A non-delegating client

Remember that the service still isn't completely ready to perform delegation. We're going to use a client that doesn't perform delegation, to see how MathService denies access to PhysicsService because it isn't using the adequate credentials.

The client itself is pretty simple. We'll just invoke the getAnswerToLifeTheUniverseAndEverything method in PhysicsService. The client's only parameter is the service's GSH.

package org.globus.progtutorial.clients.PhysicsService;

import org.globus.progtutorial.stubs.PhysicsService.service.PhysicsServiceGridLocator;
import org.globus.progtutorial.stubs.PhysicsService.PhysicsPortType;

import org.globus.ogsa.impl.security.Constants;
import org.globus.ogsa.impl.security.authorization.NoAuthorization;

import java.net.URL;
import javax.xml.rpc.Stub;

public class ClientNoDelegation
{
  public static void main(String[] args)
  {
    try
    {
      // Get command-line arguments
      URL GSH = new java.net.URL(args[0]);

      // Get a reference to the PhysicsService instance
      PhysicsServiceGridLocator physicsLocator = new PhysicsServiceGridLocator();
      PhysicsPortType physics = physicsLocator.getPhysicsServicePort(GSH);

      // Setup security options
      ((Stub)physics)._setProperty(Constants.GSI_SEC_CONV,Constants.ENCRYPTION);
      ((Stub)physics)._setProperty(Constants.AUTHORIZATION,NoAuthorization.getInstance());

      // Call remote method 'getAnswerToLifeTheUniverseAndEverything'
      int answer = physics.getAnswerToLifeTheUniverseAndEverything();

      System.out.println("Answer: " + answer);
    }catch(Exception e)
    {
      System.out.println("ERROR:" + e.getMessage());
    }
  }
}
Note: This file is $TUTORIAL_DIR/org/globus/progtutorial/clients/PhysicsService/ClientNoDelegation.java

Now, let's compile the client:

javac \
-classpath ./build/classes/:$CLASSPATH \
org/globus/progtutorial/clients/PhysicsService/ClientNoDelegation.java

And run the client:

java \
-classpath ./build/classes/:$CLASSPATH \
org/globus/progtutorial/clients/PhysicsService/ClientNoDelegation \
http://127.0.0.1:8080/ogsa/services/progtutorial/security/delegation/PhysicsServiceNoDelegation

You should get this nasty little error:

org.globus.ogsa.impl.security.authorization.AuthorizationException:
Gridmap authorization failed:
peer "/O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator" not in gridmap file.

A closer look at the server logs reveals the following:

INFO: -------- BEGIN SECURITY INFO --------
INFO: Caller: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Invocation subject:/O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Service subject:
NULL
INFO: System subject:/O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
INFO: --------  END SECURITY INFO  --------

Even though we're running under the caller's identity (the invocation subject is correctly set to the caller's subject), the service subject is still NULL. Since this subject is NULL, the container will use the system subject (/O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator) to invoke MathService. However, that subject isn't in MathService's gridmap, and that's why we get a "Gridmap authorization failed" error message.
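The reasoning above can be checked mechanically. The following is an added diagnostic sketch, not part of the tutorial or of the Globus Toolkit: it reads the SECURITY INFO block from the server log, applies the fallback rule described above, and looks the resulting subject up in a gridmap. The gridmap contents and the local account name are constructed assumptions, as are all function names.

```python
import re
import shlex

# Constructed input: the SECURITY INFO block from the server log above.
SERVER_LOG = """\
INFO: -------- BEGIN SECURITY INFO --------
INFO: Caller: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Invocation subject:/O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Service subject:
NULL
INFO: System subject:/O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
INFO: --------  END SECURITY INFO  --------
"""

# Constructed gridmap for MathService; the local account "borja" is an assumption.
MATH_GRIDMAP = '''\
# "distinguished name" local-account[,local-account...]
"/O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor" borja
'''

# \s* also spans a line break, because the log prints NULL on the following line.
FIELD = re.compile(
    r"INFO: (Caller|Invocation subject|Service subject|System subject):\s*(?!INFO:)(\S.*)")

def parse_security_info(log):
    """Map each logged field to its subject DN, or None where the log says NULL."""
    return {f: None if v.strip() == "NULL" else v.strip() for f, v in FIELD.findall(log)}

def parse_gridmap(text):
    """Return {DN: [local accounts]}; shlex handles the quoted DN and # comments."""
    entries = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) >= 2:
            entries[parts[0]] = parts[1].split(",")
    return entries

def outbound_subject(subjects):
    """Rule from the explanation above: NULL service subject -> system subject."""
    return subjects.get("Service subject") or subjects.get("System subject")

def diagnose(log, gridmap_text):
    """Return (subject presented downstream, True if the gridmap lists it)."""
    subject = outbound_subject(parse_security_info(log))
    return subject, subject in parse_gridmap(gridmap_text)

if __name__ == "__main__":
    print(diagnose(SERVER_LOG, MATH_GRIDMAP))
```

Run against the log above, it reports the Globus 3 Administrator subject and a failed gridmap lookup, which matches the AuthorizationException the client received.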

So...let's add delegation to the PhysicsService and see how it all finally works out.