
perfsonar-dev - Re: [pS-dev] Some critical modifications to perfSONAR

Subject: perfsonar development work

  • From: Roman Lapacz <>
  • To: Cándido Rodríguez Montes <>
  • Cc: Perfsonar Development List <>
  • Subject: Re: [pS-dev] Some critical modifications to perfSONAR
  • Date: Wed, 21 Mar 2007 14:22:52 +0100

Cándido Rodríguez Montes wrote:
> Hi,

Hi

> as most of you know, I've started to implement the authorization service (AS) in perfSONAR, and it's not only to develop that service but it also provides perfSONAR services with some classes for sending AS authorization requests.
> Well, the AA team decided some weeks ago to use Web Service Security (WS-SEC) standards for authorization purposes. At this time, the communication between perfSONAR clients and resources is through XML messages which are encapsulated by SOAP. But SOAP is composed of two main elements: SOAP headers and SOAP bodies. And those XML messages are included in a SOAP body.
> But using WS-SEC, clients sending to resources (and likewise resources sending an authN request to the AS) include the security token, which is the information needed by the receiver to check the identity of the sender, in a SOAP header. And this implies some modifications in the perfSONAR architecture:
> - In the svn branch 'branches/as', I've modified the class 'org.perfsonar.service.web.RequestHandler' so it can access the whole SOAP message. This way, we can check whether clients have sent a security token or not.
> - But resources need to get the security token in case it has been sent. In the perfSONAR architecture, XML messages sent by clients are mapped to the class 'org.ggf.ns.nmwg.base.v2_0.Message' and then it is passed to a message handler. Finally, the service receives the message when the function 'takeAction(String actionType, Message request)' is called. In this scenario, it's not possible for services to get the security token or check the SOAP header which contains the security token. So, I think that there are two possible solutions:
>   + We can change the 'Message' class so it includes the security token if it's sent in the request.
>   + We can change this presented workflow and change the function 'takeAction' to 'takeAction(String actionType, Message request, SecurityToken token)'.
>   + Any other ideas?
>
> What's your feeling about this?


What will this token look like?

I remember that Martin proposed to have an authentication token as a parameter authToken in the message (at that time we had a vague picture of the authentication stuff, but it may still fit).
This is an example:


<nmwg:message id="msg"
type="SetupDataRequest"
xmlns:netutil="http://ggf.org/ns/nmwg/characteristic/utilization/2.0/"
xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/"
xmlns:nmwgt="http://ggf.org/ns/nmwg/topology/2.0/"
xmlns:select="http://ggf.org/ns/nmwg/ops/select/2.0/">

<!-- Optional message level parameters -->
<nmwg:parameters id="msgparam1">
<nmwg:parameter name="authToken">Internet2</nmwg:parameter>
<nmwg:parameter name="timeValue">1127250480</nmwg:parameter>
<nmwg:parameter name="timeType">unix</nmwg:parameter>
</nmwg:parameters>

<nmwg:metadata id="meta1">
<netutil:subject id="iusub1">
<nmwgt:interface>
....
</nmwgt:interface>
</netutil:subject>
<nmwg:eventType>http://ggf.org/ns/nmwg/characteristic/utilization/2.0</nmwg:eventType>
</nmwg:metadata>

<nmwg:data id="data1" metadataIdRef="meta1"/>

</nmwg:message>



Roman





--
Cándido Rodríguez Montes E-mail: <mailto:>
Red.ES/RedIRIS Tel:+34 955 05 66 13
Edificio CICA
Avenida Reina Mercedes, s/n
41012 Sevilla
SPAIN
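
The two token placements discussed in this thread, side by side, as an added example that is not part of the original messages or of perfSONAR's code: it parses one constructed SOAP envelope and shows that the WS-SEC header token is not reachable from the `nmwg:message` subtree, while the `authToken` parameter is. The `wsse:BinarySecurityToken` form, the token values and all function names are assumptions made for illustration; the thread does not say which WS-SEC token type is used.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "nmwg": "http://ggf.org/ns/nmwg/base/2.0/",
}

# Constructed sample request carrying a token in both places discussed in the thread.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}" xmlns:nmwg="{NS['nmwg']}">
  <soap:Header><wsse:Security>
    <wsse:BinarySecurityToken>Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>
  </wsse:Security></soap:Header>
  <soap:Body>
    <nmwg:message id="msg" type="SetupDataRequest">
      <nmwg:parameters id="msgparam1">
        <nmwg:parameter name="authToken">Internet2</nmwg:parameter>
      </nmwg:parameters>
    </nmwg:message>
  </soap:Body>
</soap:Envelope>"""

def parse_envelope(xml_text):
    # SOAP messages must not carry a DTD; refusing one also blocks entity tricks.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not allowed in a SOAP message")
    return ET.fromstring(xml_text)

def header_token(envelope):
    # WS-SEC placement: the token lives in soap:Header, outside the nmwg message.
    el = envelope.find("soap:Header/wsse:Security/wsse:BinarySecurityToken", NS)
    return el.text.strip() if el is not None and el.text else None

def parameter_token(message):
    # Placement from Roman's example: a message-level parameter named authToken.
    for p in message.findall("nmwg:parameters/nmwg:parameter", NS):
        if p.get("name") == "authToken":
            return (p.text or "").strip() or None
    return None

def tokens_seen(xml_text):
    env = parse_envelope(xml_text)
    msg = env.find("soap:Body/nmwg:message", NS)  # the part mapped to Message
    if msg is None:
        raise ValueError("no nmwg:message in SOAP body")
    return {
        "header": header_token(env),
        "parameter": parameter_token(msg),
        # True only if the header token were reachable from the body subtree.
        "header_token_in_message": msg.find(".//wsse:BinarySecurityToken", NS) is not None,
    }
```

A handler that receives only the body-derived message sees the `parameter` value; the `header` value has to be handed to it separately, which is the gap both proposals in the thread address.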






