Hi,

 

With transport security (https) you cannot delegate as part of the protocol.
In the toolkit we use the Delegation Service to delegate independently of the
protocol. Details can be found here:
http://www.globus.org/toolkit/docs/4.0/security/delegation/

 

In a nutshell, your client will contact the delegation service installed in
the same container as your service to delegate its credential and will
receive an EPR to the delegated credential. This EPR needs to be sent as a
part of the method invocation to your service. The EPR can then be used to
retrieve the client's delegated credential. Any mechanism can be used to
secure your invocation, since the delegation credential EPR is an
application level parameter.

 

Rachana

 

  _____  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Zhaohui Ding
Sent: Wednesday, November 28, 2007 6:25 PM
To: [email protected]
Subject: [gt-user] How to get delegated credential with Transport level
security

 

Hi all,

    Here is what I want to implement:
    The client side delegates a credential to the server side, and the server
side can retrieve the delegated credential. I used conversation security to
implement this before, and it works fine. Due to the performance issue, I hope
to replace conversation security with transport security.
    I tried the functions provided by GlobusGSSContextImpl, but the
delegated credential can't be retrieved. Can anyone give me some
instructions? Thanks!

Please see the following messages.
Client code:

((Stub) job)._setProperty(Constants.GSI_TRANSPORT, Constants.SIGNATURE);
((Stub) job)._setProperty(GSIConstants.GSI_MODE, GSIConstants.GSI_MODE_FULL_DELEG);
((Stub) job)._setProperty(Constants.AUTHORIZATION, new HostAuthorization());


Server code:

// Look up the transport security context of the current request
MessageContext mctx = MessageContext.getCurrentContext();
GlobusGSSContextImpl transport_sec =
    (GlobusGSSContextImpl) mctx.getProperty(Constants.TRANSPORT_SECURITY_CONTEXT);
GSSCredential credential = null;
GSSCredential credential2 = null;
try {
    // Try both accessors for the delegated credential
    credential = transport_sec.getDelegatedCredential();
    credential2 = transport_sec.getDelegCred();
    logger.debug("1:" + credential);
    logger.debug("2:" + credential2);
    // Dump the state of the context for diagnosis
    logger.debug("getIntegState():" + transport_sec.getIntegState());
    logger.debug("getCredDelegState():" + transport_sec.getCredDelegState());
    logger.debug("getlifetime():" + transport_sec.getLifetime());
    logger.debug("isInitiator():" + transport_sec.isInitiator());
    logger.debug("isProtReady():" + transport_sec.isProtReady());
    logger.debug("isEstablished():" + transport_sec.isEstablished());
    logger.debug("isDelegationFinished():" + transport_sec.isDelegationFinished());
    logger.debug("getConfState():" + transport_sec.getConfState());
} catch (Exception e) {
    logger.error(e.getMessage());
    throw new RemoteException("Retrive user credential failed!");
}

The log on server side:

2007-11-28 15:37:41,984 DEBUG impl.JobImpl [ServiceThread-9,createResource:346] 1:null
2007-11-28 15:37:41,985 DEBUG impl.JobImpl [ServiceThread-9,createResource:348] 2:null
2007-11-28 15:37:41,985 DEBUG impl.JobImpl [ServiceThread-9,createResource:349] getIntegState():true
2007-11-28 15:37:41,986 DEBUG impl.JobImpl [ServiceThread-9,createResource:350] getCredDelegState():false
2007-11-28 15:37:41,986 DEBUG impl.JobImpl [ServiceThread-9,createResource:351] getlifetime():353594
2007-11-28 15:37:41,987 DEBUG impl.JobImpl [ServiceThread-9,createResource:352] isInitiator():false
2007-11-28 15:37:41,987 DEBUG impl.JobImpl [ServiceThread-9,createResource:353] isProtReady():true
2007-11-28 15:37:41,988 DEBUG impl.JobImpl [ServiceThread-9,createResource:354] isEstablished():true
2007-11-28 15:37:41,988 DEBUG impl.JobImpl [ServiceThread-9,createResource:355] isDelegationFinished():false
2007-11-28 15:37:41,989 DEBUG impl.JobImpl [ServiceThread-9,createResource:356] getConfState():true

Regards,
--Zhaohui
