Remember that, in the previous section, our example used a default security configuration file that simply said "everything has to be invoked securely". To do this, we included the following parameter in the deployment descriptor:
<service name="progtutorial/security/first/MathService" provider="Handler" style="wrapped">
  <!-- ... -->
  <parameter name="securityConfig"
    value="org/globus/ogsa/impl/security/descriptor/gsi-security-config.xml"/>
  <!-- ... -->
</service>
This file (gsi-security-config.xml) is included with the toolkit. However, to gain more control over the security aspects of our service (instead of making everything secure), we'll have to write our own custom configuration file. In this file we'll be able to control two aspects of security on a per-method basis:
Authentication method: We can specify what authentication method must be used by any client that wants to invoke the method. For example, we'll be able to specify that method FOO must be invoked with full encryption, while method BAR can be invoked simply with a digital signature (which guarantees integrity but not privacy). We can also specify that a method can be invoked with no security at all.
Runtime identity: A service always runs under a certain identity. We can actually specify what identity the service must run under, although the practical use of this particular feature won't be apparent until we see delegation.
In this section we are going to write two configuration files: one to tweak the authentication methods and one to tweak the runtime identity. We will test both of them with separate clients to see how they react. We won't have to write any new service or GWSDL file, since we can use the ones from the previous section. We only need to add two new services to the WSDD file, each with different configuration files. In fact, if you take a look at the WSDD file ($TUTORIAL_DIR/org/globus/progtutorial/services/security/first/server-deploy.wsdd) you'll notice that those two services are already there:
<service name="progtutorial/security/first/MathAuthService" provider="Handler" style="wrapped">
  <!-- ... -->
  <parameter name="securityConfig"
    value="org/globus/progtutorial/services/security/first/config/security-config-runas.xml"/>
  <!-- ... -->
</service>
<service name="progtutorial/security/first/MathRunAsService" provider="Handler" style="wrapped">
  <!-- ... -->
  <parameter name="securityConfig"
    value="org/globus/progtutorial/services/security/first/config/security-config-auth.xml"/>
  <!-- ... -->
</service>
In the next pages we'll learn how to write the security configuration files and give both services a try.
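Because the security descriptor is attached to each service through its own securityConfig parameter, it is worth checking the WSDD file before deploying. The following script is an added example, not part of the tutorial's code: it lists which descriptor each service points at and flags any service with no securityConfig parameter. The sample WSDD is constructed; MathOpenService and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two services shown above (values as they appear on
# this page) plus a hypothetical MathOpenService with no securityConfig.
SAMPLE_WSDD = """<deployment xmlns="http://xml.apache.org/axis/wsdd/">
  <service name="progtutorial/security/first/MathAuthService" provider="Handler" style="wrapped">
    <parameter name="securityConfig"
      value="org/globus/progtutorial/services/security/first/config/security-config-runas.xml"/>
  </service>
  <service name="progtutorial/security/first/MathRunAsService" provider="Handler" style="wrapped">
    <parameter name="securityConfig"
      value="org/globus/progtutorial/services/security/first/config/security-config-auth.xml"/>
  </service>
  <service name="progtutorial/security/first/MathOpenService" provider="Handler" style="wrapped">
    <parameter name="allowedMethods" value="*"/>
  </service>
</deployment>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_wsdd(wsdd_text):
    """Map each service name to its securityConfig value, or None if absent."""
    result = {}
    for elem in ET.fromstring(wsdd_text).iter():
        if local(elem.tag) != "service":
            continue
        config = None
        for child in elem:
            if local(child.tag) == "parameter" and child.get("name") == "securityConfig":
                config = (child.get("value") or "").strip() or None
        result[elem.get("name")] = config
    return result


def unsecured(wsdd_text):
    """Names of services that have no security descriptor attached."""
    return sorted(name for name, cfg in audit_wsdd(wsdd_text).items() if cfg is None)


if __name__ == "__main__":
    for name, cfg in audit_wsdd(SAMPLE_WSDD).items():
        print(f"{name}: {cfg or 'NO securityConfig'}")
```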