Hi Rachana, dear List,

I just discovered a missing "2.0" in the security-config file. The value of the <param:ObligationId> must be:

http://authz-interop.org/xacml/2.0/obligation/username

instead of:

http://authz-interop.org/xacml/obligation/username

The container can be started then. Is maybe the <ObligationId> of the example config
http://viewcvs.globus.org/viewcvs.cgi/authorization/java/xacml/samples/etc/xacml-security-config.xml?view=markup
and the documentation (see Obligation Handlers)
http://viewcvs.globus.org/viewcvs.cgi/authorization/java/xacml/samples/etc/xacml-security-config.xml?view=markup
not correct?

It may be that more questions arise, thanks a lot so far.

*fu*

Rachana Ananthakrishnan wrote on 20.09.2010 16:57:
> Hi,
>
>>> - Is it possible to use the PIPs and PDPs just by configuring or do I have to
>>> implement the functionality myself?
>
> If the PIP or PDP is shipped out of the box, like the XACML one, or any of the
> others listed here
> http://www.globus.org/toolkit/docs/4.2/4.2.1/security/wsaajava/pdp/, you
> should be able to just configure it and not implement anything. If you want
> custom logic in your PDPs and PIPs, you can implement the interface and
> configure it in.
>
>>> - Are there any examples of XACML PDP and PIP usage with just configuration
>>> (IF it is intended to work that way)?
>>> Or do I have to implement the PDP callout myself as done in the XACML test
>>> cases delivered with the XACML callout code?
>
> I am not following this. The test does not re-implement the callout. It
> configures a test service to be protected with the XACML Callout, and
> configures it to talk to a test authorization service. The
> TestXACMLAuthzCallout.java is the JUnit test class that drives the whole test.
>
> Were there any other stack traces with this error? I see the root error is
> from AbstractEngine.java and that does log the whole exception to error
> stream. Can you look to see if there are other log statements or error logs
> that provide information on why the load is failing?
>
> The descriptor you sent has "foo" as the prefix for the callout, which is
> fine, but the error itself uses "xacmlAuthz" as the prefix. I wonder if there
> is some gap in the configuration file used here.
>
> Lastly, the XACML Callout documentation talks about exercising the tests. Did
> the test security configuration load correctly?
> http://www.globus.org/toolkit/docs/4.2/4.2.1/security/wsaajava/pdp/wsaajava-pdp-XACMLAuthzCallout.html#id2522484.
>
> Rachana
>
> On Sep 20, 2010, at 4:24 AM, Stefan E. Funk wrote:
>
>> Dear Rachana, dear all,
>>
>> thank you very much for your answer. I just checked it, and I have the JARs
>> you mentioned already installed (I configured the build with xacml support), I
>> just installed the XACML tests later on, and also the test JARs are
>> installed... so I am still puzzled, but working on it :) If you have any
>> further clues or ideas to this, please send them to me.
>>
>> And it would be very kind, if you could have a look at my questions at the end
>> of my mail, because I didn't find answers to them in the documentation.
>>
>> Thanks a lot and best wishes.
>> *fu*
>>
>>
>> Rachana Ananthakrishnan wrote on 17.09.2010 16:56:
>>> Hi,
>>>
>>> It looks like
>>> org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout has not
>>> been installed. If you installed from source, you need to build the package in
>>> authorization/java/xacml/. One quick way to check this is to see if your
>>> installation has globus_xacml_authz*.jar. If not, set GLOBUS_LOCATION to your
>>> install root, and run ant deploy in that directory, and that should deploy the
>>> classes needed to use the XACML callout. In the same directory, there is a
>>> test and sample directory, that shows how this can be used.
>>>
>>> Hope this helps.
>>>
>>> Rachana
>>>
>>> On Sep 15, 2010, at 5:09 AM, Stefan E. Funk wrote:
>>>
>>>> Dear GT users,
>>>>
>>>> in the frame of the TextGrid project (http://www.textgrid.de) we developed a
>>>> centrally managed PDP for authorization decisions (http://www.openrbac.de).
>>>> The SOAP based interface now also includes an XACML Service that supports SAML
>>>> 2.0 Profile of XACML 2.0 (XACMLAuthzDecionQuery).
>>>>
>>>> I now want to use this PDP as an external PDP for authorizing grid resources
>>>> managed by our Globus Toolkit (version 4.2.1). My goal is to use the Globus
>>>> 4.2.1 XACML callout in the following way:
>>>>
>>>>
>>>> For every GSIFTP call to the Globus Toolkit...
>>>>
>>>> ...get the incoming certificate's SubjectDN and the requested resource
>>>> (using the org.globus.wsrf.impl.security.authorization.AuthzProfilePIP)
>>>>
>>>> ...use the
>>>> org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout to ask
>>>> our external PDP using the DN and the resource name (and the operation)
>>>>
>>>> ...and then grant or deny access to that resource
>>>>
>>>>
>>>> According to documentation I should be able to reach that goal by only
>>>> configuring the existing PIPs and PEPs, right? What I have done so far is:
>>>>
>>>> - installed and tested the
>>>> org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout, and I
>>>> am stuck now at "5. configuration"
>>>>
>>>> - created a new_security_descriptor.xml copying
>>>> /usr/local/globus/etc/globus/globus_wsrf_core/global_security_descriptor.xml
>>>>
>>>> - added (not exchanged with the old global_security_descriptor.xml, that uses
>>>> gridmap-authorization) the new_security_descriptor.xml to the
>>>> server-config.wsdd:
>>>>
>>>> <parameter name="containerSecDesc"
>>>> value="etc/globus_wsrf_core/new_security_descriptor.xml"/>
>>>>
>>>> - added configuration to the new_security_descriptor.xml (see attached file)
>>>>
>>>> - GLOBUS_LOCATION is set correctly and I start the container using the
>>>> globus-start-container script as root, and I get the following exception (I
>>>> just think, the foo must be replaced??):
>>>>
>>>> 2010-09-10T13:02:00.196+02:00 DEBUG axis.MessageContext [main,setService:942]
>>>> MessageContext:
>>>> setServiceHandler(org.apache.axis.handlers.soap.soapserv...@476dc5c9)
>>>> [JWSCORE-114] Failed to start container: [JWSCORE-200] Container failed to
>>>> initialize [Caused by: [Caused by: [JWSSEC-165] Error loading interceptor:
>>>> "Interceptor:
>>>> xacmlAuthZ:org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout"]]
>>>>
>>>>
>>>> So I am stuck at this point, and I would be grateful for any help. I
>>>> additionally have got some general questions, which I want to post here:
>>>>
>>>> - Is it possible to use the PIPs and PDPs just by configuring or do I have to
>>>> implement the functionality myself?
>>>>
>>>> - Are there any examples of XACML PDP and PIP usage with just configuration
>>>> (IF it is intended to work that way)?
>>>> Or do I have to implement the PDP callout myself as done in the XACML test
>>>> cases delivered with the XACML callout code?
>>>>
>>>> I hope the information I provided is complete enough to make sense, if not
>>>> please feel free to ask :)
>>>>
>>>>
>>>> Thanks for any hint you can provide.
>>>> Have a nice weekend.
>>>> *fu*

-- 
-----------------------------------------------------------------------
Stefan E. Funk                      DAASI International GmbH
Phone DAASI : +49 7071 407109-6     Europaplatz 3
Phone SUB   : +49 551 39-7700       D-72072 Tübingen
Email       : [email protected]       Germany
Web         : http://www.daasi.de
Directory Applications for Advanced Security and Information Management
-----------------------------------------------------------------------
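An added check, not from this thread or the Globus Toolkit, that scans a security-config XML for <ObligationId> values missing the "2.0" segment described above. The sample XML and its param namespace URI are constructed; the scan matches on the element's local name only, so it does not assume the exact Globus descriptor layout.

```python
"""Scan a security-config XML for ObligationId values that lack the
XACML 2.0 segment (http://authz-interop.org/xacml/2.0/obligation/...).
The Globus descriptor schema is not reproduced here (assumption): the
scan keys on the element's local name, independent of prefix or parent.
"""
import xml.etree.ElementTree as ET

EXPECTED_USERNAME_OBLIGATION = "http://authz-interop.org/xacml/2.0/obligation/username"
EXPECTED_PREFIX = "http://authz-interop.org/xacml/2.0/obligation/"
STALE_PREFIX = "http://authz-interop.org/xacml/obligation/"

# Constructed sample: one correct and one stale ObligationId. The
# 'param' namespace URI is a placeholder, not the Globus one.
SAMPLE_CONFIG = """<securityConfig xmlns:param="urn:example:param">
  <obligationHandler>
    <param:ObligationId>http://authz-interop.org/xacml/2.0/obligation/username</param:ObligationId>
  </obligationHandler>
  <obligationHandler>
    <param:ObligationId>http://authz-interop.org/xacml/obligation/username</param:ObligationId>
  </obligationHandler>
</securityConfig>
"""


def local_name(tag):
    # ElementTree encodes namespaces as '{uri}name'; keep only 'name'.
    return tag.rsplit("}", 1)[-1]


def find_obligation_ids(xml_text):
    """Return every ObligationId text value in document order."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter()
            if local_name(el.tag) == "ObligationId"]


def check_obligation_ids(xml_text):
    """Return (value, problem) pairs for ids outside the 2.0 namespace."""
    problems = []
    for value in find_obligation_ids(xml_text):
        if value.startswith(EXPECTED_PREFIX):
            continue
        if value.startswith(STALE_PREFIX):
            fixed = EXPECTED_PREFIX + value[len(STALE_PREFIX):]
            problems.append((value, f"missing '2.0' segment; expected {fixed}"))
        else:
            problems.append((value, "unexpected obligation namespace"))
    return problems


if __name__ == "__main__":
    for value, problem in check_obligation_ids(SAMPLE_CONFIG):
        print(f"{value}: {problem}")
```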
