GT 3.9.5 Component Guide to Public Interfaces: WS A&A CAS
- Semantics and syntax of APIs
- Semantics and syntax of WSDL
- Command-line tools
- GUIs
- Description of domain-specific interface data
- Configuration settings
- Environment variables
Semantics and syntax of APIs
Programming Model Overview
The CAS service allows for managing fine-grained access policy for resources in a VO. The service has a backend database that stores data about users, resources and actions and the associated rights. It provides an administrator interface for managing the data and a query interface for users to retrieve this information. One of the operations in the query interface is a means to get a signed SAML assertion that the client can present to a resource for authorization purposes.
Component API
Some relevant API:
- org.globus.cas.CasPortType
- org.globus.cas.impl.CasConstants
- org.globus.cas.impl.client.CasProxyHelper
Complete API:
Semantics and syntax of the WSDL
Protocol overview
This component is used to store and retrieve assertions about the rights a user has on some resource to perform some action on a service type. It uses the Security Assertion Markup Language (SAML) to express an authorization query and to return an assertion about the objects in the query. It also provides a WSDL interface for administrative tasks such as managing information about users and resources and granting and revoking rights on them.
Operations
- addUser: Adds a new user.
- removeUser: Removes a user.
- addTrustAnchor: Adds a new trust anchor.
- removeTrustAnchor: Removes a trust anchor.
- createGroup: Creates a new user, object or action group.
- deleteGroup: Deletes a user, object or action group.
- createObject: Creates a new object (resource).
- deleteObject: Deletes an object (resource).
- createObjectNamespace: Creates a new object namespace.
- deleteObjectNamespace: Deletes an object namespace.
- manageObjectGroups: Adds/deletes objects to/from an object group.
- manageUserGroups: Adds/deletes members to/from a user group.
- createServiceType: Creates a new service type.
- deleteServiceType: Deletes a service type.
- manageServiceAction: Adds/deletes a service type and action mapping.
- manageServiceActionGroups: Creates/deletes a service/action group.
- grant: Grants a user the right to do a service/action (or a group of service/actions) on a resource (or a group of resources).
- revoke: Revokes a user's right.
- whoami: Returns the CAS nickname associated with the user.
- list: Returns the list of users/objects/service/action types.
- findApplicablePolicy: Returns all relevant policy for a given user/object/service/action.
- getCasObject: Returns the user/object/service/action represented by Object given an id.
- getGroupMembers: Returns all members of a given user/object/service/action group.
- getAssertion: Returns an assertion for a given query that contains the rights the user has for the action and resource specified in the query.
Resource properties
- ServerDN: The DN from the credentials used by the CAS Service.
- VODescription: A string that describes the VO relevant to the CAS Service.
Faults
- NoPermissionFault: Thrown if the client is not allowed to invoke the operation.
- CasFault: Thrown if any other error occurs.
WSDL and Schema Definition
Command-line tools
- CAS User Clients
- CAS Administration Clients
- Enrolling and Unenrolling Trust Anchors
- Enrolling and Unenrolling Users
- Enrolling and Unenrolling Namespaces
- Enrolling and Unenrolling Objects
- Enrolling and Unenrolling Service Type
- Maintaining Service Types
- Maintaining User Groups
- Maintaining Object Groups
- Maintaining Service/Action Groups
- Maintaining Service/Action Groups
- CAS Query Clients
- CAS Client common options
CAS User Clients
These are clients that a user would use to get a signed CAS assertion and have it embedded in the user proxy. A script is also provided that lets the user run an arbitrary command with the proxy carrying the CAS assertion.
cas-proxy-init
cas-proxy-init contacts a CAS server and obtains a CAS credential for the user to be used to access CAS-enabled services.
cas-proxy-init [options] [ -t tag | -p proxyfile ]
where:
- -p proxyfile : Specifies the file in which to store the CAS credential. Cannot be used with the -t option.
- -t tag : Chooses a filename in which to store the CAS credential based on the value tag. Cannot be used with the -p option.
- -c url : Contact URL for the CAS server. This typically looks like http://Host:Port/ogsa/services/base/cas/CASService, where Host and Port are the host and port where the container with the CAS service is running.
- -s server_identity : When doing mutual authentication with the CAS server, expect server_identity as the remote identity.
- -f policy_file : Generate a CAS credential that includes only those permissions specified in the file policy_file (the default is to generate a credential with all the user's permissions).
- -l hours : Generate a credential that will time out after hours hours. This is a request for lifetime; the CAS server may have a set maximum for the assertion lifetime, which will be enforced.
- -m messageType : Sets the chosen security mechanism. It can be set to 'msg' for Secure Message, 'conv' for Secure Conversation and 'trans' for Transport security. If not set and the server URL starts with 'https', Transport Security is used, else Secure Message is used.
- -n protectionType : Sets the protection type required with the security mechanism. Can be set to 'sig' or 'enc' to indicate signature or encryption. Defaults to signature.
Getting specific CAS rights using cas-proxy-init
It is possible to request specific permissions from the CAS server using the -f option. This option causes cas-proxy-init to read a set of requested rights from a file.
This file should contain one or more resource identifiers:
Resource: ResourceNamespace|ResourceName
For each resource, one or more action identifiers:
serviceType action
For example, if the client needed assertions for the "file/read" service/action on the resources "ftp://sample1.org" and "ftp://sample3.org", both in "FTPNamespace", and "directory/read" and "directory/write" permissions on the former resource only, the policy file should have the following entries:
Resource: FTPNamespace|ftp://sample1.org
file read
directory read
directory write
Resource: FTPNamespace|ftp://sample3.org
file read
To indicate any resource, the following wildcard notation should be used.
uri:samlResourceWildcard
To indicate any action, the following wildcard notation for serviceType and action should be used. Note that this must be the first (and therefore the only) action in the list of actions specified: all other actions in the list are ignored, and if it is not the first, it is not treated as a wildcard.
uri:samlActionNSWildcard uri:samlActionWildcard
For example, if the client needs assertions for all resources and all actions, the policy file should look like this:
Resource: uri:samlResourceWildcard
uri:samlActionNSWildcard uri:samlActionWildcard
If the client needs assertions for all actions on resource "FTPNamespace|ftp://sample1.org", the policy file should be as follows
Resource: FTPNamespace|ftp://sample1.org
uri:samlActionNSWildcard uri:samlActionWildcard
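As an added example (not part of the original guide), a small Python parser for the policy file format just described. It applies the documented rule that the action wildcard pair only counts when it is the first action listed under a resource, and it rejects files that do not follow the "Resource:" / "serviceType action" layout. The sample policy text is constructed from the entries above; skipping blank lines is an assumption of this example.

```python
"""Parser for the cas-proxy-init -f policy file format (added example).

Format, as documented in the guide:
    Resource: ResourceNamespace|ResourceName   (or uri:samlResourceWildcard)
    serviceType action                         (one or more lines per resource)
Assumption (not in the guide): blank lines are skipped.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RESOURCE_WILDCARD = "uri:samlResourceWildcard"
ACTION_WILDCARD = "uri:samlActionNSWildcard uri:samlActionWildcard"


@dataclass
class ResourceActions:
    """One Resource: entry with its 'serviceType action' lines, in the same
    shape as the guide's ResourceActionsMap (resource string plus actions)."""
    resource: str
    actions: List[str] = field(default_factory=list)

    @property
    def any_resource(self) -> bool:
        return self.resource == RESOURCE_WILDCARD

    @property
    def any_action(self) -> bool:
        # The wildcard pair is only a wildcard when it is the first action.
        return bool(self.actions) and self.actions[0] == ACTION_WILDCARD


def parse_policy_file(text: str) -> List[ResourceActions]:
    """Parse policy text into ResourceActions entries, validating structure."""
    entries: List[ResourceActions] = []
    current: Optional[ResourceActions] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Resource:"):
            resource = line[len("Resource:"):].strip()
            if resource != RESOURCE_WILDCARD and "|" not in resource:
                raise ValueError(f"line {lineno}: resource must be 'Namespace|Name'")
            current = ResourceActions(resource)
            entries.append(current)
            continue
        if current is None:
            raise ValueError(f"line {lineno}: action line before any 'Resource:' line")
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'serviceType action'")
        if current.any_action:
            # Wildcard came first: the guide says all further actions are ignored.
            continue
        current.actions.append(" ".join(parts))
    for entry in entries:
        if not entry.actions:
            raise ValueError(f"resource {entry.resource!r} lists no actions")
    return entries


def requested_rights(text: str) -> List[Tuple[str, str]]:
    """Flatten a policy file into (resource, 'serviceType action') pairs,
    i.e. the rights the client will ask the CAS server to assert."""
    return [(e.resource, a) for e in parse_policy_file(text) for a in e.actions]


# Constructed sample, matching the worked example in the guide.
SAMPLE_POLICY = """\
Resource: FTPNamespace|ftp://sample1.org
file read
directory read
directory write
Resource: FTPNamespace|ftp://sample3.org
file read
"""

if __name__ == "__main__":
    for res, act in requested_rights(SAMPLE_POLICY):
        print(f"{res:35} {act}")
```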
cas-wrap
The cas-wrap program runs a grid-enabled program, causing it to use previously-generated CAS credentials.
cas-wrap [-t tag | -p proxyfile ] command args
cas-wrap invokes the given command with the given argument using the specified previously-generated CAS credential. For example:
% cas-wrap -t my-community gsincftp myhost.edu
will look for a credential generated by a previous execution of:
% cas-proxy-init -t my-community
and then set the environment to use that credential while running the command
% gsincftp myhost.edu
The second form should be used if cas-proxy-init was run with the -p option; for example,
% cas-wrap -p /path/to/my/cas/credential gsincftp myhost.edu
will look for a credential generated by a previous execution of:
% cas-proxy-init -p /path/to/my/cas/credential
and then set the environment to use that credential while running the command
% gsincftp myhost.edu
CAS Administrator Clients
The CAS administrator clients can be used to manipulate and maintain the data in the CAS database. They allow one to enroll (and unenroll) CAS objects, create (and delete) groups, add (and remove) members from groups, and add (and remove) service type and action mappings. Typically these operations are performed by the CAS administrator.
All enroll operations involve granting cas/grantAll permission on the enrolled object to some user group (to which the requesting user may or may not belong).
All operations require that the user have specific permissions to perform the operation. Permissions and policies are given to and applied to user groups. Hence a user is said to have permission to perform an operation if one of the user groups that the user belongs to has permission to perform that operation.
If some user group to which the user belongs has permission "superuser" on the cas server object, then they may perform any operation, even if they do not have the specific rights outlined below for each operation.
If a user has cas/grantAll permission on any object, then the user is permitted to perform any operations on that object.
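As an added example (not part of the original guide), a Python model of the three permission rules stated above: rights are held by user groups, "superuser" on the cas server object permits any operation, and cas/grantAll on an object permits any operation on that object. The object name "cas-server", the spelling "cas/superuser", and all group and user names are constructed for this example.

```python
"""Model of the CAS administrative permission rules (added example).

Rules modelled, as stated in the guide:
  1. Permissions are held by user groups; a user has a permission if any
     group the user belongs to has it.
  2. A group with "superuser" on the cas server object may do any operation.
  3. A group with cas/grantAll on an object may do any operation on that object.
Assumptions (not in the guide): the cas server object is called "cas-server"
here and the superuser permission is spelled "cas/superuser".
"""
from typing import Dict, Optional, Set, Tuple

CAS_SERVER_OBJECT = "cas-server"   # constructed name for the cas server object
SUPERUSER = "cas/superuser"        # constructed spelling of the superuser right
GRANT_ALL = "cas/grantAll"


class CasPolicyModel:
    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = {}          # user group -> user nicknames
        self.policy: Set[Tuple[str, str, str]] = set()  # (user group, object, serviceType/action)

    def add_member(self, group: str, nickname: str) -> None:
        self.members.setdefault(group, set()).add(nickname)

    def grant(self, group: str, obj: str, service_action: str) -> None:
        # Policy is always attached to a user group, never to a single user.
        self.policy.add((group, obj, service_action))

    def groups_of(self, nickname: str) -> Set[str]:
        return {g for g, users in self.members.items() if nickname in users}

    def decide(self, nickname: str, obj: str, service_action: str) -> Optional[Tuple[str, str]]:
        """Return (group, rule) that permits the operation, or None if denied.
        Evaluating every group the user belongs to is rule 1."""
        for group in sorted(self.groups_of(nickname)):
            if (group, CAS_SERVER_OBJECT, SUPERUSER) in self.policy:
                return group, "superuser on cas server object"
            if (group, obj, GRANT_ALL) in self.policy:
                return group, "cas/grantAll on object"
            if (group, obj, service_action) in self.policy:
                return group, "explicit permission"
        return None

    def may(self, nickname: str, obj: str, service_action: str) -> bool:
        return self.decide(nickname, obj, service_action) is not None


def build_sample_model() -> CasPolicyModel:
    """Constructed VO: a superuser group, an enrollment group and an object-owner group."""
    m = CasPolicyModel()
    m.add_member("vo-superusers", "alice")
    m.add_member("vo-enrollers", "carol")
    m.add_member("ftp-owners", "bob")
    m.grant("vo-superusers", CAS_SERVER_OBJECT, SUPERUSER)
    m.grant("vo-enrollers", CAS_SERVER_OBJECT, "cas/enroll_user")
    m.grant("ftp-owners", "FTPNamespace|ftp://sample1.org", GRANT_ALL)
    return m


if __name__ == "__main__":
    model = build_sample_model()
    for who, obj, op in [("alice", CAS_SERVER_OBJECT, "cas/enroll_user"),
                         ("bob", "FTPNamespace|ftp://sample1.org", "cas/unenroll"),
                         ("bob", CAS_SERVER_OBJECT, "cas/enroll_user"),
                         ("dave", CAS_SERVER_OBJECT, "cas/query")]:
        print(who, obj, op, "->", model.decide(who, obj, op))
```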
Enrolling and Unenrolling Trust Anchors
To enroll a trust anchor, the user must have cas/enroll_trustAnchor permission on the cas server object (that is, must have permission to perform the enroll_trustAnchor action on the cas service type). The enroll operation allows the user to choose a user group to which cas/grantAll permission on the enrolled object should be granted. The nickname should be unique across the CAS database and is used to refer to this trust anchor.
casAdmin$ cas-enroll [options] trustAnchor userGpName nickname authMethod authData
where:
- options : client options
- userGpName : the user group to which cas/grantAll permission should be granted on this trust anchor entity
- nickname : trust anchor nickname
- authMethod : authentication method used by the trust anchor
- authData : data used for authentication, typically the DN
To unenroll a trust anchor, the user must have cas/unenroll permission on that trust anchor. The trust anchor must also be unused, that is, there may not be any users in the database that have this trust anchor, and it may not be a part of any object group.
casAdmin$ cas-remove [options] trustAnchor nickname
where:
- options : client options
- nickname : nickname of the trust anchor to be unenrolled
If the trust anchor nickname specified does not exist, an error is not thrown. If the unenroll operation is successful, all policy data on that trust anchor is purged.
Enrolling and Unenrolling Users
To enroll a user, the user must have cas/enroll_user permission (that is, must have permission to perform the enroll_user action on the cas service type). The enroll operation allows the user to choose a user group to which cas/grantAll permission on the enrolled object should be granted. The enrolled user also gets all the privileges granted to the community. The nickname should be unique across the CAS database and is used to refer to this user.
casAdmin$ cas-enroll [options] user userGpName nickname subjectName trustAnchorNick
where:
- options : client options
- userGpName : the user group to which cas/grantAll permission should be granted on this user entity
- nickname : user nickname
- subjectName : subject name from the user's credentials
- trustAnchorNick : name of the user's trust anchor (must exist in the CAS database)
To unenroll a user, the user must have cas/unenroll permission on that user. The user must also be unused, that is, there may not be any user groups in the database that have this user as a member.
casAdmin$ cas-remove [options] user nickname
where:
- options : client options
- nickname : nickname of the user to be unenrolled
If the user nickname specified does not exist, an error is not thrown. If the unenroll operation is successful, all policy data on that user is purged.
Enrolling and Unenrolling Namespaces
To enroll a namespace, the user must have cas/enroll_namespace permission (that is, must have permission to perform the enroll_namespace action on the cas service type). The enroll operation allows the user to choose a user group to have cas/grantAll permission on the enrolled object. The comparison algorithm specified should be the name of the Comparison class to be used to compare objects that belong to this namespace. The nickname should be unique across the CAS database and is used to refer to this namespace.
casAdmin$ cas-enroll [options] namespace userGpName nickname basename comparisonAlg
where:
- options : client options
- userGpName : the user group to which cas/grantAll permission should be granted on this namespace entity
- nickname : namespace nickname
- basename : base URL for the namespace
- comparisonAlg : comparison algorithm to be used. Unless one of the standard comparison algorithms described below is used, the fully qualified name of the class to be used should be given. The class needs to extend the abstract class org.globus.ogsa.impl.base.cas.server.ObjectComparison.
- ExactComparison : This class does a case-sensitive exact comparison of the object names. If comparisonAlg in the above method is set to "ExactComparison", the class in the distribution is loaded and used.
- WildcardComparison: This class does wild card matching as described in "CAS Simple Policy Language". (FIXME link to that doc) It assumes that the wild card character is "*" and "/" is file separator. If comparisonAlg in the above method is set to "WildCardComparison", the class in the distribution is loaded and used.
In addition to the inherent CAS namespace, two namespaces are added to the CAS database at boot time:
- FTPDirectoryTree : Uses the WildCardComparison Algorithm and has the base URL set to current directory.
- FTPExact : Uses the ExactComparison Algorithm and has the base URL set to current directory.
To unenroll a namespace, the user must have cas/unenroll permission on that namespace. The namespace must also be unused, that is, there may not be any object in the database that belongs to this namespace.
casAdmin$ cas-remove [options] namespace nickname
where:
- options : client options
- nickname : nickname of the namespace to be unenrolled
If the namespace nickname specified does not exist, an error is not thrown. If the unenroll operation is successful, all policy data on that namespace is purged.
Enrolling and Unenrolling Objects
To enroll an object, the user must have cas/enroll_object permission (that is, must have permission to perform the enroll_object action on the cas service type). The enroll operation allows the user to choose a user group to have cas/grantAll permission on the enrolled object. The name of the object together with the namespace this object belongs to identifies an object in the database and should be unique across the CAS database.
casAdmin$ cas-enroll [options] object userGpName objectName namespaceNick
where:
- options : client options
- userGpName : the user group to which cas/grantAll permission should be granted on this object entity
- objectName : name of the object
- namespaceNick : nickname of the namespace this object belongs to
To unenroll an object, the user must have cas/unenroll permission on that object. The object must also be unused, that is, there may not be any object group in the database that this object belongs to.
casAdmin$ cas-remove [options] object objName namespaceNick
where:
- options : client options
- objName : name of the object to be unenrolled
- namespaceNick: nickname of the namespace this object belongs to
If the object specified does not exist, an error is not thrown. If the unenroll operation is successful, all policy data on that object is purged.
Enrolling and Unenrolling Service Type
To enroll a service type, the user must have cas/enroll_serviceType permission (that is, must have permission to perform the enroll_serviceType action on the cas service type). The enroll operation allows the user to choose a userGroup to have cas/grantAll permission on the enrolled service type. The service type name should be unique across the CAS database.
casAdmin$ cas-enroll [options] serviceType userGpName serviceTypeName
where:
- options : client options
- userGpName : the user group to which cas/grantAll permission should be granted on this service type entity
- serviceTypeName: service type name
To unenroll a service type, the user must have cas/unenroll permission on that service type. The service type must also be unused, that is, it may not have any service type to action mapping.
casAdmin$ cas-remove [options] serviceType serviceTypeName
where:
- options : client options
- serviceTypeName: service type name
If the service type specified does not exist, an error is not thrown. If the unenroll operation is successful, all policy data on that service type is purged.
Maintaining Service Types
To add an action mapping to a service type, the user must have cas/create_group_entry permission on the service type.
casAdmin$ cas-action [options] add serviceTypeName actionName
where:
- options : client options
- serviceTypeName: service type name
- actionName: action name
To remove a service type action mapping, the user must have cas/delete_group_entry permission on the service type.
casAdmin$ cas-action [options] remove serviceTypeName actionName
where:
- options : client options
- serviceTypeName: service type name
- actionName: action name
If the group member being removed does not exist, an error is not thrown.
Maintaining User Groups
To create a new user group, the user must have cas/create_user_group permission (that is, must have permission to perform the create_user_group action on the cas service type). The user group name should be unique across the CAS database. The create operation allows the user to choose a user group to have cas/grantAll permission on the created user group. If the user group chosen to have cas/grantAll permission is the newly created group itself, then the user making this request is added to the new group.
casAdmin$ cas-group-admin [options] user create userGpName groupName
where:
- options : client options
- userGpName : the user group to which cas/grantAll permission should be granted on the created user group
- groupName : name of the user group being created
To add a user to a user group, the user must have cas/add_group_entry permission on that particular user group. Only user nicknames that exist in the CAS database can be valid members.
casAdmin$ cas-group-add-entry [options] user groupName nickname
where:
- options : client options
- groupName : user group name to which the member needs to be added
- nickname : nickname of the user to be added to this group
To remove a user from a user group, the user must have cas/remove_group_entry permission on that particular user group.
casAdmin$ cas-group-remove-entry [options] user groupName nickname
where:
- options : client options
- groupName : user group name from which the member needs to be removed
- nickname : nickname of the user to be removed from this group
If the group member being removed does not exist, an error is not thrown.
To delete a user group, the user must have cas/delete_user_group permission on that user group. The group must be empty and must not be referenced from other entities in the database (for example, it should not be a member of some object group).
casAdmin$ cas-group-admin [options] user delete groupName
where:
- options : client options
- groupName : name of the user group to be deleted
If the user group specified does not exist, an error is not thrown. If the delete operation is successful, all policy data on that user group is purged.
Maintaining Object Groups
To create a new object group, the user must have cas/create_object_group permission (that is, must have permission to perform the create_object_group action on the cas service type). The object group name should be unique across the CAS database. The create operation allows the user to choose a user group to have cas/grantAll permission on the created object group.
casAdmin$ cas-group-admin [options] object create userGpName groupName
where:
- options : client options
- userGpName : the user group to which cas/grantAll permission should be granted on the created object group
- groupName : name of the object group being created
To add a member to an object group (an object group can have the following CasObjects as members: object, user, user group, service type, namespace or trust anchor), the user must have cas/add_group_entry permission on that particular object group.
casAdmin$ cas-group-add-entry [options] object groupName objectSpecDesc objectSpec
where:
- options : client options
- groupName : object group name to which the member needs to be added
- objectSpecDesc : type of CasObject (trustAnchor (or) user (or) userGroup (or) object (or) namespace (or) serviceType)
- objectSpec : the identifier for the CasObject the user is adding (nickname (or) nickname (or) groupName (or) objectNamespace objectName (or) nickname (or) serviceTypeName, corresponding to the type)
To remove an object from an object group, the user must have cas/remove_group_entry permission on that particular object group:
casAdmin$ cas-group-remove-entry [options] object groupName objectSpec objectSpecDesc
where:
- options : client options
- groupName : object group name from which the member needs to be removed
- objectSpecDesc : type of CasObject (trustAnchor (or) user (or) userGroup (or) object (or) namespace (or) serviceType)
- objectSpec : the identifier for the CasObject the user is removing (nickname (or) nickname (or) groupName (or) objectNamespace objectName (or) nickname (or) serviceTypeName, corresponding to the type)
If the group member being removed does not exist, an error is not thrown.
To delete an object group, the user must have cas/delete_user_group permission on that object group. The group must be empty.
casAdmin$ cas-group-admin [options] object delete groupName
where:
- options : client options
- groupName : name of the object group to be deleted
If the object group specified does not exist, an error is not thrown. If the delete operation is successful, all policy data on that object group is purged.
Maintaining Service/Action Groups
To create a new service/action group, the user must have cas/create_serviceAction_group permission (that is, must have permission to perform the create_serviceAction_group action on the cas service type). The serviceAction group name should be unique across the CAS database. The create operation allows the user to choose a user group to have cas/grantAll permission on the created serviceAction group.
casAdmin$ cas-group-admin [options] serviceAction create userGpName groupName
where:
- options : client options
- userGpName : the user group to which cas/grantAll permission should be granted on the created serviceAction group
- groupName : name of the serviceAction group being created
To add a service/action to a serviceAction group, the user must have cas/add_group_entry permission on that particular serviceAction group (that is, must have permission to perform the add_group_entry action on that serviceAction group).
casAdmin$ cas-group-add-entry [options] serviceAction groupName serviceTypeName actionName
where:
- options : client options
- groupName : serviceAction group name to which the member needs to be added
- serviceTypeName : service type name part of mapping to be added to group
- actionName : action name part of mapping to be added to group
To remove a service/action from a serviceAction group, the user must have cas/remove_group_entry permission on that particular serviceAction group.
casAdmin$ cas-group-remove-entry [options] serviceAction groupName serviceTypeName actionName
where:
- options : client options
- groupName : serviceAction group name from which the member needs to be removed
- serviceTypeName : service type name part of mapping to be added to group
- actionName : action name part of mapping to be added to group
To delete a serviceAction group, the user must have cas/delete_user_group permission on that serviceAction group. The group must be empty and must not be referenced from any other entity in the database (for example, it should not be a member of some object group).
casAdmin$ cas-group-admin [options] serviceAction delete groupName
where:
- options : client options
- groupName : name of the serviceAction group to be deleted
If the serviceAction group specified does not exist, an error is not thrown. If the delete operation is successful, all policy data on that serviceAction group is purged.
Maintaining Permissions
The user may grant permissions to a user group, on an object or object group, to perform a service action or service action group (that is, to perform any action that is a member of the service action group to which permission is granted), provided the user has both:
- cas/grant permission on the object or object group
- permission to perform the service action or service action group on the object or object group.
casAdmin$ cas-rights-admin [options] grant userGroupName objectSpecDesc objectSpec actionSpecDesc actionSpec
where:
- options : client options
- userGroupName : the user group to grant permission for.
- objectSpec : identifier for object or object group
- objectSpecDesc : type (object or objectGroup)
- actionSpec : identifier for action or action group
- actionSpecDesc : type (serviceAction or serviceActionGp)
The user may revoke a policy in the CAS database provided the user has cas/revoke permission on the object or object group on which the policy is defined.
casAdmin$ cas-rights-admin [options] revoke userGroupName objectSpecDesc objectSpec actionSpecDesc actionSpec
where:
- options : client options
- userGroupName : the user group to revoke permission from.
- objectSpecDesc: type of CasObject (trustAnchor (or) user (or) userGroup (or) object (or) namespace (or) serviceType (or) userGroup (or)
- objectSpec : identifier for object or object group
- actionSpec : identifier for action or action group
- actionSpecDesc : type (serviceAction or serviceActionGp)
CAS Query Clients
The CAS query commands do not alter the state of the database, and any CAS user who has cas/query permission may use the commands to retrieve data from the CAS server.
The following queries can be run against the CAS server. These are typically used by CAS clients (who may not be administrators).
The user needs cas/query permission to perform these operations, that is, the user must have permission to perform the query action on the cas server object.
Getting user's CAS identity
casUser$ cas-whoami [options]
where:
- options : client options
Getting object list
casUser$ cas-list-object [options] type
where:
- options : client options
- type : trustAnchor (or) user (or) userGroup (or) object (or) objectGroup (or) namespace (or) serviceType (or) serviceAction (or) serviceActionGp
Getting CAS object
casUser$ cas-get-object [options] type name
where:
- options : client options
- type : trustAnchor (or) user (or) object (or) namespace (or) service Type
- name : nickname (or) nickname (or) objectNamespace objectName (or) nickname (or) serviceTypeName (corresponding to the type)
Getting group members
casUser$ cas-group-list-entries [options] type name
where:
- options : client options
- type : Type of group. user (or) object (or) serviceAction
- name : Name of group
Getting policy information
casUser$ cas-find-policies [-c cas-url] type name
where:
- [-c cas-url] : the URL of the CAS service
- type : trustAnchor (or) user (or) userGroup (or) object (or) objectGroup (or) namespace (or) service Type (or) serviceAction (or) serviceActionGroup
- name : nickname (or) nickname (or) groupName (or) objectNamespace|objectName (or) groupName (or) nickname (or) serviceTypeName (or) serviceType/Action (or) groupName (corresponding to the type)
CAS Client common options
The options that are common to all clients are:
[-debug -help -v -c cas-url -s server-identity -m mechanism -p protection]
- CAS Service URL: The -c cas-url option can be used to set the CAS Service instance, where cas-url is the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here. The instance URL typically looks like http://Host:Port/ogsa/services/base/cas/CASService, where Host and Port are the host and port where the container with the CAS service is running.
- CAS Service Identity: The -s server-identity option can be used to set the expected CAS server identity, where server-identity is the identity of the CAS service. Alternatively, an environment variable can be set as shown here. If neither is set, host authorization is done and the expected server credential is cas/<fqdn>, where <fqdn> is the fully qualified domain name of the host on which the CAS service is running.
- Debug: To run the client with debug message traces and error stack traces, -debug flag must be used
- Usage: The -help flag prints the usage message for the client.
- Version number: The -v flag prints the version number.
- Security Mechanism: The -m flag is used to set the chosen security mechanism. It can be set to 'msg' for Secure Message, 'conv' for Secure Conversation and 'trans' for Transport security. If not set and the server URL starts with 'https', Transport Security is used, else Secure Message is used.
- Protection type: The -p flag is used to set the protection type required with the security mechanism. Can be set to 'sig' or 'enc' to indicate signature or encryption. Defaults to signature.
Overview of Graphical User Interface
There is no GUI for CAS.
Semantics and syntax of domain-specific interface
Listed below are some helper methods in the client package that may be used for writing clients for the CAS service. Refer to the code and/or Java Docs for more information.
- Getting handle to CAS service port type
org.globus.cas.impl.client.CasClientSetup is used.
Code:
- To get a handle to the CAS service with instance URL instanceURL and identity serverIdentity:
CasClientSetup clientSetup = new CasClientSetup();
CommunityAuthorizationServicePortType casPort = clientSetup.getCASPort(instanceURL, serverIdentity);
- To get a handle to the CAS service with instance URL instanceURL and host authorization:
CasClientSetup clientSetup = new CasClientSetup();
CommunityAuthorizationServicePortType casPort = clientSetup.getCASPort(instanceURL);
- Generating proxy with CAS assertions embedded
The API in class org.globus.cas.impl.client.CasProxyHelper can be used to generate a proxy with CAS assertions embedded. To pass in the relevant parameters, the class org.globus.cas.impl.client.ClientParams is used. The datatype org.globus.cas.impl.client.ResourceActionsMap is used to represent the resource/actions mapping for which assertions are requested. Listed below are the steps to use the API.
org.globus.cas.impl.client.CasProxyInit has sample code that generates a proxy embedded with CAS assertions.
Code:
- The ClientParams class is used to construct the parameters. If the default constructor is used and none of the values are set, the requested assertion lifetime is 24 hours, the default proxy file is used, and the proxy with assertions embedded is named with a ".cas" tag at the end of the proxy file name.
ClientParams clientParams = new ClientParams();
- Sets assertion lifetime. If not set, 24 hours is used.
clientParams.setAssertionLifetime(lifetime);
- Sets the file name of the proxy to use. If not set, the default credential is used.
clientParams.setProxyFileName(proxyFilename);
- Sets file name of the proxy with CAS assertions to be written
to. If not set, original proxy file name is appended with a tag.
clientParams.setCasProxyFileName(casProxyFilename);
- Sets tag to append to original proxy filename. If not set, the
tag "cas" is used. The tag is used if a filename for assertion
embedded proxy is not set.
clientParams.setCasProxyTag(tag);
- Sets the resource/actions for which assertions are requested. It
takes an array of the data type ResourceActionsMap (explained below).
clientParams.setResourceActionsMap(resActions);
- The ResourceActionsMap datatype is used to represent a
resource and the actions on that resource for which permissions are
required. It has a String to represent the resource and a vector of
strings to represent the actions.
The resource should be of the form "objectNamespace|objectName". Each action should be of the form "serviceType actionName".
- Instance of the helper class:
CasProxyHelper casProxyHelper = new CasProxyHelper(instanceURL, serverIdentity);
where
- instanceURL is the URL to contact the CAS service.
- serverIdentity is the expected identity of the server. If null, host authorization is used.
- Generating the proxy with CAS assertions:
String casProxyFilename = casProxyHelper.getCasProxy(clientParams);
This method contacts the CAS service, retrieves the assertions, embeds them in the credential and returns the path to the proxy file with the CAS assertions embedded.
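Putting the steps above together, here is an added example (not code from this guide or from the Globus code base) that requests a proxy with CAS assertions for two resources. It assumes a two-argument ResourceActionsMap(resource, actions) constructor, that the assertion lifetime is given in seconds, and placeholder values for the CAS URL, server identity, object namespace and service type.

```java
import java.util.Vector;
import org.globus.cas.impl.client.CasProxyHelper;
import org.globus.cas.impl.client.ClientParams;
import org.globus.cas.impl.client.ResourceActionsMap;

/* Added example, not part of the GT 3.9.5 distribution. */
public class CasProxyExample {
    // Placeholders: replace with the real CAS service URL and its identity.
    static final String INSTANCE_URL =
        "https://cas.example.org:8443/wsrf/services/CASService";
    static final String SERVER_IDENTITY =
        "/O=Example/OU=Services/CN=cas/cas.example.org";

    /** One resource plus the actions requested on it, in the guide's formats. */
    static ResourceActionsMap resourceActions(String namespace, String object,
                                              String[] actions) {
        // Resource form from the guide: "objectNamespace|objectName".
        String resource = namespace + "|" + object;
        // Each action is of the form "serviceType actionName".
        Vector actionList = new Vector();
        for (int i = 0; i < actions.length; i++) {
            actionList.add(actions[i]);
        }
        // Assumption: a (resource, actions) constructor exists; check the
        // class and use its setters instead if it does not.
        return new ResourceActionsMap(resource, actionList);
    }

    public static void main(String[] args) throws Exception {
        ClientParams params = new ClientParams();
        // Assumption: lifetime in seconds. Ask for 12 hours, not the 24-hour default.
        params.setAssertionLifetime(12 * 60 * 60);
        // Input proxy left unset (default credential); name the output file
        // explicitly rather than relying on the ".cas" tag.
        params.setCasProxyFileName("/tmp/x509up_u1000.cas");

        // Request only the rights this job needs: read on one file, read and
        // write on one scratch directory ("gridftp" and "file" are constructed names).
        ResourceActionsMap[] resActions = new ResourceActionsMap[] {
            resourceActions("gridftp", "ftp://data.example.org/vo/input.dat",
                            new String[] { "file read" }),
            resourceActions("gridftp", "ftp://data.example.org/vo/scratch/",
                            new String[] { "file read", "file write" })
        };
        params.setResourceActionsMap(resActions);

        // Pass null instead of SERVER_IDENTITY to fall back to host authorization.
        CasProxyHelper helper = new CasProxyHelper(INSTANCE_URL, SERVER_IDENTITY);
        String casProxy = helper.getCasProxy(params);
        System.out.println("Proxy with CAS assertions written to " + casProxy);
    }
}
```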
Configuration interface
Configuration overview
The CAS service can be configured with a description of the VO the CAS service serves and the maximum lifetime of the assertions it can issue. The service also needs to be configured with information about the backend database it uses. Any JDBC compliant database can be used; Postgres was used for development and testing. The database needs to be set up such that it can receive requests over TCP/IP. The CAS database schema to be used with Postgres is provided in $GLOBUS_LOCATION/etc/globus_cas_utils/casDbSchema/cas_pgsql_database_schema.sql.
Other than that, the security configuration of the service can be modified by editing the security descriptor. It allows for configuring the credentials that will be used by the service and the type of authentication and authorization that needs to be enforced. By default, the following security configuration is installed:
- The credentials set for use by the container are used. If those are not specified, the default credentials are used.
- GSI Secure Conversation authentication is enforced for all methods.
- The security framework is not used for authorization; instead, the service uses the backend database to determine if the call is permitted.
Note: Changing the required authentication and authorization method will require suitable changes to the clients that contact this service.
Syntax of the interface
- To change the maximum assertion lifetime and VO description, set the parameters maxAssertionLifetime and voDescription in $GLOBUS_LOCATION/globus_cas_service/jndi-config.xml to the required values.
- To alter the configuration of the database backend, edit the
databaseConfiguration section of
$GLOBUS_LOCATION/globus_cas_service/jndi-config.xml as follows:
  - driver: the JDBC driver to be used
  - connectionURL: the JDBC connection URL to be used to connect to the database
  - userName: the user name to connect to the database as
  - password: the database password for the said user name
  - activeConnections: maximum number of active connections at any given instance
  - onExhaustAction: action to perform when the pool is exhausted. If the value is 0 - fail, 1 - block, 2 - grow (get more connections)
  - maxWait: maximum time in milliseconds the pool will wait for a connection to be returned
  - idleConnections: maximum number of idle connections at any given instance
- To alter the security descriptor configuration, refer to Security Descriptors. The file to be altered is $GLOBUS_LOCATION/globus_cas_service/security-config.xml
Environment variable interface
All CAS client programs use the following environment variables to determine the appropriate URL to connect to and the server identity to expect. In all cases, the command-line option takes precedence over the environment variables.
- The URL is determined using this algorithm:
  - If the -c command-line option was specified, the URL specified with that option is used.
  - Otherwise, the CAS_SERVER_URL environment variable must be set, and its value is used.
- The server identity (i.e. the expected subject name of the CAS server certificate) is determined as follows:
  - If the -s command-line option was specified, the value specified with that option is used as the identity.
  - Otherwise, if the CAS_SERVER_IDENTITY environment variable is set, the value of that variable is used as the expected server identity.
  - If neither is set, host authorization is done and the expected server credential is cas/<fqdn>, where <fqdn> is the fully qualified domain name of the host on which the CAS service is running.