
perfsonar-dev - Re: [pS-dev] Help needed for the design of the authorization request

Subject: perfsonar development work

  • From: Jason Zurawski <>
  • To: "Jeff W. Boote" <>
  • Cc: Cándido Rodríguez Montes <>, " List" <>
  • Subject: Re: [pS-dev] Help needed for the design of the authorization request
  • Date: Tue, 03 Jun 2008 09:06:47 -0400
  • Openpgp: id=B94D59A6; url=http://people.internet2.edu/~zurawski/key.txt
  • Organization: Internet2

Jeff W. Boote wrote:
Why do you escape the elements in the request?

Because Cándido did :p

I am guessing this is similar to the issues with the LS returning XML data inside of an XML element?
-jason



On Jun 3, 2008, at 5:07 AM, Jason Zurawski wrote:

Cándido;

Specifically... Will this need to 'ride' along within the context of other messages? Or is this only within the context of a service communicating with the AS? (If it needs to 'ride along' it would argue for perhaps actually using the SOAP headers, or perhaps message parameters.)

It's only within the context of a service communicating with the AS. I thought that I can include it inside the SOAP headers but I don't think it's the right place because it's not information about the message but it's the query that the service wants to send to the AS.
The request that I'm trying to define is the authorization request from a perfSONAR service to an AS. And I want to send a message like the following:
<nmwg:message id="authRMessage1" type="AuthNEERequest" xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/">
  <nmwg:metadata id="authRMetadata">
    <nmwg:parameters id="keys">
      <nmwg:parameter name="SecurityToken">XXXXXXX</nmwg:parameter>
    </nmwg:parameters>
  </nmwg:metadata>
  <nmwg:data id="authN1" metadataIdRef="authRMetadata">
    <Request>
    .
    .
    .
    </Request>
  </nmwg:data>
</nmwg:message>


Is there anything else that would go inside of the metadata element other than the security token parameter?

Not so far

The only reason I ask is that I want to make sure the interaction is modeled correctly (e.g. is the request element that you currently have in the data itself more of the 'subject', or is it tied [perhaps indirectly] to the token). If the request itself is the 'subject' or 'source', I would argue that it makes more sense to live in the metadata, perhaps inside of a subject element (aa:subject or something).

I think the request itself is more of the 'subject' but it is the message that I want to send to the subject. If a subject identifies an end point I think the request shouldn't be included inside a subject element (but, of course, I may be wrong :-D)
So, does it make sense to include it inside an aa:authrrequest? But this 'aa:authrrequest', where do you think it should be included?


I've been doing some examples and the request looks like:
<nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/" id="localhost.1269d12a:11a2f25d39e:-7fff" type="AuthNEERequest">
  <nmwg:metadata id="authNmetadata">
    <nmwg:parameters id="keys">
      <nmwg:parameter name="SecurityToken" value="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </nmwg:parameters>
  </nmwg:metadata>
  <nmwg:data id="authN1" metadataIdRef="authNmetadata">
    <aa:authrrequest xmlns:aa="http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/authrrequest/1.0/">
      &lt;Request&gt;
      &lt;Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"&gt;
      &lt;Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"&gt;&lt;AttributeValue&gt;kan&lt;/AttributeValue&gt;&lt;/Attribute&gt;
      &lt;/Subject&gt;
      &lt;Resource&gt;
      &lt;Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"&gt;&lt;AttributeValue&gt;http://perfsonar.net/MA&lt;/AttributeValue&gt;&lt;/Attribute&gt;
      &lt;/Resource&gt;
      &lt;Action&gt;
      &lt;Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"&gt;&lt;AttributeValue&gt;read&lt;/AttributeValue&gt;&lt;/Attribute&gt;
      &lt;/Action&gt;
      &lt;/Request&gt;
    </aa:authrrequest>
  </nmwg:data>
</nmwg:message>

Does it make sense for you?


If the request itself is the subject, I would actually argue for something like this:


<nmwg:message id="authRMessage1" type="AuthNEERequest"
    xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/"
    xmlns:aa="http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/1.0/">

  <nmwg:metadata id="authRMetadata">
    <aa:subject id="authRSubject"
        xmlns:aa="http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/1.0/">
      &lt;Request&gt;
      &lt;Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"&gt;
      &lt;Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"&gt;&lt;AttributeValue&gt;kan&lt;/AttributeValue&gt;&lt;/Attribute&gt;
      &lt;/Subject&gt;
      &lt;Resource&gt;
      &lt;Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"&gt;&lt;AttributeValue&gt;http://perfsonar.net/MA&lt;/AttributeValue&gt;&lt;/Attribute&gt;
      &lt;/Resource&gt;
      &lt;Action&gt;
      &lt;Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"&gt;&lt;AttributeValue&gt;read&lt;/AttributeValue&gt;&lt;/Attribute&gt;
      &lt;/Action&gt;
      &lt;/Request&gt;
    </aa:subject>
    <nmwg:eventType>http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/request/1.0</nmwg:eventType>
    <aa:parameters id="keys" xmlns:aa="http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/1.0/">
      <nmwg:parameter name="SecurityToken">XXXXXXX</nmwg:parameter>
    </aa:parameters>
  </nmwg:metadata>

  <nmwg:data id="authN1" metadataIdRef="authRMetadata" />

</nmwg:message>

This keeps the request in the metadata/subject portion and uses an empty data trigger.

-jason
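
The escaping question raised in this thread matters to whoever implements the AS: an escaped XACML request reaches the outer parser as character data, so the service must parse it a second time as untrusted input. The following is an added example, not code from the perfSONAR project or from the posters; the sample message is constructed from the last proposal above with the XACML attributes trimmed, and the function names and the DTD rejection are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NMWG = "http://ggf.org/ns/nmwg/base/2.0/"
AA = "http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/1.0/"
XACML = "urn:oasis:names:tc:xacml:1.0:"

def escaped_attr(kind, value):
    # One XACML <Attribute>, escaped the way the thread's examples are.
    return (f'&lt;Attribute AttributeId="{XACML}{kind}"&gt;'
            f'&lt;AttributeValue&gt;{value}&lt;/AttributeValue&gt;&lt;/Attribute&gt;')

# Constructed sample modelled on the last message in the thread.
SAMPLE = f"""<nmwg:message id="authRMessage1" type="AuthNEERequest"
    xmlns:nmwg="{NMWG}" xmlns:aa="{AA}">
  <nmwg:metadata id="authRMetadata">
    <aa:subject id="authRSubject">
      &lt;Request&gt;
      &lt;Subject&gt;{escaped_attr("subject:subject-id", "kan")}&lt;/Subject&gt;
      &lt;Resource&gt;{escaped_attr("resource:resource-id", "http://perfsonar.net/MA")}&lt;/Resource&gt;
      &lt;Action&gt;{escaped_attr("action:action-id", "read")}&lt;/Action&gt;
      &lt;/Request&gt;
    </aa:subject>
  </nmwg:metadata>
  <nmwg:data id="authN1" metadataIdRef="authRMetadata"/>
</nmwg:message>"""

def extract_request(message_xml):
    """Return (child elements the outer parser saw, XACML attributes by id)."""
    root = ET.fromstring(message_xml)
    subject = root.find(f"{{{NMWG}}}metadata/{{{AA}}}subject")
    if subject is None:
        raise ValueError("no aa:subject in metadata")
    # Escaped markup is plain text to the outer parser: no child elements,
    # so schema validation of the outer message never checks the request.
    outer_children = len(subject)
    inner = (subject.text or "").strip()
    # The second parse handles fresh untrusted input; refuse DTDs outright.
    if "<!DOCTYPE" in inner or "<!ENTITY" in inner:
        raise ValueError("DTD not allowed in embedded request")
    request = ET.fromstring(inner)
    if request.tag != "Request":
        raise ValueError("embedded document is not a Request")
    attrs = {}
    for attr in request.iter("Attribute"):
        value = attr.find("AttributeValue")
        attrs[attr.get("AttributeId")] = None if value is None else value.text
    return outer_children, attrs
```
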



