issrg.globus
Class SamlADF

java.lang.Object
  extended by issrg.globus.SamlADF

public class SamlADF
extends java.lang.Object

This is a standalone ADF. It runs on port 80 and listens for SAML requests on input. It is also used in issrg.globus.impl.PermisAuthzImpl, which is a Grid Service.

The ADF understands SAML requests and sends SAML responses valid for one hour (this will be made configurable).


Field Summary
static java.lang.String AC_STRING
           
static java.lang.String HELP_SCREEN
           
static java.lang.String LDAP_AC_ATTRIBUTE_STRING
           
static java.lang.String LDAP_PKC_ATTRIBUTE_STRING
           
static java.lang.String LDAP_URL_STRING
           
static java.lang.String LOG_STRING
           
static java.lang.String OID_STRING
           
static java.lang.String PKC_STRING
           
static java.lang.String ROOT_CA_STRING
           
static java.lang.String SOA_STRING
           
static java.lang.String URL_STRING
           
 
Constructor Summary
SamlADF(PBAAPI pbaApi)
          This constructor wraps SamlADF around a given PBAAPI.
 
Method Summary
 void authenticate(java.security.Principal user)
          This method checks that the user has been authenticated.
 boolean execute(java.security.Principal user, Action action, Target target)
          This method checks that the user is authenticated and then gets the user's credentials and makes a decision using those credentials.
static PBAAPI getPBAAPI(java.lang.String oid, java.lang.String soa, java.util.Vector ldapURL, java.util.Vector url, java.lang.String rootCA, SignatureVerifier sv, java.lang.String ac_attribute, java.lang.String pkc_attribute)
          This method gets an instance of PBAAPI given a set of configuration parameters.
static void loadAC(VirtualRepository vr, java.lang.String filename)
          This method loads an X.509 Attribute Certificate into a given VirtualRepository.
static void loadPKC(VirtualRepository vr, java.lang.String filename)
          This method loads an X.509 Public Key Certificate into a given VirtualRepository.
static void main(java.lang.String[] args)
          This method starts up a standalone SamlADF - a standalone SAML Authorisation server.
static void print(java.lang.String s)
          This method outputs a String to the standard output.
static void println(java.lang.String s)
          This method outputs a String and a new line to the standard output.
 SAMLResponse process(SAMLRequest request)
          This method processes a SAMLRequest and returns a reply as a SAMLResponse.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

SOA_STRING

public static final java.lang.String SOA_STRING
See Also:
Constant Field Values

OID_STRING

public static final java.lang.String OID_STRING
See Also:
Constant Field Values

LDAP_URL_STRING

public static final java.lang.String LDAP_URL_STRING
See Also:
Constant Field Values

URL_STRING

public static final java.lang.String URL_STRING
See Also:
Constant Field Values

LDAP_AC_ATTRIBUTE_STRING

public static final java.lang.String LDAP_AC_ATTRIBUTE_STRING
See Also:
Constant Field Values

LDAP_PKC_ATTRIBUTE_STRING

public static final java.lang.String LDAP_PKC_ATTRIBUTE_STRING
See Also:
Constant Field Values

ROOT_CA_STRING

public static final java.lang.String ROOT_CA_STRING
See Also:
Constant Field Values

AC_STRING

public static final java.lang.String AC_STRING
See Also:
Constant Field Values

PKC_STRING

public static final java.lang.String PKC_STRING
See Also:
Constant Field Values

LOG_STRING

public static final java.lang.String LOG_STRING
See Also:
Constant Field Values

HELP_SCREEN

public static final java.lang.String HELP_SCREEN
See Also:
Constant Field Values
Constructor Detail

SamlADF

public SamlADF(PBAAPI pbaApi)
This constructor wraps SamlADF around a given PBAAPI. SamlADF will extract the input to getCreds and decision from the SAMLRequests, and will wrap the decision into a SAMLResponse.

Parameters:
pbaApi - the PBAAPI to wrap around
Method Detail

main

public static void main(java.lang.String[] args)
This method starts up a standalone SamlADF - a standalone SAML Authorisation server.


loadAC

public static void loadAC(VirtualRepository vr,
                          java.lang.String filename)
This method loads an X.509 Attribute Certificate into a given VirtualRepository. The AC will be loaded into the Holder's entry; if no such entry exists, it will be created. The attribute name is taken from CustomisePERMIS.getAttributeCertificateAttribute().

Parameters:
vr - the VirtualRepository to load the AC into
filename - the filename of the X.509 AC; if it is a malformed AC or an IOException occurs while reading the file, no AC will be loaded (and a stack trace will be printed to System.err)

loadPKC

public static void loadPKC(VirtualRepository vr,
                           java.lang.String filename)
This method loads an X.509 Public Key Certificate into a given VirtualRepository. The PKC will be loaded into the Subject's entry; if no such entry exists, it will be created. The attribute name is taken from CustomisePERMIS.getUserCertificateAttribute().

Parameters:
vr - the VirtualRepository to load the PKC into
filename - the filename of the X.509 PKC; if it is a malformed PKC or an IOException occurs while reading the file, no PKC will be loaded (and a stack trace will be printed to System.err)

print

public static void print(java.lang.String s)
This method outputs a String to the standard output. This will be configurable to output to a log instead.

Parameters:
s - the String to output

println

public static void println(java.lang.String s)
This method outputs a String and a new line to the standard output. This will be configurable to output to a log instead.

Parameters:
s - the String to output

execute

public boolean execute(java.security.Principal user,
                       Action action,
                       Target target)
                throws PbaException
This method checks that the user is authenticated and then gets the user's credentials and makes a decision using those credentials.

Parameters:
user - the Principal of the user
action - the action the user wants to perform
target - the target on which the action is to be performed
Returns:
true, if the action is allowed by the underlying PBAAPI; false otherwise
Throws:
PbaException - if there was a problem during evaluation of the authorisation decision

authenticate

public void authenticate(java.security.Principal user)
                  throws PbaException
This method checks that the user has been authenticated. At the moment it does nothing, but the subclasses should perform the actual check.

Throws:
PbaException

getPBAAPI

public static PBAAPI getPBAAPI(java.lang.String oid,
                               java.lang.String soa,
                               java.util.Vector ldapURL,
                               java.util.Vector url,
                               java.lang.String rootCA,
                               SignatureVerifier sv,
                               java.lang.String ac_attribute,
                               java.lang.String pkc_attribute)
                        throws PbaException
This method gets an instance of PBAAPI given a set of configuration parameters.

Parameters:
oid - the OID of the PERMIS Policy
soa - the SOA name (LDAP DN)
ldapURL - the URLs of the LDAP repository to use to retrieve the policy and user ACs
url - the URLs of another repository where the user ACs are stored (this may be different from the policy LDAP)
rootCA - the filename of the Root CA PKC; can be null if no signature verification is required
sv - the SignatureVerifier to use; if rootCA is not null, the SignatureVerifier is ignored; rootCA and sv cannot both be null
ac_attribute - the attribute name of the ACs in the repositories
pkc_attribute - the attribute name of the PKCs in the repositories
Returns:
PermisRBAC configured with these parameters
Throws:
PbaException

process

public SAMLResponse process(SAMLRequest request)
                     throws PbaException
This method processes a SAMLRequest and returns a reply as a SAMLResponse. It will throw a PbaException (or a SamlException) if there was an error parsing the SAML. If an error occurred during decision-making, a string message will still be produced.

Parameters:
request - is the SAMLRequest to process
Returns:
the response generated for the request
Throws:
PbaException
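The following is an added example, not code from the PERMIS distribution, showing how the pieces documented above fit together: getPBAAPI builds the PBAAPI (with the documented rule that rootCA and sv cannot both be null, and that sv is ignored when rootCA is given), the constructor wraps it in a SamlADF, authenticate is the hook the base class leaves empty for subclasses to fill, and execute is called through a wrapper that treats any PbaException as a denial. The class AuthenticatedSamlADF, its methods markAuthenticated, build and isPermitted, the set of transport-authenticated names, and all configuration values are assumptions or constructed placeholders; the page does not give the packages of PBAAPI, PbaException, Action, Target or SignatureVerifier, nor PbaException's constructors, so those imports are left to the reader and the String constructor is an assumption.

```java
package issrg.globus;

import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import java.util.Vector;
import javax.security.auth.x500.X500Principal;
// PBAAPI, PbaException, Action, Target and SignatureVerifier come from the
// PERMIS jars; this page does not give their packages, so their imports are
// not written out here.

/**
 * Added example (not PERMIS code): a SamlADF subclass that performs the
 * authentication check the base class leaves to subclasses, plus the wiring
 * from configuration to a fail-closed decision.
 */
public class AuthenticatedSamlADF extends SamlADF {

    // Names of principals the transport layer has already authenticated (for
    // example by a verified TLS client certificate). A constructed stand-in
    // for that transport state, populated by the caller.
    private final Set<String> authenticatedNames = new HashSet<String>();

    public AuthenticatedSamlADF(PBAAPI pbaApi) {
        super(pbaApi);
    }

    public void markAuthenticated(Principal p) {
        authenticatedNames.add(p.getName());
    }

    /** Refuses unauthenticated principals instead of silently accepting them. */
    public void authenticate(Principal user) throws PbaException {
        if (user == null || !authenticatedNames.contains(user.getName())) {
            // Assumes PbaException has a String constructor (not shown on this page).
            throw new PbaException("principal not authenticated: "
                                   + (user == null ? "null" : user.getName()));
        }
    }

    /**
     * Builds the ADF from the parameters SamlADF.getPBAAPI takes, checking up
     * front the rule documented there: rootCA and sv cannot both be null, and
     * sv is ignored whenever rootCA is given.
     */
    public static AuthenticatedSamlADF build(String policyOID, String soaDN,
            Vector ldapURLs, Vector acURLs, String rootCAFile,
            SignatureVerifier sv, String acAttribute, String pkcAttribute)
            throws PbaException {
        if (rootCAFile == null && sv == null) {
            throw new IllegalArgumentException(
                "a Root CA PKC file or a SignatureVerifier is required");
        }
        PBAAPI pbaApi = SamlADF.getPBAAPI(policyOID, soaDN, ldapURLs, acURLs,
                rootCAFile, sv, acAttribute, pkcAttribute);
        return new AuthenticatedSamlADF(pbaApi);
    }

    /**
     * Fail-closed wrapper around execute: an exception during authentication,
     * credential retrieval or policy evaluation is logged and reported as deny.
     */
    public boolean isPermitted(Principal user, Action action, Target target) {
        try {
            return execute(user, action, target);
        } catch (PbaException e) {
            SamlADF.println("deny " + user.getName() + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws PbaException {
        // Constructed placeholder configuration; the standalone server reads
        // the equivalent values from the command line of SamlADF.main.
        Vector ldapURLs = new Vector();
        ldapURLs.add("ldap://ldap.example.org/");            // placeholder
        AuthenticatedSamlADF adf = build(
            "1.2.3.4.5",                                    // placeholder policy OID
            "cn=SOA,o=Example,c=GB",                        // placeholder SOA DN
            ldapURLs, new Vector(),                         // no separate AC repository
            "/etc/permis/rootca.pem", null,                 // placeholder Root CA; sv ignored
            "attributeCertificateAttribute", "userCertificate"); // placeholder attribute names

        Principal alice = new X500Principal("CN=Alice,O=Example,C=GB");
        adf.markAuthenticated(alice);
        try {
            adf.authenticate(alice);                                          // passes
            adf.authenticate(new X500Principal("CN=Mallory,O=Example,C=GB")); // throws
        } catch (PbaException e) {
            SamlADF.println("rejected: " + e.getMessage());
        }
        // Decisions then go through isPermitted with the caller's Action and Target.
    }
}
```

Because execute is documented as calling the authentication check before fetching credentials, overriding authenticate is enough to make every decision path reject principals the transport never authenticated; the isPermitted wrapper keeps a repository outage or malformed AC from being mistaken for a permit.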