And when I stopped the container, I received the following output:

2007-10-30 22:37:42,126 DEBUG authorization.ServiceAuthorizationChain [ServiceTh
read-1,init:325] Trying to load: org.globus.wsrf.impl.security.authorization.Sel
fAuthorization
2007-10-30 22:37:42,417 DEBUG authorization.AuthorizationHandler [ServiceThread-
1,invoke:50] Authorization
2007-10-30 22:37:42,417 DEBUG authorization.AuthorizationHandler [ServiceThread-
1,invoke:66] Service path ShutdownService
2007-10-30 22:37:42,417 DEBUG authorization.AuthorizationHandler [ServiceThread-
1,invoke:86] Error getting resource/may not exist
org.globus.wsrf.NoResourceHomeException
        at org.globus.wsrf.impl.ResourceContextImpl.getResourceHome(ResourceCont
extImpl.java:126)
        at org.globus.wsrf.impl.ResourceContextImpl.getResource(ResourceContextI
mpl.java:162)
        at org.globus.wsrf.impl.security.authorization.AuthorizationHandler.invo
ke(AuthorizationHandler.java:82)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrateg
y.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:248)
        at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664
)
        at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:38
2)
        at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.j
ava:147)
        at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
2007-10-30 22:37:42,417 DEBUG authorization.AuthorizationHandler [ServiceThread-
1,invoke:92] Resource is null: true
2007-10-30 22:37:42,417 DEBUG authorization.AuthorizationHandler [ServiceThread-
1,invoke:113] Sec desc after resource is false
2007-10-30 22:37:42,417 DEBUG authorization.AuthorizationHandler [ServiceThread-
1,invoke:127] Sec desc after service is true
2007-10-30 22:37:42,417 DEBUG authorization.AuthorizationHandler [ServiceThread-
1,invoke:149] Sec desc after container is true
2007-10-30 22:37:42,417 DEBUG authorization.AuthorizationHandler [ServiceThread-
1,invoke:172] Invoking authorize on authz chain
2007-10-30 22:37:42,417 DEBUG authorization.ServiceAuthorizationChain [ServiceTh
read-1,authorize:266] Target operation is "{http://wsrf.globus.org/core/shutdown
}shutdown". Called by subject "/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth
User/OU=https://idp.protectnetwork.org/protectnetwork-idp/[EMAIL PROTECTED]
network.org"
2007-10-30 22:37:42,427 DEBUG authorization.ServiceAuthorizationChain [ServiceTh
read-1,intercept:213] Interceptor org.globus.wsrf.impl.security.authorization.Se
lfAuthorization
2007-10-30 22:37:42,427 DEBUG authorization.SelfAuthorization [ServiceThread-1,i
sPermitted:113] Error retrieving resource
org.globus.wsrf.NoResourceHomeException
        at org.globus.wsrf.impl.ResourceContextImpl.getResourceHome(ResourceCont
extImpl.java:126)
        at org.globus.wsrf.impl.ResourceContextImpl.getResource(ResourceContextI
mpl.java:162)
        at org.globus.wsrf.impl.security.authorization.SelfAuthorization.isPermi
tted(SelfAuthorization.java:109)
        at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain
.intercept(ServiceAuthorizationChain.java:217)
        at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain
.authorize(ServiceAuthorizationChain.java:282)
        at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain
.authorize(ServiceAuthorizationChain.java:272)
        at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain
.authorize(ServiceAuthorizationChain.java:235)
        at org.globus.wsrf.impl.security.authorization.AuthorizationHandler.invo
ke(AuthorizationHandler.java:174)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrateg
y.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:248)
        at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664
)
        at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:38
2)
        at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.j
ava:147)
        at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
2007-10-30 22:37:42,427 DEBUG authorization.BasicSubjectAuthorization [ServiceTh
read-1,authorize:82] Peer "/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User
/OU=https://idp.protectnetwork.org/protectnetwork-idp/[EMAIL PROTECTED]
ork.org" authorized.
2007-10-30 22:37:42,427 INFO  authorization.ServiceAuthorizationChain [ServiceTh
read-1,authorize:285] Authorized "/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibbole
th User/OU=https://idp.protectnetwork.org/protectnetwork-idp/[EMAIL PROTECTED]
ectnetwork.org" to invoke "{http://wsrf.globus.org/core/shutdown}shutdown";.
Stopped SOAP Axis server at: https://192.168.1.102:8443/wsrf/services/


On 10/30/07, Tom Scavo <[EMAIL PROTECTED]> wrote:
> Hi Rachana,
>
> The PIP is at location
>
> http://viewcvs.globus.org/viewcvs.cgi/gridshib/gt/interceptors/java/source/src-proxies/4.0/org/globus/gridshib/SAMLAssertionPushPIP.java?view=log&pathrev=gridshib_gt_0_6_0_branch
>
> Its implementation is at location
>
> http://viewcvs.globus.org/viewcvs.cgi/gridshib/gt/interceptors/java/source/src/org/globus/gridshib/gt/authorization/SAMLAssertionPushPIPImpl.java?view=log&pathrev=gridshib_gt_0_6_0_branch
>
> The security descriptors consist of the authz chains I posted earlier
> and nothing else (except for the service descriptor, which has an
> <auth-method> element).
>
> Finally, here's the log output you asked for:
>
> http://dev.globus.org/images/e/e3/Gt-container-log-output-20071030-more.txt
>
> Hope this helps,
> Tom
>
> On 10/30/07, Rachana Ananthakrishnan <[EMAIL PROTECTED]> wrote:
> > Tom,
> >
> > Can you send me pointers to the PIP source code, your service and container
> > security descriptor? Also, can you please set logging to DEBUG for the
> > following package and send me logs?
> >
> > org.globus.wsrf.impl.security.authorization
> >
> > Thanks,
> > Rachana
> >
> > > -----Original Message-----
> > > From: Tom Scavo [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, October 30, 2007 5:26 PM
> > > To: Rachana Ananthakrishnan
> > > Cc: gt-user
> > > Subject: Re: [gt-user] authz chains at both the container and service
> > > levels
> > >
> > > On 10/29/07, Rachana Ananthakrishnan <[EMAIL PROTECTED]> wrote:
> > > > > For 4.0.x, look at section 3.1 in
> > > > > http://www.globus.org/toolkit/docs/4.0/security/authzframe/developer-index.html#s-authzframe-developer-archdes.
> > > > > Pasting relevant piece here:
> > > > >
> > > > > "A chain of PDPs and PIPs, with relevant configuration information, can be
> > > > > configured at resource, service or container level. If no chain is specified
> > > > > at resource level, service level is used; if nothing is specified at service
> > > > > level, the container level configuration is used. The engine evaluates each
> > > > > PDP and PIP in the order specified and a deny-override mechanism is used to
> > > > > render a decision. If one PDP returns a deny, the decision rendered is
> > > > > deny."
> > >
> > > This doesn't seem to work as advertised.  I have the following authz
> > > chains specified at both the container and service levels (resp.):
> > >
> > > <authz value="global:org.globus.gridshib.SAMLAssertionPushPIP"/>
> > > <authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP"/>
> > >
> > > The latter initializes first (Bug 5545) but the container PIP is
> > > invoked when I request the service.  See this log output:
> > >
> > > http://dev.globus.org/images/c/c8/Gt-container-log-output-20071030.txt
> > >
> > > Look for the following debug output (in order):
> > >
> > > org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl
> > > (secctxecho) initializing...
> > > org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (global)
> > > initializing...
> > > org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (global)
> > > collecting attributes...
> > >
> > > Is this bug related to Bug 5545 or is this something new?
> > >
> > > Tom
> >
> >
>
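
Added example (not part of the original thread and not Globus code): a small check that applies the documented 4.0.x fallback rule (resource, then service, then container) to the two authz chains quoted above and compares the expected interceptor prefix with the one that actually logged "collecting attributes". The log lines are a constructed sample built from the three debug lines quoted in the thread, unwrapped; the function names and the dictionary layout are assumptions made for illustration.

```python
import re

# Constructed sample: the three debug lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (secctxecho) initializing...
org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (global) initializing...
org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (global) collecting attributes...
"""

# Chains as configured in the thread: scope -> list of "prefix:class" entries.
CONFIGURED = {
    "resource": [],
    "service": ["secctxecho:org.globus.gridshib.SAMLAssertionPushPIP"],
    "container": ["global:org.globus.gridshib.SAMLAssertionPushPIP"],
}

# "<class> (<prefix>) <event>..." as it appears in the quoted debug output.
LINE = re.compile(
    r"^(?P<cls>[\w.]+)\s+\((?P<prefix>\w+)\)\s+"
    r"(?P<event>initializing|collecting attributes)\.\.\.$"
)

def effective_chain(chains):
    """Documented fallback: the first non-empty chain of resource, service, container."""
    for scope in ("resource", "service", "container"):
        if chains.get(scope):
            return scope, chains[scope]
    return None, []

def observed_prefixes(log_text, event):
    """Prefixes of interceptor instances that logged the given event, in log order."""
    found = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group("event") == event:
            found.append(m.group("prefix"))
    return found

def check(chains, log_text):
    """Compare the chain the documentation says should run with what the log shows."""
    scope, chain = effective_chain(chains)
    expected = {entry.split(":", 1)[0] for entry in chain}
    invoked = set(observed_prefixes(log_text, "collecting attributes"))
    return {
        "effective_scope": scope,
        "unexpected": sorted(invoked - expected),  # ran, but should not have
        "missing": sorted(expected - invoked),     # should have run, did not
    }

if __name__ == "__main__":
    print(check(CONFIGURED, SAMPLE_LOG))
```

A non-empty "unexpected" or "missing" list means the request was evaluated by an interceptor instance from a different scope than the documented rule selects, which is the symptom reported in this thread.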
