We need to make the client delegate its credentials. As we saw in the first delegation example, we can accomplish this by setting a stub security option:
((Stub)math)._setProperty(GSIConstants.GSI_MODE,GSIConstants.GSI_MODE_FULL_DELEG);
To make the service use the delegated credential as its own, we'll need to add the following line in the getAnswerToLifeTheUniverseAndEverything method, right before calling logSecurityInfo:
SecurityManager.getManager().setServiceOwnerFromContext(base);
The modified version of PhysicsService (with delegation activated) can be found in $TUTORIAL_DIR/org/globus/progtutorial/services/security/delegation/impl/PhysicsProvider.java. As noted on the previous page, this new service was deployed along with the previous example (the non-delegating PhysicsService).
Compiling, deploying, and running the client can be done by following the instructions on the previous page. Just make sure you work in the $TUTORIAL_DIR/org/globus/progtutorial/services/security/delegation directory, not in the $TUTORIAL_DIR/org/globus/progtutorial/services/security/delegation_notdelegating directory.
javac \
-classpath ./build/classes/:$CLASSPATH \
org/globus/progtutorial/clients/PhysicsService/ClientDelegation.java

java \
-classpath ./build/classes/:$CLASSPATH \
org/globus/progtutorial/clients/PhysicsService/ClientDelegation \
http://127.0.0.1:8080/ogsa/services/progtutorial/security/delegation/PhysicsService
Once you run the client, you should see the following output:
Answer: 42
Yes, this is the Answer to Life, the Universe, and Everything. Further details in The Hitchhiker's Guide to the Galaxy :-)
If we take a look at the server logs, we'll see how delegation is really taking place. First, let's look at the security info written by the PhysicsService:
INFO: -------- BEGIN SECURITY INFO --------
INFO: Caller: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Invocation subject: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Service subject: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: System subject:/O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
INFO: -------- END SECURITY INFO --------
Notice how, this time, both the invocation subject and the service subject are the same as the caller's subject.
Now let's take a look at the messages output by MathService:
INFO: Creating MathService instance...
INFO: Created MathService instance
INFO: Obtaining reference to MathService instance...
INFO: Obtained reference to MathService instance
INFO: Invoking 'add' method...
INFO: 'add' invoked by: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Invoked 'add' method
INFO: Invoking 'add' method...
INFO: 'add' invoked by: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Invoked 'add' method
INFO: Invoking 'add' method...
INFO: 'add' invoked by: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Invoked 'add' method
INFO: Invoking 'add' method...
INFO: 'add' invoked by: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Invoked 'add' method
INFO: Invoking 'add' method...
INFO: 'add' invoked by: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Invoked 'add' method
INFO: Invoking 'add' method...
INFO: 'add' invoked by: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Invoked 'add' method
INFO: Invoking 'add' method...
INFO: 'add' invoked by: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Invoked 'add' method
INFO: Invoking 'getValue' method...
INFO: 'getValue' invoked by: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: Invoked 'getValue' method
INFO: Destroying MathService instance...
INFO: Destroyed MathService instance
Even though the MathService is being invoked by PhysicsService (which is being run by the globus account), it is using the caller's delegated credentials when making the call to the add method.
Pretty nifty, huh?
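The comparison made by eye in the server logs above can be automated. The following Python script is an added example, not part of the original tutorial or of GT3: it parses the log format shown on this page and reports every place where a subject other than the caller's was used. The NOT_DELEGATED log is a constructed contrast case (an assumption, not real server output).

```python
import re

# Subjects as they appear in the logs on this page.
CALLER = "/O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor"
SYSTEM = "/O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator"

# Shortened excerpt of the PhysicsService and MathService output shown above.
DELEGATED = f"""\
INFO: -------- BEGIN SECURITY INFO --------
INFO: Caller: {CALLER}
INFO: Invocation subject: {CALLER}
INFO: Service subject: {CALLER}
INFO: System subject:{SYSTEM}
INFO: -------- END SECURITY INFO --------
INFO: Invoking 'add' method...
INFO: 'add' invoked by: {CALLER}
INFO: Invoked 'add' method
INFO: 'getValue' invoked by: {CALLER}
"""
# Constructed contrast case (assumption): the service acts as the system subject.
NOT_DELEGATED = (DELEGATED.replace(f"Service subject: {CALLER}", f"Service subject: {SYSTEM}")
                 .replace(f"invoked by: {CALLER}", f"invoked by: {SYSTEM}"))

FIELD = re.compile(r"^INFO: (Caller|Invocation subject|Service subject|System subject):\s*(.+)$")
CALL = re.compile(r"^INFO: '(\w+)' invoked by: (.+)$")

def check_delegation(log_text):
    """Return a list of findings; an empty list means the caller's identity
    was used for the service subject and for every downstream call."""
    subjects, calls, findings = {}, [], []
    for line in log_text.splitlines():
        if m := FIELD.match(line):
            subjects[m.group(1)] = m.group(2).strip()
        elif m := CALL.match(line):
            calls.append((m.group(1), m.group(2).strip()))
    caller = subjects.get("Caller")
    if caller is None:
        return ["no security info block found"]
    for field in ("Invocation subject", "Service subject"):
        if subjects.get(field) != caller:
            findings.append(f"{field} is {subjects.get(field)!r}, not the caller")
    for method, who in calls:
        if who != caller:
            findings.append(f"'{method}' was invoked by {who!r}, not the caller")
    return findings

if __name__ == "__main__":
    for name, log in (("delegated", DELEGATED), ("not delegated", NOT_DELEGATED)):
        print(name, "->", check_delegation(log) or "OK")
```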