Hi Alex,
As you know we have been working on supporting secure workflows in the
Taverna Workflow Service, I have a question regarding "Loading the
Truststore" in credential manager. Currently, it pops up a Dialog
asking for MasterPassword (Line 467 in CredentialManager.java in
version 1.0) when it is executed for the first time. Is it possible
to provide the master password programmatically instead of popping up a
UI, something similar to how we provided a master password to the CM
using the SPI?
Currently this is the only GUI dialog prompt that is left to be
overridden in order to run it in a headless mode. Any suggestions
please?
I am using 1.0 version of the CM.
Thanks, -Dina
On Nov 24, 2009, at 3:27 AM, Alexandra Nenadic wrote:
Dinanath Sulakhe wrote:
Hi Alex,
Can I implement the MasterPasswordProviderSPI interface within my
own package, or say in cagrid-activity plugin
(net.sf.taverna.cagrid.activity.MyPasswordProvider) or does it have
to be inside Credential-Manager package
(net.sf.taverna.t2.security.credentialmanager.MyPasswordProvider)?
Yes - you can put it anywhere as it is an SPI (you also need to put
a file named
net.sf.taverna.t2.security.credentialmanager.MasterPasswordProviderSPI
that contains the full class name of your implementation in the
/resources/META-INF/services of your package).
public class MyPasswordProvider implements MasterPasswordProviderSPI {
    // Priority hint: the higher the number, the earlier this provider is asked.
    public int canProvidePassword() {
        return 1;
    }
    // Returns the Credential Manager master password.
    public String getPassword() {
        return "somePassword";
    }
}
Also, how can I set a higher priority on my implementation? Can you
send me some pointer on how to do that?
Method canProvidePassword() provides a hint - the higher number you
provide the sooner it would be checked if it can provide a password.
Alex
Thanks,
-Dina
On Nov 23, 2009, at 4:09 AM, Alexandra Nenadic wrote:
Hi Dina,
The master provider SPI is in
net.sf.taverna.t2.security.credentialmanager.MasterPasswordProviderSPI.
Alex
Dinanath Sulakhe wrote:
Hi Alex,
I just noticed that in the CredentialManager class
CredentialManager.getInstance("password") can only be used from
the UI. (the comment on top of the method says that). Is it
possible to use it programmatically, for example from the
CaGridActivity class (in order to skip UI prompts for master
password when used in the workflow service).
-Dina
PS: forgot to CC Stian in my previous mail below :) Copying him
now.
On Nov 20, 2009, at 6:50 AM, Dinanath Sulakhe wrote:
Hi Alex,
Thanks for the info. I realized it after a little more
debugging. Initially we thought we could completely skip the CM
parts, but I think we can't (rather shouldn't), unless we want
to write a new one (which we don't).
- Can we somehow override the GUI prompts asking for (1) the master
password for the CA and (2) the user's username/password for
Dorian? Looking at the code, I think (2) could be done easily,
but I am not sure about (1).
Do you think the following logic would work:
- I can check if Taverna is executing within Service or
workbench by setting some Env. variable.
- When running within Workflow Service, we want to avoid GUI
Prompts.
- Get/initialize CM instance without a UI prompt.
- I thought I can, but
CredentialManager.getInstance("password") isn't working in
CaGridActivity.java. I can see that there is a getInstance
method that takes master password as argument, but when I add
it, I get an error saying the method doesn't take string
argument !!
- when it comes to getting the user's proxy from the CM or by
prompting username/password (within getGSSCredential() on
CaGridWSDLSOAPInvoker), I can get it from CDS or from a custom
location on the filesystem.
Do you see any problems in this approach?
Thanks for your help Alex,
Cheers, -Dina
On Nov 20, 2009, at 5:00 AM, Alexandra Nenadic wrote:
Hi Dina,
The error that you get is probably because you are trying to
access a caGrid service that is behind HTTPS and Taverna cannot
establish a connection to it as the service 'is not trusted' in
the sense that the certificate of the service cannot be
verified. That's what the loadCaGridCAsCertificates() method
is for - it will load all caGrid CA's certificates (6 or 7 of
them) into Cred. Manager's truststore and then will set this
truststore to be used by Java to verify if a service is trusted
when establishing HTTPS connections. There is a trusted-certificate
folder under resources in the cagrid-activity module
where these certs are read from and loaded into Cred. Manager's
truststore. The bad thing is that we do not update these
certificates nor check for their expiration or revocation. By
setting them - all caGrid services should be 'trusted' as their
certificates will be signed by one of the CAs whose certs we
have loaded into the truststore. We also had to do some tweaks
with certificate's hostname verification as some caGrid
services had their common name as "HOST/bla.bla.com" instead of
"bla.bla.com" but you should not have any problems as long as
common name of your service matches the server's name.
Hope this helps.
Alex
Dinanath Sulakhe wrote:
On Nov 19, 2009, at 4:43 AM, Dinanath Sulakhe wrote:
Hi Alex,
Thanks for the details you sent earlier. Now that I am
debugging them, it makes sense to me. I kind of understand it
but I still have a few questions:
On Oct 30, 2009, at 1:18 PM, Alexandra Nenadic wrote:
Hi Dina,
Here are some details on how we implemented security in
cagrid plugin. You can download the source code from:
https://gforge.nci.nih.gov/svnroot/taverna-cagrid/trunk/
You'd need the cagrid-activity, cagrid-activity-ui and
cagrid-wsdl-generic modules.
CaGridActivity.executeAsynch() method is where the execution
of the client that tries to connect to the service takes
place. The first thing this method will do is try to
configure security by invoking the configureSecurity()
method on the activity. This method will check if security
settings have already been obtained for this endpoint,
otherwise will invoke the getServiceSecurityMetadata()
method to fetch security properties. At this point, we have
obtained enough information to know what kind of security
the service expects but we have not actually fetched the
user's proxy.
The above part makes sense to me. We don't need to make any
changes here I guess. But before reaching the executeAsynch()
method, the initializeSecurity() method is invoked. One of the
methods in there is loadCaGridCAsCertificates() that involves
initializing the CredentialManager(CM) with GUI (asking CM
Master password). We somehow need to skip this part as we
don't want to use CM when inside Workflow Service (right?).
We will be storing user's credential in some custom path and
the Workflow Service can later override the
CaGridWSDLSOAPInvoker .getGSSCredential() method and get the
credentials on its own (and not from CM).
Does this make sense? Basically, I want to put a flag such
that if it is inside workflow service, I want to completely
avoid CM. I can probably do it easily in the
CaGridWSDLSOAPInvoker .getGSSCredential() while fetching the
credential, but I need to skip the CM initialization process
also so as to skip the GUI asking for master password.
If I comment the loadCaGridCAsCertificates() method
completely or if I just comment the CM parts in that method,
I get the following error:
After debugging a little more, the error is coming from the
configure() method in the CaGridActivity.java, specifically it
fails in the parseWSDL() method. It happens when I take out
the CM parts from the loadCaGridCAsCertificates() method.
-Dina
sun.security.validator.ValidatorException: PKIX path building
failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target.
** This error pops up in GUI (Something like
JOptionPane.showMessageDialog(...))
I am running this from Eclipse and I have attached the cagrid-activity
source code to the debugger. I will continue to debug this.
Thanks, -Dina
This happens in the invoke() method on the
CaGridWSDLSOAPInvoker, where we fill the Axis call with the
security settings and fetch the user's proxy either from
Credential Manager (if it has it) or from Dorian (by asking the
user to provide username and password). Fetching of the
credential happens in the method called getGSSCredential()
on the CaGridWSDLSOAPInvoker, and I suppose you can override
this method to get user's proxy in some other way. There was
a reason why we separated fetching the security properties
and the proxy itself, but I won't bother you with the
details :-).
Hope it makes sense (or it will when you have a look at the
source code).
Regards,
Alex
--------------------------
Dinanath Sulakhe
The Globus Alliance
Computation Institute, University of Chicago &
Math and Computer Science Division, Argonne National Laboratory.
Ph: (630) 252-7856
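As an added example (not Taverna's or the cagrid-activity plugin's own code), here is what a headless MasterPasswordProviderSPI implementation along the lines Alex describes could look like, written for the Workflow Service case Dina asks about at the top of the thread. It assumes the interface has exactly the two methods shown in Alex's snippet (a stand-in declaration is included only so the file compiles alone), that a null return from getPassword() means "cannot provide", and that the environment variable name TAVERNA_MASTER_PASSWORD_FILE is hypothetical. The selector at the bottom mirrors the priority ordering Alex explains (higher canProvidePassword() hint is consulted first); the real Credential Manager loop may differ in details.

```java
// Added example (not Taverna's own code): a headless master-password provider
// for the Workflow Service, plus a small stand-in selector that picks the
// highest-priority provider, as Alex describes canProvidePassword() working.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.ServiceLoader;
import java.util.Set;

public class HeadlessMasterPasswordDemo {

    /** Stand-in for net.sf.taverna.t2.security.credentialmanager.MasterPasswordProviderSPI,
     *  declared here only so this file compiles on its own (assumed to match the
     *  two methods in the thread). In the plugin, implement the real interface. */
    public interface MasterPasswordProviderSPI {
        int canProvidePassword();
        String getPassword();
    }

    /** Headless provider: reads the master password from a file named by an
     *  environment variable (hypothetical name) instead of showing a dialog. */
    public static class HeadlessPasswordProvider implements MasterPasswordProviderSPI {
        static final String ENV_VAR = "TAVERNA_MASTER_PASSWORD_FILE"; // hypothetical

        @Override
        public int canProvidePassword() {
            // High hint so this provider is consulted before the GUI one.
            return 100;
        }

        @Override
        public String getPassword() {
            String location = System.getenv(ENV_VAR);
            if (location == null) {
                return null; // not configured: defer to a lower-priority provider
            }
            Path file = Paths.get(location);
            try {
                rejectIfReadableByOthers(file);
                String pw = new String(Files.readAllBytes(file), StandardCharsets.UTF_8).trim();
                return pw.isEmpty() ? null : pw;
            } catch (IOException e) {
                return null;
            }
        }

        /** Refuse a password file that other accounts on the host can read. */
        private static void rejectIfReadableByOthers(Path file) throws IOException {
            Set<PosixFilePermission> perms;
            try {
                perms = Files.getPosixFilePermissions(file);
            } catch (UnsupportedOperationException e) {
                return; // non-POSIX filesystem: permissions cannot be checked here
            }
            if (perms.contains(PosixFilePermission.OTHERS_READ)
                    || perms.contains(PosixFilePermission.GROUP_READ)) {
                throw new IOException("master password file is readable by others: " + file);
            }
        }
    }

    /** Ask providers in descending order of their hint; first non-null password wins. */
    public static String resolveMasterPassword(List<MasterPasswordProviderSPI> providers) {
        List<MasterPasswordProviderSPI> ordered = new ArrayList<>(providers);
        ordered.sort(Comparator.<MasterPasswordProviderSPI>comparingInt(
                MasterPasswordProviderSPI::canProvidePassword).reversed());
        for (MasterPasswordProviderSPI p : ordered) {
            String pw = p.getPassword();
            if (pw != null) {
                return pw;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // In the plugin, discovery goes through the services file
        // META-INF/services/net.sf.taverna.t2.security.credentialmanager.MasterPasswordProviderSPI
        // containing one line: the implementation's fully qualified class name.
        List<MasterPasswordProviderSPI> providers = new ArrayList<>();
        for (MasterPasswordProviderSPI p : ServiceLoader.load(MasterPasswordProviderSPI.class)) {
            providers.add(p);
        }
        providers.add(new HeadlessPasswordProvider()); // registered explicitly for this demo
        String pw = resolveMasterPassword(providers);
        System.out.println(pw == null ? "no provider could supply a password"
                                      : "master password obtained without a dialog");
    }
}
```

Reading the password from a permission-checked file rather than returning a literal keeps the secret out of the plugin jar, and returning null when unconfigured lets the GUI provider still win on the workbench.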
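As a second added example (again not the cagrid-activity module's own code), this shows the truststore approach Alex describes for the Nov 20 PKIX error: read a folder of caGrid CA certificates into an in-memory truststore and install it as the JVM's default trust for HTTPS. It adds the expiry check Alex notes the plugin does not do; revocation checking is still not covered. The folder path, file-name globs and alias scheme are assumptions.

```java
// Added example (not the cagrid-activity module's code): load CA certificates
// from a folder into a truststore, skip expired ones, and make it the default
// trust used by HttpsURLConnection. Folder path and globs are assumed.
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class CaGridTruststoreLoader {

    /** Parse every *.pem, *.crt or *.0 file in the folder as an X.509 certificate. */
    public static List<X509Certificate> readCaCertificates(Path folder)
            throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (DirectoryStream<Path> files = Files.newDirectoryStream(folder, "*.{pem,crt,0}")) {
            for (Path f : files) {
                try (InputStream in = Files.newInputStream(f)) {
                    certs.add((X509Certificate) cf.generateCertificate(in));
                }
            }
        }
        return certs;
    }

    /** Build an in-memory truststore; expired, not-yet-valid or non-CA certs are skipped. */
    public static KeyStore buildTruststore(List<X509Certificate> certs)
            throws GeneralSecurityException, IOException {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // empty, in-memory store
        int n = 0;
        for (X509Certificate c : certs) {
            try {
                c.checkValidity(); // the plugin itself does not do this (per the thread)
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                System.err.println("skipping " + c.getSubjectX500Principal() + ": " + e.getMessage());
                continue;
            }
            if (c.getBasicConstraints() < 0) {
                System.err.println("skipping non-CA certificate " + c.getSubjectX500Principal());
                continue;
            }
            ts.setCertificateEntry("cagrid-ca-" + (n++), c); // alias scheme is assumed
        }
        return ts;
    }

    /** Make the truststore the default for HttpsURLConnection-based clients. */
    public static void installAsDefault(KeyStore truststore) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification is left at the default: the service's name must match.
    }

    public static void main(String[] args) throws Exception {
        // Assumed location; the real folder sits under resources in cagrid-activity.
        Path folder = Paths.get(args.length > 0 ? args[0] : "resources/trusted-certificates");
        List<X509Certificate> certs = readCaCertificates(folder);
        KeyStore ts = buildTruststore(certs);
        installAsDefault(ts);
        System.out.println("loaded " + ts.size() + " of " + certs.size() + " CA certificates");
    }
}
```

Installing the truststore through SSLContext rather than pointing javax.net.ssl.trustStore at a file keeps the caGrid CAs separate from the JVM's default cacerts, which is what makes the "is the service trusted" decision explicit.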
_______________________________________________
taverna-hackers mailing list
[email protected]
Web site: http://www.taverna.org.uk
Mailing lists: http://www.taverna.org.uk/taverna-mailing-lists/
Developers Guide: http://www.mygrid.org.uk/tools/developer-information