The second thing we can tweak in the security configuration file is the runtime identity of the service (in each method). This allows us to control the identity the service assumes during that invocation. Although the practical use of what we're about to see might not be immediately apparent, it is especially relevant for credential delegation (which we will see soon).
The first thing you should know is that, in a service invocation, there are three relevant subjects. Remember that a subject contains a distinguished name of the form CN=Borja Sotomayor, OU=GT3 Tutorial, O=Globus.
System subject: This is the system's (the container's) subject. Unless we explicitly configure the container to use a different set of credentials, this subject will take its value from the subject of the user that's running the container. For example, if we use the globus account to run the container, the system subject will be O=Globus, OU=GT3 Tutorial, CN=Globus 3 Administrator.
Service subject: This is the subject of a particular service. A container can have services with different subjects. This subject is usually null, unless we specify credentials for the service or perform credential delegation (which we will see later on).
Invocation subject: This subject depends on the runtime identity set in the security configuration file. If there is no security configuration file, this subject will be null.
Modifying the runtime identity through the security configuration file modifies the value of the invocation subject. We'll be able to give the invocation subject any of three possible identities:
The caller's identity: This sets the invocation subject to the same value as the caller's subject (the client making the invocation).
The system's identity: Sets the invocation subject to the system subject.
The service's identity: Sets the invocation subject to the service subject (if the service doesn't have an identity, the system's identity will be used).
Setting this up is pretty straightforward. The <method> element can contain, besides an <auth-method> element, a <run-as> element. This element, in turn, can contain an empty <caller-identity/>, <system-identity/>, or <service-identity/>, which will determine the runtime identity of the method.
We are going to configure each of our three methods with a different runtime identity. The security configuration would look like this:
<securityConfig xmlns="http://www.globus.org"
                xmlns:math="http://www.globus.org/namespaces/2004/02/progtutorial/MathService">
  <method name="math:add">
    <run-as>
      <caller-identity/>
    </run-as>
  </method>
  <method name="math:subtract">
    <run-as>
      <system-identity/>
    </run-as>
  </method>
  <method name="math:getValue">
    <run-as>
      <service-identity/>
    </run-as>
  </method>
</securityConfig>
This file is $TUTORIAL_DIR/org/globus/progtutorial/services/security/first/config/security-config-runas.xml.
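As an added example (not part of the tutorial or of GT3 itself), the following Python script parses the security configuration above and resolves the invocation subject of each method according to the three rules just described, including the fallback to the system identity when the service has no identity of its own. The caller and system subjects are the ones quoted in the text; treating a method that has no <run-as> element as having a null invocation subject is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# The security configuration shown above (copied from the tutorial file).
SECURITY_CONFIG = """<securityConfig xmlns="http://www.globus.org"
    xmlns:math="http://www.globus.org/namespaces/2004/02/progtutorial/MathService">
  <method name="math:add"><run-as><caller-identity/></run-as></method>
  <method name="math:subtract"><run-as><system-identity/></run-as></method>
  <method name="math:getValue"><run-as><service-identity/></run-as></method>
</securityConfig>"""

# Child elements inherit the default namespace, so ElementTree tags carry this prefix.
NS = "{http://www.globus.org}"


def parse_run_as(config_xml):
    """Map each method name to its run-as choice: 'caller', 'system', 'service' or None."""
    root = ET.fromstring(config_xml)
    run_as = {}
    for method in root.findall(f"{NS}method"):
        choice = None
        run_as_elem = method.find(f"{NS}run-as")
        if run_as_elem is not None:
            for child in run_as_elem:
                tag = child.tag.replace(NS, "")
                if tag.endswith("-identity"):  # caller-identity, system-identity, service-identity
                    choice = tag[: -len("-identity")]
        run_as[method.get("name")] = choice
    return run_as


def invocation_subject(run_as, method, caller, system, service=None):
    """Resolve the invocation subject for one method from the configured run-as choice."""
    choice = run_as.get(method)
    if choice is None:
        # Assumption: no <run-as> for this method behaves like having no configuration (null subject).
        return None
    if choice == "caller":
        return caller
    if choice == "system":
        return system
    if choice == "service":
        # A service without its own identity falls back to the system identity.
        return service if service is not None else system
    raise ValueError(f"unknown run-as choice {choice!r}")


if __name__ == "__main__":
    cfg = parse_run_as(SECURITY_CONFIG)
    system = "O=Globus, OU=GT3 Tutorial, CN=Globus 3 Administrator"
    caller = "CN=Borja Sotomayor, OU=GT3 Tutorial, O=Globus"
    for name in cfg:
        print(name, "->", invocation_subject(cfg, name, caller, system))
```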