Dear Zeeshan,

You probably neither want to change the ownership of the service
nor run the service as the caller identity, as this leads to scenarios like
the one you described below.

Instead, delegate credentials to the service from the user. Next, let the
service (still running as user 'globus') fetch the delegated
credentials. These credentials can now be used for invoking other services
(set them on the stub), or be used e.g. to specify
ownership of a certain WS-Resource.

Best regards,

Johan


On Tue, 4 Dec 2007, Zeeshan Ali Shah wrote:

Hi,
I am using the GT Dev 4.1.3 release now and used the delegation mechanisms
as stated in the Globus book and online tutorial, with modification of the
security-config.xml schema.

I edited two parts of the service. First, its security descriptor, which is now:

  <methodAuthentication>
    <method name="CreateActivity">
      <run-as value="caller"/>
    </method>
  </methodAuthentication>

  <auth-method>
    <GSISecureConversation/>
    <GSISecureMessage/>
    <GSISecureTransport/>
  </auth-method>
  <authzChain> <pdps> <interceptor name="none"/> </pdps> </authzChain>

and on the server side, under the method createActivity, I wrote

  try {
      SecurityManager.getManager().setServiceOwnerFromContext();
      ..............

On the client side I am using HostAuthorization. In the initial invocation it
works fine, as when the server starts the service is using the host cert,
right?

Now suppose there are two users (A, B).
Question 1: In the first invocation the service will run as 'User A';
what happens when 'User B' tries to invoke the same service? The client
will give an error, since now the service is running as 'User A',
which means that HostAuthorization and SelfAuthorization will not work
for 'User B'. Any suggestion please?
Question 2: Is it possible to switch back to the initial service context
(which was host-based when the server started) after invocation of the
delegated method?


regards

Zeeshan



Zeeshan Ali Shah wrote:
Hi,
HostOrSelfAuthorization does not have the .getInstance() method, so I used the
normal constructor:

HostOrSelfAuthorization hs = new HostOrSelfAuthorization();

((Stub) besFactory)._setProperty(Constants.GSI_SEC_CONV,
        Constants.SIGNATURE);
((Stub) besFactory)._setProperty(GSIConstants.GSI_MODE,
        GSIConstants.GSI_MODE_FULL_DELEG);
((Stub) besFactory)._setProperty(Constants.AUTHORIZATION,
        hs);  // see here

but I am getting this error:
Failure unspecified at GSS-API level (Mechanism level: [JGLOBUS-59]
Cannot request delegation without authorization (target name null))

Any suggestion?

Zeeshan

Charles Bacon wrote:

Questions: So, either I should not have the service run as the
caller (if yes, then how will delegation work?), or have the
client expect its own identity after it has delegated (how to switch
back?). regards Zeeshan

The client can make another setProperty call to switch over to Self
authorization, in exactly the same way your quoted code goes to Host
authorization in the first place.

Or, as we also discussed, you can use the HostOrSelfAuthorization the
whole time.


Charles





---------------------------------
 Johan Tordsson
 Department of Computing Science
 Umea University
 SE-901 87 Umea
 tordsson_at_cs.umu.se
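The two-step client that Charles describes above, written out as an added example; this is not code from the thread or from the Globus project. It configures the stub for a host-authorized call that delegates, then switches the same stub to Self authorization with no delegation for the calls that follow. The package names of the authorization classes and the GSI_MODE_NO_DELEG constant are assumed from the GT 4.x Java WS Core layout; the identifiers on the page (Constants.GSI_SEC_CONV, Constants.SIGNATURE, Constants.AUTHORIZATION, GSIConstants.GSI_MODE, GSIConstants.GSI_MODE_FULL_DELEG) are used as the thread uses them.

```java
// Added example, not code from this thread or from the Globus project.
// Package names below are assumed from the GT 4.x Java WS Core layout;
// check them against your release.
import javax.xml.rpc.Stub;
import org.globus.gsi.GSIConstants;
import org.globus.wsrf.security.Constants;
import org.globus.wsrf.impl.security.authorization.HostAuthorization;
import org.globus.wsrf.impl.security.authorization.SelfAuthorization;

public class DelegatingClient {

    /**
     * Apply one secure-conversation profile to a stub: signature-level
     * protection, the given client-side authorization object and a
     * delegation mode. The authorization parameter is typed Object because
     * _setProperty accepts any value; the thread passes authorization
     * instances the same way.
     */
    static void configure(Stub stub, Object authorization, Object delegationMode) {
        stub._setProperty(Constants.GSI_SEC_CONV, Constants.SIGNATURE);
        stub._setProperty(Constants.AUTHORIZATION, authorization);
        stub._setProperty(GSIConstants.GSI_MODE, delegationMode);
    }

    /**
     * Phase 1: the container still presents its host credential, so host
     * authorization names the expected peer and delegation can be requested.
     * The thread's code uses full delegation; limited delegation is the
     * smaller grant when the service does not have to delegate onward.
     */
    static void prepareDelegatingCall(Stub besFactory) {
        configure(besFactory, HostAuthorization.getInstance(),
                  GSIConstants.GSI_MODE_FULL_DELEG);
    }

    /**
     * Phase 2: once the delegated method has run and the service answers
     * with the user's own identity, switch the same stub to Self
     * authorization and stop requesting delegation, so later calls hand
     * the service no further copy of the user's proxy.
     * GSI_MODE_NO_DELEG is assumed to exist alongside GSI_MODE_FULL_DELEG.
     */
    static void prepareSubsequentCall(Stub besFactory) {
        configure(besFactory, SelfAuthorization.getInstance(),
                  GSIConstants.GSI_MODE_NO_DELEG);
    }

    /** Intended call order around the generated port type's operations. */
    static void invokeInOrder(Stub besFactory) {
        prepareDelegatingCall(besFactory);
        // invoke the delegating operation here (createActivity in the thread)
        prepareSubsequentCall(besFactory);
        // invoke any later operations on the same stub here
    }
}
```

With Johan's design from the top of the thread, where the service keeps running as 'globus' and only fetches the delegated credential, the switch in phase 2 is not needed: the service's identity never changes, so host authorization keeps matching on every call.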
