Security Plugins Table
Revised by Andrea.manzi
Latest revision as of 11:48, 6 October 2011
Introduction
This section provides tables of the security modules. The main infrastructure ships the essential security modules, with a minimal set of Security Managers and Controllers; the plugins used for particular operations are provided in separate jars. For every module the Java class, a description and the required configuration steps are reported. The Configuration field lists only the module-specific configuration (if any): a service-based Security Descriptor or, at least, a Default Services Security Configuration is mandatory in every case and is explained in the section GHN Security Configuration.
The plugins are grouped into Security Managers, Authentication Controllers and Authorization Controllers, and are presented in subsections by the jar they belong to.
GCore Framework
The following Security Managers and Controllers are shipped in org.gcube.common.core.jar. They are the essential security modules and should not be considered plugins, because they provide only basic, fundamental features.
Security Managers
Name | Java Class | Description | Configuration |
---|---|---|---|
Basic Security Manager | org.gcube.common.core.security.impl.GCUBESimpleServiceSecurityManager | Sets the security protocol (TLS) and security level (Signature, Encryption or all), used for backward compatibility | Not required |
Authentication controllers
Name | Java Class | Description | Configuration |
---|---|---|---|
Basic Authentication Controller | org.gcube.common.core.security.impl.GCUBESimpleServiceAuthController | Performs no check of its own: TLS authentication is carried out by the underlying API by default | Not required |
Authorization controllers
Name | Java Class | Description | Configuration |
---|---|---|---|
Authorization Chain Controller | org.gcube.common.core.security.impl.GCUBEAuthzChainAuthorizationController | Sets an Authorization Chain for Authorization controls | Explained in the section Authorization Chain configuration |
Main Security Library
The plugins in this section are shipped in the Main Security Library, which contains all the modules required for the internal security of the gCube infrastructure. The jar of the distribution is org.gcube.common.vomanagement.security.jar.
Security Managers
Service security managers
Name | Java Class | Description | Configuration |
---|---|---|---|
Assertion Based Security Manager | org.gcube.common.vomanagement.security.configuration.GCUBESamlAssertionServiceSecurityManager | Sets the transport level security (with host certificate) and manages the SAML Assertion used to identify the service role or the caller role | Not required |
Host Credentials Security Manager | org.gcube.common.vomanagement.security.configuration.GCUBEHostCredentialServiceSecurityManager | Sets the transport level security with host certificate | Not required |
Client security managers
Name | Java Class | Description | Configuration |
---|---|---|---|
Assertion Based Security Manager | org.gcube.common.vomanagement.security.configuration.client.GCUBESamlAssertionAutoInsertClientSecurityManager | Client counterpart of GCUBESamlAssertionServiceSecurityManager: sets the transport level security (with the host certificate) and manages the SAML Assertion used to identify the service role or the caller role | The client that uses this security manager must set the role of the user as its identity. |
Host Credentials Security Manager | org.gcube.common.vomanagement.security.configuration.client.GCUBEHostCredentialClientSecurityManager | Sets the transport level security using the GHN host certificate of the Node where client runs | Not required |
Proxy Credentials Security Manager | org.gcube.common.vomanagement.security.configuration.client.GCubeProxyCertificateClientSecurityManager | Sets the transport level security with a proxy certificate | The client that uses this security manager should set as identity the path to a proxy certificate file. |
Authentication controllers
Name | Java Class | Description | Configuration |
---|---|---|---|
DN List Controller | org.gcube.common.vomanagement.security.authentication.DNListAuthenticationController | Authenticates the requests whose certificate is signed by a CA present in a configured list | The parameter trustedca, a list of CA DNs separated by a pipe character |
Authorization controllers
Name | Java Class | Description | Configuration |
---|---|---|---|
Equal DN Controller | org.gcube.common.vomanagement.security.authorisation.control.impl.EqualDNAuthorizationController | Authorizes only the calls signed by the server GHN host certificate (i.e. local calls) | Not required |
DN Selection Controller | org.gcube.common.vomanagement.security.authorisation.control.impl.DNSelectionAuthorizationController | Composes the Equal DN Controller and the Authorization Chain Controller: a local call is authorized directly, any other call is passed to the Authorization Chain | Only the Authorization Chain configuration. |
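The DN List Controller, the Equal DN Controller and the DN Selection Controller above describe a small decision procedure: authenticate the caller by the CA that issued its certificate, then authorize local calls outright and hand everything else to the Authorization Chain. The block below is an added example written for this page, not gCube code and not its API: it models that procedure in plain Python so the order of the checks can be exercised on sample calls. The `Call` record, the trustedca parsing, the DNs, the allowed-user chain link and the assumption that every link of the chain must authorize a call are all assumptions of the example; the real chain semantics are defined by the Authorization Chain configuration.

```python
"""Model of the DN-based gCube controllers (added example, not gCube code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Call:
    """Constructed stand-in for an incoming call: the caller certificate's
    subject DN and the DN of the CA that issued that certificate."""
    subject_dn: str
    issuer_dn: str


Authorizer = Callable[[Call], bool]


def parse_trustedca(value: str) -> List[str]:
    """Parse the trustedca parameter: CA DNs separated by '|'.
    Entries are trimmed and blank entries are dropped."""
    return [dn.strip() for dn in value.split("|") if dn.strip()]


def dn_list_authenticate(call: Call, trusted_cas: List[str]) -> bool:
    """DN List Controller logic: accept only certificates issued by a listed CA."""
    return call.issuer_dn.strip() in trusted_cas


def equal_dn_authorize(call: Call, host_dn: str) -> bool:
    """Equal DN Controller logic: authorize only calls made with this GHN's
    own host certificate, i.e. local calls."""
    return call.subject_dn.strip() == host_dn.strip()


def authz_chain(links: List[Authorizer]) -> Authorizer:
    """Authorization Chain (assumed semantics): every link must authorize the
    call; the first refusing link stops the chain."""
    def run(call: Call) -> bool:
        return all(link(call) for link in links)
    return run


def dn_selection_authorize(call: Call, host_dn: str, chain: Authorizer) -> bool:
    """DN Selection Controller logic: a local call is authorized directly,
    any other call is passed to the Authorization Chain."""
    if equal_dn_authorize(call, host_dn):
        return True
    return chain(call)


def handle_call(call: Call, trusted_cas: List[str], host_dn: str,
                chain: Authorizer) -> str:
    """Authentication first, authorization second. Returns one of
    'unauthenticated', 'denied' or 'authorized'."""
    if not dn_list_authenticate(call, trusted_cas):
        return "unauthenticated"
    if not dn_selection_authorize(call, host_dn, chain):
        return "denied"
    return "authorized"


# Constructed sample configuration: hypothetical DNs, not taken from the page.
HOST_DN = "/C=IT/O=GCUBE/OU=Host/CN=node1.example.org"
TRUSTEDCA = "/C=IT/O=GCUBE/CN=gCube CA|/C=IT/O=INFN/CN=INFN CA"
ALLOWED_USERS = {"/C=IT/O=INFN/OU=Personal Certificate/CN=Alice"}


def allowed_user_link(call: Call) -> bool:
    """Hypothetical chain link: authorize only subjects in an allow-list."""
    return call.subject_dn.strip() in ALLOWED_USERS


CHAIN = authz_chain([allowed_user_link])

# Constructed sample calls covering each outcome of the procedure.
SAMPLE_CALLS: Dict[str, Call] = {
    "local": Call(HOST_DN, "/C=IT/O=GCUBE/CN=gCube CA"),
    "alice": Call("/C=IT/O=INFN/OU=Personal Certificate/CN=Alice",
                  "/C=IT/O=INFN/CN=INFN CA"),
    "mallory": Call("/C=IT/O=INFN/OU=Personal Certificate/CN=Mallory",
                    "/C=IT/O=INFN/CN=INFN CA"),
    # Same subject DN as the host, but issued by a CA that is not trusted.
    "rogue_ca": Call(HOST_DN, "/C=XX/O=Rogue/CN=Rogue CA"),
}


def run_samples() -> Dict[str, str]:
    """Run every sample call through the modelled controllers."""
    trusted = parse_trustedca(TRUSTEDCA)
    return {name: handle_call(call, trusted, HOST_DN, CHAIN)
            for name, call in SAMPLE_CALLS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:9s} -> {verdict}")
```

The rogue_ca sample is the point of the ordering: a certificate carrying the host's subject DN but issued by a CA outside trustedca is rejected as unauthenticated and never reaches the local-call shortcut, so the Equal DN check is only as strong as the issuer check in front of it. DNs are compared here as trimmed strings; a production controller should compare canonicalised DNs (attribute order and encoding), which this example does not attempt.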
VOMS Based Security Library
This extension security library provides a security manager to obtain automatically a VOMS Proxy Certificate starting from a local certificate. The jar is org.gcube.vomanagement.voms-api.jar.
Security Manager
Name | Java Class | Description | Configuration |
---|---|---|---|
VOMS Based Security Manager | org.gcube.vomanagement.vomsapi.securitymanager.VOMSServiceCredentialsSecurityManager | Loads a local certificate, generates a VOMS Proxy by contacting a VOMS Server and uses it to sign the request | Described in the Extension Security Libraries section |
DN Based Security Controller
This controller is used when the services are contacted by external infrastructures: requests are recognized only by the caller DN, which must belong to one of the infrastructure's users. The check requires contacting the user management service of the Portal, so this controller is also called Portal Based Authorization Controller or Edge Authorization Controller. It is contained in the jar org.gcube.common.vomanagement.edge.sec.controller.jar.
Authorization controller
Name | Java Class | Description | Configuration |
---|---|---|---|
User DN Authorization Controller | org.gcube.common.vomanagement.security.authorisation.control.IncomingMessageEdgeServiceDNAuthorizationController | Checks whether the caller DN belongs to a user of the infrastructure: if the user is found, the user's roles are loaded and a SAML Assertion is generated for every further call | Described in the Extension Security Libraries section |