Hi Stefan,
The code you are working with is meant to secure any calls to services
hosted on the GT Java WS Core. If I understand the question, you are
looking to secure GridFTP server requests such that they are sent to the
XACML Authorization service to determine access or not - is that
correct? There was an effort, in partnership with OSG here, to secure
GridFTP server with a C XACML callout that can talk to XACML
Authorization service. I have contacted the person who worked on this,
and he is going to respond to this thread.
Rachana
On Oct 18, 2010, at 11:44 AM, Stefan E. Funk wrote:
Hi again,
indeed after working with the XACML and Globus a few questions arose, as I assumed. I'll just explain what exactly I am planning to do:
The XACML service I want to access (via the Globus XACML callout) for every Globus resource that is requested takes three parameters as input and responds with a simple "DENY" or "ALLOW":
It takes the subject DN, the grid resource and the action as parameters, and those are exactly the parameters the ServiceAccessPIP is supposed to gather, isn't it? They would be (taken from http://www.globus.org/toolkit/docs/4.2/4.2.1/security/wsaajava/pip/wsaajava-pip-serviceAccess.html):
The Subject DN of the client (org.globus.wsrf.impl.security.authorization.XACMLConstants.SUBJECT_X509_ID),
the Local part of the operation being invoked (org.globus.wsrf.impl.security.authorization.XACMLConstants.ACTION_ID), and
the String representation of the EPR contacted by the client (org.globus.wsrf.impl.security.authorization.XACMLConstants.RESOURCE_ID)
My question now is: Where exactly would I have to configure these three parameters to send to our XACML service for every resource the Globus users are requesting via GridFTP? As I assume, that would be no custom logic then?
Thanks a lot for all your help!
All the best.
*fu*
On 20.09.10 16:57, Rachana Ananthakrishnan wrote:
- Is it possible to use the PIPs and PDPs just by configuring or do I have to implement the functionality myself?
If the PIP or PDP is shipped out of the box, like the XACML one, or any of the others listed here http://www.globus.org/toolkit/docs/4.2/4.2.1/security/wsaajava/pdp/, you should be able to just configure it and not implement anything. If you want custom logic in your PDPs and PIPs, you can implement the interface and configure it in.
--
-----------------------------------------------------------------------
Stefan E. Funk
DAASI International GmbH    Phone DAASI : +49 7071 407109-6
Europaplatz 3               Phone SUB   : +49 551 39-7700
D-72072 Tübingen            Email       : [email protected]
Germany                     Web         : http://www.daasi.de
Directory Applications for Advanced Security and Information Management
-----------------------------------------------------------------------
Rachana Ananthakrishnan
Argonne National Lab | University of Chicago