issrg.globus
Class SamlADF

java.lang.Object
  issrg.globus.SamlADF

public class SamlADF
extends java.lang.Object

This is a standalone ADF. It runs on port 80 and listens for SAML requests on input. It is also used in issrg.globus.impl.PermisAuthzImpl, which is a Grid Service.

The ADF understands SAML requests and sends SAML responses valid for 1 Hour (this will be made configurable).

Field Summary

static java.lang.String	AC_STRING
static java.lang.String	HELP_SCREEN
static java.lang.String	LDAP_AC_ATTRIBUTE_STRING
static java.lang.String	LDAP_PKC_ATTRIBUTE_STRING
static java.lang.String	LDAP_URL_STRING
static java.lang.String	LOG_STRING
static java.lang.String	OID_STRING
static java.lang.String	PKC_STRING
static java.lang.String	ROOT_CA_STRING
static java.lang.String	SOA_STRING
static java.lang.String	URL_STRING

Constructor Summary

SamlADF(PBAAPI pbaApi)
This constructor wraps SamlADF around a given PBAAPI.

Method Summary

void	authenticate(java.security.Principal user) This method checks that the user has been authenticated.
boolean	execute(java.security.Principal user, Action action, Target target) This method checks that the user is authenticated and then gets the user's credentials and makes a decision using those credentials.
static PBAAPI	getPBAAPI(java.lang.String oid, java.lang.String soa, java.util.Vector ldapURL, java.util.Vector url, java.lang.String rootCA, SignatureVerifier sv, java.lang.String ac_attribute, java.lang.String pkc_attribute) This method gets an instance of PBAAPI given a bunch of configuration parameters.
static void	loadAC(VirtualRepository vr, java.lang.String filename) This method loads an X.509 Attribute Certificate into a given VirtualRepository.
static void	loadPKC(VirtualRepository vr, java.lang.String filename) This method loads an X.509 Public Key Certificate into a given VirtualRepository.
static void	main(java.lang.String[] args) This method starts up a standalone SamlADF - a standalone SAML Authorisation server.
static void	print(java.lang.String s) This method outputs a String to the standard output.
static void	println(java.lang.String s) This method outputs a String and a new line to the standard output.
SAMLResponse	process(SAMLRequest request) This method processes a SAMLRequest and returns a reply as a SAMLResponse.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SOA_STRING

public static final java.lang.String SOA_STRING

See Also:

Constant Field Values

OID_STRING

public static final java.lang.String OID_STRING

See Also:

Constant Field Values

LDAP_URL_STRING

public static final java.lang.String LDAP_URL_STRING

See Also:

Constant Field Values

URL_STRING

public static final java.lang.String URL_STRING

See Also:

Constant Field Values

LDAP_AC_ATTRIBUTE_STRING

public static final java.lang.String LDAP_AC_ATTRIBUTE_STRING

See Also:

Constant Field Values

LDAP_PKC_ATTRIBUTE_STRING

public static final java.lang.String LDAP_PKC_ATTRIBUTE_STRING

See Also:

Constant Field Values

ROOT_CA_STRING

public static final java.lang.String ROOT_CA_STRING

See Also:

Constant Field Values

AC_STRING

public static final java.lang.String AC_STRING

See Also:

Constant Field Values

PKC_STRING

public static final java.lang.String PKC_STRING

See Also:

Constant Field Values

LOG_STRING

public static final java.lang.String LOG_STRING

See Also:

Constant Field Values

HELP_SCREEN

public static final java.lang.String HELP_SCREEN

See Also:

Constant Field Values

Constructor Detail

SamlADF

public SamlADF(PBAAPI pbaApi)

This constructor wraps SamlADF around a given PBAAPI. SamlADF will extract the input to getCreds and decision from the SAMLRequests, and will wrap the decision into a SAMLResponse.

Parameters:

pbaApi - - the PBAAPI to wrap around

Method Detail

main

public static void main(java.lang.String[] args)

This method starts up a standalone SamlADF - a standalone SAML Authorisation server.

loadAC

public static void loadAC(VirtualRepository vr,
                          java.lang.String filename)

This method loads an X.509 Attribute Certificate into a given VirtualRepository. The AC will be loaded into the Holder's entry; if such entry doesn't exist, it will be created. The attribute name is taken from CustomisePERMIS.getAttributeCertificateAttribute()

Parameters:

vr - - the VirtualRepository to load the AC into

filename - - the filename of the X.509 AC; if it is a malformed AC or an IOException occurs while reading the file, no AC will be loaded (and stack trace will be printed onto System.err)

loadPKC

public static void loadPKC(VirtualRepository vr,
                           java.lang.String filename)

This method loads an X.509 Public Key Certificate into a given VirtualRepository. The PKC will be loaded into the Subject's entry; if such entry doesn't exist, it will be created. The attribute name is taken from CustomisePERMIS.getUserCertificateAttribute()

Parameters:

vr - - the VirtualRepository to load the PKC into

filename - - the filename of the X.509 PKC; if it is a malformed PKC or an IOException occurs while reading the file, no PKC will be loaded (and stack trace will be printed onto System.err)

print

public static void print(java.lang.String s)

This method outputs a String to the standard output. This will be configurable to output to a log instead.

Parameters:

s - - the String to output

println

public static void println(java.lang.String s)

This method outputs a String and a new line to the standard output. This will be configurable to output to a log instead.

Parameters:

s - - the String to output

execute

public boolean execute(java.security.Principal user,
                       Action action,
                       Target target)
                throws PbaException

This method checks that the user is authenticated and then gets the user's credentials and makes a decision using those credentials.

Parameters:

user - - the Principal of the user

action - - the action the user wants to perform

target - - the target on which the action is to be performed

Returns:

true, if action is allowed by the underlying PBAPI; false otherwise

Throws:

PbaException - if there was a problem during evaluation of authorisation decision

authenticate

public void authenticate(java.security.Principal user)
                  throws PbaException

This method checks that the user has been authenticated. At the moment it does nothing, but the subclasses should perform the actual check.

Throws:

PbaException

getPBAAPI

public static PBAAPI getPBAAPI(java.lang.String oid,
                               java.lang.String soa,
                               java.util.Vector ldapURL,
                               java.util.Vector url,
                               java.lang.String rootCA,
                               SignatureVerifier sv,
                               java.lang.String ac_attribute,
                               java.lang.String pkc_attribute)
                        throws PbaException

This method gets an instance of PBAAPI given a bunch of configuration parameters.

Parameters:

oid - - the OID of the PERMIS Policy

soa - - the SOA name (LDAP DN)

ldapURL - - the URLs of the LDAP repository to use to retrieve the policy and user ACs

url - - the URLs of another repository where the user ACs are stored (this may be different from the policy LDAP)

rootCA - - the filename of the Root CA PKC; can be null, if no signature verification is required

sv - - the SignatureVerifier to use; if rootCA is not null SignatureVerifier is ignored; both cannot be null

ac_attribute - - the attribute name of the ACs in the repositories

pkc_attribute - - the attribute name of the PKCs in the repositories

Returns:

PermisRBAC configured with these parameters

Throws:

PbaException

process

public SAMLResponse process(SAMLRequest request)
                     throws PbaException

This method processes a SAMLRequest and returns a reply as a SAMLResponse. It will throw a PbaException (or a SamlException) if there was an error parsing the SAML. If an error occured during decision-making, a string message will still be produced.

Parameters:

request - is the SAMLRequest to process

Returns:

the response generated for the request

Throws:

PbaException