GT 3.9.4 Authorization Framework: System Administrator's Guide
- Introduction
- Building and Installing
- Configuring
- Deploying
- Testing
- Security Considerations
- Troubleshooting
Introduction
This component determines the authorization enforced on the server and the client side. Administrator configuration can include determining the container- or service-level authorization mechanism, and setting up and managing authorization policy, for instance entries in the gridmap file.
The Security Descriptors document describes configuring the authorization mechanism and also the configuration required for each of the schemes that are distributed with the toolkit.
Building and Installing
[information about installing the component - may link to Installation Guide]
Configuring
Information on configuration settings and environment variables can be found in the public interface guide.
Deploying
This component is deployed as a part of Java WS Core.
Testing
To execute the security tests, ensure that Ant with JUnit is configured. Also make sure to copy junit.jar, found in the JUnit distribution, to the $GLOBUS_LOCATION/lib directory.
Also all these tests require a valid credential. FILLME: some notes on how to get a user credential ?
The security tests are included in $GLOBUS_LOCATION/lib/wsrf_test_unit.jar - contains all other tests
To execute the tests, pass the JAR file named above to the test script as described in the Java WS Core Developer's Guide. To ensure that only security tests are run, set -DsecurityTestsOnly=true. These run the WS Authentication and WS Authorization tests.
By default, these tests require that the container and the tests run using the same credentials, i.e. self authorization is done on secure calls.
The tests also allow one other configuration, in which the container is configured with host credentials and the tests can be run with any credentials:
- Configure the container to use host credentials using a security descriptor, as described in the container descriptor section.
- Edit $GLOBUS_LOCATION/etc/globus_wsrf_test_unit/server-config.wsdd
  - Comment out the configured descriptor in SecurityTestService and AuthzCalloutTestService that specified self authorization.
      <!-- Does self authz by default -->
      <!-- parameter name="securityDescriptor" value="@config.dir@/security-config.xml"/ -->
  - Uncomment the configuration for identity authorization and set the value of the property idenAuthz-identity to the subject DN of the credentials used to run the tests.
      <!-- For use only when identity authz is used-->
      <parameter name="securityDescriptor" value="@config.dir@/identity-security-config.xml"/>
      <parameter name="idenAuthz-identity" value="Identity used by client"/>
- To run tests without starting up an external container, run
    ant test -Dsecurity.test.client.authz=host
  To run tests after starting up an external container, secure and insecure, on localhost ports 8180 and 8181 respectively, the command would be
    ant testServer -Dsecurity.test.client.authz=host -Dtest.server.url=http://127.0.0.1:8181/wsrf/services/ -Dsecure.test.server.url=https://127.0.0.1:8180/wsrf/services/
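A check for the server-config.wsdd edit described above, added here as an example and not part of the toolkit: it confirms that both test services have only the identity descriptor active and that idenAuthz-identity is no longer the placeholder. The function name, the sample WSDD and the sample DN are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SERVICES = ("SecurityTestService", "AuthzCalloutTestService")
IDENTITY_FILE = "identity-security-config.xml"

def _local(tag):
    # Strip any XML namespace so the check works with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def check_identity_authz(wsdd_text, expected_dn):
    """Return a list of problems; an empty list means both test services
    use the identity descriptor with the expected subject DN."""
    problems = []
    root = ET.fromstring(wsdd_text)  # commented-out parameters are dropped here
    services = {e.get("name"): e for e in root.iter() if _local(e.tag) == "service"}
    for name in SERVICES:
        svc = services.get(name)
        if svc is None:
            problems.append(f"{name}: service element not found")
            continue
        params = {}
        for p in svc:
            if _local(p.tag) == "parameter":
                params.setdefault(p.get("name"), []).append(p.get("value", ""))
        # Compare file names only: the directory part may be a build token.
        files = [v.rsplit("/", 1)[-1] for v in params.get("securityDescriptor", [])]
        if files != [IDENTITY_FILE]:
            problems.append(f"{name}: active securityDescriptor files are {files}")
        if params.get("idenAuthz-identity", []) != [expected_dn]:
            problems.append(f"{name}: idenAuthz-identity does not match {expected_dn!r}")
    return problems

# Constructed sample: first service edited as described, second left unedited.
SAMPLE_WSDD = """<deployment xmlns="http://xml.apache.org/axis/wsdd/">
 <service name="SecurityTestService">
  <!-- parameter name="securityDescriptor" value="@config.dir@/security-config.xml"/ -->
  <parameter name="securityDescriptor" value="@config.dir@/identity-security-config.xml"/>
  <parameter name="idenAuthz-identity" value="/O=Example/CN=Test User"/>
 </service>
 <service name="AuthzCalloutTestService">
  <parameter name="securityDescriptor" value="@config.dir@/security-config.xml"/>
  <parameter name="idenAuthz-identity" value="Identity used by client"/>
 </service>
</deployment>"""

if __name__ == "__main__":
    for problem in check_identity_authz(SAMPLE_WSDD, "/O=Example/CN=Test User"):
        print(problem)
```

Running it before ant test catches a service that still carries the self authorization descriptor or the placeholder identity, either of which makes the host-credential test run fail authorization.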
Security Considerations
[describe security considerations relevant for this component]
Troubleshooting
[help for common problems sysadmins may experience]