GT 3.9.4 Component Guide to Public Interfaces: WS A&A Authorization Framework
- Semantics and syntax of APIs
- Semantics and syntax of WSDL
- Command-line tools
- GUIs
- Description of domain-specific interface data
- Configuration settings
- Environment variables
Semantics and syntax of APIs
Programming Model Overview
Independent authorization settings can be configured on the server and client side. The security programming model on the server side is declarative and all configuration is done by setting a security descriptor. The descriptor can be a resource, service or container descriptor, depending on the required scope for the property. On the client side, by contrast, the configuration is done by setting the required properties on the stub used to make the method invocation. The security properties, and hence the authorization settings, can be set directly as a property on the stub, or a client security descriptor may be written with all properties encapsulated.
Component API
- Stable API
- org.globus.wsrf.security.Constants
- org.globus.wsrf.security.SecureResource
- org.globus.wsrf.security.SecurityManager
- org.globus.wsrf.security.authorization.PDP
- org.globus.wsrf.security.authorization.PIP
- org.globus.wsrf.security.authorization.PDPConfig
- org.globus.wsrf.security.authorization.PDPConstants
- org.globus.wsrf.security.authorization.Interceptor
- org.globus.wsrf.security.impl.authorization.Authorization
- Less stable API
- org.globus.wsrf.impl.security.descriptor.ClientSecurityDescriptor
- org.globus.wsrf.impl.security.descriptor.ServiceSecurityDescriptor
- org.globus.wsrf.impl.security.descriptor.ResourceSecurityDescriptor
Complete API Documentation
Semantics and syntax of the WSDL
SAML Authorization Callout
The authorization framework as such does not have a WSDL interface. As one of the authorization schemes in the toolkit, a callout to an authorization service compliant with the specification of the OGSA Authorization Working Group (OGSA-AuthZ) is included. The callout sends a query to the configured authorization service, which returns an authorization decision.
Protocol overview
The authorization service takes a query as input and returns an authorization decision. Security Assertion Markup Language (SAML) is used for expressing the query and the decision. If any fault occurs, it is embedded as a part of the decision. The decision can be permit, deny or indeterminate.
Operations
- SAMLRequest : Used to send queries to the authorization service; a decision is returned. All faults are embedded as a part of the returned decision and no fault is thrown at the WSDL level.
- GetResourceProperty : Gets the value of a specific resource property. This operation throws the following faults:
- SetResourceProperties : Sets the value for resource properties. This operation throws the following faults:
- QueryResourceProperties : Used for querying resource properties using a query expression. This operation throws the following faults:
Resource properties
- supportedPolicies : Contains identifiers for any or all access control policies that the authorization service is capable of rendering decisions about.
- supportsIndeterminate : Indicates whether the authorization service returns a decision of indeterminate. If not, only permit or deny is returned.
- signatureCapable : Indicates if the authorization service is capable of signing the decision returned. If not, only unsigned decisions are returned.
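As an added example, not part of this guide or of the toolkit, the following Java code shows how a caller of the SAML callout can evaluate the returned decision fail-closed: an embedded fault (a non-Success status), an Indeterminate decision, a missing or duplicated decision statement, or a Resource that does not match the one asked about all yield deny. The SAML 1.1 element names, the DOM parsing and the constructed sample response are assumptions; the toolkit's own callout uses its SAML library rather than this code.

```java
import java.io.ByteArrayInputStream;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example (not toolkit code): fail-closed handling of a SAML 1.1 authorization decision.
public class AuthzDecisionCheck {
    static final String SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String COUNTER = "http://localhost:8080/wsrf/services/CounterService";
    // Constructed sample response: a permit for the counter service's "add" operation.
    static final String SAMPLE_PERMIT =
        "<samlp:Response xmlns:samlp='" + SAMLP + "' xmlns:saml='" + SAML + "'>"
        + "<samlp:Status><samlp:StatusCode Value='samlp:Success'/></samlp:Status>"
        + "<saml:Assertion><saml:AuthorizationDecisionStatement Resource='" + COUNTER
        + "' Decision='Permit'><saml:Action>add</saml:Action>"
        + "</saml:AuthorizationDecisionStatement></saml:Assertion></samlp:Response>";

    // True only for an explicit Permit, in a Success response, for the expected resource.
    public static boolean isPermitted(String responseXml, String expectedResource) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The response comes from a remote service: refuse DOCTYPE and external entities.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(responseXml.getBytes("UTF-8")));
        // Faults are embedded in Status rather than thrown: any non-Success code is a deny.
        // The status code is a QName (samlp:Success), so only its local part is compared.
        NodeList codes = doc.getElementsByTagNameNS(SAMLP, "StatusCode");
        if (codes.getLength() == 0
            || !((Element) codes.item(0)).getAttribute("Value").endsWith("Success")) {
            return false;
        }
        // Exactly one decision statement is expected; none or several is treated as indeterminate.
        NodeList stmts = doc.getElementsByTagNameNS(SAML, "AuthorizationDecisionStatement");
        if (stmts.getLength() != 1) {
            return false;
        }
        Element s = (Element) stmts.item(0);
        // Deny and Indeterminate both map to false; only Permit for the requested resource passes.
        return "Permit".equals(s.getAttribute("Decision"))
            && expectedResource.equals(s.getAttribute("Resource"));
    }

    public static void main(String[] args) throws Exception {
        System.out.println(isPermitted(SAMPLE_PERMIT, COUNTER));
    }
}
```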
Faults
- ResourceUnknownFault
- InvalidSetResourcePropertiesRequestContentFault
- UnableToModifyResourcePropertyFault
- InvalidResourcePropertyQNameFault
- SetResourcePropertyRequestFailedFault
- UnknownQueryExpressionDialectFault
- InvalidQueryExpressionFault
- QueryEvaluationErrorFault
Schema Definition
OGSA-AuthZ Authorization Service WSDL
Command-line tools
There is no support for this type of interface.
Overview of Graphical User Interface
There is no support for this type of interface.
Semantics and syntax of domain-specific interface
Interface introduction
On the client side the authorization configuration is set on the service port instance used for method invocation. Properties can be set directly on the service port instance or set using a client security descriptor.
- Setting property on the stub:
import javax.xml.rpc.Stub;
import org.apache.axis.message.addressing.Address;
import org.apache.axis.message.addressing.EndpointReferenceType;
import org.globus.wsrf.security.Constants;
import org.globus.wsrf.impl.security.authorization.SelfAuthorization;
import org.globus.wsrf.samples.counter.CounterPortType;
import org.globus.wsrf.samples.counter.service.CounterServiceAddressingLocator;

// Create endpoint reference
EndpointReferenceType endpoint = new EndpointReferenceType();
// Set address of service: the address must be placed on the endpoint reference
String counterAddr = "http://localhost:8080/wsrf/services/CounterService";
endpoint.setAddress(new Address(counterAddr));
// Get handle to port from the generated service locator of the counter sample
CounterServiceAddressingLocator locator = new CounterServiceAddressingLocator();
CounterPortType port = locator.getCounterPortTypePort(endpoint);
// Set client authorization to self: the service is expected to run under the client's own identity
((Stub)port)._setProperty(Constants.AUTHORIZATION, SelfAuthorization.getInstance());
- Setting property using client descriptor:
import javax.xml.rpc.Stub;
import org.apache.axis.message.addressing.Address;
import org.apache.axis.message.addressing.EndpointReferenceType;
import org.globus.wsrf.security.Constants;
import org.globus.wsrf.samples.counter.CounterPortType;
import org.globus.wsrf.samples.counter.service.CounterServiceAddressingLocator;

// Client security descriptor file (loaded from the classpath)
String CLIENT_DESC = "org/globus/wsrf/samples/counter/client/client-security-config.xml";
// Create endpoint reference
EndpointReferenceType endpoint = new EndpointReferenceType();
// Set address of service: the address must be placed on the endpoint reference
String counterAddr = "http://localhost:8080/wsrf/services/CounterService";
endpoint.setAddress(new Address(counterAddr));
// Get handle to port from the generated service locator of the counter sample
CounterServiceAddressingLocator locator = new CounterServiceAddressingLocator();
CounterPortType port = locator.getCounterPortTypePort(endpoint);
// Set descriptor on stub: all security properties, including authorization, come from the file
((Stub)port)._setProperty(Constants.CLIENT_DESCRIPTOR_FILE, CLIENT_DESC);
The descriptor file is defined by the Client Security Descriptor Schema. The sample below sets security settings equivalent to the previous example (self authorization):
<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns="http://www.globus.org">
<authz value="self"/>
</securityConfig>
Syntax of the interface
Client authorization: sets the type of client authorization to perform.
- Stub setting: property org.globus.wsrf.impl.security.Constants.AUTHORIZATION. Value equals the
- Descriptor setting: the client side authorization scheme can be configured using the element <authz value="someMethod"/>. Currently the following methods are supported:
Note: By default, if nothing is specified, host authorization is performed.
Configuration interface
Configuration overview
The authorization framework can be configured at resource, service or container level using security descriptors. The descriptors can be read from a file or created programmatically. Refer to Configuring Security Descriptor for more details.
The authorization configuration involves setting a chain of authorization schemes (also known as Policy Decision Points (PDPs)), which are then evaluated to a permit/deny decision.
Syntax of the interface
Refer to Configuring authorization mechanism.
Environment variable interface
There is no support for this type of interface.