GSI and Web Services
Neil P Chue Hong
N.ChueHong@epcc.ed.ac.uk
Workshop on Web Services 1
Summary
- Background
- Tools and Applications
- Implementing a GSIHTTP enabled server
- A simple GSI Web Service and Client
- Over to you…
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - N.ChueHong@epcc.ed.ac.uk
Motivation
- Why should we develop GSI-enabled web services?
  – We can use our existing GSI proxy certificates to provide a security mechanism and the same single sign-on mechanism for our web services.
  – We can use this as a starting point for developing OGSA Grid Services.
  – We can (in theory) develop clients and services in different languages and they should just work…
- Caveat: I am not a security expert!
Security and Web Services
- The base SOAP specification does not define any authentication / authorisation mechanisms
- Questions to ask:
  – How can I prove who I am? (authentication)
  – How can I tell if you’re allowed to access the services that I offer? (authorisation)
  – How do we negotiate my ability to access the services you offer? (administration)
  – How can we protect the integrity of our transactions? (secure communications)
  – How do we know whether or not we can trust each other? (trust relationships)
GSI
- Grid Security Infrastructure (GSI)
  – Based on the Generic Security Services API (GSS-API)
  – Uses an extension to X.509 certificates
- Provides a mechanism to:
  – Authenticate a subject
  – Authorise access to a resource
  – Implement a single sign-on mechanism
- Current implementation does this using:
  – Proxy certificates and Certification Authorities (this really is me!)
  – Gridmap file (let me use the resources available to a local user/account!)
GSI and Web Services
- We can use GSI to provide security for web services we deploy
- Use the SOAP header to send delegated credentials from the client to the service
- The service can use the credentials to authenticate the user and authorise access to the service.
- ANL have released some sample code to do this using Tomcat and Axis.
Tomcat
- Tomcat is a stable, mature reference implementation of a servlet container for Java Servlets and Java Server Pages.
- It allows you to run web applications.
- Source code is available and open source.
- It can be used as a platform to deploy the Axis toolkit.
- See: http://jakarta.apache.org/tomcat/
Axis
- Axis is an implementation of the SOAP 1.1 (and SOAP with Attachments) protocol in Java
- Written for performance and extensibility
- It has a flexible architecture:
  – Easier to use other transports (e.g. https, smtp, ftp)
    • core engine is transport independent
  – Easier to add other code in message handling such as
    • encryption
    • logging
    • authentication
  – Also easy to deploy and administer Web Services using Axis
- See: http://xml.apache.org/axis/
Axis Architecture
- Axis has two handler “chains”
  – Global
  – Transport specific
  – Fairly stable APIs
  – We will create a new request handler for GSI HTTP
[Figure: Requestor -> Transport chain -> Axis engine -> Web Service specific chain -> Web Service, with Request Handlers on the way in and Response Handlers on the way back. Taken from Building Web Services with Java, by Steve Graham et al.]
Altering Tomcat to support GSI (1)
- A few “hacks” have been made to Tomcat:
  – CertificatesValve.java
    • Patch made which alters the expose() method
    • Instead of exposing the SSL session it exposes the GSI credentials
  – GSISocket.java
    • Extends SSLSocket.java to provide Globus proxy / delegated credentials support
  – GSIServerSocketFactory.java
    • Implements ServerSocketFactory to allow creation of GSISockets
    • This file contains hardcoded locations of the hostcert.pem, hostkey.pem, certificates and grid-mapfile files.
  – Currently dependent on IAIK Java cryptography libraries
Altering Tomcat to support GSI (2)
- Some changes are needed to the Tomcat configuration (conf/server.xml)
- Add a new Connector to the <service> section
  – Define a GSI HTTP/1.1 Connector on port 8443
  – Define which Factory object should be used (GSIServerSocketFactory)
    • This also contains hardcoded locations of proxy, usercert, userkey and certificates directory (which are different…)
- Add a new Valve to the <engine> section
  – This tells Tomcat to use the modified CertificatesValve object
- Tomcat should now accept httpg: requests on port 8443
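The two server.xml additions above, written out as an added example in Tomcat 4 syntax (this is not the talk's or ANL's own configuration). The Java package names of GSIServerSocketFactory and CertificatesValve are assumptions, as is the use of the standard HttpConnector class and scheme; the Factory takes no attributes because, as the slides say, the patched class hard-codes its file locations.

```xml
<!-- conf/server.xml: only the GSI additions are shown -->
<Service name="Tomcat-Standalone">

  <!-- the existing plain HTTP connector on port 8080 is left unchanged -->

  <!-- Added: GSI HTTP/1.1 connector on port 8443.
       Factory package name is an ASSUMPTION; no attributes are needed since the
       patched class hard-codes hostcert.pem, hostkey.pem, certificates and grid-mapfile. -->
  <Connector className="org.apache.catalina.connector.http.HttpConnector"
             port="8443" minProcessors="5" maxProcessors="75"
             enableLookups="true" acceptCount="10" debug="0"
             scheme="https" secure="true">
    <Factory className="org.globus.tomcat.catalina.net.GSIServerSocketFactory"/>
  </Connector>

  <Engine name="Standalone" defaultHost="localhost" debug="0">

    <!-- Added: the modified valve that exposes the caller's GSI credentials
         (instead of the SSL session) to the web application. Package ASSUMED. -->
    <Valve className="org.globus.tomcat.catalina.valves.CertificatesValve"/>

    <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true">
      <!-- the axis webapp is deployed under webapps/ as usual -->
    </Host>
  </Engine>
</Service>
```

Because the host key and grid-mapfile paths live inside the factory class rather than here, changing them means recompiling rather than editing this file.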
Adding a GSI Handler using Axis
- Handling GSI in Axis
  – GSIHTTPTransport.java
    • Sets up a new transport, httpg, within Axis
  – GSIHTTPSender.java
    • New handler for GSI HTTP (uses MessageContext.getProperty())
  – GSIAdminClient.java
    • Registers the new handler with the transport in Axis
  – Util.java
    • getCredentials(msgContext) returns the proxy credentials associated with the message context
    • registerTransport() registers the GSIHTTPTransport class for the httpg protocol
    • Also used by client programs (see later)
Installing the modified code
- ANL provide precompiled jars to replace catalina.jar and axis.jar
- Or you can “roll your own” and compile from source
- Replace jars, restart Tomcat and you’re ready to write GSI web services
- Also required are the Java CoG kit (cog.jar), and IAIK cryptographic libraries (iaik_ssl.jar, iaik_jce_full.jar, iaik_javax_crypto.jar, cryptix.jar)
Writing a GSI Web Service (1)
- Let’s write a service, MyService, with a method, serviceMethod, which takes one argument.
- The Axis RPC dispatcher will look for the same method with an extra parameter (the message context) when it receives a GSI enabled client invocation
- So we add this extra parameter to the method
- Util.getCredentials() allows us to access the GSI proxy from the message context
Writing a GSI Web Service (2)
- Here’s the code:

import org.apache.axis.MessageContext;
import org.globus.axis.util.Util;

public class MyService {
    // Add a MessageContext argument to the normal method
    public String serviceMethod(MessageContext ctx, String arg) {
        System.out.println("MyService: you sent " + arg);
        System.out.println("GOT PROXY: " + Util.getCredentials(ctx));
        return arg;
    }
}

- This just prints the credentials and string sent
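MyService above only prints the proxy; the gridmap file from the GSI slide is how a GSI service decides whether the authenticated subject may actually use it. As an added example (not the talk's or ANL's code), here is MyService extended to parse a grid-mapfile, map the caller's proxy subject to a local account and refuse anyone not listed. Assumptions: the grid-mapfile path, and toString() standing in for whichever CoG kit accessor returns the credential's subject DN.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import org.apache.axis.MessageContext;
import org.globus.axis.util.Util;

public class MyService {
    // Assumed path; the ANL patch hard-codes its own grid-mapfile location.
    static final String GRIDMAP = "/etc/grid-security/grid-mapfile";

    // Parse grid-mapfile lines of the form:  "/C=UK/O=eScience/CN=Some One" localuser[,other]
    static Map<String, String> loadGridmap(BufferedReader in) throws IOException {
        Map<String, String> map = new HashMap<String, String>();
        String line;
        while ((line = in.readLine()) != null) {
            line = line.trim();
            if (line.length() == 0 || line.charAt(0) == '#') continue; // blank or comment
            int close = line.indexOf('"', 1);
            if (line.charAt(0) != '"' || close < 0) continue;          // DN must be quoted
            String users = line.substring(close + 1).trim();
            if (users.length() == 0) continue;                           // no local account
            map.put(line.substring(1, close), users.split(",")[0].trim());
        }
        return map;
    }

    // Legacy Globus proxies append "/CN=proxy" or "/CN=limited proxy" to the owner's
    // DN (possibly more than once); strip them to recover the identity in the map.
    static String identityOf(String proxySubject) {
        String dn = proxySubject;
        while (dn.endsWith("/CN=proxy") || dn.endsWith("/CN=limited proxy")) {
            dn = dn.substring(0, dn.lastIndexOf("/CN="));
        }
        return dn;
    }

    public String serviceMethod(MessageContext ctx, String arg) throws IOException {
        Object proxy = Util.getCredentials(ctx);
        // ASSUMPTION: toString() stands in for the CoG kit accessor giving the subject DN.
        String subject = proxy == null ? "" : proxy.toString();
        BufferedReader in = new BufferedReader(new FileReader(GRIDMAP));
        String user;
        try { user = loadGridmap(in).get(identityOf(subject)); } finally { in.close(); }
        if (user == null) throw new SecurityException("not authorised: " + subject); // deny by default
        System.out.println("MyService: " + user + " sent " + arg);
        return arg;
    }
}
```

An unlisted or missing credential ends in a SecurityException, which Axis returns to the caller as a SOAP fault, so the method body never runs for an unauthorised subject.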
Writing a GSI Web Client (1)
- Similar to writing a normal web services client:
  – Deploy a httpg transport chain
  – Use the Java CoG kit to load a Globus proxy
  – Use setProperty() to set GSI specific SOAP headers
    • globus credentials (the proxy certificate)
    • authorisation type
    • GSI mode (SSL, no delegation, full delegation, limited delegation)
  – Then do the rest of the normal SOAP routine
    • setTargetEndpointAddress()
    • setOperationName()
    • addParameter()
    • setReturnType()
    • invoke()
Writing a GSI Web Client (2)
- Here’s (most of) the code:

// imports and the enclosing main() are omitted, as in the talk
SimpleProvider provider = new SimpleProvider();
SimpleTargetedChain chain = new SimpleTargetedChain(new GSIHTTPSender());
provider.deployTransport("httpg", chain);                       // register the httpg transport
GlobusProxy proxy = GlobusProxy.getDefaultUserProxy();          // load the user's proxy via the CoG kit
Service service = new Service(provider);
Call call = (Call) service.createCall();
call.setProperty(GSIHTTPTransport.GSI_CREDENTIALS, proxy);      // GSI specific headers
call.setProperty(GSIHTTPTransport.GSI_AUTHORIZATION, new SelfAuthorisation(proxy));
call.setProperty(GSIHTTPTransport.GSI_MODE, GSIHTTPTransport.GSI_MODE_LIMITED_DELEG);
call.setTargetEndpointAddress(new java.net.URL("httpg://localhost:8443/axis/servlet/AxisServlet"));
call.setOperationName(new QName("MyService", "serviceMethod"));
call.addParameter("arg1", XMLType.XSD_STRING, ParameterMode.PARAM_MODE_IN);
call.setReturnType(XMLType.XSD_STRING);
String ret = (String) call.invoke(new Object[] { "Hello World" });
System.out.println("MyService returned: " + ret);
Running a GSI Web Client/Service
- It should just work… ☺
Experiences of GSI and Web Services
- … but it didn’t
- Two main difficulties:
  – Authentication or authorisation is failing
  – Can’t probe SOAP message (it’s encrypted)
- So can’t tell why it’s failing
- Documentation of GSI Web Services and Axis is sparse
- However…
  – I understand the code a lot better after having to write this talk!
What happens next?
- Document code and provide proper instructions
- Recompile additions against latest releases of Tomcat and Axis
- Distribute source, binaries and documentation to UK eScience community (by end of March?)
- Ideally, provide another example client e.g. using Python
The benefit of open standards
- There are a number of other attempts to produce secure XML and SOAP messaging standards
  – XML Digital Signatures
  – SAML – security-based assertions
  – XKMS – providing and managing PKI-based web services
  – XACML – access control framework for XML
- See: http://www.w3c.org, http://www.oasis-open.org
- And an odd one out:
  – Microsoft Passport
- Which one will be adopted in the end?
Summary
- Web services are good
- Secure web services are better
- We can write secure web services using GSI
- We can communicate securely with web services using GSIHTTP
- It should just work
- I will be providing code examples
The End
- Over to you…