perfsonar-dev - Re: FYI: important change in the authN implementation
- From: Nicolas Simar <>
- To: Cándido Rodríguez Montes <>
- Cc: , Danijel Matek <>, David Schmitz <>
- Subject: Re: FYI: important change in the authN implementation
- Date: Tue, 05 Feb 2008 16:45:10 +0000
Hi,
Have Nina and David confirmed that the issue is solved?
Cheers,
Nicolas
Cándido Rodríguez Montes wrote:
Hi devs,
I wrote an email on the 26th of November about an unsolved problem between axis1, opensaml and xml signatures. When a perfSONAR resource sends a SAML assertion or the AS receives one, Axis1 modifies the content of the XML and its signature cannot be validated. Due to this problem the client in a Web containEr (WE) profile cannot be implemented in perfSONAR. I've made a workaround to solve this situation so we can integrate the authN process into web-based visualization tools for the next upcoming release of perfSONAR. You can find *more information about this at [1] section 'Client in a Web containEr'*.
Also, another important feature is that timestamp information has to be sent in the WS-SEC header, ensuring the security of the model. Now, a ws-sec header (<wsse:Security> element) cannot be reused because it would be a potential security hole in our model. The main goal is to avoid someone copying the SOAP header and using it to get valid credentials in the perfSONAR environment. If you're wondering why I've done it right now, the thing is I've been thinking about security considerations during these Christmas holidays for the upcoming release (the first one having the authN process). I've *updated the specification of the 3 profiles and how the timestamp SHOULD be sent at [1]*.
* Information for Java Developers:
** Visualization Tools: you have to use the perfsonar-base-1.0.20080114.jar file. You don't have to modify your code!
** perfSONAR services: you have to use the perfsonar-base-1.0.20080114.jar file. You don't have to modify your code!
* Information for non-Java Developers:
** Visualization Tools: you have to modify your code (or the library you're using, perlSONAR for example). If you've implemented the AC or the UbC profiles you only have to add the timestamp information (and its digest value). You can find the specification at [2]. If you have to implement the WE profile, read the specification at [1] section 'Client in a Web containEr' below the WARNING title. Of course, if you have problems or any question send me an email or contact me by Jabber :-)
** perfSONAR services: read [1], although if you were copying the SOAP header, you don't have to do any update of your code.
I know it makes the test process for the AS a little bit more complex, since the SOAP header cannot be copied into soapUI. For this situation, I've created a web-based test tool which generates valid SOAP messages for the three profiles. I'm going to upload it tomorrow and contact David Schmitz about this.
Regards
[1] http://wiki.perfsonar.net/jra1-wiki/index.php/Authentication_Service_resources
[2] http://wiki.perfsonar.net/jra1-wiki/index.php/Using_X.509_token_profile
--
Cándido Rodríguez Montes
Middleware warrior Tel:+34 955 05 66 13
Red.ES/RedIRIS
Edificio CICA
Avenida Reina Mercedes, s/n
41012 Sevilla
SPAIN
--
Nicolas
______________________________________________________________________
Nicolas Simar
Network Engineer
DANTE - www.dante.net
Tel - BE: +32 (0) 4 366 93 49
Tel - UK: +44 (0)1223 371 300
Mobile: +44 (0) 7740 176 883
City House, 126-130 Hills Road
Cambridge CB2 1PQ
UK
_____________________________________________________________________
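The change described in the quoted message (a wsse:Security header must carry a signed timestamp and must not be accepted twice) can be checked on the receiving side as shown here. This is an added illustration, not perfSONAR's own code: the helper names, the 5-minute skew tolerance and the sample header are assumptions, and XML signature verification of the Timestamp element is assumed to happen before this check runs.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
# WS-Security 1.0 namespace identifiers (OASIS).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
MAX_SKEW = timedelta(minutes=5)  # assumed tolerance for clock drift between peers

def parse_utc(value):
    """Parse a wsu 'Z'-suffixed timestamp into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_header(soap_header_xml, seen_digests, now):
    """Return (accepted, reason). Assumes the caller has already verified the
    XML signature covering the wsu:Timestamp, so its contents can be trusted."""
    root = ET.fromstring(soap_header_xml)
    ts = root.find(f".//{{{WSSE}}}Security/{{{WSU}}}Timestamp")
    if ts is None:
        return False, "missing wsu:Timestamp"
    created, expires = ts.findtext(f"{{{WSU}}}Created"), ts.findtext(f"{{{WSU}}}Expires")
    if created is None or expires is None:
        return False, "timestamp lacks Created/Expires"
    if parse_utc(created) > now + MAX_SKEW:
        return False, "Created is in the future"
    if parse_utc(expires) < now - MAX_SKEW:
        return False, "timestamp expired"
    # Replay check: a copied header carries the same signed Timestamp, so its
    # digest matches one already accepted within the freshness window.
    digest = hashlib.sha256(ET.tostring(ts)).hexdigest()
    if digest in seen_digests:
        return False, "timestamp already used (replayed header)"
    seen_digests.add(digest)
    return True, "ok"

# Constructed sample header for the demo (not taken from the mailing list).
SAMPLE = f"""<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
    <wsu:Timestamp wsu:Id="ts-1">
      <wsu:Created>2008-02-05T16:45:10Z</wsu:Created>
      <wsu:Expires>2008-02-05T16:50:10Z</wsu:Expires>
    </wsu:Timestamp>
  </wsse:Security>
</soap:Header>"""

if __name__ == "__main__":
    seen = set()
    now = parse_utc("2008-02-05T16:46:00Z")
    print(check_header(SAMPLE, seen, now))  # first use: (True, 'ok')
    print(check_header(SAMPLE, seen, now))  # replay: rejected
```

In a real service the seen-digest set needs to be pruned once entries are older than the freshness window, otherwise it grows without bound.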