Your code looks correct to me. I don't see why a delegation service interaction 
is needed; you are using GSI Secure Conversation with delegation, and that 
should delegate the user's credential to Service A. The security configuration 
and the setServiceOwnerFromContext() call look correct. I would get more logging at 
service A to see what the issue is in the calls to Service B.

One potential issue could be that calls to Service B from Service A are from a 
separate thread such that the client's delegated credentials (available in the 
Invocation Subject) are not used. You can explicitly set the delegated 
credential on the stub for calls to Service B (like the code you pasted from 
your client).

Rachana

On Jan 19, 2011, at 9:47 PM, Alisson Wilker wrote:

> My client app is a standalone application. It is not running inside the 
> globus container, but it is in the same machine. This is how I tried to 
> delegate credentials through the DelegationFactoryService:
> 
>               GlobusCredential credential = null;
>               credential = GlobusCredential.getDefaultCredential();
> 
>               int lifetime = 12 * 60 * 60;
> 
>               ClientSecurityDescriptor secDesc = new ClientSecurityDescriptor();
>               secDesc.setGSISecureConv(Constants.ENCRYPTION);
>               secDesc.setAuthz(HostAuthorization.getInstance());
> 
>               EndpointReferenceType delegationFactoryEndpoint = new EndpointReferenceType();
>               delegationFactoryEndpoint.setAddress(new Address(
>                               credentialDelegationFactoryServiceURL));
> 
>               // Get the public key to delegate on.
>               X509Certificate[] certsToDelegateOn = null;
>               certsToDelegateOn = DelegationUtil.getCertificateChainRP(
>                               delegationFactoryEndpoint, secDesc);
>               X509Certificate certToSign = certsToDelegateOn[0];
> 
>               // send to delegation service and get epr.
>               EndpointReferenceType credentialEndpoint = null;
>               credentialEndpoint = DelegationUtil.delegate(
>                               credentialDelegationFactoryServiceURL, credential, certToSign,
>                               lifetime, false, secDesc);
> 
> Before calling service A, I also set security properties on the stub:
> 
>               (port)._setProperty(Constants.GSI_SEC_CONV, Constants.ENCRYPTION);
>               (port)._setProperty(GSIConstants.GSI_MODE,
>                               GSIConstants.GSI_MODE_FULL_DELEG);
> 
> Service A security configuration file looks like:
> 
> <securityConfig xmlns="http://www.globus.org" xmlns:tns="Service_instance">
> 
> <method name="tns:createAgreement">
>   <run-as>
>     <caller-identity/>
>   </run-as>
>  <auth-method>
>   <GSISecureConversation/>
>  </auth-method>
> </method>
> 
>  <auth-method>
>   <GSISecureConversation/>
>  </auth-method>
>   
>  <!--authz value="none"/-->
> 
> </securityConfig>
> 
> In ServiceA.createAgreement(), before calling Service B, I do:
> 
> SecurityManager.getManager().setServiceOwnerFromContext(); 
> 
> and also try to retrieve the credential from the EPR returned to the client 
> by the DelegationFactoryService. However, the credential is not accepted by 
> the DelegationService, because it is still a host credential.
> 
> I confirmed that the Invocation Subject is correctly set to my client user, 
> however System and Service subjects have host's distinguished name, not 
> user's.
> 
> Thanks for your help.
> 
> 
> On Thu, Jan 20, 2011 at 12:52 AM, Rachana Ananthakrishnan 
> <[email protected]> wrote:
> If client app did delegate to Service A, you need to see where the delegated 
> credential is stored and use that for Service A call.
> 
> Your question is how the client app can get the user credential: that depends 
> on where it is running and whether it has access to user's certificate or 
> proxy certificate. 
> 
> The code you provided is something that can only be used on a service that is 
> implemented on the Java WS core stack. If you are looking to find the 
> delegated credential on the Service A, then this code should help. But from 
> your error message it appears that the subject is not a delegated credential. 
> How did you delegate from client to Service A?
> 
> Rachana
> 
> On Jan 19, 2011, at 7:38 PM, Alisson Wilker wrote:
> 
>> Hi, I have a simple problem that's driving me crazy. Maybe you could help me.
>> 
>> A client application should contact service A that should then contact 
>> service B. However, when A calls service B it does it with host credentials, 
>> not with the user credentials A received from the client app. I've tried to 
>> delegate credentials, but how can I get user credentials on my client app? 
>> The client app is not a globus service, so I can't make:
>> 
>>              Subject subject = (Subject)MessageContext.getCurrentContext().getProperty(
>>                      org.globus.wsrf.impl.security.authentication.Constants.PEER_SUBJECT);
>>              GlobusCredential credential = null;
>>              if( (GlobusGSSCredentialImpl)JaasGssUtil.getCredential(subject) == null )
>>                      throw new Exception("No Credentials associated with subject "+subject);
>>              credential = ((GlobusGSSCredentialImpl)JaasGssUtil.getCredential(subject)).getGlobusCredential();
>> 
>> If I do so, it will throw me the exception: "No Credentials associated with 
>> subject ".
>> 
>> I think it has a simple solution, but it's driving me crazy. Need your help 
>> please.
>> 
>> Thanks in advance.
>> 
>> -- 
>> []s
>> Alisson Wilker
>> 
>> "The success depends on three elements: courage, knowledge and opportunity. 
>> Therefore, be bold and get ready. Because the opportunity... that will 
>> come!" (Alisson Wilker)
>> 
>> "Success is being able to do and know things that just a few people around 
>> you did or knew by means of your responsible effort." (Alisson Wilker)
>> 
>>   
>> 
> 
> Rachana Ananthakrishnan
> Argonne National Lab | University of Chicago
> 
> 
> 
> 
> -- 
> []s
> Alisson Wilker
> 
> "The success depends on three elements: courage, knowledge and opportunity. 
> Therefore, be bold and get ready. Because the opportunity... that will come!" 
> (Alisson Wilker)
> 
> "Success is being able to do and know things that just a few people around 
> you did or knew by means of your responsible effort." (Alisson Wilker)
> 
>   
> 

Rachana Ananthakrishnan
Argonne National Lab | University of Chicago
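
One way to apply the suggestion in the top reply, as an added example that is not part of the original thread or of the Globus code base: Service A reads the caller's delegated credential on the request thread and sets it explicitly on the Service B stub, so a call made from a worker thread does not fall back to the host credential. The class `DelegatedCallHelper`, its method names and the `serviceBPort` parameter are hypothetical; it assumes the Java WS Core libraries on the classpath, that Service B also uses GSI Secure Conversation, and that `GSIConstants.GSI_CREDENTIALS` is the stub property that carries an explicit credential.

```java
import javax.security.auth.Subject;
import javax.xml.rpc.Stub;

import org.apache.axis.MessageContext;
import org.globus.axis.gsi.GSIConstants;
import org.globus.gsi.jaas.JaasGssUtil;
import org.globus.wsrf.security.Constants;
import org.ietf.jgss.GSSCredential;

// Hypothetical helper for Service A (added example, not code from the thread).
public final class DelegatedCallHelper {

    private DelegatedCallHelper() {}

    // Call this on the request thread, inside createAgreement(), while the
    // message context is still bound. A worker thread started later has no
    // message context and would not see the caller's subject.
    public static GSSCredential captureDelegatedCredential() throws Exception {
        MessageContext ctx = MessageContext.getCurrentContext();
        if (ctx == null) {
            throw new IllegalStateException("No message context on this thread");
        }
        Subject peer = (Subject) ctx.getProperty(
                org.globus.wsrf.impl.security.authentication.Constants.PEER_SUBJECT);
        if (peer == null) {
            throw new SecurityException("Caller was not authenticated");
        }
        GSSCredential cred = JaasGssUtil.getCredential(peer);
        if (cred == null) {
            // Fail closed instead of silently calling Service B as the host.
            throw new SecurityException("Caller did not delegate a credential");
        }
        return cred;
    }

    // Safe to call from any thread: the credential is passed in explicitly
    // rather than looked up from thread-bound state.
    public static void useCredential(Object serviceBPort, GSSCredential cred) {
        if (cred == null) {
            throw new IllegalArgumentException("Delegated credential is required");
        }
        Stub stub = (Stub) serviceBPort;
        stub._setProperty(GSIConstants.GSI_CREDENTIALS, cred);
        stub._setProperty(Constants.GSI_SEC_CONV, Constants.ENCRYPTION);
    }
}
```

Logging the credential's `getName()` just before the call to Service B shows whether the user's distinguished name or the host's is being presented.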
