This guide explains the authentication and authorization mechanism supported in GRIMOIRES. In brief, GRIMOIRES supports
Note that both Grimoires and Grimoires-WSRF are protected by the same authorization mechanism and by the same authorization configuration file. For specifying an access control list in the configuration file, see "Security - Grimoires" in Grimoires' documentation, under the section "Grimoires Security".
In Grimoires-GT4Authorization:
  - run "ant secureGrimoires" to transform a non-secure Grimoires GT4 deployment into a secure one.
  - run "ant unsecureGrimoires" to transform a secure Grimoires GT4 deployment into a non-secure one.
In fact "ant secureGrimoires" adds the following lines to each <service> in the "server-config.wsdd" file:
<service>
    ......
    <parameter name="securityDescriptor" value="etc/grimoires/security-config.xml"/>
    ......
</service>
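A deployment is only protected if every <service> in server-config.wsdd actually carries that parameter, so it is worth checking the file rather than trusting that the ant target ran. The script below is an added example, not part of the Grimoires build: it lists the services that lack the securityDescriptor parameter and can add it the way "ant secureGrimoires" does. It assumes the standard Axis 1.x WSDD namespace (http://xml.apache.org/axis/wsdd/) and uses a constructed two-service file as input.

```python
"""Check, and optionally apply, the per-<service> securityDescriptor parameter
that "ant secureGrimoires" adds to server-config.wsdd.

Added example, not Grimoires code. Assumes the Axis 1.x WSDD namespace and the
descriptor path shown on the page.
"""
import xml.etree.ElementTree as ET

WSDD_NS = "http://xml.apache.org/axis/wsdd/"       # standard Axis 1.x deployment namespace (assumed)
DESCRIPTOR = "etc/grimoires/security-config.xml"   # value the ant target inserts

# Constructed sample: one service already secured, one still open.
SAMPLE_WSDD = f"""<deployment xmlns="{WSDD_NS}">
  <service name="grimoires/wsrf/query" provider="Handler">
    <parameter name="securityDescriptor" value="{DESCRIPTOR}"/>
  </service>
  <service name="grimoires/wsrf/publish" provider="Handler">
    <parameter name="allowedMethods" value="*"/>
  </service>
</deployment>"""


def q(tag):
    """Qualify a tag name with the WSDD namespace for ElementTree lookups."""
    return f"{{{WSDD_NS}}}{tag}"


def descriptor_param(service):
    """Return the securityDescriptor <parameter> element of a service, or None."""
    for p in service.findall(q("parameter")):
        if p.get("name") == "securityDescriptor":
            return p
    return None


def unsecured_services(wsdd_text):
    """Names of services whose securityDescriptor is missing or points elsewhere."""
    root = ET.fromstring(wsdd_text)
    names = []
    for s in root.findall(q("service")):
        p = descriptor_param(s)
        if p is None or p.get("value") != DESCRIPTOR:
            names.append(s.get("name"))
    return names


def secure_services(wsdd_text):
    """Return WSDD text where every <service> carries the descriptor parameter,
    mirroring what "ant secureGrimoires" does according to the page."""
    ET.register_namespace("", WSDD_NS)   # keep the default namespace on output
    root = ET.fromstring(wsdd_text)
    for s in root.findall(q("service")):
        p = descriptor_param(s)
        if p is None:
            p = ET.SubElement(s, q("parameter"))
            p.set("name", "securityDescriptor")
        p.set("value", DESCRIPTOR)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("unsecured before:", unsecured_services(SAMPLE_WSDD))
    fixed = secure_services(SAMPLE_WSDD)
    print("unsecured after: ", unsecured_services(fixed))
```

To check a real deployment, read $GLOBUS_LOCATION/etc/grimoires/server-config.wsdd into `wsdd_text` instead of the constructed sample; an empty list from unsecured_services is the condition you want before exposing the container.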
"security-config.xml" has the following content:
<securityConfig xmlns="http://www.globus.org">
    <auth-method>
        <GSISecureMessage/>
    </auth-method>
    <authz value="aclscope:uk.ac.soton.ecs.grimoires.server.security.wsrf.GrimoiresAuthorisationPDP" />
</securityConfig>
GrimoiresAuthorisationPDP is the authorization handler; it implements org.globus.wsrf.security.authorization.PDP. It reads the access control list from the file named by "authfile" in the "grimoires.properties" file. If you recall, in the installation guide we set "authfile = _globus_location_/etc/grimoires/authlist.xml", where "_globus_location_" must be replaced by the actual absolute path of $GLOBUS_LOCATION.
The "authlist.xml" file has the following content:
<!-- All users have full access control. -->
<authlist>
    <permission identity="#AllUsers#" operationList=" " mode="restrict" />
</authlist>
It specifies that any user, as long as they can be authenticated, can perform any operation. See "Security - Grimoires" in Grimoires' documentation, under the section "Grimoires Security", for how to write more complicated access control lists.
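Two things go wrong in practice with this setup: the "_globus_location_" placeholder is left unreplaced, so the PDP cannot open the file, or the shipped "all authenticated users may do everything" list is deployed unchanged. The script below is an added example, not Grimoires code, that resolves the authfile entry from grimoires.properties and reports whether the list is still wide open. It also evaluates sample decisions; the reading of mode="restrict" used there (the operations in operationList are withheld from that identity, an empty list withholds nothing) is an assumption consistent with the default entry, and the DNs and the tighter list are constructed.

```python
"""Resolve "authfile" from grimoires.properties and inspect the authlist.xml it
names. Added example, not Grimoires code; the decision rule for non-empty
operationList values is an assumption (see comments), the sample DNs are made up.
"""
import xml.etree.ElementTree as ET

# Constructed properties: one resolved, one with the install-guide placeholder left in.
SAMPLE_PROPERTIES = "authfile = /opt/globus/etc/grimoires/authlist.xml\n"
UNRESOLVED_PROPERTIES = "authfile = _globus_location_/etc/grimoires/authlist.xml\n"

# The default authlist.xml shown on the page.
DEFAULT_AUTHLIST = """<!-- All users have full access control. -->
<authlist>
  <permission identity="#AllUsers#" operationList=" " mode="restrict" />
</authlist>"""

# Constructed tighter list: everyone may query, only one DN may publish or update.
TIGHTER_AUTHLIST = """<authlist>
  <permission identity="#AllUsers#" operationList="publish update" mode="restrict" />
  <permission identity="/O=Grid/OU=example/CN=publisher" operationList=" " mode="restrict" />
</authlist>"""


def authfile_path(properties_text, globus_location):
    """Return the authfile path, substituting the placeholder if it was never replaced."""
    for line in properties_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "authfile":
            value = value.strip()
            # Leftover placeholder from the installation guide: the PDP would
            # otherwise try to open a path that does not exist.
            return value.replace("_globus_location_", globus_location)
    raise ValueError("no authfile entry in grimoires.properties")


def parse_authlist(xml_text):
    """Parse <permission> entries into dicts; operationList is whitespace separated."""
    root = ET.fromstring(xml_text)
    return [
        {
            "identity": p.get("identity"),
            "ops": p.get("operationList", "").split(),
            "mode": p.get("mode"),
        }
        for p in root.findall("permission")
    ]


def is_wide_open(entries):
    """True when the shipped default is still in force: #AllUsers#, nothing restricted."""
    return any(
        e["identity"] == "#AllUsers#" and e["mode"] == "restrict" and not e["ops"]
        for e in entries
    )


def permitted(entries, identity, operation):
    """identity is the authenticated DN, or None when the caller was not authenticated.

    Assumed rule for mode="restrict": the listed operations are withheld from the
    matching identity, every other operation is allowed; an empty list withholds nothing.
    """
    if identity is None:
        return False  # the security descriptor demands GSI authentication first
    for e in entries:
        if e["identity"] not in ("#AllUsers#", identity):
            continue
        if e["mode"] == "restrict" and operation not in e["ops"]:
            return True
    return False  # no entry grants it


if __name__ == "__main__":
    path = authfile_path(UNRESOLVED_PROPERTIES, "/opt/globus")
    print("authfile:", path)
    for name, text in (("default", DEFAULT_AUTHLIST), ("tighter", TIGHTER_AUTHLIST)):
        print(name, "wide open:", is_wide_open(parse_authlist(text)))
```

Run against a real deployment by reading grimoires.properties and the resolved authlist.xml from disk; a True from is_wide_open means every holder of a certificate your container trusts can publish to and modify the registry.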
In Grimoires-GT4SecureClient, a "client-security-config.xml" file has the following content:
<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns="http://www.globus.org">
    <!--==========================================================
        To disable the security support enforced at the client side,
        comment the configuration below; to enable, uncomment below.
        ==========================================================-->
    <!--
    <GSISecureMessage>
        <integrity/>
    </GSISecureMessage>
    <authz value="none"/>
    -->
</securityConfig>
To make GShell work in secure mode, uncomment that content. See the GT4 documentation for an explanation of this file.
In Grimoires-GT4Authorization:
  - run "ant secureGrimoiresWSRF" to transform a non-secure Grimoires-WSRF deployment into a secure one.
  - run "ant unsecureGrimoiresWSRF" to transform a secure Grimoires-WSRF deployment into a non-secure one.
We use the standard GT4 Java WS Core commands to interact with Grimoires-WSRF. They can run in secure mode with command-line options. For instance,
wsrf-query -m msg -d -s http://localhost:8080/wsrf/services/grimoires/wsrf/query "//*[local-name()='AnnotatedRegistryEntity']/*/*/*[local-name()='name'][contains(.,'%1')] /../../../*[local-name()='EndpointReference']" > temp.epr
is a secure version of "functest/query-by-name.bat". It asks for the GSI secure message authentication mechanism and is therefore able to talk to the secure Grimoires-WSRF.