Java WS Core/Independent Java Authz Module
From Globus
The Java Authorization module has been reorganized to allow for a separate module for Java authorization. Bug 5559 provides details and tracks the work.
Module organization
- New authorization module
A new module, authorization, has been created under globus-packages, and the server side authorization code has been moved from the wsrf module to the new module. Specifically, there are three components in the new module:
- authorization/java/engine: Java authorization framework engine. Depends on Java WS Core Common only for the log4j.properties jar. Also contains tests for the framework.
- authorization/java/base: Basic PDPs and PIPs that don't require any third party jars to be added for processing. Depends on Java WS Core. Also contains tests for the framework.
- authorization/java/saml: PDP and PIP that process SAML. Depends on Java WS Core and on the base package for Parameter PIP. Also contains tests and a sample authorization service.
Each of the above is a separate GPT package and can be built and deployed separately.
Changes in core module
- The code base in wsrf/java/authzFramework has been moved to the new authorization module and removed from wsrf.
- Code in org.globus.wsrf.impl.security.authorization package has been split into server and client side authorization.
- Server side implementations have been moved to new package.
- Client implementations remain in the same package.
- The authorization implementations contained both client and server side authorization
- The existing implementations have been modified to have only client authorization now
- Server side authorization classes have new names and are part of the new authorization module.
- Changes in package org.globus.wsrf.security.authorization
- Authorization interface has been moved to org.globus.wsrf.authorization.client.Authorization.
- An AuthorizationException thrown by client authorization has been added to this package.
- Sample authorization service has been moved to new module, authorization/java/saml/samples.
- The following schema have been removed from wsrf and moved to the new module:
- All server side authorization test schema
- SAML Authz port type
- SAML Authz Service
- Default bootstrap
- Configured as a parameter in the server config.wsdd using the property defaultBootstrapPIP; the value is expected to be any class that implements the BootstrapPIP interface. By default, this is set to X509BootstrapPIP.
Package Data Changes
- The following packages now have a major version of 2:
- globus_ws_core_schema
- globus_java_ws_core
- globus_java_ws_core_test_unit
Server side authorization class name changes
- PDPs
- org.globus.wsrf.impl.security.authorization.AccessContolListPDP
- org.globus.wsrf.impl.security.authorization.IdentityAuthzPDP
- org.globus.wsrf.impl.security.authorization.ResourcePropertiesPDP
- org.globus.wsrf.impl.security.authorization.UsernameAuthzPDP
- org.globus.wsrf.impl.security.authorization.HostAuthzPDP
- org.globus.wsrf.impl.security.authorization.SelfAuthzPDP
- PIPs
- org.globus.wsrf.impl.security.authorization.X509BootstrapPIP
- org.globus.wsrf.impl.security.authorization.ParameterPIP
Required changes in higher level service
//Client authorization interface -import org.globus.wsrf.security.authorization.Authorization; +import org.globus.wsrf.security.authorization.client.Authorization;
// client side exceptions -import org.globus.security.authorization.AuthorizationException; +import org.globus.wsrf.security.authorization.client.AuthorizationException;
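Review bot: the added Authorization import uses the package org.globus.wsrf.security.authorization.client, but the change list under "Changes in core module" gives the interface's new location as org.globus.wsrf.authorization.client.Authorization, without the security segment. The two should name the same package, so confirm which one the new module actually ships and correct the other. The removed AuthorizationException import is org.globus.security.authorization.AuthorizationException, which lacks the wsrf segment that every other import here carries; check that this is the package services import today, otherwise the substitution will not match existing code.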
Building core using Ant
- Check out wsrf
- Check out authorization
- ant all -Dauthz.install="path to authorization module"
- By default it expects wsrf and authorization to be checked out in the same directory.
To Do
- SAML schema is within authz/java, but should be pulled out if we have other implementations

