issrg.globus
Class PermisAuthzServiceImpl

java.lang.Object
  extended by PersistentGridServiceImpl
      extended by issrg.globus.PermisAuthzServiceImpl
All Implemented Interfaces:
PermisAuthzServicePortType, SignatureVerifier

public class PermisAuthzServiceImpl
extends PersistentGridServiceImpl
implements PermisAuthzServicePortType, SignatureVerifier

This class is an implementation of the PERMIS Authorization Service for Globus Toolkit v3.4. It can be deployed as a standalone service that serves SAML authorization requests (the request format is specified by OGSA-Authz).

It can also be deployed as a ServiceAuthorization to get authorization decisions locally (and avoid SAML encoding/decoding and some network traffic).

Author:
A.Otenko

Field Summary
protected SamlADF adf
protected static java.util.Map adfs

Constructor Summary
PermisAuthzServiceImpl()

Method Summary
 void authorize(javax.security.auth.Subject peerSubject, ServiceProperties service, MessageContext context)
          This method will perform authorization of a call to a particular service.
 boolean checkSignature(byte[] Value, byte[] Signature, java.lang.String algorithmID, TokenLocator Signer)
          This method provides default signature verification - always returns true.
protected  PBAAPI getPBAAPI(ServiceProperties sp)
          This method gets a PBA API, identified in the Service Properties.
 void postCreate(GridContext gc)
          This method is invoked by GT3.4 after the service has been created.
 SAMLResponseType SAMLRequest(org.globus.ogsa.security.authorization.SAMLRequestType req)
          This method will process a SAML request and return a SAML response.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface issrg.globus.PermisAuthzServicePortType
destroy, findServiceData, requestTerminationAfter, requestTerminationBefore, setServiceData
 

Field Detail

adf

protected SamlADF adf

adfs

protected static java.util.Map adfs

Constructor Detail

PermisAuthzServiceImpl

public PermisAuthzServiceImpl()

Method Detail

postCreate

public void postCreate(GridContext gc)
                throws GridServiceException
This method is invoked by GT3.4 after the service has been created.

Throws:
GridServiceException

getPBAAPI

protected PBAAPI getPBAAPI(ServiceProperties sp)
                    throws GridServiceException,
                           PbaException
This method gets the PBA API identified in the Service Properties. If such a PBA API has already been constructed, it reuses that one; otherwise, it builds a new PERMIS RBAC and records it in the register, so that the next request for the same configuration gets the same instance.

Parameters:
sp - the ServiceProperties containing the configuration (Policy OID, SOA DN, LDAP URL, Root CA PKC, LDAP AC Attribute)
Returns:
a PBA API object described by the configuration parameters
Throws:
GridServiceException
PbaException

SAMLRequest

public SAMLResponseType SAMLRequest(org.globus.ogsa.security.authorization.SAMLRequestType req)
                             throws java.rmi.RemoteException
This method processes a SAML request and returns a SAML response. It is invoked by PermisAuthz clients (e.g. GridSamlSender, and GT3.4 itself when SAMLCallout is configured into it).

Specified by:
SAMLRequest in interface PermisAuthzServicePortType
Parameters:
req - the SAMLRequest to be processed
Returns:
SAMLResponse with the authorisation decision in it
Throws:
java.rmi.RemoteException

authorize

public void authorize(javax.security.auth.Subject peerSubject,
                      ServiceProperties service,
                      MessageContext context)
               throws AuthorizationException
This method performs authorization of a call to a particular service (it is the ServiceAuthorization part of this class).

This method is invoked by GT3.4 directly.

Throws:
AuthorizationException

checkSignature

public boolean checkSignature(byte[] Value,
                              byte[] Signature,
                              java.lang.String algorithmID,
                              TokenLocator Signer)
This method provides the default signature verification: it always returns true, so in the default configuration the signature is accepted without being checked.

Specified by:
checkSignature in interface SignatureVerifier
Parameters:
Value - is the byte array that had been signed
Signature - is the byte array of the resulting signature
algorithmID - is the String representation (dotted form) of the object identifier of the algorithm used for signing
Signer - is the TokenLocator of the signer
Returns:
true, if there is a valid non-revoked PKI token which proves the signature is valid; false otherwise. Note that this default implementation returns true unconditionally; the conditional behaviour is the contract an overriding implementation is expected to honour.
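As an added illustration (not PERMIS or GT3.4 code), a hardened replacement for the always-true default described above: it maps the dotted-form algorithmID to a JCA algorithm name and actually verifies the bytes, failing closed on unknown OIDs. The signer's PublicKey stands in for whatever the TokenLocator would resolve to; that resolution is assumed to be done by the caller.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Map;

/** Hypothetical verifier; the PERMIS SignatureVerifier interface is not used here. */
public class OidSignatureVerifier {
    // Dotted-form algorithm OIDs (the algorithmID format of checkSignature) mapped to JCA names.
    private static final Map<String, String> OID_TO_JCA = Map.of(
        "1.2.840.113549.1.1.5",  "SHA1withRSA",
        "1.2.840.113549.1.1.11", "SHA256withRSA",
        "1.2.840.10045.4.3.2",   "SHA256withECDSA");

    /** Behaviour of the page's default: every signature is accepted, nothing is checked. */
    public static boolean defaultCheckSignature(byte[] value, byte[] signature,
                                                String algorithmID, PublicKey signer) {
        return true;
    }

    /** Real verification. signer stands in for the key the TokenLocator would yield (assumption). */
    public static boolean checkSignature(byte[] value, byte[] signature,
                                         String algorithmID, PublicKey signer) {
        String jca = OID_TO_JCA.get(algorithmID);
        if (jca == null || signer == null) {
            return false; // unknown algorithm or unresolved signer: fail closed
        }
        try {
            Signature s = Signature.getInstance(jca);
            s.initVerify(signer);
            s.update(value);
            return s.verify(signature);
        } catch (GeneralSecurityException e) {
            return false; // malformed signature or key mismatch is a rejection, not an error
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // constructed test key, not a real SOA key
        byte[] request = "<samlp:Request>constructed sample</samlp:Request>".getBytes(StandardCharsets.UTF_8);
        Signature signing = Signature.getInstance("SHA256withRSA");
        signing.initSign(kp.getPrivate());
        signing.update(request);
        byte[] good = signing.sign();
        byte[] bad = good.clone();
        bad[0] ^= 0x01; // flip one bit of the signature
        String oid = "1.2.840.113549.1.1.11";
        System.out.println("default verifier, tampered: " + defaultCheckSignature(request, bad, oid, kp.getPublic()));
        System.out.println("real verifier, genuine:     " + checkSignature(request, good, oid, kp.getPublic()));
        System.out.println("real verifier, tampered:    " + checkSignature(request, bad, oid, kp.getPublic()));
    }
}
```

The main method contrasts the two: the default accepts the tampered signature, the replacement accepts only the genuine one.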