Setting authentication methods

We'll start by writing a configuration file that tweaks the authentication methods. First things first: What exactly is the security configuration file? It is a very simple XML file with the following root element:

<securityConfig xmlns="http://www.globus.org"
  xmlns:math="http://www.globus.org/namespaces/2004/02/progtutorial/MathService">

  <!-- ... -->

</securityConfig>

Notice how we have to declare our service's namespace (bound to the math prefix). This is necessary because we are going to refer to the methods of our service by qualified name, so the security configuration file must know the namespace they live in.

The <securityConfig> element can contain several <method> elements. Each of these <method> elements will allow us to configure the security options of an individual method. Right now, we are going to modify the authentication methods of all three methods in our MathService: add, subtract, and getValue.

<securityConfig xmlns="http://www.globus.org"
  xmlns:math="http://www.globus.org/namespaces/2004/02/progtutorial/MathService">

  <method name="math:add">
    <!-- ... -->
  </method>

  <method name="math:subtract">
    <!-- ... -->
  </method>

  <method name="math:getValue">
    <!-- ... -->
  </method>

</securityConfig>

Notice how the method's name (in the name attribute) has the namespace prefix.

Next, each <method> element will contain a set of tags that allow us to configure that method. To modify the authentication method we'll need to include an <auth-method> element inside the <method> element. This element, in turn, can contain any of the following XML elements:

  • <none/>: No authentication.

  • <pkey/>: GSI Secure Message.

  • <gsi/>: GSI Secure Conversation.

All three can be used as empty elements (<none/>, <pkey/>, <gsi/>). However, as we'll see shortly, the <gsi> element can contain another element to further configure the GSI conversation.

In the following examples we will be using only <none> and <gsi> authentication. GSI Secure Message (<pkey>) also gives us secure communication, but it is less feature-rich than <gsi> (GSI Secure Conversation): for example, it supports neither encryption nor delegation. On the other hand, it is faster and has less overhead, so the missing features can be an acceptable trade-off when performance is a major concern. The Stub security options appendix describes how to configure a client for GSI Secure Message.

No authentication

For now, let's start with the simplest case. The getValue method will require no authentication at all.

<method name="math:getValue">
  <auth-method>
    <none/>
  </auth-method>
</method>

GSI authentication

The <gsi> element can contain a <protection-level> element, which lets us specify the protection level of the conversation: integrity and/or privacy. To specify which one we want, we have to include one (or both) of these empty elements inside the <protection-level> element:

  • <integrity/>: The secure conversation must ensure integrity by including a digital signature. The message itself, however, will not be encrypted (so privacy is not ensured). This means the client stub must set Constants.GSI_SEC_CONV to Constants.SIGNATURE.

  • <privacy/>: The secure conversation must ensure privacy by encrypting the message. This means that the client stub must set Constants.GSI_SEC_CONV to Constants.ENCRYPTION.

For example, let's suppose we want to make sure integrity is guaranteed in all invocations of the subtract method. The corresponding <method> element would look like this:

<method name="math:subtract">
  <auth-method>
    <gsi>
      <protection-level>
        <integrity/>
      </protection-level>
    </gsi>
  </auth-method>
</method>

However, this configuration forces subtract invocations to use integrity protection only. An invocation that requests encryption, for example, would be rejected. To allow both integrity and privacy, we include both elements inside the <protection-level> element. For example, we will configure the add method that way:

<method name="math:add">
  <auth-method>
    <gsi>
      <protection-level>
        <integrity/>
        <privacy/>
      </protection-level>
    </gsi>
  </auth-method>
</method>

The whole file would look like this:

<securityConfig xmlns="http://www.globus.org"
  xmlns:math="http://www.globus.org/namespaces/2004/02/progtutorial/MathService">

<method name="math:add">
  <auth-method>
    <gsi>
      <protection-level>
        <integrity/>
        <privacy/>
      </protection-level>
    </gsi>
  </auth-method>
</method>

<method name="math:subtract">
  <auth-method>
    <gsi>
      <protection-level>
        <integrity/>
      </protection-level>
    </gsi>
  </auth-method>
</method>

<method name="math:getValue">
  <auth-method>
    <none/>
  </auth-method>
</method>

<!-- Default for other methods -->
<auth-method>
  <gsi/>
</auth-method>

</securityConfig>
[Note]

This file is $TUTORIAL_DIR/org/globus/progtutorial/services/security/first/config/security-config-auth.xml
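The rule spelled out above (a <protection-level> that lists only <integrity/> rejects an encrypting client, one that lists both accepts either, and a <none/> method asks for nothing) is easy to get wrong when the file grows. The following checker is an added example written for this page; it is not part of the Globus tutorial or of the toolkit. It parses the security-config-auth.xml shown above and answers whether a client invocation with a given Constants.GSI_SEC_CONV setting would satisfy the method's <auth-method>. The mapping <integrity/> to Constants.SIGNATURE and <privacy/> to Constants.ENCRYPTION is taken from the text; two rules are assumptions made here and marked as such in the code: a bare <gsi/> with no <protection-level> accepts either level, and a <none/> method imposes no requirement, so any invocation passes it. The <pkey/> case is not modelled.

```python
"""Checker for a GT4-style security-config file (added example, not Globus code)."""
import io
import xml.etree.ElementTree as ET

SEC_NS = "http://www.globus.org"
MATH_NS = "http://www.globus.org/namespaces/2004/02/progtutorial/MathService"

# Names the client stub uses for Constants.GSI_SEC_CONV, per the text above.
SIGNATURE = "SIGNATURE"
ENCRYPTION = "ENCRYPTION"
ELEMENT_TO_LEVEL = {"integrity": SIGNATURE, "privacy": ENCRYPTION}

# Constructed input: the complete security-config-auth.xml from this page.
CONFIG_XML = """<securityConfig xmlns="http://www.globus.org"
  xmlns:math="http://www.globus.org/namespaces/2004/02/progtutorial/MathService">
  <method name="math:add">
    <auth-method><gsi><protection-level><integrity/><privacy/></protection-level></gsi></auth-method>
  </method>
  <method name="math:subtract">
    <auth-method><gsi><protection-level><integrity/></protection-level></gsi></auth-method>
  </method>
  <method name="math:getValue">
    <auth-method><none/></auth-method>
  </method>
  <!-- Default for other methods -->
  <auth-method><gsi/></auth-method>
</securityConfig>"""


def _q(tag):
    """Qualify a tag with the securityConfig namespace."""
    return "{%s}%s" % (SEC_NS, tag)


def _local(elem):
    """Strip the namespace from an element tag."""
    return elem.tag.rsplit("}", 1)[-1]


def parse_config(xml_text):
    """Return ({local method name: <auth-method>}, default <auth-method> or None).

    The name attribute holds a QName ("math:add"); ElementTree does not resolve
    prefixes inside attribute values, so the prefix map is collected from
    start-ns events and checked against the service namespace by hand.
    """
    prefixes = {}
    for _event, (prefix, uri) in ET.iterparse(io.BytesIO(xml_text.encode()), events=("start-ns",)):
        prefixes[prefix] = uri
    root = ET.fromstring(xml_text)
    methods = {}
    for m in root.findall(_q("method")):
        prefix, _, local = m.get("name", "").rpartition(":")
        if prefixes.get(prefix) != MATH_NS:
            raise ValueError("method %r is not in the MathService namespace" % m.get("name"))
        auth = m.find(_q("auth-method"))
        if auth is None:
            raise ValueError("method %s has no <auth-method>" % local)
        methods[local] = auth
    # A top-level <auth-method> is the default for methods not listed.
    return methods, root.find(_q("auth-method"))


def accepted_levels(auth):
    """GSI_SEC_CONV values an <auth-method> accepts, or None for <none/>."""
    if auth.find(_q("none")) is not None:
        return None
    gsi = auth.find(_q("gsi"))
    if gsi is None:
        raise ValueError("only <none/> and <gsi> are modelled here (<pkey/> is not)")
    level = gsi.find(_q("protection-level"))
    if level is None:
        return {SIGNATURE, ENCRYPTION}  # assumption: unrestricted <gsi/> takes either
    accepted = set()
    for child in level:
        if _local(child) not in ELEMENT_TO_LEVEL:
            raise ValueError("unknown protection element <%s/>" % _local(child))
        accepted.add(ELEMENT_TO_LEVEL[_local(child)])
    if not accepted:
        raise ValueError("<protection-level> lists neither <integrity/> nor <privacy/>")
    return accepted


def invocation_allowed(xml_text, method, client_level):
    """True if a call to `method` with GSI_SEC_CONV = client_level (None for an
    unauthenticated call) satisfies the descriptor."""
    methods, default = parse_config(xml_text)
    auth = methods.get(method, default)
    if auth is None:
        raise ValueError("no <auth-method> for %s and no default" % method)
    accepted = accepted_levels(auth)
    if accepted is None:
        return True  # <none/> requires nothing (assumption: secured calls pass too)
    return client_level in accepted


if __name__ == "__main__":
    for name in ("add", "subtract", "getValue", "multiply"):
        for level in (None, SIGNATURE, ENCRYPTION):
            print("%-9s %-10s -> %s" % (name, level, invocation_allowed(CONFIG_XML, name, level)))
```

Running the block prints one line per (method, client setting) pair; the row for subtract with ENCRYPTION is the rejection the text describes, and multiply falls through to the default <gsi/> entry.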