Hi,
It looks like org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout has not been installed. If you installed from source, you need to build the package in authorization/java/xacml/. One quick way to check this is to see if your installation has globus_xacml_authz*.jar. If not, set GLOBUS_LOCATION to your install root, and run ant deploy in that directory, and that should deploy the classes needed to use the XACML callout. In the same directory, there is a test and sample directory that shows how this can be used.
Hope this helps.
Rachana
On Sep 15, 2010, at 5:09 AM, Stefan E. Funk wrote:
Dear GT users,
in the frame of the TextGrid project (http://www.textgrid.de) we developed a centrally managed PDP for authorization decisions (http://www.openrbac.de). The SOAP based interface now also includes an XACML Service that supports SAML 2.0 Profile of XACML 2.0 (XACMLAuthzDecisionQuery).
I now want to use this PDP as an external PDP for authorizing grid resources managed by our Globus Toolkit (version 4.2.1). My goal is to use the Globus 4.2.1 XACML callout in the following way:
For every GSIFTP call to the Globus Toolkit...
...get the incoming certificate's SubjectDN and the requested resource (using the org.globus.wsrf.impl.security.authorization.AuthzProfilePIP)
...use the org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout to ask our external PDP using the DN and the resource name (and the operation)
...and then grant or deny access to that resource
According to documentation I should be able to reach that goal by only configuring the existing PIPs and PEPs, right? What I have done so far is:
- installed and tested the org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout, and I am stuck now at "5. configuration"
- created a new_security_descriptor.xml copying /usr/local/globus/etc/globus/globus_wsrf_core/global_security_descriptor.xml
- added (not exchanged with the old global_security_descriptor.xml, that uses gridmap-authorization) the new_security_descriptor.xml to the server-config.wsdd:
<parameter name="containerSecDesc" value="etc/globus_wsrf_core/new_security_descriptor.xml"/>
- added configuration to the new_security_descriptor.xml (see attached file)
- GLOBUS_LOCATION is set correctly and I start the container using the globus-start-container script as root, and I get the following exception (I just think, the foo must be replaced??):
2010-09-10T13:02:00.196+02:00 DEBUG axis.MessageContext [main,setService:942] MessageContext: setServiceHandler(org.apache.axis.handlers.soap.soapserv...@476dc5c9)
[JWSCORE-114] Failed to start container: [JWSCORE-200] Container failed to initialize [Caused by: [Caused by: [JWSSEC-165] Error loading interceptor: "Interceptor: xacmlAuthZ:org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout"]]
So I am stuck at this point, and I would be grateful for any help. I additionally have got some general questions, which I want to post here:
- Is it possible to use the PIPs and PDPs just by configuring or do I have to implement the functionality myself?
- Are there any examples of XACML PDP and PIP usage with just configuration (IF it is intended to work that way)? Or do I have to implement the PDP callout myself as done in the XACML test cases delivered with the XACML callout code?
I hope the information I provided is complete enough to make sense, if not please feel free to ask :)
Thanks for any hint you can provide.
Have a nice weekend.
*fu*
--
-----------------------------------------------------------------------
Stefan E. Funk
DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany
Phone DAASI: +49 7071 407109-6
Phone SUB: +49 551 39-7700
Email: [email protected]
Web: http://www.daasi.de
Directory Applications for Advanced Security and Information Management
-----------------------------------------------------------------------
<new_security_descriptor.xml>
Rachana Ananthakrishnan
Argonne National Lab | University of Chicago
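
The check suggested in the reply, extended to confirm that a jar actually contains the class named in the JWSSEC-165 error. This is an added example, not part of either message and not Globus Toolkit code; the function names are hypothetical, and it assumes the jars live somewhere under the install root passed in (or GLOBUS_LOCATION).

```python
import os
import sys
import zipfile
from pathlib import Path

# Class named in the JWSSEC-165 error quoted in the thread.
CALLOUT_CLASS = "org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout"
# Jar name pattern mentioned in the reply.
JAR_PATTERN = "globus_xacml_authz*.jar"


def find_class_in_jars(install_root, class_name=CALLOUT_CLASS):
    """Return the jars under install_root that contain class_name."""
    entry = class_name.replace(".", "/") + ".class"
    providers = []
    for jar in sorted(Path(install_root).rglob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                if entry in zf.namelist():
                    providers.append(jar)
        except (zipfile.BadZipFile, OSError):
            continue  # unreadable or truncated jar cannot supply the class
    return providers


def check_install(install_root):
    """Report whether the XACML callout looks deployed under install_root."""
    named = sorted(Path(install_root).rglob(JAR_PATTERN))
    providers = find_class_in_jars(install_root)
    return {"named_jars": named, "class_providers": providers,
            "deployed": bool(providers)}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("GLOBUS_LOCATION")
    if not root:
        sys.exit("set GLOBUS_LOCATION or pass the install root as an argument")
    result = check_install(root)
    for jar in result["named_jars"]:
        print("found jar:", jar)
    for jar in result["class_providers"]:
        print("class provided by:", jar)
    if not result["deployed"]:
        print("XACMLAuthorizationCallout not found; build and deploy "
              "authorization/java/xacml/ as described in the reply")
        sys.exit(1)
```

A jar that matches the name pattern but does not appear under "class provided by" points to a stale or partial build rather than a configuration error in the security descriptor.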