Client side security is set up by either setting individual properties on the javax.xml.rpc.Stub object used for the web service method invocation or by setting properties on a client side security descriptor object, which in turn is propagated to client side security handlers by making it available as a stub object property. Here are examples for the two approaches:
Setting property on the stub:

```java
import javax.xml.rpc.Stub;
import org.apache.axis.message.addressing.Address;
import org.apache.axis.message.addressing.EndpointReferenceType;
import org.globus.wsrf.impl.security.authorization.SelfAuthorization;
import org.globus.wsrf.security.Constants;

// Create endpoint reference
EndpointReferenceType endpoint = new EndpointReferenceType();
// Set address of service
String counterAddr = "http://localhost:8080/wsrf/services/CounterService";
endpoint.setAddress(new Address(counterAddr));
// Get handle to port (locator is the counter sample's service locator)
CounterPortType port = locator.getCounterPortTypePort(endpoint);
// Set client authorization to self
((Stub)port)._setProperty(Constants.AUTHORIZATION, SelfAuthorization.getInstance());
```

Setting properties using a client descriptor:

```java
// Client security descriptor file
String CLIENT_DESC = "org/globus/wsrf/samples/counter/client/client-security-config.xml";
// Create endpoint reference
EndpointReferenceType endpoint = new EndpointReferenceType();
// Set address of service
String counterAddr = "http://localhost:8080/wsrf/services/CounterService";
endpoint.setAddress(new Address(counterAddr));
// Get handle to port (locator is the counter sample's service locator)
CounterPortType port = locator.getCounterPortTypePort(endpoint);
// Set descriptor on stub
((Stub)port)._setProperty(Constants.CLIENT_DESCRIPTOR_FILE, CLIENT_DESC);
```
The descriptor file is described in detail in Section 1, “Security Descriptors Introduction”.
Note: If the client needs to use transport security, the following API must be used to register the Axis transport handler for "https":

```java
import org.globus.axis.util.Util;

static {
    Util.registerTransport();
}
```
Table 1. Client side security properties

| Number | Task | Stub Configuration | Descriptor Configuration |
|---|---|---|---|
| 1. | Allows for configuration of credentials for authentication. | Property: `org.globus.axis.gsi.GSIConstants.GSI_CREDENTIALS` Value equals the instance of | |
| 2. | Allows for configuring client side authorization. | Property: `org.globus.wsrf.security.Constants.AUTHORIZATION` Value equals the instance of If GSI Secure Transport or GSI Secure Conversation is used the value should be an instance of | Refer to Section 4.1.2.2, “Configuring authorization mechanism”. |
| 3. | Enable GSI Secure Conversation with specified message protection level. | Property: `org.globus.wsrf.security.Constants.GSI_SEC_CONV` Values equal one of the following: Furthermore, you can set the SOAP Actor of the GSI signed/encrypted SOAP message by using the | Refer to Section 4.1.2.3, “Configuring GSI Secure Conversation”. |
| 4. | Sets the GSI delegation mode. Used for GSI Secure Conversation only. If limited or full delegation is chosen, then some form of client side authorization needs to be done (i.e. client side authorization cannot be set to none). | Property: `org.globus.axis.gsi.GSIConstants.GSI_MODE` Value equals one of the following: | Refer to Section 4.1.2.3, “Configuring GSI Secure Conversation”. |
| 5. | Enables GSI Secure Transport with some protection level. | Property: `org.globus.gsi.GSIConstants.GSI_TRANSPORT` Values equal one of the following: | |
| 6. | Enables anonymous authentication. This option only applies to GSI Secure Conversation and GSI Transport. | Property: `org.globus.wsrf.security.Constants.GSI_ANONYMOUS` Value equals one of the following: | Refer to Section 4.1.2.3, “Configuring GSI Secure Conversation” and Section 4.1.2.5, “Configuring GSI Secure Transport”. |
| 7. | Enable GSI Secure Message with specified message protection level. | Property: `org.globus.wsrf.security.Constants.GSI_SEC_MSG` Values equal one of the following: You can set the SOAP Actor of the signed message using the | |
| 8. | Enable WS-Security username/password authentication. | Properties: `org.globus.wsrf.security.Constants.USERNAME` Value equals the username. `org.globus.wsrf.security.Constants.PASSWORD` Value equals the password. | |
| 9. | Sets the credential that is used to encrypt the message (typically, the recipient's public key). Used for GSI Secure Message only. | Property: `org.globus.wsrf.impl.security.authentication.Constants.PEER_SUBJECT` Value equals the instance of The credential object needs to be wrapped in For example, if (code shown below the table) | |
| 10. | Sets the trusted certificates location. | Property: `org.globus.wsrf.security.TRUSTED_CERTIFICATES` Value should be a comma separated list of directories and file names. | Refer to Section 4.1.2.7, “Configuring trusted credentials”. |
| 11. | Sets the SAML Authorization Assertion to embed in SOAP Header. | Property: `org.globus.wsrf.impl.security.authentication.Constants.SAML_AUTHZ_ASSERTION` Value should be an instance of `org.opensaml.SAMLAssertion`. | Cannot be configured using descriptors. |

Stub configuration code from row 9 (`PEER_SUBJECT`):

```java
import java.security.cert.X509Certificate;
import javax.security.auth.Subject;
import org.globus.gsi.CertUtil;
import org.globus.wsrf.impl.security.authentication.Constants;

Subject subject = new Subject();
// Load the certificate holding the recipient's public key
X509Certificate serverCert =
    CertUtil.loadCertificate(publicKeyFilename);
// Wrap the certificate in EncryptionCredentials
EncryptionCredentials encryptionCreds =
    new EncryptionCredentials(
        new X509Certificate[] { serverCert });
// Add it to the Subject's public credentials and set the Subject on the stub
subject.getPublicCredentials().add(encryptionCreds);
stub._setProperty(Constants.PEER_SUBJECT, subject);
```
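The constraints that Table 1 and the transport note place on combinations of properties can be checked before a stub is configured. The following is an added example, not Globus Toolkit code: it models the planned properties as a plain map keyed by the constant names from the table, and the value labels (`none`, `limited`, `full`, `self`, `signature`) and the sample https endpoint are assumptions made for illustration.

```java
import java.util.*;

// Added example: lints planned client stub properties against the constraints in Table 1.
public class ClientSecurityLint {
    // Keys are the constant names as written in Table 1, not the constants' runtime values.
    static final String AUTHZ = "Constants.AUTHORIZATION";
    static final String SEC_CONV = "Constants.GSI_SEC_CONV";
    static final String SEC_MSG = "Constants.GSI_SEC_MSG";
    static final String TRANSPORT = "GSIConstants.GSI_TRANSPORT";
    static final String MODE = "GSIConstants.GSI_MODE";
    static final String ANONYMOUS = "Constants.GSI_ANONYMOUS";
    static final String PEER_SUBJECT = "Constants.PEER_SUBJECT";

    // Value labels ("none", "limited", "full", ...) are assumed stand-ins for the real constants.
    static List<String> lint(Map<String, String> p, String url, boolean httpsRegistered) {
        List<String> findings = new ArrayList<>();
        boolean conv = p.containsKey(SEC_CONV);
        boolean transport = p.containsKey(TRANSPORT);
        String mode = p.get(MODE);
        if (mode != null && !conv)
            findings.add("GSI_MODE is used for GSI Secure Conversation only; GSI_SEC_CONV is not set");
        if (("limited".equals(mode) || "full".equals(mode)) && "none".equals(p.get(AUTHZ)))
            findings.add(mode + " delegation: client side authorization cannot be set to none");
        if (p.containsKey(ANONYMOUS) && !conv && !transport)
            findings.add("GSI_ANONYMOUS applies only to GSI Secure Conversation and GSI Transport");
        if (p.containsKey(PEER_SUBJECT) && !p.containsKey(SEC_MSG))
            findings.add("PEER_SUBJECT is used for GSI Secure Message only; GSI_SEC_MSG is not set");
        if (url.startsWith("https:") && !httpsRegistered)
            findings.add("https endpoint: Util.registerTransport() must be called first");
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: full delegation with authorization none, over an https endpoint.
        String url = "https://localhost:8443/wsrf/services/CounterService";
        Map<String, String> planned = new LinkedHashMap<>();
        planned.put(SEC_CONV, "signature");
        planned.put(MODE, "full");
        planned.put(AUTHZ, "none");
        planned.put(PEER_SUBJECT, "server-cert");
        lint(planned, url, false).forEach(f -> System.out.println("FINDING: " + f));

        // Corrected plan: self authorization, no stray PEER_SUBJECT, transport handler registered.
        planned.put(AUTHZ, "self");
        planned.remove(PEER_SUBJECT);
        System.out.println("remaining findings: " + lint(planned, url, true));
    }
}
```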