WSMetacatService a GT4 Web Service Wrapper for Metacat


Author: Terry Fleury (tfleury@ncsa.uiuc.edu)
Date: October 3, 2005

Summary

In addition to the GSI-enabling of the https connection to Metacat, work was done to allow the Metacat client API to be accessible via web services. To do this, a Globus Toolkit 4 Java WS Core wrapper was placed around the Metacat client jars. Additionally, two new login methods were coded to circumvent the need to pass the user's password to the Metacat server.

On September 20, 2005, the LTERgrid Pilot application was demonstrated, showing how the connection between a Metacat client and a Metacat server could be secured using a GSI-enabled https connection. Bill Baker (bbaker@ncsa.uiuc.edu) implemented many changes within the core Metacat client/server code to allow a new protocol, httpg, to be used. At the same time, I worked on making Metacat accessible via web service protocols. By using the Java WS Core portion of the Globus Toolkit 4.0.1, I created a web services front-end for Bill's modified Metacat client. This WSMetacatService was not deployed anywhere and was done solely as an exercise.

Web Service Overview

The WSMetacatService GT4 web service relies on the connection between client and server being performed over a GT4 gsi-secure https connection. This is done using an X.509 credential when connecting from a web service client to the WSMetacatService. When deployed, the web service is wrapped as in the following diagram.

[Diagram: a Tomcat 5.0.x container holds the GT4.x container, which holds the WSMetacatService exposing query(xmlquery); the WSMetacatService calls into the Metacat client jars, which provide login(username,passwd), login(gsscredential), login(dn), query(xmlquery) and logout().]

First, the Metacat client jars (utilities.jar, metacat.jar, and metacat-client.jar) are compiled incorporating the changes made by Bill Baker to allow login with either a gsscredential or a distinguished name (DN). Then the WSMetacatService is compiled with these jars. This generates a .gar file which can be deployed to a GT4 container. Finally, this Globus container can be deployed to a modified (to allow gsi-https connections) Tomcat 5.0.x installation, resulting in a web service implementation of Metacat. Information for configuring Tomcat 5.0.x to accept Globus gsi-https connections can be found in the GT4 Java WS Core System Administrator's Guide.

On the client side, a web service client first connects to a MyProxy server where it gets a user's proxy certificate using a username/password (presumably entered in by the user). The client then gets an endpoint reference and porttype for the WSMetacatService and sets the GSI_CREDENTIALS property on the client stub. Then, by connecting to the Tomcat server on the gsi-https port, this credential gets passed to the WSMetacatService.

[Diagram: the WS client sends name/passwd to the MyProxy server and receives a proxy cert; the client sets GSI_CREDENTIALS on the client stub and connects to the WSMetacatService.]

How much of the credential gets passed depends on the type of connection made. For example, the login(gsscredential) method requires a full credential, thus the proxy certificate needs to be delegated from the client to the server. To do this easily, GT4 has an authentication method called GSISecureConversation. This provides a mechanism for generating a security session, i.e. the negotiation of a shared secret which may be used to secure a set of subsequent messages. It is based on WS-Trust and WS-SecureConversation. It creates a delegation service collocated with the web service such that the gsscredentials specified on the client side can be accessed on the server side.

Alternatively, the login(distinguishedname) method relies on the assumption that the WSMetacatService and the Metacat server are collocated, so that no authentication mechanism is needed. Here, all we need to do is set the transport mechanism to use encryption, still setting the GSI_CREDENTIALS on the client stub. Since we are not doing full delegation of credentials, only the distinguished name (DN) of the proxy certificate is available to the WSMetacatService.

On the server side, only the query(xmlquery) method is exposed as a public method. This is because the query() method implicitly calls the Metacat login()/logout() methods.
The login() method to be used must be decided on the server side at Tomcat startup, because the security settings for a GT4 WS service are declared in a security descriptor and cannot be changed at runtime. This server-side setting then dictates which authentication method must be used by the WS client.

Implementation Details

As with any web services application, and in particular a GT4 WS application, there are many interrelated files that need to be created. I created a directory named ws at the same level as the metacat and utilities directories. Really, it can be placed just about anywhere since it doesn't reference any of the Metacat code directly. Here is a list of the server-side files, in top-down directory order.

ws/globus-build-service.py
ws/globus-build-service.sh
ws/build.xml

These three files are part of the Globus Service Build Tools project (http://gsbt.sourceforge.net/) and are basically a front-end to ant to build Globus Web Services applications. I used the 0.2.5 version of the scripts, unmodified.
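The client-side flow described under Web Service Overview (a proxy from MyProxy, GSI_CREDENTIALS set on the stub, then either GSISecureConversation with delegation for login(gsscredential) or transport-level encryption for login(dn)) looks like this in code. This is an added example, not the original client.java and not Globus project code. The stub classes WSMetacatServiceAddressingLocator and WSMetacatPortType, its query() stub method, the service URL and the MyProxy host name are assumptions; the GSIConstants and Constants property names are the ones from GT4 Java WS Core. Using HostAuthorization on the delegating path is my choice, so that the client checks the server's host identity before handing over a delegated proxy.

```java
import org.apache.axis.client.Stub;
import org.apache.axis.message.addressing.Address;
import org.apache.axis.message.addressing.EndpointReferenceType;
import org.globus.gsi.GSIConstants;
import org.globus.myproxy.MyProxy;
import org.globus.wsrf.impl.security.authentication.Constants;
import org.globus.wsrf.impl.security.authorization.HostAuthorization;
import org.globus.wsrf.impl.security.authorization.NoAuthorization;
import org.ietf.jgss.GSSCredential;

// Hypothetical generated stubs; the names follow the GT4 tutorial convention, not the page.
import edu.lternet.wsmetacat.stubs.WSMetacatPortType;
import edu.lternet.wsmetacat.stubs.service.WSMetacatServiceAddressingLocator;

public class WSMetacatClientExample {

    /** Which login() the service was deployed with; must match the server's security descriptor. */
    public enum LoginMode { GSS_CREDENTIAL, DISTINGUISHED_NAME }

    /** Fetch the user's proxy from MyProxy with the username/password the user typed in. */
    public static GSSCredential proxyFromMyProxy(String host, String user, String password)
            throws Exception {
        MyProxy myproxy = new MyProxy(host, 7512);       // 7512 is the usual MyProxy port
        return myproxy.get(user, password, 12 * 3600);   // requested proxy lifetime in seconds
    }

    /** Build a stub whose security properties match the server-side login mode. */
    public static WSMetacatPortType connect(String serviceUrl, GSSCredential proxy, LoginMode mode)
            throws Exception {
        EndpointReferenceType epr = new EndpointReferenceType();
        epr.setAddress(new Address(serviceUrl));
        WSMetacatPortType port =
                new WSMetacatServiceAddressingLocator().getWSMetacatPortTypePort(epr);
        Stub stub = (Stub) port;

        // In both modes the MyProxy proxy is the credential presented over gsi-https.
        stub._setProperty(GSIConstants.GSI_CREDENTIALS, proxy);

        if (mode == LoginMode.GSS_CREDENTIAL) {
            // login(gsscredential) needs the whole proxy on the server, so run
            // GSISecureConversation with full delegation. Authorize the server's host
            // identity first: a delegated proxy should only go to the expected endpoint.
            stub._setProperty(Constants.GSI_SEC_CONV, Constants.ENCRYPTION);
            stub._setProperty(GSIConstants.GSI_MODE, GSIConstants.GSI_MODE_FULL_DELEG);
            stub._setProperty(Constants.AUTHORIZATION, HostAuthorization.getInstance());
        } else {
            // login(dn): encrypt the transport only. Nothing is delegated; the service
            // sees just the DN of the proxy, which is all it needs when collocated with Metacat.
            stub._setProperty(Constants.GSI_TRANSPORT, Constants.ENCRYPTION);
            stub._setProperty(Constants.AUTHORIZATION, NoAuthorization.getInstance());
        }
        return port;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; the real host, URL and password come from the deployment and user.
        GSSCredential proxy = proxyFromMyProxy("myproxy.example.org", args[0], args[1]);
        WSMetacatPortType port = connect(
                "https://wsmetacat.example.org:8443/wsrf/services/wsmetacat/WSMetacatService",
                proxy, LoginMode.DISTINGUISHED_NAME);
        // Constructed Metacat pathquery document; query() returns the result document as a String.
        String xmlQuery = "<?xml version=\"1.0\"?><pathquery version=\"1.2\">"
                + "<querytitle>test</querytitle>"
                + "<querygroup operator=\"UNION\">"
                + "<queryterm casesensitive=\"false\" searchmode=\"contains\">"
                + "<value>lter</value></queryterm></querygroup></pathquery>";
        System.out.println(port.query(xmlQuery));
    }
}
```

The point of the two branches is the one the text makes: the security properties on the stub are not a client-side choice but must mirror what the server's security descriptor was deployed with. A client configured for GSS_CREDENTIAL against a service deployed for login(dn) (or vice versa) fails at the security handshake rather than at query time.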

ws/build.mappings

This file is used by the globus-build-service scripts so that all one needs to do to compile the service is type globus-build-service wsmetacat.

ws/namespace2package.mappings

Needed by GT4 WS projects, this file maps namespace URIs to client stub names.

ws/schema/wsmetacat/wsmetacatservice/wsmetacat.wsdl

This is a standard Web Services Description Language file which lists the types, messages, and porttypes provided by the wsmetacat web service. As there is only one method currently available (query), this file is very basic. The only special thing about it is the wsdlpp:extends attribute, which is a directive to the WSDL preprocessor provided by Globus so we don't have to copy/paste definitions from the WSRF specs.

ws/edu/lternet/wsmetacat/deploy-jndi-config.xml

This standard WS file specifies the resource home for the service. However, since no resource properties are currently used by the service, this is a very basic file. Note that the directory structure edu/lternet/wsmetacat was chosen arbitrarily.

ws/edu/lternet/wsmetacat/deploy-server.wsdd

This standard WS Deployment Descriptor file describes how the web services container should publish the wsmetacat service. There's not a lot special going on here.

ws/edu/lternet/wsmetacat/etc/wsmetacat.properties

Files in this etc directory will be available in the WS container's etc directory so that an administrator can easily change values in these properties files and change the behavior of the web service without having to recompile/redeploy. This properties file contains the URL of the GSI-enabled Metacat web service.

ws/edu/lternet/wsmetacat/etc/wsmetacatsecurity.xml

This file specifies the methods of authentication and authorization required by any client connecting to the wsmetacat service. If the authentication mechanism is GSISecureConversation, then the authorization mechanism cannot be none. GSISecureConversation is required if the login(gsscredential) method is used. Otherwise, no authentication is needed when using the login(distinguishedname) method.

ws/edu/lternet/wsmetacat/impl/wsmetacatqnames.java

This file describes the Qualified Names for the wsmetacat service. Since we are not currently using any resource properties, this file is very basic and really didn't need to be coded as a separate interface. I put it in a separate .java file just in case future methods require resource properties.

ws/edu/lternet/wsmetacat/impl/wsmetacatservice.java

I saved the best for last. This is the main implementation of the wsmetacat web service. There is currently only one public method, query(), which is basically a wrapper around the normal Metacat API query() method. Functionally, it differs from the normal Metacat API method in the following ways:

- Both the input parameter and returned value are standard Java Strings, not Readers. This is to facilitate the passing of data to/from the web service.
- The method calls the login() and logout() methods automatically, which is why those two methods are not exposed to the client programmer.

In order to do the automatic login(), the user's credential must have been set on the client side. This is done by setting the GSIConstants.GSI_CREDENTIALS value to the user's credential on the client stub.

Bill Baker wrote two new login() methods, one taking a gsscredential as the parameter, and the other taking a DN (distinguished name) as the parameter. In order to use the login(gsscredential) method, a delegation service must be used. By using the GSISecureConversation authentication mechanism, a delegation server is automatically created in the GT4 container on the server side, and thus the client can pass the credential to the web service server. On the server side, the gsscredential can be retrieved as follows:

    import javax.security.auth.Subject;
    import org.apache.axis.MessageContext;
    import org.globus.gsi.jaas.JaasGssUtil;
    import org.globus.wsrf.impl.security.authentication.Constants;
    import org.ietf.jgss.GSSCredential;

    // The peer Subject is set by GSISecureConversation and carries the delegated credential.
    Subject peer = (Subject) MessageContext.getCurrentContext()
                                           .getProperty(Constants.PEER_SUBJECT);
    GSSCredential gsscredential = JaasGssUtil.getCredential(peer);

If instead we use the login(dn) method, no authentication is required. The DN can then be retrieved as follows:

    import org.globus.wsrf.security.SecurityManager;

    // Identity of the caller as authenticated on the gsi-https transport (the proxy's DN).
    String distinguishedname = SecurityManager.getManager().getCaller();

After we have logged in, we call the standard Metacat API query() method followed by the logout() method, and then return the result of the query to the client.
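Putting the two retrieval snippets together, here is an added example of the query() wrapper as described above: open the Metacat connection, log in with either the delegated credential or the caller's DN, run the query with String/Reader conversion, and always log out. It is not the page's wsmetacatservice.java and not Metacat or Globus project code. The assumptions are the two login overloads that Bill Baker added (login(GSSCredential) and login(String dn); their exact signatures are not on the page), the edu.ucsb.nceas.metacat.client Metacat/MetacatFactory API, and the property keys metacat.url and login.method in wsmetacat.properties, which I invented for the example (the page only says the file holds the Metacat URL).

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.rmi.RemoteException;
import java.util.Properties;
import javax.security.auth.Subject;
import org.apache.axis.MessageContext;
import org.globus.gsi.jaas.JaasGssUtil;
import org.globus.wsrf.impl.security.authentication.Constants;
import org.globus.wsrf.security.SecurityManager;
import org.ietf.jgss.GSSCredential;
import edu.ucsb.nceas.metacat.client.Metacat;
import edu.ucsb.nceas.metacat.client.MetacatFactory;

public class WSMetacatService {

    private final String metacatUrl;       // URL of the GSI-enabled Metacat server
    private final boolean delegatedLogin;  // true: login(gsscredential); false: login(dn)

    /** Hypothetical property keys; the page only says the file holds the Metacat URL. */
    public WSMetacatService(Properties props) {
        this.metacatUrl = props.getProperty("metacat.url");
        this.delegatedLogin = "gsscredential".equals(props.getProperty("login.method", "dn"));
    }

    /** The only public web service method: login, query, logout. */
    public String query(String xmlQuery) throws RemoteException {
        Metacat metacat;
        try {
            metacat = MetacatFactory.createMetacatConnection(metacatUrl);
        } catch (Exception e) {
            throw new RemoteException("cannot reach Metacat at " + metacatUrl, e);
        }
        boolean loggedIn = false;
        try {
            if (delegatedLogin) {
                // The peer Subject exists only if the client used GSISecureConversation
                // with delegation; otherwise there is no credential to log in with.
                Subject peer = (Subject) MessageContext.getCurrentContext()
                        .getProperty(Constants.PEER_SUBJECT);
                GSSCredential cred = (peer == null) ? null : JaasGssUtil.getCredential(peer);
                if (cred == null) {
                    throw new RemoteException("no delegated credential: the client must use "
                            + "GSISecureConversation with full delegation for login(gsscredential)");
                }
                metacat.login(cred);          // assumed overload added by Bill Baker
            } else {
                // DN of the proxy authenticated on the gsi-https transport; null if anonymous.
                String dn = SecurityManager.getManager().getCaller();
                if (dn == null) {
                    throw new RemoteException("caller not authenticated: login(dn) needs "
                            + "a GSI credential on the transport");
                }
                metacat.login(dn);            // assumed overload added by Bill Baker
            }
            loggedIn = true;
            // Web service callers exchange Strings; the Metacat API works with Readers.
            return readAll(metacat.query(new StringReader(xmlQuery)));
        } catch (RemoteException e) {
            throw e;
        } catch (Exception e) {
            throw new RemoteException("Metacat query failed", e);
        } finally {
            // Never leave a Metacat session open on the server, even when the query failed.
            if (loggedIn) {
                try { metacat.logout(); } catch (Exception ignored) { /* best effort */ }
            }
        }
    }

    private static String readAll(Reader r) throws IOException {
        BufferedReader in = new BufferedReader(r);
        StringBuilder sb = new StringBuilder();
        String line;
        while ((line = in.readLine()) != null) {
            sb.append(line).append('\n');
        }
        return sb.toString();
    }
}
```

A deployed GT4 service would normally use a no-argument constructor and read its own etc/wsmetacat.properties; the Properties argument is kept here only so the example stands alone. The two null checks are the part worth keeping: a missing peer Subject or caller DN means the client was configured for the other login mode, and failing the call with a clear fault is better than letting an unauthenticated query reach Metacat.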

ws/edu/lternet/wsmetacat/client/client.java

This is a little test client application I wrote for testing out the wsmetacat service. It's not really meant for prime time. Basically, it gets a user's proxy certificate from the MyProxy server on roadrunner.lternet.edu, sets the GSI_CREDENTIALS on the client stub appropriately, and calls the query() method. Originally, only the login(gsscredential) method was available to me. So, the trickiest part was figuring out how to get a MyProxy gsscredential from the client side to the server side so I could call that method. In order to do that, I had to use GSISecureConversation, which automatically sets up a delegation service collocated with the GT4 container (inside the web service container). But GSISecureConversation requires some sort of authorization as well, so that property had to be set appropriately. All of that goes away when using the login(dn) method.

References

Globus Toolkit 4.0.1 Java WS Core:
http://www.globus.org/toolkit/docs/4.0/common/javawscore/
http://www.globus.org/toolkit/downloads/4.0.1/#wscore_bin
http://www-unix.mcs.anl.gov/~gawor/javawscore/head/doc/javadocs/

GT4 Tutorials:
http://gdp.globus.org/gt4-tutorial/singlehtml/progtutorial_0.1.1.html
http://www.gridnexus.org/web/external/gt4-security.html

LTERgrid Project:
http://grid.ncsa.uiuc.edu/lter/

Metacat:
http://knb.ecoinformatics.org/software/metacat/