Remember that the service still isn't completely ready to perform delegation. We're going to use a client that doesn't perform delegation, to see how MathService denies access to PhysicsService because it isn't presenting the right credentials.
The client itself is pretty simple. We'll just invoke the getAnswerToLifeTheUniverseAndEverything method in PhysicsService. The client's only parameter is the service's GSH.
package org.globus.progtutorial.clients.PhysicsService;

import org.globus.progtutorial.stubs.PhysicsService.service.PhysicsServiceGridLocator;
import org.globus.progtutorial.stubs.PhysicsService.PhysicsPortType;
import org.globus.ogsa.impl.security.Constants;
import org.globus.ogsa.impl.security.authorization.NoAuthorization;

import java.net.URL;
import javax.xml.rpc.Stub;

public class ClientNoDelegation
{
    public static void main(String[] args)
    {
        try
        {
            // Get command-line arguments
            URL GSH = new java.net.URL(args[0]);

            // Get a reference to the PhysicsService instance
            PhysicsServiceGridLocator physicsLocator = new PhysicsServiceGridLocator();
            PhysicsPortType physics = physicsLocator.getPhysicsServicePort(GSH);

            // Set up security options: GSI Secure Conversation with encryption,
            // and no client-side authorization of the service
            ((Stub)physics)._setProperty(Constants.GSI_SEC_CONV,Constants.ENCRYPTION);
            ((Stub)physics)._setProperty(Constants.AUTHORIZATION,NoAuthorization.getInstance());

            // Call remote method 'getAnswerToLifeTheUniverseAndEverything'
            int answer = physics.getAnswerToLifeTheUniverseAndEverything();

            System.out.println("Answer: " + answer);
        }catch(Exception e)
        {
            System.out.println("ERROR:" + e.getMessage());
        }
    }
}

This file is $TUTORIAL_DIR/org/globus/progtutorial/clients/PhysicsService/ClientNoDelegation.java
Now, let's compile the client:
javac \
-classpath ./build/classes/:$CLASSPATH \
org/globus/progtutorial/clients/PhysicsService/ClientNoDelegation.java
And run the client:
java \
-classpath ./build/classes/:$CLASSPATH \
org/globus/progtutorial/clients/PhysicsService/ClientNoDelegation \
http://127.0.0.1:8080/ogsa/services/progtutorial/security/delegation/PhysicsServiceNoDelegation
You should get this nasty little error:
org.globus.ogsa.impl.security.authorization.AuthorizationException: Gridmap authorization failed: peer "/O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator" not in gridmap file.
A closer look at the server logs reveals the following:
INFO: -------- BEGIN SECURITY INFO --------
INFO: Caller: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Invocation subject:/O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Service subject:
NULL
INFO: System subject:/O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
INFO: -------- END SECURITY INFO --------
Even though we're running under the caller's identity (the invocation subject is correctly set to the caller's subject), the service subject is still NULL. Since this subject is NULL, the container will use the system subject (/O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator) to invoke MathService. However, that subject isn't in MathService's gridmap, and that's why we get a "Gridmap authorization failed" error message.
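The check described above, as an added example that is not part of the original tutorial or of the Globus Toolkit: a Python script that reads the security-info block from the server log, picks the subject the outbound call to MathService will carry (the service subject if set, otherwise the system subject), and tests it against a gridmap. The gridmap contents and the function names are assumptions made for illustration.

```python
import re
import shlex

# Server log excerpt from this page; the NULL service subject wraps onto its own line.
SERVER_LOG = """\
INFO: -------- BEGIN SECURITY INFO --------
INFO: Caller: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Invocation subject:/O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Service subject:
NULL
INFO: System subject:/O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
INFO: -------- END SECURITY INFO --------
"""
# Constructed gridmap for MathService (assumption: only the end user is mapped).
MATH_GRIDMAP = '"/O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor" borja\n'

def parse_security_info(log):
    """Return the logged subjects keyed by lowercase label; NULL or empty becomes None."""
    fields, last = {}, None
    for line in log.splitlines():
        m = re.match(r"INFO: ([A-Za-z ]+?):\s*(.*)$", line)
        if m:
            last = m.group(1).strip().lower()
            fields[last] = m.group(2).strip()
        elif last and not fields[last]:
            fields[last] = line.strip()  # value wrapped onto the next line
    return {k: (None if v in ("", "NULL") else v) for k, v in fields.items()}

def parse_gridmap(text):
    """Map each quoted DN in a gridmap file to its local account names."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            dn, *accounts = shlex.split(line)
            entries[dn] = accounts
    return entries

def diagnose(log, gridmap_text):
    """Work out which identity the outbound call carries and whether the gridmap accepts it."""
    info, gridmap = parse_security_info(log), parse_gridmap(gridmap_text)
    # Per the explanation above: service subject if set, otherwise the system subject.
    subject = info.get("service subject") or info.get("system subject")
    return {"outbound_subject": subject,
            "service_subject_set": info.get("service subject") is not None,
            "authorized": subject in gridmap,
            "caller_in_gridmap": info.get("caller") in gridmap}

if __name__ == "__main__":
    print(diagnose(SERVER_LOG, MATH_GRIDMAP))
```

For the log above, the result shows the outbound subject is the container's administrator identity and `authorized` is false, while `caller_in_gridmap` is true: the caller would be accepted if the call carried the caller's credential.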
So...let's add delegation to the PhysicsService and see how it all finally works out.