A first approach at delegation

As mentioned before, this first example is based on the first secure service we saw. This means we'll only see the differences between both examples. However, remember that the full code for this example can be found in $TUTORIAL_DIR/org/globus/progtutorial/services/security/delegation_first/.

Activating delegation on the client side

The first thing we have to do is modify the client to tell it to delegate its credentials to the service. This is done simply by setting the following stub property:

((Stub)math)._setProperty(GSIConstants.GSI_MODE,GSIConstants.GSI_MODE_FULL_DELEG);
[Note]

The client can be found in $TUTORIAL_DIR/org/globus/progtutorial/clients/MathService/ClientDelegation.java

Activating delegation on the server side

But for delegation to be complete, we need to do two things on the server side:

  • The particular method we want to invoke must be configured to run with the caller's identity. In other words, the invocation subject must be set to the caller's identity. We saw how to do this earlier, in the runtime identity part of the security configuration file chapter.

  • We have to tell the service to assume the identity of the caller. Remember from the runtime identity page that service subject was always NULL, unless we delegated credentials on the service. We will be able to do this by adding one simple line of code.

Setting the runtime identity

To set the runtime identity, we will be able to reuse the security configuration file we used in the runtime identity example. Remember that, in that example, the add method was configured to run under the caller's identity. The security configuration file for this example can be found in $TUTORIAL_DIR/org/globus/progtutorial/services/security/delegation_first/config/security-config-runas.xml

Setting the service owner

To make the service assume the invocation subject as its subject, we have to add the following line in each method where we want to perform delegation:

SecurityManager.getManager().setServiceOwnerFromContext(base);

For example, in the add method:

public void add(int a) throws RemoteException
, SecurityException
{
  
  SecurityManager.getManager().setServiceOwnerFromContext(base);
  logSecurityInfo("add");
  value = value + a;
}

Compile and deploy

Now, let's build the service:

./tutorial_build.sh \
org/globus/progtutorial/services/security/delegation_first \
schema/progtutorial/MathService/Math.gwsdl

And deploy it (from the globus account):

ant deploy \
-Dgar.name=$TUTORIAL_DIR/build/lib/org_globus_progtutorial_services_security_delegation_first.gar

Finally, before you restart the container, add the following line to the $GLOBUS_LOCATION/ogsilogging.properties file:

org.globus.progtutorial.services.security.delegation_first.impl.MathProvider=console,info

Compiling and running the client

Let's compile the client:

javac \
-classpath ./build/classes/:$CLASSPATH \
org/globus/progtutorial/clients/MathService/ClientDelegation.java

Finally, we run the client:

java \
-classpath ./build/classes/:$CLASSPATH \
org/globus/progtutorial/clients/MathService/ClientDelegation \
http://127.0.0.1:8080/ogsa/services/progtutorial/security/delegation/MathService \
5

The output on the client side should be pretty normal. We need to take a close look at the server side logs to verify that delegation is, in fact, working. Look at the add method (which runs under the caller's identity):

INFO: SECURITY INFO FOR METHOD 'add'
INFO: The caller is:/O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor

INFO: INVOCATION SUBJECT
INFO: Subject:
        Principal: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
        Private credential: [email protected]

INFO: SERVICE SUBJECT
INFO: Subject:
        Principal: /O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
        Private credential: [email protected]

INFO: SYSTEM SUBJECT
INFO: Subject:
        Principal: /O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
        Private credential: [email protected]

Notice how the service subject is not only no longer NULL...it's the caller's identity! Holy identity theft, Batman! :-)

As for the subtract and getValue methods, the service subject is also no longer NULL. However, since they're being run under the system and subject identity (respectively), we see the globus account subject in the service subject.

INFO: SECURITY INFO FOR METHOD 'subtract'
INFO: The caller is:/O=Globus/OU=GT3 Tutorial/CN=Borja Sotomayor
INFO: INVOCATION SUBJECT
INFO: Subject:
        Principal: /O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
        Private credential: [email protected]

INFO: SERVICE SUBJECT
INFO: Subject:
        Principal: /O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
        Private credential: [email protected]

INFO: SYSTEM SUBJECT
INFO: Subject:
        Principal: /O=Globus/OU=GT3 Tutorial/CN=Globus 3 Administrator
        Private credential: [email protected]

So, we've seen that delegation actually does work. However, this example isn't exactly what you could call 'exciting'. However, I promise the next example is guaranteed to positively thrill you!