Hi Stefan,

The code you are working with is meant to secure any calls to services hosted on the GT Java WS Core. If I understand the question, you are looking to secure GridFTP server requests such that they are sent to the XACML Authorization service to determine access or not - is that correct? There was an effort, in partnership with OSG here, to secure the GridFTP server with a C XACML callout that can talk to the XACML Authorization service. I have contacted the person who worked on this, and he is going to respond to this thread.

Rachana

On Oct 18, 2010, at 11:44 AM, Stefan E. Funk wrote:

Hi again,

indeed after working with XACML and Globus a few questions arose, as I
assumed. I will just explain what exactly I am planning to do:

The XACML service I want to access (via the Globus XACML callout) for every Globus resource that is requested takes three parameters as input and responds
with a simple "DENY" or "ALLOW":

It takes the subject DN, the grid resource and the action as parameters, and those are exactly the parameters the ServiceAccessPIP is supposed to gather,
aren't they? They would be (taken from
http://www.globus.org/toolkit/docs/4.2/4.2.1/security/wsaajava/pip/wsaajava-pip-serviceAccess.html) :

The Subject DN of the client
(org.globus.wsrf.impl.security.authorization.XACMLConstants.SUBJECT_X509_ID),
the Local part of the operation being invoked
(org.globus.wsrf.impl.security.authorization.XACMLConstants.ACTION_ID), and
the String representation of the EPR contacted by the client
(org.globus.wsrf.impl.security.authorization.XACMLConstants.RESOURCE_ID)

My question now is: Where exactly would I have to configure these three parameters to send to our XACML service for every resource the Globus users are requesting via GridFTP? As I assume, that would be no custom logic then?

Thanks a lot for all your help!

All the best.
*fu*


On 20.09.10 16:57, Rachana Ananthakrishnan wrote:
- Is it possible to use the PIPs and PDPs just by configuring or do I
have to implement the functionality myself?

If the PIP or PDP is shipped out of the box, like the XACML one, or any of
the others listed here
http://www.globus.org/toolkit/docs/4.2/4.2.1/security/wsaajava/pdp/, you should be able to just configure it and not implement anything. If you want custom logic in your PDPs and PIPs, you can implement the interface
and configure it in.


--
-----------------------------------------------------------------------
Stefan E. Funk
DAASI International GmbH    Phone DAASI : +49 7071 407109-6
Europaplatz 3               Phone SUB   : +49 551 39-7700
D-72072 Tübingen            Email       : [email protected]
Germany                     Web         : http://www.daasi.de

Directory Applications for Advanced Security and Information Management
-----------------------------------------------------------------------

Rachana Ananthakrishnan
Argonne National Lab | University of Chicago
