Creating GSI-enabled Web Services
Download
Report
Transcript Creating GSI-enabled Web Services
GSI and Web Services
Neil P Chue Hong
[email protected]
Workshop on Web Services 1
Summary
Background
Tools and Applications
Implementing a GSIHTTP enabled server
A simple GSI Web Service and Client
Over to you…
2
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
Motivation
Why should we develop GSI-enabled web
services?
– We can use our existing GSI proxy certificates to provide a
security mechanism and the same single sign-on
mechanism for our web services.
– We can use this as a starting point for developing
OGSA Grid Services
– We can (in theory) develop clients and services in different
languages and they should just work…
Caveat: I am not a security expert!
3
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
Security and Web Services
The base SOAP specification does not define
any authentication / authorisation mechanisms
Questions to ask:
– How can I prove who I am? (authentication)
– How can I tell if you’re allowed to access the services that I
offer? (authorisation)
– How do we negotiate my ability to access the services you
offer? (administration)
– How can we protect the integrity of our transactions? (secure
communications)
– How do we know whether or not we can trust each other?
(trust relationships)
4
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
GSI
Grid Security Infrastructure (GSI)
– Based on Generic Security Services API (GSS-API)
– Uses an extension to X509 certificates
Provides a mechanism to:
– Authenticate a subject
– Authorise a resource
– Implement a single sign-on mechnism
Current implementation does this using:
– Proxy certificates and Certification Authorities (this really is
me!)
– Gridmap file (let me use the resources available to a local
user/account!)
5
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
GSI and Web Services
We can use GSI to provide security for web
services we deploy
Use the header to send delegated credentials
from the client to the service
The service can use the credentials to
authenticate the user and authorise access to
the service.
ANL have released some sample code to do
this using Tomcat and Axis.
6
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
Tomcat
Tomcat is a stable, mature reference
implementation of a servlet container for Java
Servlets and Java Server Pages.
It allows you to run web applications.
Source code is available and open source.
It can be used as a platform to deploy the Axis
toolkit.
See: http://jakarta.apache.org/tomcat/
7
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
Axis
Axis is an implementation of the SOAP 1.1
(and SOAP with Attachments) protocol in Java
Written for performance and extensibility
It has a flexible architecture:
– Easier to use other transports (e.g. https, smtp, ftp)
• core engine is transport independent
– Easier to add other code in message handling such as
• encryption
• logging
• authentication
– Also easy to deploy and administer Web Services using Axis
See: http://xml.apache.org/axis/
8
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
Axis Architecture
Axis has two handler “chains”
– Global
– Transport specific
– Fairly stable APIs
Requestor
Transport
Request Handlers
Axis
engine
– We will create a new
request handler for GSI HTTP
Web
Service
Response Handlers
Web Service specific chain
Taken from Building Web Services with Java, by Steve Graham et al.
9
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
Altering Tomcat to support GSI (1)
A few “hacks” have been made to Tomcat:
– CertificatesValve.java
• Patch made which alters expose() method
• Instead of exposing SSL session it exposes the GSI credentials
– GSISocket.java
• Extends SSLSocket.java to provide Globus proxy / delegated
credentials support
– GSIServerSocketFactory.java
• Implements ServerSocketFactory to allow creation of GSISockets
• This file contains hardcoded locations of the hostcert.pem,
hostkey.pem, certificates and grid-mapfile files.
– Currently dependent on IAIK Java cryptography libraries
10
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
Altering Tomcat to support GSI (2)
Some changes are needed to the Tomcat
configuration (conf/server.xml)
Add a new Connector to the <service> section
– Define a GSI HTTP/1.1 Connector on port 8443
– Define which Factory object should be used
(GSIServerSocketFactory)
• This also contains hardcoded locations of proxy, usercert,
userkey and certificates directory (which are different…)
Add a new Valve to the <engine> section
– This tells Tomcat to use the modified CertificatesValve object
Tomcat should now accept httpg: requests on
port 8443
11
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
Adding a GSI Handler using Axis
Handling GSI in Axis
– GSIHTTPTransport.java
• Sets up a new transport, httpg, within Axis
– GSIHTTPSender.java
• New handler for GSI HTTP (uses MessageContext.getProperty())
– GSIAdminClient.java
• Registers the new handler with the transport in Axis
– Util.java
• getCredentials(msgContext) return the proxy credentials
associated with the message context
• registerTransport() registers the GSIHTTPTransport class for the
httpg protocol
• Also used by client programs (see later)
12
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
Installing the modified code
ANL provide precompiled jars to replace
catalina.jar and axis.jar
Or you can “roll your own” and compile from
source
Replace jars, restart Tomcat and you’re ready
to write GSI web services
Also required are Java CoG kit (cog.jar), and
IAIK cryptographic libraries (iaik_ssl.jar,
iaik_jce_full.jar, iaik_javax_crypto.jar,
cryptix.jar)
13
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
Writing a GSI Web Service (1)
Let’s write a service, MyService, with a
method, serviceMethod, which takes one
argument.
The Axis RPC dispatcher will look for the same
method with an extra parameter (the message
context) when it receives a GSI enabled client
invocation
So we add this extra parameter to the method
Util.getCredentials() allows us to access the
GSI proxy from the message context
14
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
Writing a GSI Web Service (2)
Here’s the code:
import org.apache.axis.MessageContext;
import org.globus.axis.util.Util;
public classMyService {
// Add a MessageContext argument to the normal method
public String serviceMethod(MessageContext ctx, String arg) {
System.out.println(“MyService: you sent “ + arg);
System.out.println(“GOT PROXY: “ + Util.getCredentials(ctx));
return arg;
}
}
This just prints the credentials and string sent
15
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
Writing a GSI Web Client (1)
Similar to writing a normal web services client:
– Deploy a httpg transport chain
– Use the Java CoG kit to load a Globus proxy
– Use setProperty() to set GSI specific SOAP headers
• globus credentials (the proxy certificate)
• authorisation type
• GSI mode (SSL, no delegation, full delegation, limited delegation)
– Then do rest of normal SOAP routine
•
•
•
•
•
16
setTargetEndpointAddress()
setOperationName()
addParameter()
setReturnType()
Invoke()
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
Writing a GSI Web Client (2)
Here’s (most of) the code:
SimpleProvider provider = new SimpleProvider();
SimpleTargetedChain chain = new SimpleTargetedChain(new GSIHTTPSender());
provider.deployTransport(“httpg”, chain);
GlobusProxy proxy = GlobusProxy.getDefaultUserProxy();
Service service = new Service(provider);
Call call = (Call) service.createCall();
call.setProperty(GSIHTTPTransport.GSI_CREDENTIALS, proxy);
call.setProperty(GSIHTTPTransport.GSI_AUTHORIZATION, new SelfAuthorisation(proxy));
call.setProperty(GSIHTTPTransport.GSI_MODE, GSIHTTPTransport.GSI_MODE_LIMITED_DELEG);
call.setTargetEndpointAddress(new java.net.URL(“httpg://localhost:8443/axis/servlet/AxisServlet”));
call.setOperationName(new QName.(“MyService”, “serviceMethod”));
call.addParameter(“arg1”, XMLType.XSD_STRING, ParameterMode.PARAM_MODE_IN);
call.setReturnType(XMLType.XSD_STRING);
String ret = (String) call.invoke(new Object[] { “Hello World” });
System.out.println(“MyService returned: “ + ret);
17
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
Running a GSI Web Client/Service
It should just work…
18
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
Experiences of GSI and Web Services
… but it didn’t
Two main difficulties:
– Authentication or authorisation is failing
– Can’t probe SOAP message (it’s encrypted)
So can’t tell why it’s failing
Documentation of GSI Web Services and Axis
is sparse
However…
– I understand the code a lot better after having to write this talk!
19
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
What happens next?
Document code and provide proper
instructions
Recompile additions against latest releases of
Tomcat and Axis
Distribute source, binaries and documentation
to UK eScience community (by end of March?)
Ideally, provide another example client e.g.
using Python
20
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
The benefit of open standards
There are a number of other attempts to
produce secure XML and SOAP messaging
standards
–
–
–
–
XML Digital Signatures
SAML – security-based assertions
XKMS – providing and managing PKI-based web services
XACML – access control framework for XML
See: http://www.w3c.org, http://www.oasis-open.org
And an odd one out:
– Microsoft Passport
Which one will be adopted in the end?
21
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
Summary
Web services are good
Secure web services are better
We can write secure web services using GSI
We can communicate securely with web
services using GSIHTTP
It should just work
I will be providing code examples
22
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]
The End
Over to you…
23
GSI and Web Services - WoWS1 20/3/2002 - Neil Chue Hong - [email protected]