Hi,

> - Is it possible to use the PIPs and PDPs just by configuring or do I have to implement the functionality myself?

If the PIP or PDP is shipped out of the box, like the XACML one, or any of the others listed here (http://www.globus.org/toolkit/docs/4.2/4.2.1/security/wsaajava/pdp/), you should be able to just configure it and not implement anything. If you want custom logic in your PDPs and PIPs, you can implement the interface and configure it in.

> - Are there any examples of XACML PDP and PIP usage with just configuration (IF it is intended to work that way)? Or do I have to implement the PDP callout myself as done in the XACML test cases delivered with the XACML callout code?

I am not following this. The test does not re-implement the callout. It configures a test service to be protected with the XACML Callout, and configures it to talk to a test authorization service. The TestXACMLAuthzCallout.java is the JUnit test class that drives the whole test.

Were there any other stack traces with this error? I see the root error is from AbstractEngine.java and that does log the whole exception to error stream. Can you look to see if there are other log statements or error logs that provide information on why the load is failing?

The descriptor you sent has "foo" as the prefix for the callout, which is fine, but the error itself uses "xacmlAuthz" as the prefix. I wonder if there is some gap in the configuration file used here.

Lastly, the XACML Callout documentation talks about exercising the tests. Did the test security configuration load correctly? http://www.globus.org/toolkit/docs/4.2/4.2.1/security/wsaajava/pdp/wsaajava-pdp-XACMLAuthzCallout.html#id2522484

Rachana
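The two checks suggested above (is the callout class really deployed in a globus_xacml_authz*.jar, and does the prefix in the descriptor the container loads match the one printed in the JWSSEC-165 error) can be scripted. The following Python is an added example, not code from the thread or from the Globus Toolkit; the descriptor element names in the fixture are constructed, and the only thing assumed from the error message is the prefix:fully.qualified.Class shape of the interceptor value.

```python
import glob, os, re, tempfile, zipfile
import xml.etree.ElementTree as ET

CALLOUT = "org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout"
# JWSSEC-165 names the interceptor as prefix:fully.qualified.Class; that is all we assume.
INTERCEPTOR_RE = re.compile(r"^(\w+):((?:[a-z_]\w*\.)+[A-Z]\w*)$")

def jars_with_class(globus_location, class_name, pattern="globus_xacml_authz*.jar"):
    """Jars under $GLOBUS_LOCATION/lib matching pattern that actually contain class_name."""
    entry = class_name.replace(".", "/") + ".class"
    hits = []
    for jar in glob.glob(os.path.join(globus_location, "lib", pattern)):
        with zipfile.ZipFile(jar) as zf:
            if entry in zf.namelist():
                hits.append(os.path.basename(jar))
    return sorted(hits)

def interceptors(descriptor_xml):
    """Map prefix -> class for every prefix:class value in the descriptor.
    Element and attribute names are deliberately not assumed, only the value shape."""
    found = {}
    for el in ET.fromstring(descriptor_xml).iter():
        for value in list(el.attrib.values()) + [(el.text or "").strip()]:
            m = INTERCEPTOR_RE.match(value)
            if m:
                found[m.group(1)] = m.group(2)
    return found

def diagnose(descriptor_xml, error_interceptor, globus_location):
    """Return finding codes explaining an 'Error loading interceptor' failure."""
    prefix, cls = INTERCEPTOR_RE.match(error_interceptor).groups()
    findings = []
    if prefix not in interceptors(descriptor_xml):
        findings.append("prefix-mismatch")  # is the container loading the descriptor you edited?
    if not jars_with_class(globus_location, cls):
        findings.append("class-missing")    # run 'ant deploy' in authorization/java/xacml/
    return findings

# Constructed fixture mirroring the thread: descriptor prefix "foo", error prefix "xacmlAuthZ".
DESCRIPTOR = f'<securityConfig><authzChain><interceptor name="foo:{CALLOUT}"/></authzChain></securityConfig>'
ERROR = f"xacmlAuthZ:{CALLOUT}"

def demo(jar_deployed=True):
    """Build a throwaway GLOBUS_LOCATION (with or without the jar) and diagnose it."""
    loc = tempfile.mkdtemp()
    os.mkdir(os.path.join(loc, "lib"))
    if jar_deployed:
        with zipfile.ZipFile(os.path.join(loc, "lib", "globus_xacml_authz.jar"), "w") as zf:
            zf.writestr(CALLOUT.replace(".", "/") + ".class", b"")  # stand-in for the bytecode
    return diagnose(DESCRIPTOR, ERROR, loc)
```

For the thread's situation `demo()` reports only `prefix-mismatch`; with the jar absent, `demo(jar_deployed=False)` adds `class-missing`.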
On Sep 20, 2010, at 4:24 AM, Stefan E. Funk wrote:

Dear Rachana, dear all,

thank you very much for your answer. I just checked it, and I have the JARs you mentioned already installed (I configured the build with xacml support), I just installed the XACML tests later on, and also the test JARs are installed... so I am still puzzled, but working on it :) If you have any further clues or ideas to this, please send them to me.

And it would be very kind if you could have a look at my questions at the end of my mail, because I didn't find answers to them in the documentation.

Thanks a lot and best wishes.
*fu*
Rachana Ananthakrishnan schrieb am 17.09.2010 16:56:

Hi,

It looks like org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout has not been installed. If you installed from source, you need to build the package in authorization/java/xacml/. One quick way to check this is to see if your installation has globus_xacml_authz*.jar. If not, set GLOBUS_LOCATION to your install root, and run ant deploy in that directory, and that should deploy the classes needed to use the XACML callout. In the same directory, there is a test and sample directory, that shows how this can be used.

Hope this helps.

Rachana
On Sep 15, 2010, at 5:09 AM, Stefan E. Funk wrote:

Dear GT users,

in the frame of the TextGrid project (http://www.textgrid.de) we developed a centrally managed PDP for authorization decisions (http://www.openrbac.de). The SOAP based interface now also includes an XACML Service that supports the SAML 2.0 Profile of XACML 2.0 (XACMLAuthzDecisionQuery).

I now want to use this PDP as an external PDP for authorizing grid resources managed by our Globus Toolkit (version 4.2.1). My goal is to use the Globus 4.2.1 XACML callout in the following way:

For every GSIFTP call to the Globus Toolkit...
...get the incoming certificate's SubjectDN and the requested resource (using the org.globus.wsrf.impl.security.authorization.AuthzProfilePIP)
...use the org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout to ask our external PDP using the DN and the resource name (and the operation)
...and then grant or deny access to that resource

According to the documentation I should be able to reach that goal by only configuring the existing PIPs and PEPs, right? What I have done so far is:

- installed and tested the org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout, and I am stuck now at "5. configuration"
- created a new_security_descriptor.xml copying /usr/local/globus/etc/globus/globus_wsrf_core/global_security_descriptor.xml
- added (not exchanged with the old global_security_descriptor.xml, which uses gridmap-authorization) the new_security_descriptor.xml to the server-config.wsdd:
    <parameter name="containerSecDesc" value="etc/globus_wsrf_core/new_security_descriptor.xml"/>
- added configuration to the new_security_descriptor.xml (see attached file)
- GLOBUS_LOCATION is set correctly and I start the container using the globus-start-container script as root, and I get the following exception (I just think the foo must be replaced??):

2010-09-10T13:02:00.196+02:00 DEBUG axis.MessageContext [main,setService:942] MessageContext: setServiceHandler (org.apache.axis.handlers.soap.soapserv...@476dc5c9)
[JWSCORE-114] Failed to start container: [JWSCORE-200] Container failed to initialize [Caused by: [Caused by: [JWSSEC-165] Error loading interceptor: "Interceptor: xacmlAuthZ:org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout"]]

So I am stuck at this point, and I would be grateful for any help. I additionally have got some general questions, which I want to post here:

- Is it possible to use the PIPs and PDPs just by configuring or do I have to implement the functionality myself?
- Are there any examples of XACML PDP and PIP usage with just configuration (IF it is intended to work that way)? Or do I have to implement the PDP callout myself as done in the XACML test cases delivered with the XACML callout code?

I hope the information I provided is complete enough to make sense, if not please feel free to ask :)

Thanks for any hint you can provide.
Have a nice weekend.
*fu*
--
-----------------------------------------------------------------------
Stefan E. Funk
DAASI International GmbH      Phone DAASI : +49 7071 407109-6
Europaplatz 3                 Phone SUB   : +49 551 39-7700
D-72072 Tübingen              Email       : [email protected]
Germany                       Web         : http://www.daasi.de
Directory Applications for Advanced Security and Information Management
-----------------------------------------------------------------------
Rachana Ananthakrishnan
Argonne National Lab | University of Chicago