Transcript PPT - Edina

Web Services Tiered Internet Authorization (WSTIERIA)
21 June 2011
Fiona Culloch
Output 1: Digimap changes
• Modified production Digimap service
– To give non-browser GIS clients (ArcView etc.)
• Access to Digimap data via web services
• Using OGC standards (Web Map Service etc.)
• UK federation authentication of registered users, with SSO
• As alternative to large downloads of raw data
Output 2: DIY instructions
• Short document (7 pages) on “how-to”
– Control access to existing web services
– From non-browser clients
– Without modifying the web service
– Implementable by average sysadmin
– Using only off-the-shelf software
• Apache web server (with mod_rewrite)
• A little scripting (perl, or anything else)
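One way the "Apache + a little scripting" front end described above can be built, as an added example and not the DIY document's own code: a mod_rewrite external program (RewriteMap prg:) that maps a token carried in the request URL to a registered user, with the unmodified web service reached through mod_proxy. The host names, the /wms/<token>/ URL layout, the table file path and the idea that a Shibboleth-protected browser page issues the tokens are all assumptions made for this example; the prg: line protocol itself is mod_rewrite's.

```python
#!/usr/bin/env python3
"""Token-checking RewriteMap program for an Apache front end (added example).

Assumed Apache 2.4 configuration on the front-end host, with mod_rewrite and
mod_proxy loaded (names and paths are assumptions, not from the WSTIERIA doc):

    RewriteEngine On
    # Mutex rewrite-map   <- serialises concurrent lookups to the prg: map
    RewriteMap wstoken "prg:/usr/local/bin/wstoken_map.py"
    # Non-browser clients are given  https://front.example.org/wms/<token>/...
    RewriteCond %{REQUEST_URI} ^/wms/([A-Za-z0-9_-]+)/
    RewriteCond ${wstoken:%1} !^NULL$
    RewriteRule ^/wms/[A-Za-z0-9_-]+/(.*)$ http://backend.internal/wms/$1 [P,L]
    RewriteRule ^/wms/ - [F]

The prg: protocol is fixed by mod_rewrite: Apache starts the program once,
writes one lookup key per line to its stdin and expects exactly one output
line per key, the literal string NULL meaning "no value".  Output must be
flushed after every answer or the request hangs.
"""
import hashlib
import json
import os
import sys
import time


def token_digest(token):
    """Tokens travel in URLs (access logs, Referer headers, proxies), so the
    table stores only SHA-256 digests and the lookup hashes the input."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


# Constructed sample table. In a deployment it would be written by a separate,
# Shibboleth-protected browser page when a registered user logs in (assumption).
SAMPLE_TABLE = {
    token_digest("k7Qm2pX9Lr4vT1wZ"): {"user": "alice@example.ac.uk", "expires": 4102444800},
    token_digest("expiredTokenAbc1"): {"user": "bob@example.ac.uk", "expires": 946684800},
}


def load_table(path):
    """Read the token table (JSON object keyed by token digest) from disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def lookup(token, table, now=None):
    """Return the user ID that owns `token`, or "NULL" if unknown or expired.

    The return value is written straight back to Apache, so it must be a
    single non-empty line with no embedded newline.
    """
    now = time.time() if now is None else now
    entry = table.get(token_digest(token))
    if entry is None or entry["expires"] <= now:
        return "NULL"
    user = entry.get("user", "")
    return user if user and "\n" not in user else "NULL"


def answer_lines(keys, table, now=None):
    """One answer per key, in order: the core of the prg: loop, kept separate
    so it can be exercised without a pipe to Apache."""
    return [lookup(k.rstrip("\r\n"), table, now) for k in keys]


def serve(table_path, stdin=sys.stdin, stdout=sys.stdout):
    """Answer mod_rewrite lookups until Apache closes the pipe, re-reading the
    table whenever the login page has rewritten it."""
    table, mtime = {}, None
    for line in stdin:
        st = os.stat(table_path)
        if st.st_mtime != mtime:
            table, mtime = load_table(table_path), st.st_mtime
        stdout.write(answer_lines([line], table)[0] + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else "/etc/apache2/wstoken.json")
```

The map answer doubles as the identity for logging: the RewriteRule could add `[E=WS_USER:${wstoken:%1}]` and a LogFormat could record `%{WS_USER}e`, so the back-end service stays unmodified while the front end still knows who made each request.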
Output 3: Try Shibboleth delegation
• Set up dev & test environment
– PM1: Eclipse + Maven2
– VM1: IdP + delegation plugin
– VM2: example client (JSP) + Shib SP1 + JASIG delegation library
– PM2: example web service (WSP) + Shib SP2
• “Hello, world”-level success!
– User goes to JSP/SP1, logs in at IdP
– JSP calls JASIG library to GET from WSP/SP2
– Lib accesses SP2 using delegatable token from IdP; user does not need to log in to SP2
Successes
• Production service (Digimap) using UK fed. for non-browser web services
• Route to interoperation of unmodified web services and unmodified non-browser clients with UK federation
• Demonstrated deployability of new Shibboleth delegation software by a developer outside the Shibboleth team
Lesson 1: Delegation limitations
• Delegation depends on IdP & all SPs
– Supporting SAML2, bits of Liberty
– SP implementation (Shibboleth 2.2+)
• IdP deployer must explicitly name:
– SP entities allowed to delegate
– SP entities they can delegate to, etc.
• Probably rules out cross-organisational scenarios for now, leaving
– Intra-org applications (e.g. student portal)
Lesson 2: uPortal not needed
• Original delegation use case was uPortal web app invoking portlets
• Wasn’t known if delegation library depended on this uPortal context
• Project showed how a non-uPortal web app (JSP) can use delegation library
Lesson 3: Delegation & UK federation
• Potential issue identified
– UK federation (& others, e.g. InCommon) moving from CAs to self-signed trust-fabric certs
– Delegation library rejects these because not in std. Java CA trust list
– Reported to developer (Unicon), response awaited
Failures
• No deployments outside EDINA
• No future external partner identified
• Attempt to apply the simple Apache + scripting technique to WebDAV
– Limited success (only easy cases worked)
– Protocol with server URLs in data & headers defeats simple technique
– Wrote up experience as tech note
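What the WebDAV failure above amounts to in practice, as an added example that is not the tech note's own code: because WebDAV carries server URLs in request headers (Destination on COPY/MOVE), response headers (Location) and 207 Multi-Status bodies (DAV:href), a front end that only rewrites the request line sends the client either back-end URLs or front-end URLs stripped of the token. The gateway has to map URLs in both directions. The host names, the /dav/<token>/ front-end layout and the sample 207 body are constructed for this example.

```python
"""URL translation a WebDAV gateway needs in front of an unmodified server
(added example; hosts, /dav/<token>/ layout and sample body are constructed)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

DAV_NS = "DAV:"
ET.register_namespace("D", DAV_NS)


class DavUrlMapper:
    """Map URLs between the token-bearing front-end prefix and the backend."""

    def __init__(self, front_base, backend_base):
        self.front = urlsplit(front_base)    # e.g. https://front.example.org/dav/<token>/
        self.back = urlsplit(backend_base)   # e.g. http://backend.internal/dav/

    @staticmethod
    def _swap(url, src, dst):
        parts = urlsplit(url)
        if parts.netloc and parts.netloc != src.netloc:
            return url                       # absolute URL for some other host
        if not parts.path.startswith(src.path):
            return url                       # outside the mapped tree
        path = dst.path + parts.path[len(src.path):]
        if not parts.netloc:
            return path                      # path-only href stays path-only
        return urlunsplit((dst.scheme, dst.netloc, path, parts.query, parts.fragment))

    def to_backend(self, url):
        return self._swap(url, self.front, self.back)

    def to_front(self, url):
        return self._swap(url, self.back, self.front)

    def rewrite_request_headers(self, headers):
        """Client -> server: Destination names the target of COPY/MOVE.
        Header names are assumed canonical-cased here; real HTTP is
        case-insensitive.  Resource tags inside the If header are not
        handled, one of the cases where the simple technique still fails."""
        out = dict(headers)
        if "Destination" in out:
            out["Destination"] = self.to_backend(out["Destination"])
        return out

    def rewrite_response_headers(self, headers):
        """Server -> client: Location on 201 and 3xx responses."""
        out = dict(headers)
        if "Location" in out:
            out["Location"] = self.to_front(out["Location"])
        return out

    def rewrite_multistatus(self, body):
        """Server -> client: every DAV:href in a 207 Multi-Status body
        (RFC 4918 allows absolute URLs or absolute paths).  Parse untrusted
        XML with defusedxml in production; stdlib ET is used to stay offline."""
        root = ET.fromstring(body)
        for href in root.iter("{%s}href" % DAV_NS):
            if href.text:
                href.text = self.to_front(href.text.strip())
        return ET.tostring(root, encoding="utf-8", xml_declaration=True)


# Constructed PROPFIND Depth: 1 response as an unmodified backend would send it.
SAMPLE_MULTISTATUS = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>http://backend.internal/dav/docs/</D:href>
    <D:propstat>
      <D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
  <D:response>
    <D:href>/dav/docs/report.txt</D:href>
    <D:propstat>
      <D:prop><D:resourcetype/></D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>
"""
```

Even this mapper only covers the easy cases the slide mentions: it has to be applied to every header and body that can carry a URL, and anything the protocol tunnels in other syntaxes (If-header resource tags, URLs inside property values) needs its own handling, which is why mod_rewrite alone was not enough.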
Future
• Shibboleth developers
– Migrate delegation library into SP code?
– IdP config optionally take delegation audiences (SP2,…,n) from SP1 metadata
• EDINA
– More interesting examples (INSPIRE?)
• Community
– Apply techniques!