Globus Toolkit SecurityJava Components.pptVIP

Globus Toolkit SecurityJava Components Rachana Ananthakrishnan Frank Siebenlist Authentication Framework Authentication Schemes Secure Transport Secure Sockets (https) Anonymous access support Container-level configuration Secure Message Each individual message is secured Replay Attack Prevention Secure Conversation Handshake to establish secure context Anonymous access support Server-side features Message Protection options Integrity and Privacy Configure required authentication as policy At service or resource level Programmatic or security descriptors Server response Same authentication scheme as request Client-side features Configurable client side authentication Per invocation granularity Properties on the Stub Programmatically or Security Descriptors Message Protection options Integrity and Privacy Default: Integrity protection Planned Work Pluggable Path Validation Allow OCSP integration Allows XKMS and trust-root provisioning schemes Kerberos Work (long term) If a real user requirement is motivated Requirements ? Delegation Delegation Service Higher level service Authentication protocol independent Refresh interface Delegate once, share across services and invocation Delegation Secure Conversation Can delegate as part of protocol Extra round trip with delegation Delegation Service is preferred way of delegating Secure Message and Secure Transport Cannot delegate as part of protocol Planned Work Client side support for X509Extensions Consolidation with EGEE’s equivalent solution Requirements ? Authorization Framework Server-side Authorization Framework Establishes if a client is allowed to invoke an operation on a resource Only authenticated calls are authorized Authorization policy configurable at resource, service or container level Server-side Authorization Framework Policy Information Points (PIPs) Collect attributes (subject, action, resource) Ex: Parameter PIP Policy Decision Points (PDPs) Evaluate authorization policy Ex: GridMap Authorization