GT 3.9.5 Component Guide to Public Interfaces: WS A&A Message-level and Transport-level Security
- Semantics and syntax of APIs
- Semantics and syntax of WSDL
- Framework-level Protocols
- Command-line tools
- GUIs
- Description of domain-specific interface data
- Configuration settings
- Environment variables
Semantics and syntax of APIs
Programming Model Overview
The security programming model differs between the client and server side. The client side model is programmatic in nature, i.e. security related code is driven by making actual function calls, whereas the server side model is declarative, i.e. security related settings are declared in a security descriptor. For more information on the available client side calls see here. More information about the security descriptor can be found here.Component API
- Stable interfaces:
- org.globus.wsrf.security.Constants
- org.globus.wsrf.security.SecureResource
- org.globus.wsrf.security.SecurityManager
- org.globus.wsrf.security.SecurityException
- Less stable interfaces:
- org.globus.wsrf.impl.security.descriptor.ClientSecurityDescriptor
- org.globus.wsrf.impl.security.descriptor.ResourceSecurityDescriptor
Documentation for these interfaces can be found here.
Semantics and syntax of the WSDL
Secure Conversation Service
Protocol overview
This service provides a mechanism for generating a security session, i.e the negotiation of a shared secret which may be used to secure a set of subsequent messages. It is based on the WS-Trust and WS-SecureConversation specifications.
Operations
RequestSecurityToken: This operation initiates a new security session negotiation. Furthermore, since the actual schema for this message is not unambiguously defined by the specfications, this is the actual schema used:
<xs:element name='RequestSecurityToken' type='wst:RequestSecurityTokenType'/>
<xs:complexType name='RequestSecurityTokenType'>
<xs:sequence>
<xs:element ref='wst:TokenType'/>
<xs:element ref='wst:RequestType'/>
<xs:element ref='wst:BinaryExchange'/>
</xs:sequence>
<xs:attribute name='Context' type='xs:anyURI'/>
</xs:complexType>
<xs:element name='RequestSecurityTokenResponse' type='wst:RequestSecurityTokenResponseType' />
<xs:complexType name='RequestSecurityTokenResponseType' >
<xs:sequence>
<xs:element ref='wst:TokenType'/>
<xs:element ref='wst:RequestType'/>
<xs:element ref='wst:BinaryExchange'/>
</xs:sequence>
<xs:attribute name='Context' type='xs:anyURI'/>
</xs:complexType>
RequestSecurityTokenResponse: This operation continues a security session negotiation. Furthermore, since the actual schema for this message is not unambiguously defined by the specfications, this is the actual schema used:
<xs:element name='RequestSecurityTokenResponse' type='wst:RequestSecurityTokenResponseType' />
<xs:complexType name='RequestSecurityTokenResponseType' >
<xs:sequence>
<xs:element ref='wst:TokenType'/>
<xs:element ref='wst:RequestType'/>
<xs:element ref='wst:BinaryExchange'/>
</xs:sequence>
<xs:attribute name='Context' type='xs:anyURI'/>
</xs:complexType>
<xs:element name='RequestSecurityTokenResponse' type='wst:RequestSecurityTokenResponseType' />
<xs:complexType name='RequestSecurityTokenResponseType' >
<xs:sequence>
<xs:element ref='wst:TokenType'/>
<xs:element ref='wst:RequestType'/>
<xs:element ref='wst:BinaryExchange' minOccurs="0"/>
<xs:element ref='wsc:SecurityContextToken'/>
</xs:sequence>
<xs:attribute name='Context' type='xs:anyURI'/>
</xs:complexType>
In the above the second RequestSecurityTokenResponse element refers
to the final message in the exchange.
Resource properties
This service has no associated resource properties
Faults
Both RequestSecurityToken and RequestSecurityTokenResponse throw
the following faults:
ValueTypeNotSupportedFault: This fault indicates that the value type attribute on the binary exchange token element is not supported by the service.EncodingTypeNotSupportedFault: This fault indicates that the encoding type attribute on the binary exchange token element is not supported by the service.RequestTypeNotSupportedFault: This fault indicates that the request type specified in the request type element is not supported by the serviceTokenTypeNotSupportedFault: This fault indicates that the token type specified in the token type element is not supported by the service.MalformedMessageFault: This fault indicates that the message content received by the service does not conform to the expected content. This is necessary since the schema does not give a well defined content model.BinaryExchangeFault: This fault indicates that a failure occured during the in the underlying security code responsible for the session negotiation.InvalidContextIdFault: This fault indicates that the context id passed in the message is not valid within the context of this service or negotiation.
WSDL and Schema Definitions
- WS-Trust WSDL
- WS-Trust XSD
- WS-SecureConversation XSD
- Secure Conversation WSDL [link]
Framework-level Protocols
WS-Security
The framework implements the Web Services Security: SOAP Message Security, Web Services Security: Username Token Profile and Web Services Security: X.509 Token Profile specifications.Transport (HTTPS) Security
The transport security solution used by the framework consists of HTTP over SSL/TLS (HTTPS) using X.509 certificates. The path validation step has been augmented to support the Proxy Certificate Profile (RFC3820).Command-line tools
This component has no command-line tools.
Overview of Graphical User Interfaces
This component has no associated GUIs
Semantics and syntax of domain-specific interface
Interface introduction
Client side security is set up by either setting individual properties on the javax.xml.rpc.Stub object used for the web service method invocation or by setting properties on a client side security descriptor object, which in turn is propagated to client side security handlers by making it available as a stub object property. Here are examples for the two approaches:
- Setting property on the stub:
// Create endpoint reference
EndpointReferenceType endpoint = new EndpointReferenceType();
// Set address of service
String counterAddr =
"http://localhost:8080/wsrf/services/CounterService";
// Get handle to port
CounterPortType port = locator.getCounterPortTypePort(endpoint);
// set client authorization to self
((Stub)port)._setProperty(Constants.AUTHORIZATION,
SelfAuthorization.getInstance()); - Setting property client descriptor:
// Client security descriptor file
String CLIENT_DESC =
"org/globus/wsrf/samples/counter/client/client-security-config.xml";
// Create endpoint reference
EndpointReferenceType endpoint = new EndpointReferenceType();
// Set address of service
String counterAddr =
"http://localhost:8080/wsrf/services/CounterService";
// Get handle to port
CounterPortType port = locator.getCounterPortTypePort(endpoint);
//Set descriptor on Stub
((Stub)port)._setProperty(Constants.CLIENT_DESCRIPTOR_FILE, CLIENT_DESC);
The descriptor file is defined by the following Client Security Descriptor Schema.
Syntax of the interface
| Enable WS-Security username/password authentication. | ||||||||
| Stubs setting | Properties: org.globus.wsrf.impl.security.Constants.USERNAME Value equals the username. org.globus.wsrf.impl.security.Constants.PASSWORD Value equals the password. |
|||||||
| Descriptor setting | Descriptor settings are currently not available for username/password | |||||||
| Enable GSI Transport with specified message protection level. | ||||||||
| Stubs setting | Property: org.globus.gsi.GSIConstants.GSI_TRANSPORT Values equal one of the following:
|
|||||||
| Descriptor setting | Signature setting: <securityConfig xmlns="http://www.globus.org"> Encryption setting: <securityConfig xmlns="http://www.globus.org"> ... <GSITransport> <privacy/> </GSITransport/> ... </securityConfig> |
|||||||
| Enable GSI Secure Message with specified message protection level. | ||||||||
| Stubs setting | Property: org.globus.wsrf.impl.security.Constants.GSI_SEC_MSG Values equal one of the following:
You can set the SOAP Actor of the signed message using the |
|||||||
| Descriptor setting | Signature setting: <securityConfig xmlns="http://www.globus.org"> Encryption setting: <securityConfig xmlns="http://www.globus.org"> ... <GSISecureMessage> <privacy/> </GSISecureMessage/> ... </securityConfig> |
|||||||
| Enable GSI Secure Conversation with specified message protection level. | ||||||||
| Stubs setting | Property: org.globus.wsrf.impl.security.Constants.GSI_SEC_CONV Values equal one of the following:
Furthermore, you can set the SOAP Actor of the GSI signed/encrypted
SOAP message by using the |
|||||||
| Descriptor setting |
|
|||||||
| Allows for setting credentials for authentication. If not specified, the default user proxy is used. Please see the Security Library Compatibility Document for some hints on loading and managing different GSI credentials. | ||||||||
| Stubs setting: | Property: org.globus.axis.gsi.GSIConstants.GSI_CREDENTIALS Value equals the Instance of |
|||||||
| Descriptor setting | The credential can be specified either as a)
path to proxy file b) path to certificate and key file. Example for option (a): <securityConfig xmlns="http://www.globus.org"> Example for option (b): <securityConfig xmlns="http://www.globus.org"> |
|||||||
| Sets the GSI delegation mode. Used for GSI Secure Conversation only. If limited or full delegation is chosen, then some form of client side authorization needs to be done (i.e client side authorization cannot be set to none) | ||||||||
| Stubs setting | Property: org.globus.axis.gsi.GSIConstants.GSI_MODE Value equals one of following:
|
|||||||
| Descriptor setting | Delegation can be configured using the element <delegation value="value"/>. It needs to be a subelement of <GSISecureConveration>Currently the following values are supported:
Example: <?xml version="1.0" encoding="UTF-8"?> Note: By default, if nothing is specified, no delegation is performed. |
|||||||
| Enables anonymous authentication. This option only applied to GSI Secure Conversation and GSI Transport. | ||||||||
| Stubs setting | Property: org.globus.wsrf.impl.security.Constants.GSI_ANONYMOUS Value equals one of following:
|
|||||||
| Descriptor setting | Anonymous authentication can be configured as follows: <?xml version="1.0" encoding="UTF-8"?> |
|||||||
| Sets the credential that is used to encrypt the message (typically, the receipient's public key). Used for GSI Secure Message only. | ||||||||
| Stubs setting | Property: org.globus.wsrf.impl.security.Constants.PEER_SUBJECT Value equals the instance of The credential object needs to be wrapped in For example, if Subject subject = new Subject(); |
|||||||
| Descriptor setting | Peer credential file name can be configured as follows: <?xml version="1.0" encoding="UTF-8"?> The fileName should be the path to the credential file. |
|||||||
Configuration interface
Configuration overview
Configuration of service side security settings can be achieved in two ways. The preferred way is to provide these settings in a security descriptor, although it is also possible to manipulate security settings via CoG properties.Syntax of the interface
Information on the syntax of security descriptors can be found here.
Information on available CoG security properties can be found here.
Environment variable interface
- X509_USER_PROXY <path>, where <path> is the path of the proxy credential
- X509_CERT_DIR <path>, where <path> is the path to a directory containing trusted, that is CA, certificates
Note that the above environment variable does not supersede any settings provided in security descriptors.