OK, Rachana. I didn't find the problem, but I followed Borja Sotomayor's
delegation example from the book Globus® Toolkit 4 : Programming Java
Services and now it seems to work correctly.

Thank you very much for your help.

On Thu, Jan 20, 2011 at 1:20 PM, Rachana Ananthakrishnan <
[email protected]> wrote:

> Your code looks correct to me. I don't see why a delegation service
> interaction is needed, you are using GSI Secure Conversation with
> delegation, and that should delegate the user's credential to Service A. The
> security configuration and the setServiceOwnerFromContext() look correct. I
> would get more logging at service A to see what the issue is in the calls to
> Service B.
>
> One potential issue could be that calls to Service B from Service A are
> from a separate thread such that the client's delegated credentials
> (available in the Invocation Subject) are not used. You can explicitly set
> the delegated credential on the stub for calls to Service B (like the code
> you pasted from your client).
>
> Rachana
>
> On Jan 19, 2011, at 9:47 PM, Alisson Wilker wrote:
>
> My client app is a standalone application. It is not running inside the
> globus container, but it is in the same machine. This is how I tried to
> delegate credentials through the DelegationFactoryService:
>
> GlobusCredential credential = null;
> credential = GlobusCredential.getDefaultCredential();
>
> int lifetime = 12 * 60 * 60;
>
> ClientSecurityDescriptor secDesc = new ClientSecurityDescriptor();
> secDesc.setGSISecureConv(Constants.ENCRYPTION);
> secDesc.setAuthz(HostAuthorization.getInstance());
>
> EndpointReferenceType delegationFactoryEndpoint = new EndpointReferenceType();
> delegationFactoryEndpoint.setAddress(
>     new Address(credentialDelegationFactoryServiceURL));
>
> // Get the public key to delegate on.
> X509Certificate[] certsToDelegateOn = null;
> certsToDelegateOn = DelegationUtil.getCertificateChainRP(
>     delegationFactoryEndpoint, secDesc);
> X509Certificate certToSign = certsToDelegateOn[0];
>
> // send to delegation service and get epr.
> EndpointReferenceType credentialEndpoint = null;
> credentialEndpoint = DelegationUtil.delegate(
>     credentialDelegationFactoryServiceURL, credential, certToSign,
>     lifetime, false, secDesc);
>
> Before calling service A, I also set security properties on the stub:
>
> (port)._setProperty(Constants.GSI_SEC_CONV, Constants.ENCRYPTION);
> (port)._setProperty(GSIConstants.GSI_MODE,
>     GSIConstants.GSI_MODE_FULL_DELEG);
>
> Service A security configuration file looks like:
>
> <securityConfig xmlns="http://www.globus.org"
>                 xmlns:tns="Service_instance">
>
>   <method name="tns:createAgreement">
>     <run-as>
>       <caller-identity/>
>     </run-as>
>     <auth-method>
>       <GSISecureConversation/>
>     </auth-method>
>   </method>
>
>   <auth-method>
>     <GSISecureConversation/>
>   </auth-method>
>
>   <!--authz value="none"/-->
>
> </securityConfig>
>
> In ServiceA.createAgreement(), before calling Service B, I do:
>
> SecurityManager.getManager().setServiceOwnerFromContext();
>
> and also try to retrieve the credential from the EPR returned to the client
> by the DelegationFactoryService. However, the credential is not accepted by
> the DelegationService, because it is still a host credential.
>
> I confirmed that the Invocation Subject is correctly set to my client user,
> however System and Service subjects have host's distinguished name, not
> user's.
>
> Thanks for your help.
>
>
> On Thu, Jan 20, 2011 at 12:52 AM, Rachana Ananthakrishnan <
> [email protected]> wrote:
>
>> If client app did delegate to Service A, you need to see where the
>> delegated credential is stored and use that for Service A call.
>>
>> Your question is how the client app can get the user credential: that
>> depends on where it is running and whether it has access to user's
>> certificate or proxy certificate.
>>
>> The code you provided is something that can only be used on a service that
>> is implemented on the Java WS core stack. If you are looking to find the
>> delegated credential on the Service A, then this code should help. But from
>> your error message it appears that the subject is not a delegated
>> credential. How did you delegate from client to Service A?
>>
>> Rachana
>>
>> On Jan 19, 2011, at 7:38 PM, Alisson Wilker wrote:
>>
>> Hi, I have a simple problem that's driving me crazy. Maybe you could help
>> me.
>>
>> A client application should contact service A that should then contact
>> service B. However, when A calls service B it does it with host credentials,
>> not with the user credentials A received from the client app. I've tried to
>> delegate credentials, but how can I get user credentials on my client app?
>> The client app is not a globus service, so I can't make:
>>
>> Subject subject = (Subject) MessageContext.getCurrentContext().getProperty(
>>     org.globus.wsrf.impl.security.authentication.Constants.PEER_SUBJECT);
>> GlobusCredential credential = null;
>> if ((GlobusGSSCredentialImpl) JaasGssUtil.getCredential(subject) == null)
>>     throw new Exception("No Credentials associated with subject " + subject);
>> credential = ((GlobusGSSCredentialImpl) JaasGssUtil.getCredential(subject))
>>     .getGlobusCredential();
>>
>> If I do so, it will throw me the exception: "No Credentials associated
>> with subject ".
>>
>> I think it has a simple solution, but it's driving me crazy. Need your
>> help please.
>>
>> Thanks in advance.
>>
>> --
>> []s
>> Alisson Wilker
>>
>> "The success depends on three elements: courage, knowledge and
>> opportunity. Therefore, be bold and get ready. Because the opportunity...
>> that will come!" (Alisson Wilker)
>>
>> "Success is being able to do and know things that just a few people around
>> you did or knew by means of your responsible effort." (Alisson Wilker)
>>
>> <http://www.twitter.com/alissonwilker> 
>> <http://picasaweb.google.com/alissonwilker>
>>   <http://www.youtube.com/alissonwilker>
>>
>>
>>   Rachana Ananthakrishnan
>> Argonne National Lab | University of Chicago
>>
>>
>


-- 
[]s
Alisson Wilker

"The success depends on three elements: courage, knowledge and opportunity.
Therefore, be bold and get ready. Because the opportunity... that will
come!" (Alisson Wilker)

"Success is being able to do and know things that just a few people around
you did or knew by means of your responsible effort." (Alisson Wilker)

<http://www.twitter.com/alissonwilker>
<http://picasaweb.google.com/alissonwilker>
  <http://www.youtube.com/alissonwilker>
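
The possibility raised in the quoted reply above (Service A calling Service B from a separate thread, so the client's delegated credential in the Invocation Subject is not used) can be modelled with plain JDK classes. This is an added example, not code from the thread or from the Globus Toolkit: the per-thread context is assumed to behave like a ThreadLocal, and ServiceBStub, setCredential and the DNs are hypothetical, constructed names.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class DelegatedCredentialThreadDemo {
    // Stand-in for the container's per-thread invocation context (assumption:
    // modelled as a plain ThreadLocal; this is not the Globus implementation).
    static final ThreadLocal<String> INVOCATION_SUBJECT = new ThreadLocal<>();
    // Constructed host DN used when no user credential is visible.
    static final String HOST_CREDENTIAL = "/O=Example/CN=host/serviceA.example.org";

    // Hypothetical Service B stub: prefers a credential set explicitly on it,
    // then the calling thread's context, then falls back to the host credential.
    static final class ServiceBStub {
        private String explicitCredential;
        void setCredential(String credential) { explicitCredential = credential; }
        String call() {
            if (explicitCredential != null) return explicitCredential;
            String fromThread = INVOCATION_SUBJECT.get();
            return fromThread != null ? fromThread : HOST_CREDENTIAL;
        }
    }

    // Service A's operation; the call to Service B runs on a worker thread.
    static String createAgreement(boolean setExplicitly) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            ServiceBStub stub = new ServiceBStub();
            if (setExplicitly) {
                // Capture on the request thread, where the context still exists,
                // and attach it to the stub before handing off to the worker.
                stub.setCredential(INVOCATION_SUBJECT.get());
            }
            Callable<String> task = stub::call;
            return worker.submit(task).get();
        } finally {
            worker.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        INVOCATION_SUBJECT.set("/O=Example/CN=Alice User"); // constructed user DN
        // Worker thread has no invocation context: Service B sees the host DN.
        System.out.println("implicit: " + createAgreement(false));
        // Credential set on the stub explicitly: Service B sees the user DN.
        System.out.println("explicit: " + createAgreement(true));
    }
}
```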
