As mentioned before, this first example is based on the first secure service we saw. This means we'll only see the differences between both examples. However, remember that the full code for this example can be found in $TUTORIAL_DIR/org/globus/progtutorial/services/security/delegation_first/.
The first thing we have to do is modify the client to tell it to delegate its credentials to the service. This is done simply by setting the following stub property:
    ((Stub)math)._setProperty(GSIConstants.GSI_MODE, GSIConstants.GSI_MODE_FULL_DELEG);
Keep in mind what this asks for: with GSI_MODE_FULL_DELEG the service receives a full proxy of the caller's credential and can act as the caller towards any other grid service for as long as that proxy is valid. Request full delegation only when the service genuinely needs it; if the service only has to act on the caller's behalf in a restricted way, GSIConstants.GSI_MODE_LIMITED_DELEG delegates a limited proxy instead.
The client can be found in $TUTORIAL_DIR/org/globus/progtutorial/clients/MathService/ClientDelegation.java
But for delegation to be complete, we need to do two things on the server side:
1. The particular method we want to invoke must be configured to run with the caller's identity. In other words, the invocation subject must be set to the caller's identity. We saw how to do this earlier, in the runtime identity part of the security configuration file chapter.
2. We have to tell the service to assume the identity of the caller. Remember from the runtime identity page that the service subject was always NULL, unless credentials had been delegated to the service. We will be able to do this by adding one simple line of code.
To set the runtime identity, we will be able to reuse the security configuration file we used in the runtime identity example. Remember that, in that example, the add method was configured to run under the caller's identity. The security configuration file for this example can be found in $TUTORIAL_DIR/org/globus/progtutorial/services/security/delegation_first/config/security-config-runas.xml
To make the service assume the invocation subject as its subject, we have to add the following line in each method where we want to perform delegation:
    SecurityManager.getManager().setServiceOwnerFromContext(base);
For example, in the add method:
    public void add(int a) throws RemoteException, SecurityException {
        // Make the service assume the caller's identity (the invocation subject)
        SecurityManager.getManager().setServiceOwnerFromContext(base);
        logSecurityInfo("add");
        value = value + a;
    }
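The line above switches the service to the caller's identity without looking at what was actually delegated. As an added example (not code from the tutorial or from MathProvider), the class below inspects the delegated proxy that sits in the invocation subject before the switch is made: it refuses when the caller did not delegate at all, when the delegated credential is not a proxy, when it is a limited proxy but the method needs full delegation, or when it is about to expire. It relies on JaasSubject.getCurrentSubject() from the jglobus library (the same subject the tutorial logs as INVOCATION SUBJECT), on the GlobusCredential accessors getProxyType, getTimeLeft and getIdentity, and on the CertUtil proxy-type predicates; the class name, the five-minute lifetime threshold and the use of java.lang.SecurityException for refusals are choices made here.

```java
package org.globus.progtutorial.services.security.delegation_first.impl;

import java.util.Iterator;
import java.util.Set;

import javax.security.auth.Subject;

import org.globus.gsi.CertUtil;
import org.globus.gsi.GlobusCredential;
import org.globus.gsi.gssapi.GlobusGSSCredentialImpl;
import org.globus.gsi.jaas.JaasSubject;

/**
 * Added example, not part of the tutorial's MathProvider: checks the
 * credential the client delegated before the service assumes the
 * caller's identity. Class name, threshold and exception type are
 * assumptions made for this example.
 */
public final class DelegationGuard {

    // Refuse to act as a caller whose proxy expires sooner than this.
    // Five minutes is an assumed value; choose one that covers the work
    // the method will do while holding the delegated credential.
    public static final long MIN_LIFETIME_SECONDS = 5 * 60;

    private DelegationGuard() {
    }

    /**
     * Returns the credential the caller delegated with this invocation,
     * or null if the caller authenticated without delegating. The
     * delegated proxy is held as a private credential of the invocation
     * subject, which is why the tutorial's log shows the same
     * GlobusGSSCredentialImpl object under INVOCATION SUBJECT and,
     * after setServiceOwnerFromContext, under SERVICE SUBJECT.
     */
    public static GlobusCredential delegatedCredential() {
        Subject invocation = JaasSubject.getCurrentSubject();
        if (invocation == null) {
            return null;
        }
        Set creds = invocation.getPrivateCredentials(GlobusGSSCredentialImpl.class);
        Iterator it = creds.iterator();
        if (!it.hasNext()) {
            return null; // authenticated caller, but nothing was delegated
        }
        return ((GlobusGSSCredentialImpl) it.next()).getGlobusCredential();
    }

    /**
     * Throws SecurityException unless cred is a delegated proxy that is
     * still usable. Pass needFullProxy=true for methods that will use
     * the credential where limited proxies are not accepted.
     */
    public static void checkUsable(GlobusCredential cred, boolean needFullProxy)
            throws SecurityException {
        if (cred == null) {
            throw new SecurityException("caller did not delegate a credential");
        }
        int type = cred.getProxyType();
        if (!CertUtil.isProxy(type)) {
            // A service should only ever receive proxies, never the
            // private key of an end-entity certificate.
            throw new SecurityException("delegated credential is not a proxy");
        }
        if (needFullProxy && CertUtil.isLimitedProxy(type)) {
            throw new SecurityException("limited proxy delegated by "
                    + cred.getIdentity() + ", but this method needs full delegation");
        }
        long left = cred.getTimeLeft(); // seconds; 0 if already expired
        if (left < MIN_LIFETIME_SECONDS) {
            throw new SecurityException("delegated proxy for " + cred.getIdentity()
                    + " expires in " + left + " seconds; refusing to assume it");
        }
    }

    /** Fetches and checks the delegated credential in one call. */
    public static GlobusCredential requireDelegation(boolean needFullProxy)
            throws SecurityException {
        GlobusCredential cred = delegatedCredential();
        checkUsable(cred, needFullProxy);
        return cred;
    }
}
```

To use it, call DelegationGuard.requireDelegation(true) as the first statement of add, immediately before SecurityManager.getManager().setServiceOwnerFromContext(base); the identity switch then only happens when the delegated proxy is the kind the method needs and will outlive the work it is about to do. java.lang.SecurityException is unchecked, so the tutorial's add method signature does not need to change.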
Now, let's build the service:
    ./tutorial_build.sh \
        org/globus/progtutorial/services/security/delegation_first \
        schema/progtutorial/MathService/Math.gwsdl
And deploy it (from the globus account):
    ant deploy \
        -Dgar.name=$TUTORIAL_DIR/build/lib/org_globus_progtutorial_services_security_delegation_first.gar
Then, before you restart the container, add the following line to the $GLOBUS_LOCATION/ogsilogging.properties file so that the provider's security log messages (which we'll need in a moment) are printed to the console:
    org.globus.progtutorial.services.security.delegation_first.impl.MathProvider=console,info
Let's compile the client:
    javac \
        -classpath ./build/classes/:$CLASSPATH \
        org/globus/progtutorial/clients/MathService/ClientDelegation.java
Finally, we run the client:
    java \
        -classpath ./build/classes/:$CLASSPATH \
        org/globus/progtutorial/clients/MathService/ClientDelegation \
        http://127.0.0.1:8080/ogsa/services/progtutorial/security/delegation/MathService \
        5
The output on the client side should be pretty normal. We need to take a close look at the server side logs to verify that delegation is, in fact, working. Look at the add method (which runs under the caller's identity):
INFO: SECURITY INFO FOR METHOD 'add'
INFO: The caller is:/O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: INVOCATION SUBJECT
INFO: Subject:
Principal: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
Private credential: org.globus.gsi.gssapi.GlobusGSSCredentialImpl@f4ca49
INFO: SERVICE SUBJECT
INFO: Subject:
Principal: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
Private credential: org.globus.gsi.gssapi.GlobusGSSCredentialImpl@f4ca49
INFO: SYSTEM SUBJECT
INFO: Subject:
Principal: /O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
Private credential: org.globus.gsi.gssapi.GlobusGSSCredentialImpl@1f88fbd
Notice how the service subject is not only no longer NULL...it's the caller's identity! Holy identity theft, Batman! :-) Notice also that the invocation subject and the service subject carry the very same private credential object (GlobusGSSCredentialImpl@f4ca49): that is the proxy the client delegated, and it is what allows the service to act as the caller.
As for the subtract and getValue methods, the service subject is also no longer NULL. However, since they're configured to run under the system and service identities (respectively), not the caller's, we see the globus account's subject (Globus 3 Administrator) in the service subject:
INFO: SECURITY INFO FOR METHOD 'subtract'
INFO: The caller is:/O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: INVOCATION SUBJECT
INFO: Subject:
Principal: /O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
Private credential: org.globus.gsi.gssapi.GlobusGSSCredentialImpl@1f88fbd
INFO: SERVICE SUBJECT
INFO: Subject:
Principal: /O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
Private credential: org.globus.gsi.gssapi.GlobusGSSCredentialImpl@1f88fbd
INFO: SYSTEM SUBJECT
INFO: Subject:
Principal: /O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
Private credential: org.globus.gsi.gssapi.GlobusGSSCredentialImpl@1f88fbd
So, we've seen that delegation actually does work. Admittedly, this example isn't exactly what you could call 'exciting', but I promise the next example is guaranteed to positively thrill you!