GT 3.9.1 Java WSRF Core Preview: Security Support

Please report any errors or suggestions to our Bugzilla system.

1. Introduction
2. Features
3. Message Level Security
4. Service side security
5. Client side security
6. Tips for Initializing GSI
7. Installation Issues
8. Testing security features
9. Secure Counter Sample
10. Features to be added

1. Introduction

Java GSI in WSRF Core is based on the implementation of GSI in the Java CoG Kit and provides message level security. It is based on the WS-Security, XML Encryption and XML Signature standards. The Java GSI implementation is an implementation of the Java GSS-API. It supports the GSS-API extensions and the new proxy certificate format specifications as defined by the Global Grid Forum and the IETF PKIX working group.

2. Features

Java WSRF Core security library features:

• Message level security.
  
• Resource-based and service-based security.
  Each resource/service can have its own security properties like credentials, gridmap file, etc.
  
• Declarative security
  The security behavior of a service can be specified in a security deployment descriptor. Note that this is not the case for client, including service acting as client, security properties. Client-side security properties still have to be specified in the client code itself.
  
• Programmatic security
  Security APIs are provided to service developers for fine grained security control.
  
• JAAS integration.
  Permits services to be independent from underlying authentication technologies.

3. Message Level Security

Disclaimer: Please note that the message-level security protocols included in this release may change before 4.0 Final. A move to adopt the Apache WSS4J implementation for SOAP message security is currently under consideration by the Globus development team. Originally based on the Globus implementation, the Apache WSS4J library has since evolved and is now compliant with the final version of the Web Services security standard from OASIS, ensuring future interoperability with other Web Services software stacks. As the two implementations are very similar, such a move would consist of little more than namespace changes.

3.1 Introduction

The message level security is based on the WS-Security, XML Encryption and XML Signature standards. Java WSRF Core provides two different message level authentication mechanisms: GSI Secure Conversation and GSI Secure Message.

GSI Secure Conversation	A security context is first established between a client and the service. This context is then used to sign/verify/encrypt/decrypt messages.
GSI Secure Message	A message is signed or encrypted with the given (X509) credentials. Encryption in this case is done in two steps: 1. A symmetric key, generated using AES with key size of 128 bits, is used to encrypt the body of the message. 2. The symmetric key itself is encrypted using RSA/OAEP with the recipient (specified) public key.

GSI Secure Conversation requires three more round trips than GSI Secure Message, which makes GSI Secure Message more suitable for single request-response interactions.

3.2 Deployment Configuration

Message level security is handled by a few client- and server- side Axis/JAX-RPC handlers and an authentication service. The handlers and the authentication service must be properly installed in order for message level security to work.

Note: All these client- and server-side handlers as well as the gsi/AuthenticationService service are installed by default.

3.2.1 Configuring server-config.wsdd

The server-config.wsdd file must define the request and response flows as shown below:

 <requestFlow>
  <handler type="java:org.globus.wsrf.handlers.AddressingHandler"/>
  <handler type="java:org.globus.wsrf.handlers.URLMapper"/>
  <handler type="java:org.globus.axis.handlers.ServiceDescHandler"/>
  <handler type="AuthenticationServiceHandler"/>
  <handler type="java:org.globus.wsrf.handlers.MessageLoggingHandler"/>
  <handler type="java:org.globus.wsrf.handlers.JNDIHandler"/>
  <handler type="java:org.apache.axis.handlers.JAXRPCHandler">
    <parameter name="className" value="org.globus.wsrf.impl.security.authentication.wssec.WSSecurityHandler"/>
  </handler>
  <handler type="java:org.globus.wsrf.impl.security.authentication.SecurityPolicyHandler"/>
  <handler type="java:org.globus.wsrf.impl.security.authorization.AuthorizationHandler"/>
  <handler type="java:org.globus.wsrf.handlers.FaultHandler"/>
 </requestFlow>
 <responseFlow>
  <handler type="java:org.globus.wsrf.handlers.WSDLHandler"/>
  <handler type="java:org.apache.axis.message.addressing.handler.AddressingHandler"/>
  <handler type="java:org.apache.axis.handlers.JAXRPCHandler">
    <parameter name="className" value="org.globus.wsrf.impl.security.authentication.secureMsg.X509EncryptHandler"/>
  </handler>
  <handler type="java:org.apache.axis.handlers.JAXRPCHandler">
    <parameter name="className" value="org.globus.wsrf.impl.security.authentication.secureMsg.X509SignHandler"/>
  </handler>  <handler type="java:org.apache.axis.handlers.JAXRPCHandler">
  <parameter name="className" value="org.globus.wsrf.impl.security.authentication.secureConv.GSSHandler"/>
  </handler>
  <-- Other handlers -->
 </responseFlow>

It should also contain the entry for the gsi/AuthenticationService service:

 <service name="gsi/AuthenticationService" provider="java:RPC" use="literal" style="document">
  <parameter name="allowedMethods" value="*"/>
  <parameter name="className"
    value="org.globus.wsrf.impl.security.authentication.secureConv.service.AuthenticationServiceImpl"/>
  <wsdlFile>share/schema/core/security/authentication/secureConv/gss_secure_conversation_service.wsdl</wsdlFile>
 </service>

3.2.2 Configuring client-config.wsdd

The client-config.wsdd file must define the following request and response flows:

 <requestFlow>
  <handler type="java:org.apache.axis.message.addressing.handler.AddressingHandler"/>
  <handler type="java:org.apache.axis.handlers.JAXRPCHandler">
     <parameter name="className" value="org.globus.wsrf.impl.security.authentication.secureMsg.X509EncryptHandler"/>
  </handler>
  <handler type="java:org.apache.axis.handlers.JAXRPCHandler">
    <parameter name="className" value="org.globus.wsrf.impl.security.authentication.secureMsg.X509SignHandler"/>>
  </handler>
  <handler type="java:org.apache.axis.handlers.JAXRPCHandler">
    <parameter name="className" value="org.globus.wsrf.impl.security.authentication.secureConv.SecContextHandler"/>
    <parameter name="authService" value="auto"/>
  </handler>
  <handler type="java:org.apache.axis.handlers.JAXRPCHandler"<
    <parameter name="className" value="org.globus.wsrf.impl.security.authentication.secureConv.GSSHandler"/>
  </handler>
  <-- Other handlers -->
 </requestFlow>
 <responseFlow>
    <handler type="java:org.apache.axis.message.addressing.handler.AddressingHandler"/>
  <handler type="java:org.globus.wsrf.handlers.MessageLoggingHandler"/>
  <handler type="java:org.apache.axis.handlers.JAXRPCHandler">
    <parameter name="className" value="org.globus.wsrf.impl.security.authentication.wssec.WSSecurityClientHandler"/>
  </handler>
 </responseFlow>

4. Server side Security

Please see the server security document.

5. Client side Security

Please see the client security document.

6. Tips for Speeding up GSI Initialization

Initializing GSI on both the client and the server might be a very time-consuming process on some platforms. It depends on the initialization of a secure seed needed by the random number generator for security purposes. The default seeding algorithm of Sun's VM is somewhat slow but it can be easily replaced by a better one by installing a new SecureRandom provider. The following are two examples for Windows and Unix/Linux machines:

Windows: We recommend installing the InfiniteMonkey provider from ISNetworks.com. Just follow the installation instructions in the included README.TXT file and put the infinitemonkey.dll in the c:\WINNT\system32 directory.

Unix/Linux: We recommend installing the /dev/urandom device. In the future, we will provide a SecureRandom implementation for machines without this device.

7. Installation Issues

7.1 JAAS installation

This step is only necessary for J2SE 1.3.1.

To install JAAS library:

1. Download "JAAS 1.0_01 Class Libraries" from http://java.sun.com/products/jaas/index-10.html.
2. Extract the jaas-1_0_01.zip file into a temporary directory
3. Copy the "jaas1_0_01/lib/jaas.jar" file to the <distribution directory>/java/common/source/lib directory. Alternatively, it can be placed in $JAVA_HOME/jre/lib/ext

7.2 Sun JVM 1.4.0/1.4.1 Issues

The message level security code is based on Apache's XML Security library, which requires a newer version of Xalan than was shipped with Sun's JVM 1.4.0/1.4.1. Please see the XML Security library installation instructions for details and a workaround.

The xalan.jar file found in our distribution can be used for the suggested workaround. Even without the workaround, our command line clients that are invoked by a shell script wrapper will pick the right version of the xalan.jar file.

When invoking a client by directly calling Java in an environment where the above suggested workaround is not in place you should use:

 java  -Djava.endorsed.dirs=$GLOBUS_LOCATION/endorsed  <other options>  <client class> <args> 

8. Testing Security Features

ant testSecurity

9. Secure Counter Sample

The distribution has a sample counter service that uses security. The sample service requires:

• GSI Secure Conversation for createCounter and destroy operations.
• GSI Secure Message for add operation.
• No authentication for all other operations.
• Self authorization.

$GLOBUS_LOCATION\bin\secure-counter-client

F:\>bin\secure-counter-client.bat
Counter service: http://localhost:8080/wsrf/services/SecureCounterService
Counter created, adding
Got notification with value: 3
Counter has value: 3
Got notification with value: 13
F:\>

10. Features to be added

• Client side security descriptor.
• Secure notifications.
• Credential refresh.