Appendix B. PIP Reference

1. Introduction

[introduce PIPs]

If you have a PIP you'd like to contribute to the Globus Toolkit, use the following template:

Note

The above files are in DocBook XML format. Simply save the link to your hard drive, edit the file in a text or XML editor and email it to ?. Don't worry about getting the tags exactly right; it's enough to enter the information where it makes sense and we'll clean up the tags where necessary.

2. Container PIP

2.1. Class name

org.globus.wsrf.impl.security.authorization.ContainerPIP

2.2. Overview

This implements the BootstrapPIP interface [PIP-glossary] and is used within the toolkit to initialize the request entities. It collects information about the service and operation invoked. It is always invoked prior to any authorization processing.

2.3. Configuration

No configuration is required.

2.4. Attributes Collected

This PIP collects three attributes described in the following tables:

Table B.1. Attribute I

Description of attribute: Message Context associated with the thread
Identity attribute: Identity attribute
Attribute ID: Constants.MSG_CTX_ATTRIBUTE_URI
Datatype: Constants.MSG_CTX_DATATYPE_URI
Issuer: null. The issuer is null because the message context is required to construct the container entity, which is the default issuer for attributes collected in the container.
Validity from: Current time
Validity to: Infinity

Table B.2. Attribute II

Description of attribute: URL of the service invoked.
Identity attribute: Identity attribute
Attribute ID: Constants.SERVICE_ATTRIBUTE_ID_URI
Datatype: Constants.STRING_DATATYPE_URI
Issuer: Container
Validity from: Current time
Validity to: Infinity

Table B.3. Attribute III

Description of attribute: Name of the operation invoked.
Identity attribute: Identity attribute
Attribute ID: Constants.OPERATION_ATTRIBUTE_ID_URI
Datatype: Constants.STRING_DATATYPE_URI
Issuer: Container
Validity from: Current time
Validity to: Infinity

This PIP also sets up the container issuer entity, which is used as the default issuer for attributes collected in the container. The entity has the following attributes:

Table B.4. Attribute I

Description of attribute: Container id
Identity attribute: Identity attribute
Attribute ID: Constants.CONTAINER_ATTRIBUTE_URI
Datatype: Constants.STRING_DATATYPE_URI
Issuer: null
Validity from: Current time
Validity to: Infinity

Table B.5. Attribute II

Description of attribute: Java Principals from container credential, only if credentials are configured.
Identity attribute: Identity attribute
Attribute ID: Constants.PRINCIPAL_ATTRIBUTE_ID
Datatype: Constants.PRINCIPAL_DATATYPE_URI
Issuer: null
Validity from: Current time
Validity to: Infinity

Table B.6. Attribute III

Description of attribute: Java Subject from container credential, only if credentials are configured.
Identity attribute: Identity attribute
Attribute ID: Constants.SUBJECT_ATTRIBUTE_ID
Datatype: Constants.SUBJECT_DATATYPE_URI
Issuer: null
Validity from: Current time
Validity to: Infinity

The container entity is then created with the same attributes as the issuer entity described above, with that issuer entity as its issuer.

2.5. Related interceptors

None.

3. X509Bootstrap

3.1. Class name

org.globus.wsrf.impl.security.authorization.X509BootstrapPIP

3.2. Overview

This implements the BootstrapPIP interface [PIP-glossary] and is used when X509 Certificates are used for authentication. It collects the peer entity's attributes obtained from the certificates presented by the peer.

3.3. Configuration

No configuration is required.

3.4. Attributes Collected

This PIP collects two attributes described in the following tables:

Table B.7. Attribute I

Description of attribute: Peer's Subject object
Identity attribute: Identity attribute
Attribute ID: Constants.SUBJECT_ATTRIBUTE_ID
Datatype: Constants.SUBJECT_DATATYPE_URI
Issuer: Container Issuer Entity
Validity from: Current time
Validity to: Infinity

Table B.8. Attribute II

Description of attribute: Peer's principals
Identity attribute: Identity attribute
Attribute ID: Constants.PRINCIPAL_ATTRIBUTE_ID
Datatype: Constants.PRINCIPAL_DATATYPE_URI
Issuer: Container Issuer Entity
Validity from: Current time
Validity to: Infinity

3.5. Related interceptors

If X509 Certificates are used for authentication, this bootstrap is used by the Authorization Framework by default.

4. SAML Authorization Assertion PIP

4.1. Class name

org.globus.wsrf.impl.security.authorization.SAMLAuthzAssertionPIP

4.2. Overview

This PIP extracts the SAML Authorization Assertion from the request and adds it to the bag of attributes. Both the message context and the proxy certificate are checked to see if SAML Authorization Assertions are present.

If the subject DN in the decision statement matches the requestor's, the attribute is merged with the requestor's bag of attributes.

4.3. Configuration

No configuration information is required.

4.4. Attributes Collected

This PIP collects attributes described in the following tables:

Table B.9. Attribute I

Description of attribute: Subject DN from the subject in SAML Authorization Decision Statement (one attribute per statement in assertion)
Identity attribute: Identity attribute
Attribute ID: Constants.PRINCIPAL_ATTRIBUTE_ID
Datatype: Constants.PRINCIPAL_DATATYPE_URI
Issuer: Container Issuer Entity
Validity from: Extracted from assertion
Validity to: Extracted from assertion

Table B.10. Attribute II

Description of attribute: SAML Authorization Decision Statement (one attribute per statement in assertion)
Identity attribute: Non-Identity attribute
Attribute ID: Constants.SAML_AUTHZ_DECISION_ATTRIBUTE_ID
Datatype: Constants.SAML_AUTHZ_DECISION_DATA_TYPE
Issuer: Container Issuer Entity
Validity from: Extracted from assertion
Validity to: Extracted from assertion

4.5. Related interceptors

This PIP can be used in tandem with SAMLAuthzAssertionPDP.

5. Parameter PIP

5.1. Class name

org.globus.wsrf.impl.security.authorization.ParameterPIP

5.2. Overview

This PIP extracts the configured parameter element from the SOAPMessage. The parameter is added as an action attribute in the associated RequestAttribute.

5.3. Configuration

parameterConfig

Property pointing to a configuration file with information about the service, method and parameter to extract as attributes. If the configured file name is not absolute, an attempt is made to find the file as provided; if that fails, an attempt is made to locate it relative to GLOBUS_LOCATION, and if that also fails, an attempt is made to locate it relative to the current directory.

The configuration file is read and stored as a SOAPParameter. This class stores a specific parameter element path for a given operation of a given service. Each entry consists of:

servicePath
operationName
parameterPath

The parameter path is a list of QNames, where each QName is the QName of a child element of the previous QName's element. The parameterPath is a string holding the string representation of each QName, in the order in which they are to be looked up, with semicolon (;) as the delimiter. For example, {http://temp.ns}element1;{http://temp.ns}nextElem2;{http://temp.ns}nextElem3 would represent the parameter {http://temp.ns}nextElem3. The SOAPBody child element here is {http://temp.ns}element1, with nextElem2 as its child and nextElem3 as nextElem2's child.
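The following is an added example, not code from the Globus Toolkit, showing how a parameterPath in the format described above can be parsed and walked against a SOAP Body. The envelope, the path and the SOAP 1.1 namespace constant are constructed here for illustration; the toolkit's own ParameterPIP works on the Java SOAPMessage instead.

```python
import xml.etree.ElementTree as ET

# SOAP 1.1 envelope namespace; the Body element is looked up under it.
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample request: Body > element1 > nextElem2 > nextElem3.
SAMPLE_ENVELOPE = """<soapenv:Envelope xmlns:soapenv="%s" xmlns:t="http://temp.ns">
  <soapenv:Body>
    <t:element1><t:nextElem2><t:nextElem3>42</t:nextElem3></t:nextElem2></t:element1>
  </soapenv:Body>
</soapenv:Envelope>""" % SOAP_ENV

# Constructed parameterPath in the semicolon-delimited {namespace}local form.
PARAMETER_PATH = ("{http://temp.ns}element1;{http://temp.ns}nextElem2;"
                  "{http://temp.ns}nextElem3")


def parse_parameter_path(path):
    """Split a parameterPath into a list of QNames in {namespace}local form."""
    qnames = []
    for part in path.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing or doubled delimiter
        if not part.startswith("{") or "}" not in part:
            raise ValueError("QName must be written as {namespace}local: %r" % part)
        ns, local = part[1:].split("}", 1)
        if not local:
            raise ValueError("missing local name in %r" % part)
        qnames.append("{%s}%s" % (ns, local))
    if not qnames:
        raise ValueError("empty parameter path")
    return qnames


def extract_parameter(envelope_xml, path):
    """Walk the SOAP Body along the path; return the matched element or None.

    Each QName must be a direct child of the element matched by the previous
    one, so find() (direct children only) is used rather than a deep search.
    For untrusted input, parse with a hardened parser (e.g. defusedxml) instead.
    """
    root = ET.fromstring(envelope_xml)
    node = root.find("{%s}Body" % SOAP_ENV)
    if node is None:
        return None
    for qname in parse_parameter_path(path):
        node = node.find(qname)
        if node is None:
            return None  # parameter does not occur in this request
    return node
```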

5.4. Attributes Collected

This PIP collects two attributes described in the following tables:

Table B.11. Attribute I

Description of attribute: Configured parameter, if it occurs in that operation. The value is an object of type org.w3c.dom.Node and represents the parameter of the operation.
Identity attribute: Identity attribute
Attribute ID: Parameter path as described in the previous section.
Datatype: Constants.PARAMETER_PATH_DATA_TYPE
Issuer: Container Issuer Entity
Validity from: Current time
Validity to: Infinity

5.5. Related interceptors

This PIP can be used in tandem with ResourcePropertiesPDP to perform parameter-based authorization for resource property access.