Actually, the delegation service can make things faster, as you delegate once and can then invoke many operations on that service.

Zhaohui Ding wrote:
Thanks for the quick reply, Rachana,

We also planned to use DelegationService before, but we don't want to involve more overhead.

Since the problem is caused by the protocol, it looks like a remote delegated credential storage mechanism is necessary.

Regards,
--Zhaohui

2007/11/29, Rachana Ananthakrishnan <[EMAIL PROTECTED]>:

    Hi,

    With transport security (https) you cannot delegate as part of the
    protocol. In the toolkit we use Delegation Service to delegate
    independent of the protocol. Details can be found here:
    http://www.globus.org/toolkit/docs/4.0/security/delegation/

    In a nutshell, your client will contact the delegation service
    installed in the same container as your service to delegate its
    credential and will receive an EPR to the delegated credential.
    This EPR needs to be sent as a part of the method invocation to
    your service. The EPR can then be used to retrieve the client's
    delegated credential. Any mechanism can be used to secure your
    invocation, since the delegation credential EPR is an application
    level parameter.

    Rachana

    ------------------------------------------------------------------------

    *From:* [EMAIL PROTECTED] *On Behalf Of* Zhaohui Ding
    *Sent:* Wednesday, November 28, 2007 6:25 PM
    *To:* [email protected]
    *Subject:* [gt-user] How to get delegated credential with
    Transport level security

    Hi all,

        Here is what I want to implement:
        The client side delegates a credential to the server side, and
    the server side can retrieve the delegated credential. I used
    conversation security to implement this before, and it works fine.
    Due to the performance issue, I hope to replace conversation
    security with transport security.
        I tried the functions provided by GlobusGSSContextImpl, but
    the delegated credential can't be retrieved. Can anyone give me
    some instructions? Thanks!

    Please see the following messages.

    Client code:

    ((Stub) job)._setProperty(Constants.GSI_TRANSPORT, Constants.SIGNATURE);
    ((Stub) job)._setProperty(GSIConstants.GSI_MODE, GSIConstants.GSI_MODE_FULL_DELEG);
    ((Stub) job)._setProperty(Constants.AUTHORIZATION, new HostAuthorization());


    Server code:

    MessageContext mctx = MessageContext.getCurrentContext();
    GlobusGSSContextImpl transport_sec = (GlobusGSSContextImpl)
            mctx.getProperty(Constants.TRANSPORT_SECURITY_CONTEXT);
    GSSCredential credential = null;
    GSSCredential credential2 = null;
    try {
        credential = transport_sec.getDelegatedCredential();
        credential2 = transport_sec.getDelegCred();
        logger.debug("1:" + credential);
        logger.debug("2:" + credential2);
        logger.debug("getIntegState():" + transport_sec.getIntegState());
        logger.debug("getCredDelegState():" + transport_sec.getCredDelegState());
        logger.debug("getlifetime():" + transport_sec.getLifetime());
        logger.debug("isInitiator():" + transport_sec.isInitiator());
        logger.debug("isProtReady():" + transport_sec.isProtReady());
        logger.debug("isEstablished():" + transport_sec.isEstablished());
        logger.debug("isDelegationFinished():" + transport_sec.isDelegationFinished());
        logger.debug("getConfState():" + transport_sec.getConfState());
    } catch (Exception e) {
        logger.error(e.getMessage());
        throw new RemoteException("Retrive user credential failed!");
    }

    The log on server side:

    2007-11-28 15:37:41,984 DEBUG impl.JobImpl [ServiceThread-9,createResource:346] 1:null
    2007-11-28 15:37:41,985 DEBUG impl.JobImpl [ServiceThread-9,createResource:348] 2:null
    2007-11-28 15:37:41,985 DEBUG impl.JobImpl [ServiceThread-9,createResource:349] getIntegState():true
    2007-11-28 15:37:41,986 DEBUG impl.JobImpl [ServiceThread-9,createResource:350] getCredDelegState():false
    2007-11-28 15:37:41,986 DEBUG impl.JobImpl [ServiceThread-9,createResource:351] getlifetime():353594
    2007-11-28 15:37:41,987 DEBUG impl.JobImpl [ServiceThread-9,createResource:352] isInitiator():false
    2007-11-28 15:37:41,987 DEBUG impl.JobImpl [ServiceThread-9,createResource:353] isProtReady():true
    2007-11-28 15:37:41,988 DEBUG impl.JobImpl [ServiceThread-9,createResource:354] isEstablished():true
    2007-11-28 15:37:41,988 DEBUG impl.JobImpl [ServiceThread-9,createResource:355] isDelegationFinished():false
    2007-11-28 15:37:41,989 DEBUG impl.JobImpl [ServiceThread-9,createResource:356] getConfState():true

    Regards,
    --Zhaohui



--

  Ian Foster, Director, Computation Institute
Argonne National Laboratory & University of Chicago
Argonne: MCS/221, 9700 S. Cass Ave, Argonne, IL 60439
Chicago: Rm 405, 5640 S. Ellis Ave, Chicago, IL 60637
Tel: +1 630 252 4619.  Web: www.ci.uchicago.edu.
     Globus Alliance: www.globus.org.
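
The flow described in this thread (delegate once to a delegation service, pass the returned EPR as an application-level parameter, let the service resolve it to the delegated credential), as an added Java model that is not part of the original messages and does not use the Globus Toolkit API. Every class, method, address and DN in it is hypothetical or constructed, and the expiry check is an assumption of the model.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Toy model of the flow; NOT the Globus Toolkit API. All names are hypothetical.
public class DelegationFlowModel {
    // Stand-in for a delegated proxy credential: subject DN plus expiry.
    record Credential(String subject, Instant notAfter) {}
    // Stand-in for the EPR: service address plus an unguessable resource key.
    record Epr(String address, String resourceKey) {}

    // Delegation service deployed in the same container as the job service.
    static class DelegationService {
        private final Map<String, Credential> store = new ConcurrentHashMap<>();
        private final SecureRandom rng = new SecureRandom();
        int delegations = 0;
        // The client delegates once and gets back a reference, not the credential.
        Epr delegate(Credential c) {
            byte[] k = new byte[16];
            rng.nextBytes(k);
            String key = Base64.getUrlEncoder().withoutPadding().encodeToString(k);
            store.put(key, c);
            delegations++;
            return new Epr("https://host.example/DelegationService", key); // constructed address
        }

        // In-container lookup by the target service; unknown or expired entries are refused.
        Credential resolve(Epr epr, Instant now) {
            Credential c = store.get(epr.resourceKey());
            if (c == null || now.isAfter(c.notAfter()))
                throw new SecurityException("no valid delegated credential for this EPR");
            return c;
        }
    }

    // Job service operation: the EPR arrives as an ordinary method parameter,
    // so it works regardless of how the invocation itself is secured.
    static String submitJob(DelegationService ds, Epr epr, String jobName) {
        return jobName + " runs as " + ds.resolve(epr, Instant.now()).subject();
    }

    public static void main(String[] args) {
        DelegationService ds = new DelegationService();
        Epr epr = ds.delegate(new Credential("/O=Example/CN=Test User", Instant.now().plusSeconds(3600)));
        for (String job : new String[] {"job-1", "job-2", "job-3"})
            System.out.println(submitJob(ds, epr, job)); // three invocations, one delegation
        System.out.println("delegations performed: " + ds.delegations);
    }
}
```

Because the EPR in this model is a bare reference, whoever holds it can ask for the credential to be used, which is why the invocation carrying it still needs its own protection.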
