Dear Rachana, dear all,

thank you very much for your answer. I just checked it, and I have the JARs you mentioned already installed (I configured the build with xacml support), I just installed the XACML tests later on, and also the test JARs are installed... so I am still puzzled, but working on it :)

If you have any further clues or ideas on this, please send them to me.

And it would be very kind if you could have a look at my questions at the end of my mail, because I didn't find answers to them in the documentation.

Thanks a lot and best wishes.
*fu*

Rachana Ananthakrishnan wrote on 17.09.2010 16:56:
> Hi,
>
> It looks like
> org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout has not
> been installed. If you installed from source, you need to build the package in
> authorization/java/xacml/. One quick way to check this is to see if your
> installation has globus_xacml_authz*.jar. If not, set GLOBUS_LOCATION to your
> install root, and run ant deploy in that directory, and that should deploy the
> classes needed to use the XACML callout. In the same directory, there is a
> test and sample directory, that shows how this can be used.
>
> Hope this helps.
>
> Rachana
>
> On Sep 15, 2010, at 5:09 AM, Stefan E. Funk wrote:
>
>> Dear GT users,
>>
>> in the frame of the TextGrid project (http://www.textgrid.de) we developed a
>> centrally managed PDP for authorization decisions (http://www.openrbac.de).
>> The SOAP based interface now also includes an XACML Service that supports
>> SAML 2.0 Profile of XACML 2.0 (XACMLAuthzDecisionQuery).
>>
>> I now want to use this PDP as an external PDP for authorizing grid resources
>> managed by our Globus Toolkit (version 4.2.1). My goal is to use the Globus
>> 4.2.1 XACML callout in the following way:
>>
>>
>> For every GSIFTP call to the Globus Toolkit...
>>
>> ...get the incoming certificate's SubjectDN and the requested resource
>> (using the org.globus.wsrf.impl.security.authorization.AuthzProfilePIP)
>>
>> ...use the
>> org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout to ask
>> our external PDP using the DN and the resource name (and the operation)
>>
>> ...and then grant or deny access to that resource
>>
>>
>> According to documentation I should be able to reach that goal by only
>> configuring the existing PIPs and PEPs, right?
>> What I have done so far is:
>>
>> - installed and tested the
>> org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout, and I
>> am stuck now at "5. configuration"
>>
>> - created a new_security_descriptor.xml copying
>> /usr/local/globus/etc/globus/globus_wsrf_core/global_security_descriptor.xml
>>
>> - added (not exchanged with the old global_security_descriptor.xml, that uses
>> gridmap-authorization) the new_security_descriptor.xml to the
>> server-config.wsdd:
>>
>> <parameter name="containerSecDesc"
>> value="etc/globus_wsrf_core/new_security_descriptor.xml"/>
>>
>> - added configuration to the new_security_descriptor.xml (see attached file)
>>
>> - GLOBUS_LOCATION is set correctly and I start the container using the
>> globus-start-container script as root, and I get the following exception (I
>> just think, the foo must be replaced??):
>>
>> 2010-09-10T13:02:00.196+02:00 DEBUG axis.MessageContext [main,setService:942]
>> MessageContext:
>> setServiceHandler(org.apache.axis.handlers.soap.soapserv...@476dc5c9)
>> [JWSCORE-114] Failed to start container: [JWSCORE-200] Container failed to
>> initialize [Caused by: [Caused by: [JWSSEC-165] Error loading interceptor:
>> "Interceptor:
>> xacmlAuthZ:org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout"]]
>>
>>
>>
>> So I am stuck at this point, and I would be grateful for any help. I
>> additionally have got some general questions, which I want to post here:
>>
>> - Is it possible to use the PIPs and PDPs just by configuring or do I have to
>> implement the functionality myself?
>>
>> - Are there any examples of XACML PDP and PIP usage with just configuration
>> (IF it is intended to work that way)?
>> Or do I have to implement the PDP callout myself as done in the XACML test
>> cases delivered with the XACML callout code?
>>
>> I hope the information I provided is complete enough to make sense, if not
>> please feel free to ask :)
>>
>>
>> Thanks for any hint you can provide.
>> Have a nice weekend.
>> *fu*

-- 
-----------------------------------------------------------------------
Stefan E. Funk
DAASI International GmbH   Phone DAASI : +49 7071 407109-6
Europaplatz 3              Phone SUB   : +49 551 39-7700
D-72072 Tübingen           Email       : [email protected]
Germany                    Web         : http://www.daasi.de

Directory Applications for Advanced Security and Information Management
-----------------------------------------------------------------------
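
An added example, not part of the original messages and not Globus Toolkit code: it takes the interceptor class named in the JWSSEC-165 message from this thread and reports which JARs in a directory actually contain that class, separating out JARs that cannot be read. The `$GLOBUS_LOCATION/lib` location and the function names are assumptions made for illustration.

```python
import os
import re
import zipfile
from pathlib import Path

# Error text as quoted in the thread (line breaks are constructed).
SAMPLE_LOG = '''[JWSSEC-165] Error loading interceptor:
"Interceptor:
xacmlAuthZ:org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout"'''

# "Interceptor: <prefix>:<fully.qualified.Class>" as it appears in the message.
INTERCEPTOR_RE = re.compile(r'Interceptor:\s*(\w+):([\w.$]+)')


def interceptor_class(log_text):
    """Return (prefix, class name) from a JWSSEC-165 message, or None."""
    m = INTERCEPTOR_RE.search(log_text)
    return (m.group(1), m.group(2)) if m else None


def jars_providing(lib_dir, class_name):
    """Return (JARs containing class_name, JARs that could not be opened)."""
    entry = class_name.replace('.', '/') + '.class'
    hits, unreadable = [], []
    for jar in sorted(Path(lib_dir).rglob('*.jar')):
        try:
            with zipfile.ZipFile(jar) as zf:
                if entry in zf.namelist():
                    hits.append(jar.name)
        except (zipfile.BadZipFile, OSError):
            # A truncated or unreadable JAR cannot supply the class even
            # though a file-name check such as globus_xacml_authz*.jar passes.
            unreadable.append(jar.name)
    return hits, unreadable


if __name__ == '__main__':
    # Assumption: the container's JARs live under $GLOBUS_LOCATION/lib.
    lib = Path(os.environ.get('GLOBUS_LOCATION', '.')) / 'lib'
    prefix, cls = interceptor_class(SAMPLE_LOG)
    hits, unreadable = jars_providing(lib, cls)
    print(cls, 'found in:', hits or 'no JAR')
    print('unreadable JARs:', unreadable or 'none')
```

An empty result for a class whose JAR file name is present points at an incomplete build or a damaged archive rather than at the security descriptor.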
