Chapter 6. Service Access PIP (Since GT 4.2.1)

1. Class name

org.globus.wsrf.impl.security.authorization.ServiceAccessPIP

2. Overview

This PIP collects information about the service and operation being invoked by the client. The attributes it constructs can be sent to an XACML authorization service, using the XACML Authorization Callout. Three sets of attributes are collected:

  • Subject attributes: Subject DN and Issuer DN of the client certificate.

  • Action attributes: Local name of the operation invoked by the client.

  • Resource attributes: String representation of the EPR of the resource being accessed.

3. Installation

This component is installed as part of Section 3, “Installation”.

4. Configuration

No additional configuration is required for this PIP.

5. Attributes Collected

This PIP collects the attributes described in the following tables:

Table 6.1. Attribute I

Description of attribute: Subject DN of the client
Identity attribute: True
Attribute ID: org.globus.wsrf.impl.security.authorization.XACMLConstants.SUBJECT_X509_ID
Datatype: org.globus.wsrf.impl.security.authorization.XACMLConstants.STRING_DATATYPE
Issuer: Container Issuer Entity
Validity from: Current time
Validity to: Infinity

Table 6.2. Attribute II

Description of attribute: Subject DN of the issuer of client credential
Identity attribute: No
Attribute ID: org.globus.wsrf.impl.security.authorization.XACMLConstants.SUBJECT_X509_ISSUER
Datatype: org.globus.wsrf.impl.security.authorization.XACMLConstants.STRING_DATATYPE
Issuer: Container Issuer Entity
Validity from: Current time
Validity to: Infinity

Table 6.3. Attribute III

Description of attribute: Local part of the operation being invoked.
Identity attribute: True
Attribute ID: org.globus.wsrf.impl.security.authorization.XACMLConstants.ACTION_ID
Datatype: org.globus.wsrf.impl.security.authorization.XACMLConstants.STRING_DATATYPE
Issuer: Container Issuer Entity
Validity from: Current time
Validity to: Infinity

Table 6.4. Attribute IV

Description of attribute: String representation of the EPR contacted by the client.
Identity attribute: True
Attribute ID: org.globus.wsrf.impl.security.authorization.XACMLConstants.RESOURCE_ID
Datatype: org.globus.wsrf.impl.security.authorization.XACMLConstants.STRING_DATATYPE
Issuer: Container Issuer Entity
Validity from: Current time
Validity to: Infinity

6. Related interceptors

This PIP can be used in tandem with the XACML Authorization Callout PDP to obtain an authorization decision about the service access from an XACML Authorization Callout.
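
The following Python model is an added example, not Globus Toolkit code: it shows how the four attributes in Tables 6.1 to 6.4 could be laid out in an XACML 2.0 request context for an authorization service. The function names, the attribute ID URIs (the page gives only the XACMLConstants names, not their values) and the use of a plain XACML 2.0 request context are assumptions.

```python
import xml.etree.ElementTree as ET

CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
STRING_DATATYPE = "http://www.w3.org/2001/XMLSchema#string"
# Assumed stand-ins for the XACMLConstants values, which this page does not list.
SUBJECT_X509_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
SUBJECT_X509_ISSUER = "urn:example:placeholder:subject:x509-issuer"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"


def local_name(operation):
    """Return the local part of an operation name given as '{namespace}local'."""
    return operation.rsplit("}", 1)[-1]


def collect_attributes(subject_dn, issuer_dn, operation, epr):
    """Model the attributes of Tables 6.1 to 6.4 as (category, id, value)."""
    return [
        ("Subject", SUBJECT_X509_ID, subject_dn),
        ("Subject", SUBJECT_X509_ISSUER, issuer_dn),
        ("Action", ACTION_ID, local_name(operation)),
        ("Resource", RESOURCE_ID, epr),
    ]


def build_request(attributes, container_issuer):
    """Serialize the collected attributes as an XACML 2.0 request context."""
    request = ET.Element(f"{{{CTX_NS}}}Request")
    # The schema orders the categories Subject, Resource, Action, Environment.
    for category in ("Subject", "Resource", "Action", "Environment"):
        parent = ET.SubElement(request, f"{{{CTX_NS}}}{category}")
        for cat, attr_id, value in attributes:
            if cat == category:
                attr = ET.SubElement(parent, f"{{{CTX_NS}}}Attribute", AttributeId=attr_id,
                                     DataType=STRING_DATATYPE, Issuer=container_issuer)
                # ElementTree escapes the text, so markup in a DN or EPR stays data.
                ET.SubElement(attr, f"{{{CTX_NS}}}AttributeValue").text = value
    return ET.tostring(request, encoding="unicode")


# Constructed sample input (not taken from a real deployment).
SAMPLE = collect_attributes(
    "/O=Example/CN=Alice <admin>",
    "/O=Example/CN=Example CA",
    "{http://example.org/counter}add",
    "https://host.example.org:8443/wsrf/services/CounterService?key=1",
)
```

Because every value is carried as a string, a policy that matches on the subject or resource attribute compares exact strings, so the DN and EPR forms written in the policy must match what the container emits.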