Security Plugins Table
Introduction
In this section some tables about the security modules are provided. The main infrastructure includes the essential security modules with some minimal Security Managers and Controllers. The plugins used for particular operations are provided in different jars. For every module the Java class, the description and the configuration steps required are reported. In particular, in the field Configuration only the module-related configurations are provided (if required): the presence of a service-based Security Descriptor or, at least, a Default Services Security Configuration is considered mandatory and is explained in the section GHN Security Configuration.
The plugins are grouped in Security Managers, Authentication Controllers and Authorization Controllers and are presented in different subsections grouped by the jar they belong to.
GCore Framework
The following Security Managers and Controllers are shipped in org.gcube.common.core.jar. It contains the essential security modules, which should not be considered plugins because they provide only basic, fundamental features.
Security Managers
Name | Java Class | Description | Configuration |
---|---|---|---|
Basic Security Manager | org.gcube.common.core.security.impl.GCUBESimpleServiceSecurityManager | Sets the security protocol (TLS) and security level (Signature, Encryption or all), used for backward compatibility | Not required |
Authentication controllers
Name | Java Class | Description | Configuration |
---|---|---|---|
Basic Authentication Controller | org.gcube.common.core.security.impl.GCUBESimpleServiceAuthController | Does nothing: the TLS Authentication controls are performed by underlying API by default | Not required |
Authorization controllers
Name | Java Class | Description | Configuration |
---|---|---|---|
Authorization Chain Controller | org.gcube.common.core.security.impl.GCUBEAuthzChainAuthorizationController | Sets an Authorization Chain for Authorization controls | Explained in the section Authorization Chain configuration |
Main Security Library
The plugins of this section are shipped in the Main Security Library, which contains all the modules required for gCube internal infrastructure security. The jar of the distribution is: org.gcube.common.vomanagement.security.jar.
Security Managers
Name | Java Class | Description | Configuration |
---|---|---|---|
Assertion Based Security Manager | org.gcube.common.vomanagement.security.configuration.GCUBESamlAssertionServiceSecurityManager | Sets the transport level security (with host certificate) and manages the SAML Assertion used to identify the service role or the caller role | Not required |
Host Credentials Security Manager | org.gcube.common.vomanagement.security.configuration.GCUBEHostCredentialServiceSecurityManager | Sets the transport level security with host certificate | Not required |
The client-side counterparts of these managers are listed in the following table.
Name | Java Class | Description | Configuration |
---|---|---|---|
Assertion Based Security Manager | org.gcube.common.vomanagement.security.configuration.client.GCUBESamlAssertionAutoInsertClientSecurityManager | It is the client counterpart of GCUBESamlAssertionServiceSecurityManager. It sets the transport level security (with host certificate) and manages the SAML Assertion used to identify the service role or the caller role | The client that uses this security manager should set as identity the role of the user. |
Host Credentials Security Manager | org.gcube.common.vomanagement.security.configuration.client.GCUBEHostCredentialClientSecurityManager | Sets the transport level security using the GHN host certificate of the Node where client runs | Not required |
Proxy Credentials Security Manager | org.gcube.common.vomanagement.security.configuration.client.GCubeProxyCertificateClientSecurityManager | Sets the transport level security with a proxy certificate | The client that uses this security manager should set as identity the path to a proxy certificate file. |
Authentication controllers
Name | Java Class | Description | Configuration |
---|---|---|---|
DN List Controller | org.gcube.common.vomanagement.security.authentication.DNListAuthenticationController | Authenticates the requests with a certificate signed by a CA present in a list | The parameter trustedca: a list of CA DNs, each separated by a vertical bar (\|) |
Authorization controllers
Name | Java Class | Description | Configuration |
---|---|---|---|
Equal DN Controller | org.gcube.common.vomanagement.security.authorisation.control.impl.EqualDNAuthorizationController | Authorizes only the calls signed by the server GHN host certificate (i.e. local calls) | Not required |
DN Selection Controller | org.gcube.common.vomanagement.security.authorisation.control.impl.DNSelectionAuthorizationController | Is composed of the Equal DN Controller and the Auth Chain Controller: if the call is local, it is authorized, otherwise the Authorization Chain is called | Only the Authorization Chain configuration. |
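As an added illustration (not code from gCube), the following Python sketch models the decisions described for the DN List Controller (trustedca list, entries separated by a vertical bar) and the DN Selection Controller (local call passes, otherwise the Authorization Chain decides); the DN strings, the whitespace handling and all function names are assumptions.

```python
# Added example, not gCube code: models the DN List authentication check and the
# DN Selection authorization decision described in the tables above.
from typing import Callable, List


def normalize_dn(dn: str) -> str:
    """Canonicalize an RFC 2253-style DN so that 'CN = x, O = y' and 'cn=x,o=y'
    compare equal: trim whitespace around commas and '=', lower-case attribute
    types. Assumption: values contain no escaped commas."""
    parts = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parts.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(parts)


def parse_trusted_ca(trustedca: str) -> List[str]:
    """Split the trustedca parameter on '|' (assumed separator), dropping blank
    entries so a trailing separator does not silently trust an empty DN."""
    return [normalize_dn(dn) for dn in trustedca.split("|") if dn.strip()]


def dn_list_authenticate(issuer_dn: str, trusted: List[str]) -> bool:
    """DN List Controller: accept only certificates issued by a listed CA."""
    return normalize_dn(issuer_dn) in trusted


def dn_selection_authorize(caller_dn: str, host_dn: str,
                           chain: Callable[[str], bool]) -> bool:
    """DN Selection Controller: a local call (caller DN equal to the GHN host
    DN) is authorized; any other caller is delegated to the Authorization Chain."""
    if normalize_dn(caller_dn) == normalize_dn(host_dn):
        return True
    return chain(caller_dn)


def handle_request(issuer_dn: str, caller_dn: str, host_dn: str,
                   trustedca: str, chain: Callable[[str], bool]) -> bool:
    """Authentication first, then authorization; both must succeed."""
    if not dn_list_authenticate(issuer_dn, parse_trusted_ca(trustedca)):
        return False
    return dn_selection_authorize(caller_dn, host_dn, chain)
```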
VOMS Based Security Library
This extension security library provides a security manager that automatically obtains a VOMS proxy certificate starting from a local certificate. The jar is org.gcube.vomanagement.voms-api.jar.
Security Manager
Name | Java Class | Description | Configuration |
---|---|---|---|
VOMS Based Security Manager | org.gcube.vomanagement.vomsapi.securitymanager.VOMSServiceCredentialsSecurityManager | Loads a local certificate, generates a VOMS proxy by contacting a VOMS server and uses it to sign the request | Described in the Extension Security Libraries section |
DN Based Security Controller
This controller is used when our services are contacted by external infrastructures: the requests are recognized only by their DN, which must belong to one of our infrastructure's users. To perform this check the user management service of the Portal must be contacted, so this controller could also be called Portal Based Authorization Controller or Edge Authorization Controller. It is contained in the jar org.gcube.common.vomanagement.edge.sec.controller.jar.
Authorization controller
Name | Java Class | Description | Configuration |
---|---|---|---|
User DN Authorization Controller | org.gcube.common.vomanagement.security.authorisation.control.IncomingMessageEdgeServiceDNAuthorizationController | Checks whether the caller DN belongs to a user of our infrastructure: if the user is found, their roles are loaded and a SAML Assertion is generated for every further call | Described in the Extension Security Libraries section |