XACML Authorization Service
===========================
Schema: wsrf/schema/core/security/authorization/xacml
Stubs: Generated as part of the GT target. Java namespace set to
org.oasis.names.*
Port type class:
org.globus.wsrf.security.authorization.xacml.XACMLAuthorizationPortType
Sample:
- wsrf/java/core/samples/authzService
- deploy-server.wsdd, "SampleXACMLAuthzService"
- Returns a permit for any non-anonymous access for operations
that are not in a configured denied list.
- Denied list configured in deploy-jndi-config.xml
XACML Callout PDP
=================
Class: org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout
Configuration:
- xacmlAuthzService, Endpoint of authorization service to
access. Required.
- inputContextOnly, true/false. If true, then external
attributes can be used in decisions. Defaults to false. Optional.
- returnContext, true/false. If true, then request context
is part of the response. Defaults to false. Optional.
XACML Processing Library
========================
Utilities to construct and process data types from the XACML/SAML
profile. Helper classes provide the basic constructs required for
query and decision processing. No obligation support is provided as
yet. Notes about the assumptions the library makes are provided at the
end of this document.
wsrf/java/core/source/src/org/globus/wsrf/impl/security/authorization/xacmlUtil
Sample Walkthrough
==================
In this sample, the secure counter sample distributed as part of core
is modified to use the XACML Authorization Callout for authorization.
1. cvs co -r bug_5102_branch_1 wsrf/java wsrf/build.xml wsrf/schema wsrf/compact
2. export GLOBUS_LOCATION=/sandbox/globus/gtInstall
3. cd wsrf
4. ant all
5. Edit "SecureCounterService" deployment in file $GLOBUS_LOCATION/etc/globus_wsrf_core_samples_counter/service-config.wsdd. Replace the following
with
7. Copy xacml-security-config.xml to
$GLOBUS_LOCATION/etc/globus_wsrf_core_samples_counter. This file
configures the XACML Callout PDP to be used, with the authorization service
URL set to http://localhost:9090/wsrf/services/SampleXACMLAuthzService
8. Edit
$GLOBUS_LOCATION/etc/globus_wsrf_core_samples_authzService/jndi-config.xml
to provide a list of methods to deny. By default it denies the "add"
method.
9. Shell 1: To contact secure counter service
export GLOBUS_LOCATION=/sandbox/globus/gtInstall
cd $GLOBUS_LOCATION
bin/grid-proxy-init
bin/globus-start-container
10. Shell 2: Authorization service container
export GLOBUS_LOCATION=/sandbox/globus/gtInstall
cd $GLOBUS_LOCATION
bin/globus-start-container -nosec -p 9090
11. Shell 3: Client shell
export GLOBUS_LOCATION=/sandbox/globus/gtInstall
cd $GLOBUS_LOCATION
bin/counter-create -s https://localhost:8443/wsrf/services/SecureCounterService -m msg -z none > counterEpr
bin/counter-add -e counterEpr -m msg -z none 10
Notes
=====
- Only the first value of each attribute is read
- All attribute values are treated as strings
- Resource value retrieval assumes the first attribute in the ResourceType
- Subject helper: the attributes it constructs assume the issuer is null
- The sample service does not inspect the request context that is
returned when the returnContext property is set
- Assertions structure
  - Array of Statement
- Response:
  - Array of Status
  - Each Status has a resource id, a status, and a decision
- Decision algorithm:
  for each statement {
      get response
      if response is not indeterminate
          for each status in response
              - if resource id matches
              - and status is ok
              - and action name and namespace match
              - AND
                  - if decision is permit, return permit
                  - if decision is deny, return deny
  }
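The following is an added example, not code from the Globus Toolkit, that models two things described on this page in plain Python: the rule implemented by SampleXACMLAuthzService (permit any non-anonymous caller for an operation that is not on the configured denied list) and the decision algorithm the callout applies to the statements and statuses it gets back. All class, field and function names, the counter namespace, and the subject DNs are constructed for illustration; the library's own Java types look different. Two behaviours the page leaves unspecified are treated as assumptions and marked as such in the code: the sample PDP answers Deny when its permit rule does not hold, and the combiner answers Deny (fail closed) when no status matches.

```python
"""Toy model of the XACML callout decision algorithm and the sample PDP rule.
Added example; names and data structures are assumptions, not Globus classes."""

from dataclasses import dataclass
from typing import Callable, List, Optional

PERMIT, DENY = "Permit", "Deny"
COUNTER_NS = "http://counter.example/ns"  # constructed action namespace


@dataclass(frozen=True)
class Action:
    name: str
    namespace: str


@dataclass
class Statement:
    """One entry of the assertion's Statement array (constructed shape)."""
    subject: Optional[str]   # caller identity; None models anonymous access
    resource_id: str
    action: Action


@dataclass
class Status:
    """One entry of the Response's Status array: resource id, status, decision."""
    resource_id: str
    ok: bool                 # True when the status code is OK
    decision: str
    action: Action


@dataclass
class Response:
    statuses: List[Status]
    indeterminate: bool = False


def sample_pdp(stmt: Statement, denied_methods: List[str]) -> Response:
    """Model of SampleXACMLAuthzService: permit any non-anonymous access to an
    operation that is not in the configured denied list (jndi-config.xml).
    Assumption: every other case is answered with Deny."""
    permitted = stmt.subject is not None and stmt.action.name not in denied_methods
    decision = PERMIT if permitted else DENY
    return Response([Status(stmt.resource_id, True, decision, stmt.action)])


def combine(statements: List[Statement],
            get_response: Callable[[Statement], Response]) -> str:
    """The callout's decision algorithm from the Notes: walk each statement,
    skip indeterminate responses, and take the first status whose resource id,
    OK status, action name and namespace all match."""
    for stmt in statements:
        response = get_response(stmt)
        if response.indeterminate:
            continue
        for status in response.statuses:
            if (status.resource_id == stmt.resource_id and status.ok
                    and status.action.name == stmt.action.name
                    and status.action.namespace == stmt.action.namespace):
                if status.decision == PERMIT:
                    return PERMIT
                if status.decision == DENY:
                    return DENY
    # Assumption (not stated on the page): fail closed when nothing matched.
    return DENY


def authorize(subject: Optional[str], resource_id: str, method: str,
              denied_methods=("add",)) -> str:
    """Build one statement for the call and run it through the sample PDP."""
    stmt = Statement(subject, resource_id, Action(method, COUNTER_NS))
    return combine([stmt], lambda s: sample_pdp(s, list(denied_methods)))


if __name__ == "__main__":
    alice = "/C=US/O=Globus/CN=alice"   # constructed subject DN
    for subj, method in [(alice, "add"), (alice, "subtract"), (None, "subtract")]:
        print(f"{subj or '<anonymous>'} {method}: {authorize(subj, 'counter-1', method)}")
```

With the default denied list the walkthrough's counter-add call from a proxy-holding client is denied while any other method is permitted; anonymous callers are denied regardless of method.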