Software Links
Getting Started
- Doc Structure
- A Globus Primer
- Quickstart
- Installing GT
- Platform Notes
- Migrating from GT2
- Migrating from GT3
Reference
- PDF version
- Best Practices
- Coding Guidelines
- API docs
- Public Interfaces
- Resource Properties
- Samples
- Glossary
- Index
- Performance Studies
Common Runtime
Security
Data Mgt
Information Svcs
Execution Mgt
Table of Contents
- 1. Introduction
- 2. Configuring security descriptors
- 3. Reading security descriptor files
- 4. Security Descriptor Schemas
- 5. Common Configuration for server-side security descriptors
- 6. Container-only security configuration
- 7. Service Security Descriptor Configuration
- 8. Writing client side security descriptors
- 9. Programmatic altering of security descriptors
- 10. Resource security descriptors
- 11. Other configuration
Security descriptors contain various security properties like credentials, the grid map file location, required authentication and authorization mechanisms and so on. There are four types of security descriptors in the code base for setting container, service, resource and client security properties:
| container security descriptor | determines the container level security requirement that needs to be enforced. |
| service security descriptor | determines the service level security requirement that needs to be enforced. |
| resource security descriptor | determines the resource level security requirement that needs to be enforced. |
| client security descriptor | determines the security properties that need to be used for a particular invocation. |
Each of these is represented as a Java object and can be altered programmatically. If the security descriptor file is altered at runtime, it will not be reloaded
Service and container security descriptors can be configured as XML files in the global and service deployment descriptor as shown below. Resource security descriptors can only be created dynamically, either programmatically or from a descriptor file. Client security descriptor can be configured as a XML file and set as property on Stub.
The container security descriptor can be configured in the <globalConfiguration> section of the Java WS Core deployment descriptor. That file is in
wsrf/java/core/source/deploy-server.wsddif editing source, prior to deploy or$GLOBUS_LOCATION/etc/globus_wsrf_core/server-config.wsddin a binary install.<globalConfiguration> ... <parameter name="containerSecDesc" value="/path/to/container/descrptor/file.xml"> ... <globalConfiguration> ...The descriptor file name can also be specified as a parameter when the Java WS Core continer is started up. The option is -containerSecDesc "/path/to/container/descrptor/file.xml"
![[Note]](/docbook-images/note.gif)
Note This setting takes precendence over 1
The service security descriptor can be configured in the service's deployment descriptor section as parameter. The parameter is a name/value that provides the path to the security descriptor file.
<service name="MyDummyService" provider="Handler" style="document"> ... <parameter name="securityDescriptor" value="org/globus/wsrf/impl/security/descriptor/security-config.xml"/> ... </service>
A ServiceSecurityDescriptor object can be created and initialized in the service's contructor.
public MyDummyService() throws Exception { ServiceSecurityDescriptor serviceDesc = new ServiceSecurityDescriptor(); // set security properties on the above object using get/set methods // in the API ServiceSecurityHelper .setSecurityDescriptor("DummyServiceName" serviceDesc);Note This method takes precendence over 1
A ServiceSecurityDescriptor object can be created similar to above, but initialized from a file and set in the constructor.
public MyDummyService() throws Exception { ServiceSecurityDescriptor serviceDesc = new ServiceSecurityDescriptor("/path/to/security/file"); ServiceSecurityHelper .setSecurityDescriptor("DummyServiceName" serviceDesc);Note This method takes precendence over 1
A ServiceSecurityDescriptor object can be created and initialized in the service's contructor.
public MyDummyService() throws Exception { ServiceSecurityDescriptor serviceDesc = new ServiceSecurityDescriptor(); // set security properties on the above object using get/set methods // in the API ServiceSecurityHelper .setSecurityDescriptor("DummyServiceName" serviceDesc);A ServiceSecurityDescriptor object can be created similar to above, but initialized from a file and set in the constructor.
public MyDummyService() throws Exception { ServiceSecurityDescriptor serviceDesc = new ServiceSecurityDescriptor("/path/to/security/file"); ServiceSecurityHelper .setSecurityDescriptor("DummyServiceName" serviceDesc);
Client security descriptors from a file can be configured directory on stub as follows:
// Client security descriptor file String CLIENT_DESC = "org/globus/wsrf/samples/counter/client/client-security-config.xml"; //Set descriptor on Stub ((Stub)port)._setProperty(Constants.CLIENT_DESCRIPTOR_FILE, CLIENT_DESC);
Client security descriptors object can be constructed from a file and configured directory on stub as follows:
// Client security descriptor file String CLIENT_DESC = "org/globus/wsrf/samples/counter/client/client-security-config.xml"; ClientSecurityDescriptor desc = new ClientSecurityDescriptor(CLIENT_DESC); //Set descriptor on Stub ((Stub)port)._setProperty(Constants.CLIENT_DESCRIPTOR, desc);
Note This takes precedence over 1
Client security descriptors object can be created and get/set methods can be used to set security properties. The object then ca be configured on stub as follows:
ClientSecurityDescriptor desc = new ClientSecurityDescriptor(); // set security properties on the above object using set/get object //Set descriptor on Stub ((Stub)port)._setProperty(Constants.CLIENT_DESCRIPTOR, desc);
Note This takes precedence over 1
If security descriptor is configured to be read from a file, it is loaded as follows:
- As a file if an absolute file path is specified.
- As a resource (can be included as part of jar file).
- As a file, assuming that the specified path is relative to the installation root, typically pointed to by environment variable
GLOBUS_LOCATION.
All security descriptor files need to comply with a defined schema and should be written within the defined namespace.
Table A.1. Security descriptor schema
| Descriptor | Schema | Namespace | Element |
| Container security descriptor | http://www.globus.org/security/descriptor/container | containerSecurityConfig | |
| Service security descriptor | http://www.globus.org/security/descriptor/service | serviceSecurityConfig | |
| Resource security descriptor | Same schema as service, (Schema) | http://www.globus.org/security/descriptor/service | serviceSecurityConfig |
| Client security descriptor | http://www.globus.org/security/descriptor/client | clientSecurityConfig |
The next few sections deal with writing server side security descriptor files—that is, container, service and resource descriptor files to set various properties. Only the properties that are common across these descriptor are discussed here. Other specific properties are discussed in following sections.
When parameters are configured in multiple descriptors the order of precendence is resource, service and then container.
The container and each service can each be configured with a separate set of credentials. The credentials can be set using either: a) the path to a proxy file, or b) the path to a certificate and key file. If the configured credential file is modified/updated at runtime, the credentials will be automatically reloaded. The credentials can be configured by adding one of the following blocks to the container or service security descriptor.
Example for option (a):
<serviceSecurityConfig xmlns="http://www.globus.org/descriptor/server"> ... <proxy-file value="proxyFile"/> ... </serviceSecurityConfig>
Example for option (b):
<serviceSecurityConfig
xmlns="http://www.globus.org/security/descriptor/service">
...
<credential>
<cert-key-files>
<key-file value="keyFile"/>
<cert-file value="certFile"/>
</cert-key-files>
</credential>
...
</serviceSecurityConfig>
| Note |
|---|---|
The above examples show use of service security descriptor. If setting in container security descriptor, set namespace and outer element as shown in Section 4, “ Security Descriptor Schemas ”. |
Credentials can be configured at resource, service or container level and the framework will look for credentials in the following order:
- Resource credentials
- Service credentials
- Container credentials
- Default credentials. This uses the underlying security library to acquire the credentials. It will typically result in finding the proxy certificate of the user that is running the container.
For message level security one may also set the amount of time for which to track received messages for the purpose of preventing replay attacks. Messages outside of this window will be rejected automatically, whereas messages within this window are checked against recently received messages through the use of the message UUID.
Parameter replay-attack-fileter can be set to true or false to enable or disable replay attack prevention framework. By default, this feature is enabled.
<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service"> ... <replay-attack-filter value="true"/> ... </serviceSecurityConfig>Parameter replay-attack-window can be set to number of minutes the replay window should be. By default it is 5 minutes.
<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service"> ... <replay-attack-window value="100"/> ... </serviceSecurityConfig>
| Note |
|---|---|
The above examples show use of service security descriptor. If setting in container security descriptor, set namespace and outer element as shown in Section 4, “ Security Descriptor Schemas ”. |
This parameter can be used to configure if clients that present limited proxies can be allowed to authenticate successfully. By default, limited proxes are accepted.
<serviceSecurityConfig
xmlns="http://www.globus.org/security/descriptor/service">
...
<reject-limited-proxy value="true"/>
...
</serviceSecurityConfig> | Note |
|---|---|
The above examples show use of service security descriptor. If setting in container security descriptor, set namespace and outer element as shown in Section 4, “ Security Descriptor Schemas ”. |
When GSI Secure Conversation is used, a security context is established and by default the life of the context is determined by the least lifetime of the chain of certificates used in establishing the context. The value of the lifetime can be altered to be lesser than the above value by setting the value for following parameter in milliseconds.
<serviceSecurityConfig
xmlns="http://www.globus.org/security/descriptor/service">
...
<context-lifetime value="1000"/>
...
</serviceSecurityConfig> | Note |
|---|---|
The above examples show use of service security descriptor. If setting in container security descriptor, set namespace and outer element as shown in Section 4, “ Security Descriptor Schemas ”. |
The container and each service/resource can be configured
with a chain of interceptor, where each interceptor is a Policy
Decision Points (PDPs) or Policy Information Points (PIPs). The
element authzChain can be used to configure
it.
Each chain can contain an optional list of Bootstrap PIPs, an optional list of PIPs and a list of PDPs (with atleast one PDP).
Each interceptor name is scoped and the format is prefix:FQDN of the interceptor. For example, self:org.globus.wsrf.impl.security.authorization.SelfAuthorization. The prefix is used to allow multiple instances of the same intercepor to exist in the same PDP chain.
Example:
<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service"> ... <authzChain> <pips> <interceptor name="scope2:org.globus.sample.PIP1"/> </pips> <pdps> <interceptor name="foo1:org.foo.authzMechanism bar1:org.bar.barMechanism"/> </pdps> </authzChain> ... <serviceSecurityConfig/>Bootstap PIPs are optional and by default, org.globus.wsrf.impl.security.authorization.X509BootstrapPIP is used by the framework. Any other PIPs listed with in the <bootstrapPips> element is appended to the default PIP. If the configuration should override (that is X5008BootstapPIP should not be used), the optional attribute
overwritecan be set to true.<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service"> ... <authzChain combiningAlg="org.globus.sample.SampleAlg> <bootstrapPips overwrite="true" <interceptor name="scope1:org.globus.sample.BootstrapPIP1"/> </bootstrapPips> <pips> <interceptor name="scope2:org.globus.sample.PIP1"/> </pips> <pdps> <interceptor name="scope3:org.globus.sample.PDP1"/> </pdps> </authzChain> .. </serviceSecurityConfig>In the above case, X509BootstrapPIP will not be used adn the BoostrapPIP1 will be used.
<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service"> ... <authzChain combiningAlg="org.globus.sample.SampleAlg> <bootstrapPips> <interceptor name="scope1:org.globus.sample.BootstrapPIP1"/> </bootstrapPips> <pips> <interceptor name="scope2:org.globus.sample.PIP1"/> </pips> <pdps> <interceptor name="scope3:org.globus.sample.PDP1"/> </pdps> </authzChain> .. </serviceSecurityConfig>In the above case, X509BootstrapPIP followed by BoostrapPIP1 will be used.
The authorization chain can be configured with a combining algorithm using the attribute combiningAlg. The value should be a FQDN of a class that implements
org.globus.wsrf.security.authorization.AuthorizationEngineSpi. The attribute is optional and by default theorg.globus.wsrf.impl.security.authorization.providers.PermitOverrideAlgorithmis used.Example:
<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service"> ... <authzChain combiningAlg="org.globus.sample.SampleAlg> <pips> <interceptor name="scope2:org.globus.sample.PIP1"/> </pips> <pdps> <interceptor name="scope3:org.globus.sample.PDP1"/> <interceptor name="scope4:org.globus.sample.PDP2"/> </pdps> </authzChain> .. </serviceSecurityConfig>In the above, the default
X509BootstrapPIPwill be used. Following that, the PIPs,PIP1will be invoked to collect attributes. Finally theSampleAlgcombining algorithm is used with the configured PDPs (PDP1andPDP2) are run to determine the decision.Each interceptor can specify a parameter value and the schema defines it as xsd:any to allow for any user defined parameters. The parser extracts the elements in <parameter> element and returns them as DOM Element. It is left up to the Interceptor to parse the Element. The DOM object created is placed in the ChainConfig object passed to the authorization engine as a parameter called "parameterObject". The prefix will be the scope specified in the interceptor name.
Since schema validation is done, a schema must be supplied for the user defined parameters. The schema location is loaded as a resource and hence can be included in some jar placed in GLOBUS_LOCATION lib directory.
The toolkit provides a parameter schema by default, that allows for a name/value pair, where the value is a string. Example :
<containerSecurityConfig xmlns="http://www.globus.org/security/descriptor/container" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.globus.org/security/descriptor name_value_type.xsd" xmlns:param="http://www.globus.org/security/descriptor"> <authzChain> <pdps> <interceptor name="gridmapAuthz:org.globus.wsrf.impl.security.GridMapAuthorization"> <parameter> <param:nameValueParam> <param:parameter name="gridmap-file" value="/home/user1/grid-mapfile"/> </param:nameValueParam> </parameter> </interceptor> </pdps> </containerSecurityConfig>When the above is parsed, a DOM Element is constructed with element <param:nameValuParam> and stored in the ChainConfig object as parameter with name "gridmapAuthz:parameterObject". The GridMapAuthorization PDP, uses ObjectDeserializer to retrieve the name/value pairs.
The following PDPs are a part of the toolkit and are configured as shown. The framework maps and plugs in the scoped name of the PDP at the time of authorization.
Table A.2. Builtin PDPs
none
| No authorization is performed. |
self
|
|
gridmap
|
|
identity
|
|
host
|
|
samlCallout
|
|
userName
|
|
Table A.3. SAML Callout PDP Parameters
<prefix>-authzService
| The URL of the authorization service. |
<prefix>-authzServiceIdentity
| The identity to use for authorizing the authorization service. If no identity was specified then the service is authorized using the identity associated with the entity performing the callout (self-authorization). |
<prefix>-authzServiceCertificateFile
| A filename identifying the certificate to use when encrypting messages and verifying responses signed at the SAML level. This is only required if using GSI Secure Message with privacy protection or if the user requested SAML signing. |
<prefix>-authzServiceCertificate
| This parameter is equivalent to the above, but can only be used programmatically. It must be set to a value of type java.security.cert.X509Certificate. |
<prefix>-securityMechanism
| The security mechanism to use. Recognized values are none, msg (GSI-Secure Message) and conv (GSI-Secure Conversation).
Transport security may be indicated by specifying a HTTPS URL in the <prefix>-authzService property. This property defaults to transport security if indicated by the URL and GSI-Secure Message otherwise. |
<prefix>-protectionLevel
| The protection level to use. Recognized values are sig (integrity protection) and enc (privacy and integrity protection). Defaults to sig. |
<prefix>-samlAuthzReqSigned
| Determines if the request is internally signed or not. SAML requests can include a signature in the request and response documents. This is separate from any security mechanism applied at either the SOAP or transport level. Recognized values are true and false. Defaults to false. |
<prefix>-samlAuthzSimpleDecision
| Determines whether to request a simple decision statement or not. More information on this setting can be found here. Recognized values are true and false. Defaults to true. |
Other than these, any custom authorization scheme could be configured with its own configuration information. Refer to Section 5.6, “Writing a custom authorization mechanism”, for details on writing a custom authorization mechanism.
The authorization handler can be configured to call out to a custom authorization
class. The class must implement the interface org.globus.wsrf.security.PDP.
Example:
package org.foobar;
import ....;
public class FooPDP implements PDP
{
private Principal authorizedIdentity;
/* Not used by the current code */
public String[] getPolicyNames() {
return new String[0];
}
/* Not used by the current code */
public Node getPolicy(Node query)
throws InvalidPolicyException {
return null;
}
/* Not used by the current code */
public Node setPolicy(Node policy)
throws InvalidPolicyException {
return null;
}
public boolean isPermitted(Subject peerSubject,
MessageContext context,
QName operation)
throws AuthorizationException {
if (peerSubject == null) {
return false;
}
Set peerPrincipals = peerSubject.getPrincipals();
if ((peerPrincipals == null) || peerPrincipals.isEmpty()) {
return false;
}
/* Check if the peer identity and the authorized
* identity match
*/
return peerPrincipals.contains(this.authorizedIdentity);
}
public void initialize(PDPConfig config,
String name,
String id)
throws InitializeException {
/* Read the initialization information from the service
* specific WSDD parameter <name>-authorizedIdentity
*/
this. authorizedIdentity =
new GlobusPrincipal((String) config.getProperty(
name, "authorizedIdentity"));
}
public void close() throws CloseException {
this. authorizedIdentity = null;
}
}To use the above PDP one would configure a service security descriptor with the following authorization settings:
<securityConfig xmlns="http://www.globus.org"> ... <authz value="foo1:org.foobar.FooPDP"/> ... <securityConfig/>
This security descriptor (identified as /.../foo-pdp-security-config.xml below) can then be used by a service. The association is created by adding a couple of parameters to the service's WSDD entry:
...
<service name="MyDummyService"
provider="Handler"
style="document">
...
<parameter name="securityDescriptor"
value="/.../foo-pdp-security-config.xml"/>
<parameter name="foo1-authorizedIdentity"
value="/DC=org/DC=doe/OU=People/CN=John D"/>
...
</service>Note that the parameter <parameter>foo1-authorizedIdentity</parameter> in the above configures the identity the PDP uses for authorizing incoming requests. The parameter name is derived by composing the prefix (<parameter>foo1</parameter>) used when specifying the PDP in the security descriptor with the property (<parameter>authorizedIdentity</parameter>) used in the PDP code.
Other than the security properties that have been described in previous section, few more properties are exclusive to the container security descriptor.
Other than the container/service/resource authorization, a administrative level authorization chain can be configured using the <adminAuthz> element. The decision returned by this chain, overrides subsequent authorization decision. That is, if the administator's authorizaiton chain returns a deny, the rest of the configured authorization (at container/service/resource) is not evaluated and the operation is denied. If the the administattor's chain returns the permit, the rest of the configuration is evaluated to see if the operation is allowed.
The element has the same schema as described in Section 5.5, “Configuring authorization mechanisms”, with the outer element called adminAuthz in palce of authzChain.
Example:
<containerSecurityConfig
xmlns="http://www.globus.org/security/descriptor/container">
...
<adminAuthz>
<pips>
<interceptor name="scope2:org.globus.sample.PIP1"/>
</pips>
<pdps>
<interceptor name="foo1:org.foo.authzMechanism bar1:org.bar.barMechanism"/>
</pdps>
</adminAuthz>
...
<containerSecurityConfig/>This element is used to configure default properties for any interceptor configured in authorization chains. The schema for this is similar to the authorization chain specification as described in Section 5.5, “Configuring authorization mechanisms” and allows for xsd:any as interceptor parameter.
<defaultAuthzParam>
<interceptor name="scope1:org.globus.sample.SamplePDP"/>
<parameter>
<param:nameValueParam>
<param:parameter name="policy-file"
value="/home/user1/samplePDPConfig"/>
</param:nameValueParam>
</parameter>
</interceptor>
</defaultAuthzParam>
When GSI Secure Conversation is used, a security context is established and a worker thread cleans up expired contexts. This parameter sets the interval on the timer thread that collects expired contexts established when GSI Secure Conversation is used. The value is the number of seconds between each run and defaults to 10minutes.
<containerSecurityConfig
xmlns="http://www.globus.org/security/descriptor/container">
...
<context-timer-interval value="100000"/>
...
</containerSecurityConfig>This parameter sets the interval on the timer thread that collects expired message digest ids, stored to prevent replay attack in the case of Secure Message. The value is set in seconds and the default value is 1 minute.
<containerSecurityConfig
xmlns="http://www.globus.org/security/descriptor/container">
...
<replay-timer-interval value="100"/>
...
</containerSecurityConfig>This parameter sets location of trusted certificates to be used. The value should be a comma separated list of locations.
<containerSecurityConfig
xmlns="http://www.globus.org/security/descriptor/container">
...
<trusted-certificates value="/home/user1/trustedCerts /home/user1/newCerts"/>
...
</containerSecurityConfig> The authentication method required for accessing a service can be configured in the descriptor using the <auth-method> element. A per method configuration can also be done as described in Section 7.3, “Configuring per method authentication and run-as”.
Currently, the following authentication methods are supported:
Table A.4. Authentication methods
| Authentication Method | Element | Options/Notes |
| No Authentication |
<none/>
|
This method cannot be specified with any other authentication method. |
| GSI Secure Message |
<GSISecureMessage/>
|
The
|
| GSI Secure Conversation |
<GSISecureConversation/>
|
The
|
| GSI Secure Transport Authentication |
<GSITransport/>
|
The
|
Notes:
- Multiple authentication methods can be specified under the
<auth-method>element (except for the<none/>method, see above). As long as one of the specified authentication methods is used, access to the service is allowed. - If no
<protection-level>sub element is specified, then all protection levels are available to clients. However, if the<protection-level>sub element is specified, then the service will only accept the protection levels listed under said element. - The
org.globus.wsrf.impl.security.authentication.SecurityPolicyHandlerhandler must be installed properly in order for this to work. This handler is installed by default. - If a security descriptor is not specified, authentication method enforcement is not performed.
Example:
<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service">
<!-- default auth-method for any other method -->
<auth-method>
<GSISecureConversation/>
</auth-method>
</securityConfig>The <run-as> element is used to configure the
JAAS run-as identity under which the service method will be
executed. The run-as identity can be configured on a per method
basis also as described in Section 7.3, “Configuring per method authentication and run-as”. Currently, the following run-as identities are
supported:
Table A.5. Run-as methods
<run-as value="caller"/>
|
The service method will be run with the security identity of the client. The caller Subject will contain the following:
|
<run-as value="service"/>
| The service method will be run with the security identity of the service itself (if the service has one, otherwise the container identity will be used). |
<run-as value="resource"/>
| The service method will be run with the security identity of the resource. If no resource is specified or if the resource does not have a configured subject, credentials in this order of occurrence will be used: service credential, container credential. |
<run-as value="system"/>
| The service method will be run with the security identity of the container. |
Notes:
- resource-identity is the default setting.
- The
org.globus.wsrf.impl.security.authentication.SecurityPolicyHandlerhandler must be installed properly in order for this to work. It is installed by default. - If the security descriptor is not specified, then the run-as identity is not set and there will be no JAAS subject associated with the execution of the operation. This means that any method calls that require credentials and that are invoked by the service method itself will fail.
Example:
<servicesecurityConfig xmlns="http://www.globus.org/security/descriptor/service">
<!-- default run-as for any other method -->
<run-as>
<service-identity/>
</run-as>
</serviceSecurityConfig> A per method configuration can be used to define expected authentication method for the method and also a run-as configuration. The element methodAuthentication is used to list all the method configuration. For each method, element method with method name as attribute needs to be used. If a method does not have such a configuration, default configuration, described in the last two sections are used.
Example
<serviceSecurityConfig
xmlns="http://www.globus.org/security/descriptor/service">
...
<method name="findServiceData">
<auth-method>
<none/>
</auth-method>
</method>
<method name="subtract">
<run-as>
<service-identity/>
</run-as>
</method>
<method name="destroy">
<auth-method>
<GSISecureMessage/>
<GSISecureConversation>
<protection-level>
<integrity/>
</protection-level>
</GSISecureConversation>
</auth-method>
</method>
<!-- default run-as for any other method -->
<run-as>
<system-identity/>
</run-as>
<!-- default auth-method for any other method -->
<auth-method>
<GSISecureConversation/>
</auth-method>
...
</serviceSecurityConfig>
In the above example:
- the
findServiceData()operation does not require any authentication. Since no run-as per method is specified, default specification, system-identity is used. - the
destroy()operation requires either GSI Secure Message authentication with either level of protection or GSI Secure Conversation authentication with integrity protection. Default run-as is used. - substract method does not have a specific authentication speicifed, so the default GSI Secure Conversation is used. But the operation is run with service identity.
- all other operations must be authenticated with GSI Secure Conversation with either level of protection.
Client side credentials are configured similar to server side credentials as described in Section 5.1, “Configuring credentials”. The outer element and schema for client security descriptor as described in Section 4, “ Security Descriptor Schemas ” should be used.
The <authz> element is used to determine the mechanism to use to authorize the server that is being contacted. The following values are currently supported:
none | No authorization is done. |
self | Self authorization is done, i.e the server should be running with the same credentials as the client. |
host | Host authorization is done, i.e the server should be running with credentials that have the host name it is running on embedded in it. |
hostSelf | Host authorization is done (i.e the server should be running with credentials that have the host name it is running on embedded in it). If that fails, an attempt at self authorization (i.e the server should be runnign with same credentials as client) is made. |
| any other string | Identity authorization is done using the value as the identity, i.e the server should be running with identity specified as value. |
The following sample configures self authorization:
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
...
<authz value="self"/>
...
</clientSecurityConfig>
The client can be configured to do GSI Secure Conversation using the element <GSISecureConversation>. The following subelements can be used to set various properties
<integrity> | Sets protection level to signature. |
<privacy> | Sets protection level to encryption (signature is also done). |
<anonymous> | Server is accessed as anonymous. |
<delegation value="type of delegation"> | Determines the type of delegation to be done. The value can be set to full or limited. If the delegation element is not used, no delegation is done. |
<context-lifetime> | Determines the lifetime of the context established. If not specified, the least lifetime of the chain of certificates used in establishing the context is used as context lifetime. |
The following sample sets GSI Secure Conversation with privacy and full delegation:
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
...
<GSISecureConversation>
<protection-level>
<privacy/>
<delegation value="full"/>
</GSISecureConversation>
...
</clientSecurityConfig>
The client can be configured to do GSI Secure Message using the element <GSISecureMessage>. The following subelements can be used to set various properties:
<integrity> | Sets protection level to signature |
<privacy> | Sets protection level to encryption (signature is also done) |
<peer-credential value="path to file with credentials to encrypt with"> | Sets the path to the file containing the credential to use if privacy protection is chosen. |
The following sample sets GSI Secure Message with integrity:
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
...
<GSISecureMessage>
<integrity/>
</GSISecureMessage>
...
</clientSecurityConfig>
This property cannot be set using security descriptor as yet. Refer to http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=4535 . If the service endpoint starts with "https", then this mechanism with integrity is configured. To configure privacy, the descriptor needs to be modify programatically.
Username/password can be used for authentication by the client. This is configured using <username> and <passwordType> element. The usernam element allows for a string to be configured and the password configuration consists of a password and a type string.
Example configuration:
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
<usernameType>
<username value="tester1"/>
<passwordType>
<password value="TY^*(Hyu"/>
<type value="someType"/>
</passwordType>
</usernameType>
</clientSecurityConfig>
Client side trusted credentials are configured similar to container security descriptor as described in Section 6.5, “Trusted Certificates”. The outer element and schema for client security descriptor as described in Section 4, “ Security Descriptor Schemas ” should be used.
The security descriptor (container, security and resource) can be created and altered programmatically (as opposed to writing a security descriptor file). For the service and container descriptor, we recommend writing a security descriptor file so that the security properties are initialized at start up.
Table A.6. Descriptor classes
| Container Security Descriptor |
This is represented by If a container security descriptor file is configured as
described in Section 2, “Configuring security descriptors ”, then an
object is created and stored. To alter the values, use the
API provided in
|
| Service Security Descriptor |
This is represented by
If a service security descriptor file is configured as
described in Section 2, “Configuring security descriptors ”, then an
object is created and stored. To alter the values, use the
API provided in
|
| Resource Security Descriptor |
This is represented by To initialize the descriptor, i.e. load credentials and gridmap, use
the API in |
| Client Security Descriptor |
This is represented by To initialize the descriptor, use
the API in |
Resource level security can be set up using a resource security
descriptor. A resource security descriptor overrides any service or container level
security settings. To make a resource secure, it needs to implement
org.globus.wsrf.impl.security.SecureResource. This
interface has a method that returns an instance of
org.globus.wsrf.impl.security.descriptor.ResourceSecurityDescriptor. If
null is returned, it is assumed that no security is set
on the resource.
The resource security descriptor is identical to the service security descriptor and exposes an API to set and get all properties that are described in Section 5, “Common Configuration for server-side security descriptors ”. A resource security descriptor object can also be created by reading settings from a descriptor file. The file needs to be written as described in Section 5, “Common Configuration for server-side security descriptors ”.
Examples:
The following code snippet creates a resource descriptor object directly:
ResourceSecurityDescriptor desc = new ResourceSecurityDescriptor();
desc.setRejectLimitedProxy("true");The following code snippet creates a resource descriptor object from a file:
ResourceSecurityConfig config = new ResourceSecurityConfig("resDescFileName");
config.init();
ResourceSecurityDescriptor desc = config.getSecurityDescriptor();FILLME: details on using the API
The gridmap file is a common configuration in the toolkit and is typically configured within the GridmapPDP configuration. To specify a default value to be used across the toolkit, if not specified with in the GrimapPDP configuration, the defaultAuthz element in container security descriptor is used as described in Section 6.2, “ Default Authorization Chain”.
The gridmap authorization can be specified with any prefix, but the default configuration uses "gridmapAuthz" as shown in the example below.
Example:
<containerSecurityConfig xmlns="http://www.globus.org/security/descriptor/container" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.globus.org/security/descriptor name_value_type.xsd"
xmlns:param="http://www.globus.org/security/descriptor">
<defaultAuthzParam>
<interceptor name="gridmapAuthz:org.globus.wsrf.impl.security.GridMapAuthorization">
<parameter>
<param:nameValueParam>
<param:parameter name="gridmap-file"
value="/etc/grid-security/grid-mapfile"/>
</param:nameValueParam>
</parameter>
</interceptor>
</containerSecurityConfig>
If the grid map file is updated at runtime, it will be updated.