GSI and Web Services Neil P Chue Hong

advertisement
GSI and Web Services
Neil P Chue Hong
N.ChueHong@epcc.ed.ac.uk
Workshop on Web Services 1
Summary
Background
Tools and Applications
Implementing a GSIHTTP enabled server
A simple GSI Web Service and Client
Over to you…
2
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Motivation
Why should we develop GSI-enabled web
services?
– We can use our existing GSI proxy certificates to provide a
security mechanism and the same single sign-on
mechanism for our web services.
– We can use this as a starting point for developing
OGSA Grid Services
– We can (in theory) develop clients and services in different
languages and they should just work…
Caveat: I am not a security expert!
3
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Security and Web Services
The base SOAP specification does not define
any authentication / authorisation mechanisms
Questions to ask:
– How can I prove who I am? (authentication)
– How can I tell if you’re allowed to access the services that I
offer? (authorisation)
– How do we negotiate my ability to access the services you
offer? (administration)
– How can we protect the integrity of our transactions? (secure
communications)
– How do we know whether or not we can trust each other?
(trust relationships)
4
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
GSI
Grid Security Infrastructure (GSI)
– Based on Generic Security Services API (GSS-API)
– Uses an extension to X509 certificates
Provides a mechanism to:
– Authenticate a subject
– Authorise a resource
– Implement a single sign-on mechnism
Current implementation does this using:
– Proxy certificates and Certification Authorities (this really is
me!)
– Gridmap file (let me use the resources available to a local
user/account!)
5
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
GSI and Web Services
We can use GSI to provide security for web
services we deploy
Use the header to send delegated credentials
from the client to the service
The service can use the credentials to
authenticate the user and authorise access to
the service.
ANL have released some sample code to do
this using Tomcat and Axis.
6
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Tomcat
Tomcat is a stable, mature reference
implementation of a servlet container for Java
Servlets and Java Server Pages.
It allows you to run web applications.
Source code is available and open source.
It can be used as a platform to deploy the Axis
toolkit.
See: http://jakarta.apache.org/tomcat/
7
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Axis
Axis is an implementation of the SOAP 1.1
(and SOAP with Attachments) protocol in Java
Written for performance and extensibility
It has a flexible architecture:
– Easier to use other transports (e.g. https, smtp, ftp)
• core engine is transport independent
– Easier to add other code in message handling such as
• encryption
• logging
• authentication
– Also easy to deploy and administer Web Services using Axis
See: http://xml.apache.org/axis/
8
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Axis Architecture
Axis has two handler “chains”
– Global
– Transport specific
– Fairly stable APIs
Requestor
Transport
Request Handlers
Axis
engine
– We will create a new
request handler for GSI HTTP
Web
Service
Response Handlers
Web Service specific chain
Taken from Building Web Services with Java, by Steve Graham et al.
9
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Altering Tomcat to support GSI (1)
A few “hacks” have been made to Tomcat:
– CertificatesValve.java
• Patch made which alters expose() method
• Instead of exposing SSL session it exposes the GSI credentials
– GSISocket.java
• Extends SSLSocket.java to provide Globus proxy / delegated
credentials support
– GSIServerSocketFactory.java
• Implements ServerSocketFactory to allow creation of GSISockets
• This file contains hardcoded locations of the hostcert.pem,
hostkey.pem, certificates and grid-mapfile files.
– Currently dependent on IAIK Java cryptography libraries
10
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Altering Tomcat to support GSI (2)
Some changes are needed to the Tomcat
configuration (conf/server.xml)
Add a new Connector to the <service> section
– Define a GSI HTTP/1.1 Connector on port 8443
– Define which Factory object should be used
(GSIServerSocketFactory)
• This also contains hardcoded locations of proxy, usercert,
userkey and certificates directory (which are different…)
Add a new Valve to the <engine> section
– This tells Tomcat to use the modified CertificatesValve object
Tomcat should now accept httpg: requests on
port 8443
11
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Adding a GSI Handler using Axis
Handling GSI in Axis
– GSIHTTPTransport.java
• Sets up a new transport, httpg, within Axis
– GSIHTTPSender.java
• New handler for GSI HTTP (uses MessageContext.getProperty())
– GSIAdminClient.java
• Registers the new handler with the transport in Axis
– Util.java
• getCredentials(msgContext) return the proxy credentials
associated with the message context
• registerTransport() registers the GSIHTTPTransport class for the
httpg protocol
• Also used by client programs (see later)
12
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Installing the modified code
ANL provide precompiled jars to replace
catalina.jar and axis.jar
Or you can “roll your own” and compile from
source
Replace jars, restart Tomcat and you’re ready
to write GSI web services
Also required are Java CoG kit (cog.jar), and
IAIK cryptographic libraries (iaik_ssl.jar,
iaik_jce_full.jar, iaik_javax_crypto.jar,
cryptix.jar)
13
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Writing a GSI Web Service (1)
Let’s write a service, MyService, with a
method, serviceMethod, which takes one
argument.
The Axis RPC dispatcher will look for the same
method with an extra parameter (the message
context) when it receives a GSI enabled client
invocation
So we add this extra parameter to the method
Util.getCredentials() allows us to access the
GSI proxy from the message context
14
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Writing a GSI Web Service (2)
Here’s the code:
import org.apache.axis.MessageContext;
import org.globus.axis.util.Util;
public classMyService {
// Add a MessageContext argument to the normal method
public String serviceMethod(MessageContext ctx, String arg) {
System.out.println(“MyService: you sent “ + arg);
System.out.println(“GOT PROXY: “ + Util.getCredentials(ctx));
return arg;
}
}
This just prints the credentials and string sent
15
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Writing a GSI Web Client (1)
Similar to writing a normal web services client:
– Deploy a httpg transport chain
– Use the Java CoG kit to load a Globus proxy
– Use setProperty() to set GSI specific SOAP headers
• globus credentials (the proxy certificate)
• authorisation type
• GSI mode (SSL, no delegation, full delegation, limited delegation)
– Then do rest of normal SOAP routine
•
•
•
•
•
16
setTargetEndpointAddress()
setOperationName()
addParameter()
setReturnType()
Invoke()
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Writing a GSI Web Client (2)
Here’s (most of) the code:
SimpleProvider provider = new SimpleProvider();
SimpleTargetedChain chain = new SimpleTargetedChain(new GSIHTTPSender());
provider.deployTransport(“httpg”, chain);
GlobusProxy proxy = GlobusProxy.getDefaultUserProxy();
Service service = new Service(provider);
Call call = (Call) service.createCall();
call.setProperty(GSIHTTPTransport.GSI_CREDENTIALS, proxy);
call.setProperty(GSIHTTPTransport.GSI_AUTHORIZATION, new SelfAuthorisation(proxy));
call.setProperty(GSIHTTPTransport.GSI_MODE, GSIHTTPTransport.GSI_MODE_LIMITED_DELEG);
call.setTargetEndpointAddress(new java.net.URL(“httpg://localhost:8443/axis/servlet/AxisServlet”));
call.setOperationName(new QName.(“MyService”, “serviceMethod”));
call.addParameter(“arg1”, XMLType.XSD_STRING, ParameterMode.PARAM_MODE_IN);
call.setReturnType(XMLType.XSD_STRING);
String ret = (String) call.invoke(new Object[] { “Hello World” });
System.out.println(“MyService returned: “ + ret);
17
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Running a GSI Web Client/Service
It should just work… 
18
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Experiences of GSI and Web Services
… but it didn’t 
Two main difficulties:
– Authentication or authorisation is failing
– Can’t probe SOAP message (it’s encrypted)
So can’t tell why it’s failing
Documentation of GSI Web Services and Axis
is sparse
However…
– I understand the code a lot better after having to write this talk!
19
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
What happens next?
Document code and provide proper
instructions
Recompile additions against latest releases of
Tomcat and Axis
Distribute source, binaries and documentation
to UK eScience community (by end of March?)
Ideally, provide another example client e.g.
using Python
20
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
The benefit of open standards
There are a number of other attempts to
produce secure XML and SOAP messaging
standards
–
–
–
–
XML Digital Signatures
SAML – security-based assertions
XKMS – providing and managing PKI-based web services
XACML – access control framework for XML
See: http://www.w3c.org, http://www.oasis-open.org
And an odd one out:
– Microsoft Passport
Which one will be adopted in the end?
21
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Summary
Web services are good
Secure web services are better
We can write secure web services using GSI
We can communicate securely with web
services using GSIHTTP
It should just work
I will be providing code examples
22
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
The End
Over to you…
23
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Download