perfsonar-dev - Re: [pS-dev] Help needed for the design of the authorization request
Subject: perfsonar development work
- From: "Jeff W. Boote"
- To: Cándido Rodríguez Montes
- Cc: " List", Zurawski Jason
- Subject: Re: [pS-dev] Help needed for the design of the authorization request
- Date: Tue, 3 Jun 2008 10:35:31 -0600
On Jun 3, 2008, at 9:23 AM, Jason Zurawski wrote:
Cándido;
I think the request should be XML and not 'string' data. This would allow services/clients to use the full set of XML APIs to look at requests/responses. (Otherwise, why are we messing with this bloated XML stuff anyway?)
Yes, I agree with you but I don't know how to do it. I can have the Document or the String of the <Request> element but how do I integrate it in an nmwg message? I guess I should use the org.ggf.ns.nmwg.base.v2_0.Element class but it didn't work.
So, any help for adding the <Request> element inside an <aa:subject> element? :-)
To do this you would need to add the necessary objects and handlers to the nmwg object structure.
Or stop using the object marshaling model and just use DOM directly or perhaps a push-pull model... Not sure where that is on the Java developers' plans, but the marshaling model has obviously shown itself to be a pain in more ways than one and I don't think we should be crafting message formats due to this implementation limitation. (Especially given the fact that the main Java developers have already expressed the wish to remove it.)
Probably the short-term solution in the Java implementation is as Jason says: Add the needed objects into the nmwg library.
jeff
-jason
jeff
On Jun 3, 2008, at 7:06 AM, Jason Zurawski wrote:
Jeff W. Boote wrote:
Why do you escape the elements in the request?
Because Cándido did :p
I am guessing this is similar to the issues with the LS returning XML data inside of an XML element?
-jason
On Jun 3, 2008, at 5:07 AM, Jason Zurawski wrote:
Cándido;
Specifically... Will this need to 'ride' along within the context of other messages? Or is this only within the context of a service communicating with the AS? (If it needs to 'ride along' it would argue for perhaps actually using the SOAP headers, or perhaps message parameters.)
It's only within the context of a service communicating with the AS. I thought that I could include it inside the SOAP headers but I don't think it's the right place because it's not information about the message but it's the query that the service wants to send to the AS.
The request that I'm trying to define is the authorization request from a perfSONAR service to an AS. And I want to send a message like the following:
<nmwg:message id="authRMessage1" type="AuthNEERequest" xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/">
  <nmwg:metadata id="authRMetadata">
    <nmwg:parameters id="keys">
      <nmwg:parameter name="SecurityToken">XXXXXXX</nmwg:parameter>
    </nmwg:parameters>
  </nmwg:metadata>
  <nmwg:data id="authN1" metadataIdRef="authRMetadata">
    <Request>
    .
    .
    .
    </Request>
  </nmwg:data>
</nmwg:message>
Is there anything else that would go inside of the metadata element other than the security token parameter?
Not so far
The only reason I ask is that I want to make sure the interaction is modeled correctly (e.g. is the request element that you currently have in the data itself more of the 'subject', or is it tied [perhaps indirectly] to the token). If the request itself is the 'subject' or 'source', I would argue that it makes more sense to live in the metadata, perhaps inside of a subject element (aa:subject or something).
I think the request itself is more of the 'subject' but it is the message that I want to send to the subject. If a subject identifies an end point I think the request shouldn't be included inside a subject element (but, of course, I may be wrong :-D)
So, does it make sense to include it inside an aa:authrrequest? But this 'aa:authrrequest', where do you think it should be included?
I've been doing some examples and the request looks like:
<nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/" id="localhost.1269d12a:11a2f25d39e:-7fff" type="AuthNEERequest">
  <nmwg:metadata id="authNmetadata">
    <nmwg:parameters id="keys">
      <nmwg:parameter name="SecurityToken" value="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </nmwg:parameters>
  </nmwg:metadata>
  <nmwg:data id="authN1" metadataIdRef="authNmetadata">
    <aa:authrrequest xmlns:aa="http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/authrrequest/1.0/">
      <Request>
        <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>kan</AttributeValue></Attribute>
        </Subject>
        <Resource>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"><AttributeValue>http://perfsonar.net/MA</AttributeValue></Attribute>
        </Resource>
        <Action>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>read</AttributeValue></Attribute>
        </Action>
      </Request>
    </aa:authrrequest>
  </nmwg:data>
</nmwg:message>
Does it make sense for you?
If the request itself is the subject, I would actually argue for something like this:
<nmwg:message id="authRMessage1" type="AuthNEERequest"
    xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/"
    xmlns:aa="http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/1.0/">
  <nmwg:metadata id="authRMetadata">
    <aa:subject id="authRSubject"
        xmlns:aa="http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/1.0/">
      <Request>
        <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>kan</AttributeValue></Attribute>
        </Subject>
        <Resource>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"><AttributeValue>http://perfsonar.net/MA</AttributeValue></Attribute>
        </Resource>
        <Action>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>read</AttributeValue></Attribute>
        </Action>
      </Request>
    </aa:subject>
    <nmwg:eventType>http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/request/1.0</nmwg:eventType>
    <aa:parameters id="keys" xmlns:aa="http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/1.0/">
      <nmwg:parameter name="SecurityToken">XXXXXXX</nmwg:parameter>
    </aa:parameters>
  </nmwg:metadata>
  <nmwg:data id="authN1" metadataIdRef="authRMetadata" />
</nmwg:message>
This keeps the request in the metadata/subject portion and uses an empty data trigger.
-jason
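
Added example (not part of the original thread and not perfSONAR code): one way to carry the <Request> as real XML inside aa:subject, following the last message layout above, by using the JDK's DOM API directly instead of the nmwg marshaling objects. The class name AuthRRequestBuilder, the helper child() and the cut-down Request are constructed for illustration; the namespace URIs and ids are the ones used in the thread.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

public class AuthRRequestBuilder {  // hypothetical class name
    static final String NMWG = "http://ggf.org/ns/nmwg/base/2.0/";
    static final String AA = "http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/1.0/";

    // Create a namespaced element with an id attribute and attach it to its parent.
    static Element child(Document doc, Node parent, String ns, String qname, String id) {
        Element e = doc.createElementNS(ns, qname);
        e.setAttribute("id", id);
        parent.appendChild(e);
        return e;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a cut-down XACML request, as a PEP library would hand it over.
        String xacml = "<Request><Action><Attribute"
            + " AttributeId=\"urn:oasis:names:tc:xacml:1.0:action:action-id\""
            + " DataType=\"http://www.w3.org/2001/XMLSchema#string\">"
            + "<AttributeValue>read</AttributeValue></Attribute></Action></Request>";

        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Reject DOCTYPE declarations so the embedded request cannot pull in external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        Document request = b.parse(new InputSource(new StringReader(xacml)));

        Document msg = b.newDocument();
        Element message = child(msg, msg, NMWG, "nmwg:message", "authRMessage1");
        message.setAttribute("type", "AuthNEERequest");
        Element metadata = child(msg, message, NMWG, "nmwg:metadata", "authRMetadata");
        Element subject = child(msg, metadata, AA, "aa:subject", "authRSubject");
        // importNode deep-copies the parsed tree into the message document: real elements, no escaping.
        subject.appendChild(msg.importNode(request.getDocumentElement(), true));
        Element data = child(msg, message, NMWG, "nmwg:data", "authN1");
        data.setAttribute("metadataIdRef", "authRMetadata");

        TransformerFactory.newInstance().newTransformer()
            .transform(new DOMSource(msg), new StreamResult(System.out));
    }
}
```

The receiving side can then address the request with ordinary namespace-aware DOM or XPath calls, and the same DOCTYPE restriction applies to the parser the AS uses on incoming messages.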