NIH | National Cancer Institute | NCI Wiki  


...

  1. Alter Service Context(s) within Introduce
    • Modify each service context accordingly to add security
      1. Highlight Service Context, click Modify Service button
      2. Under Information Page, User Resource Framework Options section, check Secure
      3. Under Security Page (tab/button at top of dialogue), choose Custom
      4. Then under Secure Communication tab, check Transport Layer Security, choose Privacy for Communication Method
        Info: Specifying Transport Layer Security (TLS) enables encryption of the connection
      5. Then under Authorization tab, select No for Client should connect anonymously AND select Enforce Authentication for Authorization Mechanism
        Info: These settings force the user to authenticate with the Grid and provide a valid user credential when calling the grid data service
      6. Then under Service Credentials tab, select System for Run As
    • Add Service Property to your (Main Service) context within Introduce:
      1. Select Service Properties tab, input the following values:

        Key: gridServicePrincipalSeparator
        Default Value: ||
        Description: The separator used to encode the gridServicePrincipal and the grid user's identity when using the com.fiveamsolutions.nci.commons.authentication.CommonsGridLoginModule

      2. Click Add button
    • Ensure the appropriate Types are included within your grid service, if not add the types (XSDs) by doing the following:
      1. Import Data Types -> caDSR; Project: caGrid_Metadata_Models (version 1); Package gov.nih.nci.cagrid.metadata.security
    • Save your changes within Introduce (must be successful)
  2. Ensure the Service Property is specified within service.properties
    Code Block
    #service deployment properties
    #Wed Nov 04 17:13:39 EST 2009
    gridServicePrincipalSeparator=||
    
  3. Alter how remote services (eg, EJBs) are authenticated and authorized for each grid service request.
    As an example, create a GridSecurityJNDIServiceLocator class that authenticates using the grid service principal combined with the Grid User's Identity (e.g., /O=caBIG/OU=caGrid/OU=Training/OU=Dorian/CN=coppagridtest) instead of a typical remote service user alone. In short, base your implementation on your existing Locator (e.g., JNDIServiceLocator) and replace existing occurrences with the new GridSecurityJNDIServiceLocator.
    Warning: Don't forget to update the values for java.naming.security.principal and java.naming.security.credentials when using the new GridSecurityJNDIServiceLocator; see the example below.
    Code Block
    <property name="java.naming.security.principal" value="Gr1DU5er" />
    <property name="java.naming.security.credentials" value="Pa44Wurd" />
    

    Tip
    Example GridSecurityJNDIServiceLocator implementation within COPPA PO Grid Service

    See https://ncisvn.nci.nih.gov/svn/coppa/trunk/code/po-grid/src/gov/nih/nci/coppa/po/grid/remote/GridSecurityJNDIServiceLocator.java for the full code.

    Below is an example that demonstrates the essentials of how to code up your new GridSecurityJNDIServiceLocator class.
    Note: About example

    CoreServicesConfiguration is the ServiceConfiguration for the (Main Service) context to which you previously added a Service Property when updating your services using Introduce.

    Warning

    GridSecurityJNDIServiceLocator must not be a singleton (static) within your application, because the contained InitialContext instance needs to reference the Grid Identity of the incoming request, obtained via SecurityUtils.getCallerIdentity().

    Note

    While this is recognized as a performance hit, we've yet to figure out a better way. If anyone is able to determine a better way, please let the COPPA team know at team-po@5amsolutions.com -- thanks.

    Code Block (java): Essentials for a GridSecurityJNDIServiceLocator implementation
    ...
        private InitialContext context;
        private static final String JNDI_PRINCIPAL = "java.naming.security.principal";
        private static final String JNDI_CREDENTIALS = "java.naming.security.credentials";

        /**
         * @return a ServiceLocator bound to the caller's grid identity (a new instance per request; see the warning above)
         * @throws Exception if a problem occurs
         */
        public static ServiceLocator newInstance() throws Exception {
            return new GridSecurityJNDIServiceLocator(SecurityUtils.getCallerIdentity());
        }

        /**
         * Creates a service locator specific to the grid user.
         *
         * @param userIdentity identity (DN) of the grid user making the request
         */
        public GridSecurityJNDIServiceLocator(String userIdentity) {
            try {
                Properties props = new Properties();
                props.load(GridSecurityJNDIServiceLocator.class.getClassLoader().getResourceAsStream("jndi.properties"));

                // compose "<service principal><separator><grid identity>" and use it as java.naming.security.principal;
                // the login module splits it again using the same gridServicePrincipalSeparator value
                CoreServicesConfiguration coreConfiguration = CoreServicesConfiguration.getConfiguration();
                String principal = props.getProperty(JNDI_PRINCIPAL)
                        + coreConfiguration.getGridServicePrincipalSeparator() + userIdentity;
                props.setProperty(JNDI_PRINCIPAL, principal);

                // NB: props also holds java.naming.security.credentials, so this line writes the
                // service password to the log whenever DEBUG is enabled; prefer logging the principal only
                LOG.debug("Properties " + props.toString());

                context = new InitialContext(props);

            } catch (Exception e) {
                LOG.error("Unable to load jndi properties.", e);
                throw new RuntimeException("Unable to load jndi properties.", e);
            }
        }

        // Retries only on CommunicationException; any other NamingException propagates.
        // Returns null if every attempt fails, so callers must be prepared for a null reference.
        private Object lookup(String name) throws NamingException {
            Object object = null;
            int i = 0;
            while (object == null && i < MAX_RETRIES) {
                try {
                    LOG.debug("Performing JNDI Lookup of : " + name);
                    object = context.lookup(name);
                } catch (CommunicationException com) {
                    LOG.warn("Unable to lookup: " + name);
                }
                i++;
            }

            return object;
        }

        /**
         * {@inheritDoc}
         */
        public PersonEntityServiceRemote getPersonService() throws NamingException {
            PersonEntityServiceRemote object = (PersonEntityServiceRemote) lookup("po/PersonEntityServiceBean/remote");
            return object;
        }
    ...

    Next, an example demonstrating the use of the GridSecurityJNDIServiceLocator class:
    Code Block (java): Using GridSecurityJNDIServiceLocator
        /**
         * {@inheritDoc}
         */
        public PersonDTO getPerson(Ii ii) throws NullifiedEntityException {
            try {
                // a fresh locator per call, so the JNDI login carries this request's grid identity
                PersonDTO person = GridSecurityJNDIServiceLocator.newInstance().getPersonService().getPerson(ii);
                return person;
            } catch (NullifiedEntityException e) {
                throw e;
            } catch (UndeclaredThrowableException e) {
                throw e;
            } catch (Exception e) {
                throw new InvokeCoppaServiceException(e.toString(), e);
            }
        }

    Lastly, here are the JNDI properties:
    Code Block: jndi.properties
    java.naming.factory.initial=${java.naming.factory.initial}
    java.naming.provider.url=${java.naming.provider.url}
    java.naming.factory.url.pkgs=${java.naming.factory.url.pkgs}
    java.naming.security.principal=${java.naming.security.principal}
    java.naming.security.credentials=${java.naming.security.credentials}
    

    Be sure to filter in the values as part of your build process:
    Code Block
    <property name="java.naming.factory.initial" value="org.jboss.security.jndi.JndiLoginInitialContextFactory" />
    <property name="java.naming.provider.url.host" value="localhost" />
    <property name="java.naming.provider.url.port" value="1099" />
    <property name="java.naming.provider.url" value="jnp://${java.naming.provider.url.host}:${java.naming.provider.url.port}" />
    <property name="java.naming.factory.url.pkgs" value="org.jboss.naming:org.jnp.interfaces" />
    <property name="java.naming.security.principal" value="Gr1DU5er" />
    <property name="java.naming.security.credentials" value="Pa44Wurd" />
    

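    As an added example, not part of this page or the COPPA code base, the class below builds the composite principal exactly as the locator above does (service principal + gridServicePrincipalSeparator + grid identity) and shows the decoding the login-module side needs. CommonsGridLoginModule's actual parsing is not shown on this page, so decode(), and the GridPrincipalCodec and GridPrincipal names, are assumptions; the decoder splits at the first separator only and rejects a service principal that contains the separator, since the service principal is the trusted, fixed part of the value.

```java
import java.util.Optional;

// Added example (not COPPA project code): builds and takes apart the composite
// java.naming.security.principal the locator above sends: servicePrincipal +
// gridServicePrincipalSeparator + grid DN. CommonsGridLoginModule's real decoder
// is not on the page; decode() is an assumed counterpart to that encoding.
public final class GridPrincipalCodec {
    /** Decoded form: the trusted service principal plus the caller's grid DN. */
    public static final class GridPrincipal {
        public final String servicePrincipal, gridIdentity;
        GridPrincipal(String s, String g) { servicePrincipal = s; gridIdentity = g; }
    }
    private final String separator; // value of gridServicePrincipalSeparator, e.g. "||"

    public GridPrincipalCodec(String separator) {
        if (separator == null || separator.isEmpty()) {
            throw new IllegalArgumentException("separator must be non-empty");
        }
        this.separator = separator;
    }
    /** Encode as the locator does. The fixed service principal must not contain the
     *  separator, otherwise decode() could not tell where the grid identity starts. */
    public String encode(String servicePrincipal, String gridIdentity) {
        if (servicePrincipal.isEmpty() || servicePrincipal.contains(separator)) {
            throw new IllegalArgumentException("bad service principal: " + servicePrincipal);
        }
        return servicePrincipal + separator + gridIdentity;
    }
    /** Split at the FIRST separator only, so a DN that itself contains the separator
     *  stays intact. An empty Optional means a plain (non-grid) JNDI login. */
    public Optional<GridPrincipal> decode(String principal) {
        int idx = principal.indexOf(separator);
        if (idx < 0) {
            return Optional.empty();
        }
        String svc = principal.substring(0, idx);
        String dn = principal.substring(idx + separator.length());
        if (svc.isEmpty() || dn.isEmpty()) {
            throw new IllegalArgumentException("malformed grid principal: " + principal);
        }
        return Optional.of(new GridPrincipal(svc, dn));
    }
    public static void main(String[] args) {
        GridPrincipalCodec codec = new GridPrincipalCodec("||");
        String dn = "/O=caBIG/OU=caGrid/OU=Training/OU=Dorian/CN=coppagridtest";
        GridPrincipal gp = codec.decode(codec.encode("Gr1DU5er", dn)).get();
        System.out.println(gp.servicePrincipal + " acting for " + gp.gridIdentity);
        System.out.println(codec.decode("Gr1DU5er").isPresent()); // false: no grid identity
    }
}
```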
...

Note

It is important that the updated version of cog-jglobus.jar is used. It is located within https://ncisvn.nci.nih.gov/svn/coppa/trunk/code/build-po/common/resources/grid/jboss-globus-libs-cagrid1_1.zip. Ideally these prepackaged WSRF and Globus archives should be within the IVY Repo or elsewhere within the BDA Repositories.

Code Block
$ md5 cog-jglobus.jar
MD5 (cog-jglobus.jar) = ff78337a0af216fc946ad81fde1d0961

No Format
$ svn log https://ncisvn.nci.nih.gov/svn/coppa/trunk/code/build-po/common/resources/grid/jboss-globus-libs-cagrid1_1.zip
------------------------------------------------------------------------
r7183 | smatyas | 2009-10-19 17:14:37 -0400 (Mon, 19 Oct 2009) | 1 line

PO-1292: adding security to po-grid; updates to bda-based builds; updates to poear security on remote endpoints; -pr slustbader
------------------------------------------------------------------------
r4198 | saksass | 2009-01-16 16:20:23 -0500 (Fri, 16 Jan 2009) | 1 line

Upgrade to bda-utils-0.10.0-beta with smatyas, plan to change to 0.9.1 when released shortly
------------------------------------------------------------------------

...

Business Application Updates

...