Just like in the previous example, there is no need to compile and deploy, since this example was also bundled with the first example we deployed.
We need to invoke all three methods and then look at the server-side logs to see what the system, service, and invocation subject are in each invocation. This is where the logSecurityInfo method we included in the service is going to come in handy. To invoke all three methods we can directly use the client from the previous section: $TUTORIAL_DIR/org/globus/progtutorial/clients/MathService/ClientGSIConvEncrypt.java
Let's run the client again:

    java \
    -classpath ./build/classes/:$CLASSPATH \
    org/globus/progtutorial/clients/MathService/ClientGSIConvEncrypt \
    http://127.0.0.1:8080/ogsa/services/progtutorial/security/first/MathRunAsService \
    5
Let's take a close look at all the server-side logs.
You should see the following when the add method is invoked:
    INFO: SECURITY INFO FOR METHOD 'add'
    INFO: The caller is:/O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
    INFO: INVOCATION SUBJECT
    INFO: Subject:
        Principal: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
        Private credential: org.globus.gsi.gssapi.GlobusGSSCredentialImpl@dea768
    INFO: SERVICE SUBJECT
    INFO: NULL
    INFO: SYSTEM SUBJECT
    INFO: Subject:
        Principal: /O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
        Private credential: org.globus.gsi.gssapi.GlobusGSSCredentialImpl@2d0483
Notice how the invocation subject assumes the identity of the caller.
You should see the following when the subtract method is invoked:
    INFO: SECURITY INFO FOR METHOD 'subtract'
    INFO: The caller is:/O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
    INFO: INVOCATION SUBJECT
    INFO: Subject:
        Principal: /O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
        Private credential: org.globus.gsi.gssapi.GlobusGSSCredentialImpl@2d0483
    INFO: SERVICE SUBJECT
    INFO: NULL
    INFO: SYSTEM SUBJECT
    INFO: Subject:
        Principal: /O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
        Private credential: org.globus.gsi.gssapi.GlobusGSSCredentialImpl@2d0483
The invocation subject assumes the identity of the system. Since the container is being run by the globus account, the invocation subject is equal to the globus user's subject.
You should see the following when the getValue method is invoked:
    INFO: SECURITY INFO FOR METHOD 'getValue'
    INFO: The caller is:/O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
    INFO: INVOCATION SUBJECT
    INFO: Subject:
        Principal: /O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
        Private credential: org.globus.gsi.gssapi.GlobusGSSCredentialImpl@2d0483
    INFO: SERVICE SUBJECT
    INFO: NULL
    INFO: SYSTEM SUBJECT
    INFO: Subject:
        Principal: /O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
        Private credential: org.globus.gsi.gssapi.GlobusGSSCredentialImpl@2d0483

The invocation subject should assume the identity of the service. However, since the service has no identity (NULL), it assumes the identity of the system (the globus account).
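The comparison done by eye above can be automated. The following Python script is an added example, not part of the tutorial's code: it parses log output in the format shown above, works out which identity each invocation subject resolved to, and reports methods where that differs from the intended run-as identity. The function names, the `INTENDED` mapping (taken from the descriptions above) and the embedded sample log are constructed for this illustration.

```python
import re

# Constructed sample modelled on the log output above (credential lines omitted).
CALLER = "/O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor"
SYSTEM = "/O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator"
TEMPLATE = """INFO: SECURITY INFO FOR METHOD '{method}'
INFO: The caller is:{caller}
INFO: INVOCATION SUBJECT
INFO: Subject:
    Principal: {invocation}
INFO: SERVICE SUBJECT
INFO: NULL
INFO: SYSTEM SUBJECT
INFO: Subject:
    Principal: {system}
"""
SAMPLE_LOG = "".join(
    TEMPLATE.format(method=m, caller=CALLER, invocation=i, system=SYSTEM)
    for m, i in [("add", CALLER), ("subtract", SYSTEM), ("getValue", SYSTEM)])

# Run-as identity each method is meant to use, as described in the text above.
INTENDED = {"add": "caller", "subtract": "system", "getValue": "service"}

RECORD = re.compile(
    r"SECURITY INFO FOR METHOD '(?P<method>[^']+)'.*?The caller is:\s*(?P<caller>.+?)"
    r"\s*INFO: INVOCATION SUBJECT(?P<inv>.*?)INFO: SERVICE SUBJECT(?P<svc>.*?)"
    r"INFO: SYSTEM SUBJECT(?P<sys>.*?)(?=INFO: SECURITY INFO|\Z)", re.S)
# A DN may contain spaces, so stop at the credential field or the end of the line.
PRINCIPAL = re.compile(r"Principal:\s*(/.*?)\s*(?:Private credential:|$)", re.M)

def principal(section):
    """Return the DN in a subject section, or None for a NULL subject."""
    m = PRINCIPAL.search(section)
    return m.group(1) if m else None

def effective_identities(log_text):
    """Map each logged method to the identity its invocation subject resolved to."""
    out = {}
    for rec in RECORD.finditer(log_text):
        inv, svc, system = (principal(rec[k]) for k in ("inv", "svc", "sys"))
        candidates = [("caller", rec["caller"]), ("service", svc), ("system", system)]
        out[rec["method"]] = next((n for n, dn in candidates if dn and dn == inv), "unknown")
    return out

def mismatches(log_text, intended):
    """Methods whose effective identity differs from the intended one."""
    actual = effective_identities(log_text)
    return {m: (want, actual.get(m)) for m, want in intended.items() if actual.get(m) != want}
```

On the sample, only getValue is reported: it is meant to run as the service but, because the service subject is NULL, it runs with the system credential.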