Maybe I need to clarify a little. Actually, the "remote delegated credential storage mechanism" I mentioned in my reply is exactly the "DelegationService". I do plan to use the Delegation Service to implement my service. Like you said, except for the first-time invocation, using DelegationService + transport security will be faster than using conversation security. Thanks again for your information.
--Zhaohui

2007/11/29, Zhaohui Ding <[EMAIL PROTECTED]>:
>
> Yes, that makes sense. Thank you.
>
> --Zhaohui
>
> 2007/11/29, Rachana Ananthakrishnan <[EMAIL PROTECTED]>:
> >
> > Yes and also across services in the same container. The same delegated
> > EPR can be shared across any service in the container
> >
> > Rachana
> >
> > ------------------------------
> >
> > *From:* Ian Foster [mailto:[EMAIL PROTECTED]
> > *Sent:* Thursday, November 29, 2007 2:23 PM
> > *To:* Zhaohui Ding
> > *Cc:* Rachana Ananthakrishnan; [email protected]
> > *Subject:* Re: [gt-user] How to get delegated credential with Transport
> > level security
> >
> > actually the delegation service can make things faster, as you delegate
> > once, and can then invoke many operations on that service
> >
> > Zhaohui Ding wrote:
> >
> > Thanks for the quick reply, Rachana,
> >
> > We also planned to use DelegationService before, but we don't want to
> > involve more overhead.
> >
> > Since the problem is caused by the protocol, it looks like a remote
> > delegated credential storage mechanism is necessary.
> >
> > Regards,
> > --Zhaohui
> >
> > 2007/11/29, Rachana Ananthakrishnan <[EMAIL PROTECTED]>:
> >
> > Hi,
> >
> > With transport security (https) you cannot delegate as part of the
> > protocol. In the toolkit we use Delegation Service to delegate independent
> > of the protocol. Details can be found here:
> > http://www.globus.org/toolkit/docs/4.0/security/delegation/
> >
> > In a nutshell, your client will contact the delegation service installed
> > in the same container as your service to delegate its credential and will
> > receive an EPR to the delegated credential. This EPR needs to be sent as a
> > part of the method invocation to your service. The EPR can then be used to
> > retrieve the client's delegated credential. Any mechanism can be used to
> > secure your invocation, since the delegation credential EPR is an
> > application level parameter.
> >
> > Rachana
> >
> > ------------------------------
> >
> > *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On
> > Behalf Of *Zhaohui Ding
> > *Sent:* Wednesday, November 28, 2007 6:25 PM
> > *To:* [email protected]
> > *Subject:* [gt-user] How to get delegated credential with Transport
> > level security
> >
> > Hi all,
> >
> > Here is what I want to implement:
> > The client side delegates a credential to the server side, and the server
> > side can retrieve the delegated credential. I used conversation security to
> > implement this before, and it works fine. Due to the performance issue, I
> > hope to replace conversation security with transport security.
> > I tried the functions provided by GlobusGSSContextImpl, but the
> > delegated credential can't be retrieved. Can anyone give me some
> > instructions? Thanks!
> >
> > Please see the following:
> >
> > Client code:
> >
> > ((Stub) job)._setProperty(Constants.GSI_TRANSPORT, Constants.SIGNATURE);
> > ((Stub) job)._setProperty(GSIConstants.GSI_MODE,
> >     GSIConstants.GSI_MODE_FULL_DELEG);
> > ((Stub) job)._setProperty(Constants.AUTHORIZATION,
> >     new HostAuthorization());
> >
> > Server code:
> >
> > MessageContext mctx = MessageContext.getCurrentContext();
> > GlobusGSSContextImpl transport_sec = (GlobusGSSContextImpl)
> >     mctx.getProperty(Constants.TRANSPORT_SECURITY_CONTEXT);
> > GSSCredential credential = null;
> > GSSCredential credential2 = null;
> > try {
> >     credential = transport_sec.getDelegatedCredential();
> >     credential2 = transport_sec.getDelegCred();
> >     logger.debug("1:" + credential);
> >     logger.debug("2:" + credential2);
> >     logger.debug("getIntegState():" + transport_sec.getIntegState());
> >     logger.debug("getCredDelegState():" + transport_sec.getCredDelegState());
> >     logger.debug("getlifetime():" + transport_sec.getLifetime());
> >     logger.debug("isInitiator():" + transport_sec.isInitiator());
> >     logger.debug("isProtReady():" + transport_sec.isProtReady());
> >     logger.debug("isEstablished():" + transport_sec.isEstablished());
> >     logger.debug("isDelegationFinished():" + transport_sec.isDelegationFinished());
> >     logger.debug("getConfState():" + transport_sec.getConfState());
> > } catch (Exception e) {
> >     logger.error(e.getMessage());
> >     throw new RemoteException("Retrive user credential failed!");
> > }
> >
> > The log on server side:
> >
> > 2007-11-28 15:37:41,984 DEBUG impl.JobImpl[ServiceThread-9,createResource:346] 1:null
> > 2007-11-28 15:37:41,985 DEBUG impl.JobImpl[ServiceThread-9,createResource:348] 2:null
> > 2007-11-28 15:37:41,985 DEBUG impl.JobImpl[ServiceThread-9,createResource:349] getIntegState():true
> > 2007-11-28 15:37:41,986 DEBUG impl.JobImpl[ServiceThread-9,createResource:350] getCredDelegState():false
> > 2007-11-28 15:37:41,986 DEBUG impl.JobImpl[ServiceThread-9,createResource:351] getlifetime():353594
> > 2007-11-28 15:37:41,987 DEBUG impl.JobImpl[ServiceThread-9,createResource:352] isInitiator():false
> > 2007-11-28 15:37:41,987 DEBUG impl.JobImpl[ServiceThread-9,createResource:353] isProtReady():true
> > 2007-11-28 15:37:41,988 DEBUG impl.JobImpl[ServiceThread-9,createResource:354] isEstablished():true
> > 2007-11-28 15:37:41,988 DEBUG impl.JobImpl[ServiceThread-9,createResource:355] isDelegationFinished():false
> > 2007-11-28 15:37:41,989 DEBUG impl.JobImpl[ServiceThread-9,createResource:356] getConfState():true
> >
> > Regards,
> > --Zhaohui
> >
> > --
> >
> > Ian Foster, Director, Computation Institute
> > Argonne National Laboratory & University of Chicago
> > Argonne: MCS/221, 9700 S. Cass Ave, Argonne, IL 60439
> > Chicago: Rm 405, 5640 S. Ellis Ave, Chicago, IL 60637
> > Tel: +1 630 252 4619. Web: www.ci.uchicago.edu.
> > Globus Alliance: www.globus.org.
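
Added example (not part of the original thread and not Globus Toolkit code): a small Python model of the flow described in the thread, where the client delegates once to a per-container delegation service, receives an EPR, and passes that EPR as an ordinary parameter on later invocations to any service in the same container. All class and function names, the URL, the DN strings and the caller-identity check in resolve() are assumptions of this model.

```python
import secrets

class DelegationService:
    """Toy per-container credential store; stands in for the Delegation Service."""

    def __init__(self, container_url):
        self.address = container_url + "/DelegationService"  # constructed URL
        self._store = {}  # resource key -> (delegator DN, credential, expiry)

    def delegate(self, delegator_dn, credential, lifetime, now):
        """Client step: delegate once, get back an EPR (address + resource key)."""
        key = secrets.token_hex(16)
        self._store[key] = (delegator_dn, credential, now + lifetime)
        return {"address": self.address, "key": key}

    def resolve(self, epr, caller_dn, now):
        """Service step: in-container lookup of the credential behind an EPR."""
        if epr.get("address") != self.address:
            raise LookupError("EPR refers to a different container")
        entry = self._store.get(epr.get("key"))
        if entry is None:
            raise LookupError("no such delegated credential")
        owner_dn, credential, expires = entry
        if caller_dn != owner_dn:
            # Assumed check: the EPR is only a reference sent as an ordinary
            # parameter, so possession alone must not yield the credential.
            raise PermissionError("caller is not the delegator")
        if now >= expires:
            del self._store[epr["key"]]
            raise LookupError("delegated credential expired")
        return credential

def invoke(service_name, deleg, caller_dn, epr, now):
    """A service operation. caller_dn is the identity the secured channel
    (for example https) authenticated; the EPR arrives as a plain argument."""
    credential = deleg.resolve(epr, caller_dn, now)
    return f"{service_name} acting with {credential}"

def demo():
    deleg = DelegationService("https://container.example:8443/wsrf/services")
    alice = "/O=Example/CN=Alice"  # constructed DN
    epr = deleg.delegate(alice, "proxy-of-Alice", lifetime=3600, now=0)
    # One delegation, many invocations, two services in the same container.
    return [invoke("JobService", deleg, alice, epr, now=10),
            invoke("JobService", deleg, alice, epr, now=20),
            invoke("TransferService", deleg, alice, epr, now=30)]
```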
