mace-opensaml-users - Re: Using OpenSAML to implement the GUMS PDP: questions and comments
Subject: OpenSAML user discussion
List archive
- From: Jay Packard <>
- To: Gabriele Garzoglio <>
- Cc: , "'privilege project'" <>
- Subject: Re: Using OpenSAML to implement the GUMS PDP: questions and comments
- Date: Thu, 01 May 2008 11:56:50 -0400
I also added the Decision and Status code.
Gabriele Garzoglio wrote:
Hi,
I'm forwarding to this list a few questions/observations that emerged at our project meeting.
The original mail is from Jay Packard, who is developing the code. I have added a few notes from the discussion at our meeting.
Thanks for any insight
Gabriele
- In the code, I have to add an attribute to an obligation, an obligation to an obligations list, an obligations list to a result, a result to a response, a response to a statement, and a statement, issuer, and subject to an assertion. This is complex. It would be nice if there was a wrapper function to only have to add the obligations and attributes and let the rest be default.
- Have I missed setting a value somewhere (in the function below)? I used the statementXACMLAuthzDecision() function in SampleProgram.java as a guide.
Comment: This sort of problems can be exposed with testing
- If the user is not mapped, I set FulfillOn to 'Deny' and don't include an attribute assignment. Is this correct?
Comment: To deny authorization, we should use the Decision context.
Questions:
What is the status context?
How is the FulfillOn attribute used in an obligation?
Here is the function:
public Assertion mapCredentials(XACMLAuthzDecisionQueryType xacmlQuery) {
XMLObjectBuilderFactory builderFactory = org.opensaml.xml.Configuration.getBuilderFactory();
// Get information from request
RequestType request = xacmlQuery.getRequest();
String hostDn = getResourceAttributeValue(request, "resource-x509-id");
String userDn = getSubjectAttributeValue(request, "subject-x509-id");
String userFqan = getSubjectAttributeValue(request, "voms-fqan");
// Attribute Assignment
String account = gums.mapUser(hostDn, userDn, userFqan);
AttributeAssignmentType attributeAssignment = null;
if (account == null)
log.debug("Denied access on '" + hostDn + "' for '" + userDn + "' with fqan '" + userFqan + "'"); else {
SubjectBuilder attributeAssignmentBuilder = (SubjectBuilder)builderFactory.getBuilder(AttributeAssignmentType.DEFAULT_ELEMENT_NAME);
attributeAssignment = (AttributeAssignmentType)attributeAssignmentBuilder.buildObject();
attributeAssignment.setAttributeId("urn:authz-interop:gt-egee-osg:names:xacml:attribute:Username");
attributeAssignment.setDataType("http://www.w3.org/2001/XMLSchema#string");
attributeAssignment.setValue(account);
log.debug("Credentials mapped on '" + hostDn + "' for '" + userDn + "' with fqan '" + userFqan + "' to '" + account + "'");
}
// Obligation
SubjectBuilder obligationBuilder = (SubjectBuilder)builderFactory.getBuilder(ObligationType.DEFAULT_ELEMENT_QNAME);
ObligationType obligation = (ObligationType)obligationBuilder.buildObject();
obligation.setFulfillOn(account!=null ? EffectType.Permit : EffectType.Deny);
obligation.setObligationId("urn:authz-interop:gt-egee-osg:names:xacml:attribute:Username");
if (attributeAssignment != null)
obligation.getAttributeAssignments().add(attributeAssignment);
// Obligations
SubjectBuilder obligationsBuilder = (SubjectBuilder)builderFactory.getBuilder(ObligationsType.DEFAULT_ELEMENT_QNAME);
ObligationsType obligations = (ObligationsType)obligationsBuilder.buildObject();
obligations.getObligations().add(obligation);
// Result
SubjectBuilder resultBuilder = (SubjectBuilder)builderFactory.getBuilder(ResultType.DEFAULT_ELEMENT_NAME);
ResultType result = (ResultType)resultBuilder.buildObject();
result.setObligations(obligations);
// Response SubjectBuilder responseBuilder = (SubjectBuilder)builderFactory.getBuilder(ResponseType.DEFAULT_ELEMENT_NAME);
ResponseType response = (ResponseType)responseBuilder.buildObject();
response.setResult(result);
// Statement
XACMLAuthzDecisionStatementTypeImplBuilder xacmlauthzBuilder = (XACMLAuthzDecisionStatementTypeImplBuilder)builderFactory.getBuilder(XACMLAuthzDecisionStatementType.TYPE_NAME_XACML20);
XACMLAuthzDecisionStatementType xacmlAuthzStatement =
xacmlauthzBuilder.buildObject( Statement.DEFAULT_ELEMENT_NAME, XACMLAuthzDecisionStatementType.TYPE_NAME_XACML20); xacmlAuthzStatement.setRequest(request);
xacmlAuthzStatement.setResponse(response);
// Issuer
IssuerBuilder issuerBuilder = (IssuerBuilder)builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
Issuer issuer = issuerBuilder.buildObject();
try {
issuer.setValue(InetAddress.getLocalHost().getCanonicalHostName());
} catch (UnknownHostException e) {
log.error("Could not get host name");
}
// Subject
SubjectBuilder subjectBuilder = (SubjectBuilder)builderFactory.getBuilder(Subject.DEFAULT_ELEMENT_NAME);
Subject subject = subjectBuilder.buildObject();
// Sets AssertionImpl object with attributes, Issuer, Subject ...
AssertionBuilder assertionBuilder = (AssertionBuilder) builderFactory.getBuilder(Assertion.DEFAULT_ELEMENT_NAME);
AssertionImpl assertion = (AssertionImpl) assertionBuilder.buildObject();
assertion.setVersion(org.opensaml.common.SAMLVersion.VERSION_20);
try {
assertion.setID(new SecureRandomIdentifierGenerator().generateIdentifier());
} catch (NoSuchAlgorithmException e) {
log.error(e.getMessage());
}
assertion.setIssueInstant(new DateTime());
assertion.setSubject(subject);
assertion.setIssuer(issuer);
assertion.getStatements().add(xacmlAuthzStatement); return assertion;
}
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
- Using OpenSAML to implement the GUMS PDP: questions and comments, Gabriele Garzoglio, 05/01/2008
- Re: Using OpenSAML to implement the GUMS PDP: questions and comments, Jay Packard, 05/01/2008
- Re: [OpenSAML] Using OpenSAML to implement the GUMS PDP: questions and comments, Chad La Joie, 05/01/2008
- Re: [OpenSAML] Using OpenSAML to implement the GUMS PDP: questions and comments, Jay Packard, 05/01/2008
Archive powered by MHonArc 2.6.16.