file, or b) the path to a certificate and key file. If the configured credential file is modified/updated at runtime, the credentials will be automatically reloaded. The credentials can be configured by adding one of the following blocks to the container or service security descriptor.
Example for option (a):
<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service"> ... <proxy-file value="proxyFile"/> ... </serviceSecurityConfig>
Example for option (b):
<serviceSecurityConfig
xmlns="http://www.globus.org/security/descriptor/service">
...
<credential>
<cert-key-files>
<key-file value="keyFile"/>
<cert-file value="certFile"/>
</cert-key-files>
</credential>
...
</serviceSecurityConfig>
| Note |
|---|---|
The above examples show use in the service security descriptor. If setting in the container security descriptor, the namespace and outer element should also be set as shown inSection 1, “Security Descriptor Schemas”. |
Credentials can be configured at the resource, service or container level and the framework will look for credentials in the following order:
- Resource credentials
- Service credentials
- Container credentials
- Default credentials. If credentials are not configured using any of the above methods, then the underlying CoG JGlobus library is used. This will attempt to load the proxy certificate of the user that is running the container as described in Section 5, “Proxy file Location” .
This parameter can be used to configure if clients that present limited proxies can be allowed to authenticate successfully. By default, limited proxies are accepted.
<serviceSecurityConfig
xmlns="http://www.globus.org/security/descriptor/service">
...
<reject-limited-proxy value="true"/>
...
</serviceSecurityConfig> | Note |
|---|---|
The above example shows use in the service security descriptor. If setting in the container security descriptor, set the namespace and outer element as shown inSection 1, “Security Descriptor Schemas”. (fixme doublecheck link) |
For message-level security, one may also set the amount of time for which to track received messages for the purpose of preventing replay attacks. Messages outside of this window will be rejected automatically, whereas messages within this window are checked against recently received messages through the use of the message UUID.
Parameter replay-attack-filter can be set to true or false to enable or disable replay attack prevention framework. By default, this feature is enabled.
<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service"> ... <replay-attack-filter value="true"/> ... </serviceSecurityConfig>Parameter replay-attack-window can be set to the number of minutes the replay window should be. By default it is 5 minutes.
<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service"> ... <replay-attack-window value="100"/> ... </serviceSecurityConfig>
| Note |
|---|---|
The above examples show use in the service security descriptor. If setting in the container security descriptor, set the namespace and outer element as shown inSection 1, “Security Descriptor Schemas”. |
When GSI Secure Conversation is used, a security context is established and, by default, the life of the context is determined by the least lifetime of the chain of certificates used in establishing the context. The value of the lifetime can be altered to be less than the above value by setting the value for the following parameter in milliseconds:
<serviceSecurityConfig
xmlns="http://www.globus.org/security/descriptor/service">
...
<context-lifetime value="1000"/>
...
</serviceSecurityConfig>
| Note |
|---|---|
The above example shows use in the service security descriptor. If setting in the container security descriptor, the namespace and outer element must be set as shown inSection 1, “Security Descriptor Schemas”. |
The container and each service/resource can be configured with a chain of
interceptors, where each interceptor is a Policy Decision Point (PDP) or Policy
Information Point (PIP). Refer to Section 2, “Authorization framework overview” for details on the authorization framework. The element authzChain can be used to
configure this.
Each chain can contain an optional list of Bootstrap PIPs, an optional list of PIPs and a list of PDPs (with at least one PDP).
Each interceptor name is scoped and the format is prefix:FQDN of the interceptor. For example, self:org.globus.wsrf.impl.security.authorization.SelfAuthorization . The prefix is used to allow multiple instances of the same interceptor to exist in the same PDP chain.
Example:
<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service"> ... <authzChain> <pips> <interceptor name="scope2:org.globus.sample.PIP1"/> </pips> <pdps> <interceptor name="foo1:org.foo.authzMechanism bar1:org.bar.barMechanism"/> </pdps> </authzChain> ... <serviceSecurityConfig/>Bootstrap PIPs are optional and by default, org.globus.wsrf.impl.security.authorization.X509BootstrapPIP is used by the framework. Any other PIPs listed within the <bootstrapPips> element is appended to the default PIP. If the configuration should override it (that is,
X5009BootstapPIPshould not be used), the optional attributeoverwritecan be set to true.<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service"> ... <authzChain combiningAlg="org.globus.sample.SampleAlg> <bootstrapPips overwrite="true" <interceptor name="scope1:org.globus.sample.BootstrapPIP1"/> </bootstrapPips> <pips> <interceptor name="scope2:org.globus.sample.PIP1"/> </pips> <pdps> <interceptor name="scope3:org.globus.sample.PDP1"/> </pdps> </authzChain> ... </serviceSecurityConfig>In the above case,
X509BootstrapPIPwill not be used and theBoostrapPIP1will be used.<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service"> ... <authzChain combiningAlg="org.globus.sample.SampleAlg> <bootstrapPips> <interceptor name="scope1:org.globus.sample.BootstrapPIP1"/> </bootstrapPips> <pips> <interceptor name="scope2:org.globus.sample.PIP1"/> </pips> <pdps> <interceptor name="scope3:org.globus.sample.PDP1"/> </pdps> </authzChain> ... </serviceSecurityConfig>In the above case,
X509BootstrapPIPfollowed byBoostrapPIP1will be used.The authorization chain can be configured with a combining algorithm using the attribute combiningAlg. The value should be a FQDN of a class that implements
org.globus.wsrf.security.authorization.AuthorizationEngineSpi. The attribute is optional and theorg.globus.wsrf.impl.security.authorization.providers.PermitOverrideAlgorithmis used by default.Other than PermitOverrideAlgorithm, FirstApplicableAlg and DenyOverrideAlg, in the same package are supported. FirstApplicableAlg returns the first permit or deny decision from walking down the authorization chain in the order specified. DenyOverrideAlg, returns a deny if atleast one of the PDPs returns a deny, is supported out of the box.
Example:
<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service"> ... <authzChain combiningAlg="org.globus.sample.SampleAlg> <pips> <interceptor name="scope2:org.globus.sample.PIP1"/> </pips> <pdps> <interceptor name="scope3:org.globus.sample.PDP1"/> <interceptor name="scope4:org.globus.sample.PDP2"/> </pdps> </authzChain> ... </serviceSecurityConfig>In the above example, the default
X509BootstrapPIPwill be used (fixme - don't see x509..pip shown in above code). Following that, the PIPs,PIP1, will be invoked to collect attributes. Finally, theSampleAlgcombining algorithm with the configured PDPs (PDP1andPDP2) are run to determine the decision.Each interceptor can specify a parameter value and the schema defines it as
xsd:anyto allow for any user defined parameters. The parser extracts the elements in the <parameter> element and returns them as a DOM Element. It is left up to the interceptor to parse the element. The DOM object created is placed in theChainConfigobject passed to the authorization engine as a parameter calledparameterObject. The prefix will be the scope specified in the interceptor name.Since schema validation is done, a schema must be supplied for the user-defined parameters. The schema location is loaded as a resource and hence can be included in some jar placed in the
GLOBUS_LOCATIONlib directory.The toolkit provides a parameter schema by default that allows for a name/value pair, where the value is a string. Example :
<containerSecurityConfig xmlns="http://www.globus.org/security/descriptor/container" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.globus.org/security/descriptor name_value_type.xsd" xmlns:param="http://www.globus.org/security/descriptor"> <authzChain> <pdps> <interceptor name="gridmapAuthz:org.globus.wsrf.impl.security.GridMapPDP"> <parameter> <param:nameValueParam> <param:parameter name="gridmap-file" value="/home/user1/grid-mapfile"/> </param:nameValueParam> </parameter> </interceptor> </pdps> </authzChain> </containerSecurityConfig>When the above is parsed, a DOM Element is constructed with element
<param:nameValuParam>and stored in theChainConfigobject as parameter with namegridmapAuthz:parameterObject. TheGridMapPDP, usesObjectDeserializerto retrieve the name/value pairs.
All PDPs and PIPs shipped with the toolkit are provided here: PIP Reference andPDP Reference.
The following PDPs are included in GT and are configured using short tags. The framework maps and plugs in the scoped name of the PDP at the time of authorization.
Table 5.1. Builtin PDPs
| Default Descriptor Configuration | Default Prefix | Reference |
acl
|
aclAuthz
| Access Control List PDP |
none
|
noneAuthz
| NoAuthorization PDP |
self
|
selfAuthz
| |
gridmap
|
gridmapAuthz
| |
identity
|
idenAuthz
| |
host
|
hostAuthz
| |
samlCallout
|
samlAuthz
| |
userName
|
userNameAuthz
| |
samlAssertion
|
samlAssertionAuthz
| SAML Authz Assertion PDP |
Other than these, any custom authorization scheme could be configured with its own configuration information. Refer to Section 6, “Writing a custom authorization mechanism” , for details on writing a custom authorization mechanism.
The authorization handler can be configured to call out to a custom PIP or PDP.
The custom PDP class must implement the interface
org.globus.wsrf.security.PDP and the custom PIP class must
implement the interfaceorg.globus.wsrf.security.PDP.
Example Bootstrap PIP:
package org.foobar;
import ....;
import org.globus.security.authorization.BootstrapPIP;
public class FooBootstrapPIP implements BootstrapPIP {
public void initialize(String chainName, String prefix_,
ChainConfig config) throws InitializeException {
logger.debug("Initialize called");
}
public void collectRequestAttributes(RequestEntities requestAttrs)
throws AttributeException {
// add attributes to RequestEntities
}
public NonRequestEntities collectAttributes(RequestEntities requestAttr) {
// any attributes for non request entities
}
public void close() throws CloseException {
}
}
To use the above Bootstrap PIP, configure security descriptor as follows
<authzChain combiningAlg="org.globus.sample.SampleAlg>
<bootstrapPips "
<interceptor name="scope1:org.foobar.GooBootstrapPIP"/>
</bootstrapPips>
</authzChain>
Example PIP:
package org.foobar;
import ....;
public class FooPIP implements PIPInterceptor {
public void initialize(String chainName, String prefix, ChainConfig config)
throws InitializeException {
// initialize
}
public NonRequestEntities collectAttributes(RequestEntities requestAttr)
throws AttributeException {
// collect attributes, both for request entities and others
}
public void close() throws CloseException {
}
}
To use the above PIP one would configure a service security descriptor with the following authorization settings:
<authzChain>
<pips>
<interceptor name="scope2:org.foobar.FooPIP"/>
</pips>
</authzChain>
Example PDP:
package org.foobar;
import ....;
public class FooPDP implements PDP {
public void initialize(String chainName, String prefix_,
ChainConfig config) throws InitializeException {
// use to read in configuration
}
public Decision canAccess(RequestEntities requestEntities,
NonRequestEntities nonRequestEntities)
throws AuthorizationException {
// evaluate to see if Subject can access
}
public Decision canAdminister(RequestEntities requestEntities,
NonRequestEntities nonRequestEntities)
throws AuthorizationException {
// evaluate to see if Subject can administer
}
public void close() throws CloseException {
}
}
To use the above PDP one would configure a service security descriptor with the following authorization settings:
<authzChain>
<pdps>
<interceptor name="scope2:org.foobar.FooPDP"/>
</pdps>
</authzChain>
Table of Contents
Client security descriptors from a file can be configured directly on the stub as follows:
// Client security descriptor file String CLIENT_DESC = "org/globus/wsrf/samples/counter/client/client-security-config.xml"; //Set descriptor on Stub ((Stub)port)._setProperty(Constants.CLIENT_DESCRIPTOR_FILE, CLIENT_DESC);
A
ClientSecurityDescriptorobject can be constructed from a file and configured directly on the stub as follows:// Client security descriptor file String CLIENT_DESC = "org/globus/wsrf/samples/counter/client/client-security-config.xml"; ClientSecurityDescriptor desc = new ClientSecurityDescriptor(CLIENT_DESC); //Set descriptor on Stub ((Stub)port)._setProperty(Constants.CLIENT_DESCRIPTOR, desc);
Note This takes precedence over 1
A client security descriptors object can be created and get/set methods can be used to set security properties. The object can then be configured on the stub as follows:
ClientSecurityDescriptor desc = new ClientSecurityDescriptor(); // set security properties on the above object using set/get object //Set descriptor on Stub ((Stub)port)._setProperty(Constants.CLIENT_DESCRIPTOR, desc);
To initialize the descriptor, use the API in
org.globus.wsrf.impl.security.descriptor.ClientSecurityConfig.Note This takes precedence over 1
The client can be configured with credentials using the descriptor. The credentials can be set using either: a) the path to a proxy file, or b) the path to a certificate and key file. The credentials can be configured by adding one of the following blocks to the client security descriptor.
Example for option (a):
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
...
<proxy-file value="proxyFile"/>
...
</clientSecurityConfig>
Example for option (b):
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
...
<credential>
<cert-key-files>
<key-file value="keyFile"/>
<cert-file value="certFile"/>
</cert-key-files>
</credential>
...
</clientSecurityConfig>
If credentials are not configured using any of the above methods, then the underlying CoG JGlobus library is used. This will attempt to load the proxy certificate of the user that is running the container as described inSection 5, “Proxy file Location”.
The <authz> element is used to determine the mechanism
to use to authorize the server that is being contacted. Note that the security
descriptor cannot be used to configure custom client authorization. Refer to Chapter 10, Authorization domain-level interface for
details. The following values are currently supported:
| Configuration | Funcationality |
none
| No authorization is done. |
self
| Self authorization is done, i.e the server should be running with the same credentials as the client. |
host
| Host authorization is done, i.e the server should be running with credentials that have the host name it is running on embedded in it. |
hostSelf
| Host authorization is done (i.e the server should be running with credentials that have the host name it is running on embedded in it). If that fails, an attempt at self authorization (i.e the server should be runnign with same credentials as client) is made. |
| any other string | Identity authorization is done using the value as the identity, i.e the server should be running with identity specified as value. |
The following sample configures self authorization:
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client"> ... <authz value="self"/> ... </clientSecurityConfig>
The client can be configured to do GSI Secure Conversation using the element
<GSISecureConversation>. The following subelements
can be used to set various properties
| Element | Functionality |
<integrity>
| Sets protection level to signature. |
<privacy>
| Sets protection level to encryption (signature is also done). |
<anonymous>
| Server is accessed as anonymous. |
<delegation value="
type of delegation
">
| Determines the type of delegation to be done. The value can
be set to full or
limited. If the
delegation element is not used, no
delegation is done. If delegation is enabled, some form of
client authorization is required. |
<context-lifetime>
| Determines the lifetime of the context established. If not specified, the least lifetime of the chain of certificates used in establishing the context is used as the context lifetime. |
The following sample sets GSI Secure Conversation with privacy and full delegation:
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
...
<GSISecureConversation>
<privacy/>
<delegation value="full"/>
</GSISecureConversation>
...
</clientSecurityConfig>
The client can be configured to do GSI Secure Message using the element
<GSISecureMessage>. The following subelements can be
used to set various properties:
| Element | Functionality |
<integrity>
| Sets protection level to signature |
<privacy>
| Sets protection level to encryption (signature is also done) |
<peer-credential value="
path to file with credentials to encrypt with
">
| Sets the path to the file containing the credential to use if privacy protection is chosen. |
The following sample sets GSI Secure Message with integrity:
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
...
<GSISecureMessage>
<integrity/>
</GSISecureMessage>
...
</clientSecurityConfig>
The client can be configured to do GSI Secure Transport using the element
<GSISecureTransport>. The following subelements can
be used to set various properties
| Element | Functionality |
<integrity>
| Sets protection level to signature. |
<privacy>
| Sets protection level to encryption (signature is also done). |
<anonymous>
| Server is accessed as anonymous. |
The following sample sets GSI Secure Transport with privacy and anonymous:
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
...
<GSISecureTransport>
<privacy/>
<anonymous/>
</GSISecureTransport>
...
</clientSecurityConfig>
Username/password can be used for authentication by the client. This is configured
using the <username> and <passwordType>
elements. The username element allows for a string to be
configured and the password configuration consists of a
password and a type string.
Example configuration:
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
<usernameType>
<username value="tester1"/>
<passwordType>
<password value="TY^*(Hyu"/>
<type value="someType"/>
</passwordType>
</usernameType>
</clientSecurityConfig>
Client side trusted credentials are configured similar to the container security descriptor as described inSection 11, “Trusted Certificates”. The outer element and schema for client security descriptor should be used as described in Section 1, “Security Descriptor Schemas”.
If this configuration is not set, the underlying CoG JGlobus library is used to pick up trusted certificates. The library attempts to load the certificates as described in Section 1, “Trusted Certificates Location” .
Table of Contents
The gridmap file is a common configuration in the toolkit and is typically
configured within the GridmapPDP configuration. To specify a
default value to be used across the toolkit, if not specified with in the
GrimapPDP configuration, the
defaultAuthz element in container security descriptor is used
as described inSection 5, “Default Authorization Chain”.
The gridmap authorization can be specified with any prefix, but the default
configuration uses gridmapAuthz as shown in the example below.
Example:
<containerSecurityConfig xmlns="http://www.globus.org/security/descriptor/container" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.globus.org/security/descriptor name_value_type.xsd" xmlns:param="http://www.globus.org/security/descriptor">
<defaultAuthzParam>
<interceptor name="gridmapAuthz:org.globus.wsrf.impl.security.GridMapPDP">
<parameter>
<param:nameValueParam>
<param:parameter name="gridmap-file"
value="/etc/grid-security/grid-mapfile"/>
</param:nameValueParam>
</parameter>
</interceptor>
</defaultAuthzParam>
</containerSecurityConfig>
If the gridmap file is updated at runtime, it will be reloaded.
The security descriptor (container, security and resource) can be created and altered programmatically (as opposed to writing a security descriptor file). For the service and container descriptor, we recommend writing a security descriptor file so that the security properties are initialized at start up.
Table 8.1. Descriptor classes
| Descriptor Type | Java Class Representation |
| Container Security Descriptor |
This is represented by If a container security descriptor file is configured as
described in Section 1, “Configuring Container Security Descriptor”, then an
object is created and stored. To alter the values, use the
API provided in
|
| Service Security Descriptor |
This is represented by
If a service security descriptor file is configured as
described in Section 1, “Configuring Service Security Descriptor”, then an
object is created and stored. To alter the values, use the
API provided in
|
| Resource Security Descriptor |
This is represented by To initialize the descriptor, i.e. load credentials and gridmap, use
the API in |
| Client Security Descriptor |
This is represented by To initialize the descriptor, use
the API in |
G
- grid map file
A file containing entries mapping certificate subjects to local user names. This file can also serve as a access control list for GSI enabled services and is typically found in
/etc/grid-security/grid-mapfile. For more information see the Gridmap section here.
P
- proxy certificate
A short lived certificate issued using a EEC. A proxy certificate typically has the same effective subject as the EEC that issued it and can thus be used in its place. GSI uses proxy certificates for single sign on and delegation of rights to other entities.
For more information about types of proxy certificates and their compatibility in different versions of GT, see http://dev.globus.org/wiki/Security/ProxyCertTypes.