Yes, that makes sense. Thank you.

--Zhaohui

2007/11/29, Rachana Ananthakrishnan <[EMAIL PROTECTED]>:
>
>  Yes and also across services in the same container. The same delegated
> EPR can be shared across any service in the container
>
>
>
> Rachana
>
>
>   ------------------------------
>
> *From:* Ian Foster [mailto:[EMAIL PROTECTED]
> *Sent:* Thursday, November 29, 2007 2:23 PM
> *To:* Zhaohui Ding
> *Cc:* Rachana Ananthakrishnan; [email protected]
> *Subject:* Re: [gt-user] How to get delegated credential with Transport
> level security
>
>
>
> actually the delegation service can make things faster, as you delegate
> once, and can then invoke many operations on that service
>
> Zhaohui Ding wrote:
>
> Thanks for the quick reply, Rachana,
>
> We also planned to use DelegationService before, but we don't want to
> involve more overhead.
>
> Since the problem is caused by the protocol, it looks like a remote delegated
> credential storage mechanism is necessary.
>
> Regards,
> --Zhaohui
>
> 2007/11/29, Rachana Ananthakrishnan <[EMAIL PROTECTED]>:
>
> Hi,
>
>
>
> With transport security (https) you cannot delegate as part of the
> protocol. In the toolkit we use Delegation Service to delegate independent
> of the protocol. Details can be found here: 
> http://www.globus.org/toolkit/docs/4.0/security/delegation/
>
>
>
>
> In a nutshell, your client will contact the delegation service installed
> in the same container as your service to delegate its credential and will
> receive an EPR to the delegated credential. This EPR needs to be sent as a
> part of the method invocation to your service. The EPR can then be used to
> retrieve the client's delegated credential. Any mechanism can be used to
> secure your invocation, since the delegation credential EPR is an
> application level parameter.
>
>
>
> Rachana
>
>
>   ------------------------------
>
> *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On
> Behalf Of *Zhaohui Ding
> *Sent:* Wednesday, November 28, 2007 6:25 PM
> *To:* [email protected]
> *Subject:* [gt-user] How to get delegated credential with Transport level
> security
>
>
>
> Hi all,
>
>     Here is what I want to implement:
>     The client side delegates a credential to the server side, and the server
> side can retrieve the delegated credential. I used conversation security to
> implement this before, and it works fine. Due to the performance issue, I hope
> to replace conversation security with transport security.
>     I tried the functions provided by GlobusGSSContextImpl, but the
> delegated credential can't be retrieved. Can anyone give me some
> instructions? Thanks!
>
> Please see the following messages,
> Client code:
>
> ((Stub) job)._setProperty(Constants.GSI_TRANSPORT, Constants.SIGNATURE);
> ((Stub) job)._setProperty(GSIConstants.GSI_MODE, GSIConstants.GSI_MODE_FULL_DELEG);
> ((Stub) job)._setProperty(Constants.AUTHORIZATION, new HostAuthorization());
>
>
> Server code:
>
> MessageContext mctx = MessageContext.getCurrentContext();
> GlobusGSSContextImpl transport_sec = (GlobusGSSContextImpl)
>         mctx.getProperty(Constants.TRANSPORT_SECURITY_CONTEXT);
> GSSCredential credential = null;
> GSSCredential credential2 = null;
> try {
>     credential = transport_sec.getDelegatedCredential();
>     credential2 = transport_sec.getDelegCred();
>     logger.debug("1:" + credential);
>     logger.debug("2:" + credential2);
>     logger.debug("getIntegState():" + transport_sec.getIntegState());
>     logger.debug("getCredDelegState():" + transport_sec.getCredDelegState());
>     logger.debug("getlifetime():" + transport_sec.getLifetime());
>     logger.debug("isInitiator():" + transport_sec.isInitiator());
>     logger.debug("isProtReady():" + transport_sec.isProtReady());
>     logger.debug("isEstablished():" + transport_sec.isEstablished());
>     logger.debug("isDelegationFinished():" + transport_sec.isDelegationFinished());
>     logger.debug("getConfState():" + transport_sec.getConfState());
> } catch (Exception e) {
>     logger.error(e.getMessage());
>     throw new RemoteException("Retrieve user credential failed!");
> }
>
> The log on server side:
>
> 2007-11-28 15:37:41,984 DEBUG impl.JobImpl[ServiceThread-9,createResource:346] 1:null
> 2007-11-28 15:37:41,985 DEBUG impl.JobImpl[ServiceThread-9,createResource:348] 2:null
> 2007-11-28 15:37:41,985 DEBUG impl.JobImpl[ServiceThread-9,createResource:349] getIntegState():true
> 2007-11-28 15:37:41,986 DEBUG impl.JobImpl[ServiceThread-9,createResource:350] getCredDelegState():false
> 2007-11-28 15:37:41,986 DEBUG impl.JobImpl[ServiceThread-9,createResource:351] getlifetime():353594
> 2007-11-28 15:37:41,987 DEBUG impl.JobImpl[ServiceThread-9,createResource:352] isInitiator():false
> 2007-11-28 15:37:41,987 DEBUG impl.JobImpl[ServiceThread-9,createResource:353] isProtReady():true
> 2007-11-28 15:37:41,988 DEBUG impl.JobImpl[ServiceThread-9,createResource:354] isEstablished():true
> 2007-11-28 15:37:41,988 DEBUG impl.JobImpl[ServiceThread-9,createResource:355] isDelegationFinished():false
> 2007-11-28 15:37:41,989 DEBUG impl.JobImpl[ServiceThread-9,createResource:356] getConfState():true
>
> Regards,
> --Zhaohui
>
>
>
>
>
>  --
>
>
>
>    Ian Foster, Director, Computation Institute
>
> Argonne National Laboratory & University of Chicago
>
> Argonne: MCS/221, 9700 S. Cass Ave, Argonne, IL 60439
>
> Chicago: Rm 405, 5640 S. Ellis Ave, Chicago, IL 60637
>
> Tel: +1 630 252 4619.  Web: www.ci.uchicago.edu.
>
>       Globus Alliance: www.globus.org.
>
>

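The flow described in the thread (delegate once, receive an EPR, pass it as an application-level parameter, reuse it across services in the same container), as an added toy model that is not part of the original messages and does not use any Globus Toolkit API. All class and method names are hypothetical, the DN is a constructed sample, and the rule that a credential is released only to a caller authenticated as the delegator is an assumption of this model.

```java
import java.time.Instant;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Toy model only: none of these types are Globus Toolkit classes.
public class DelegationModel {
    // Per delegation: who delegated, the credential, and when it expires.
    record Delegated(String ownerDn, String credential, Instant expires) {}

    // Stands in for the container-wide delegation service.
    static class DelegationStore {
        private final Map<String, Delegated> byHandle = new ConcurrentHashMap<>();

        // Client call: delegate once, get back an opaque handle (the "EPR").
        String delegate(String ownerDn, String credential, long lifetimeSec) {
            String handle = UUID.randomUUID().toString();
            byHandle.put(handle, new Delegated(ownerDn, credential,
                    Instant.now().plusSeconds(lifetimeSec)));
            return handle;
        }

        // Service call: resolve a handle on behalf of the authenticated caller.
        String resolve(String handle, String callerDn) {
            Delegated d = byHandle.get(handle);
            if (d == null) throw new SecurityException("unknown handle");
            if (!d.expires().isAfter(Instant.now())) {
                byHandle.remove(handle);
                throw new SecurityException("delegated credential expired");
            }
            // Assumed policy: release only to a request authenticated as the delegator.
            if (!d.ownerDn().equals(callerDn))
                throw new SecurityException("caller is not the delegator");
            return d.credential();
        }
    }

    // A service operation: the handle is an ordinary application-level parameter,
    // so it does not matter how the invocation itself was secured.
    static String invoke(DelegationStore store, String service, String callerDn, String handle) {
        return service + " acting with " + store.resolve(handle, callerDn);
    }

    public static void main(String[] args) {
        DelegationStore store = new DelegationStore();           // one per container
        String dn = "/O=Example/CN=Constructed User";            // constructed sample DN
        String epr = store.delegate(dn, "proxy-of-" + dn, 3600); // delegate once
        System.out.println(invoke(store, "JobService", dn, epr));
        System.out.println(invoke(store, "TransferService", dn, epr)); // same handle, other service
        try {
            invoke(store, "JobService", "/O=Example/CN=Someone Else", epr);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```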