Security Plugins Table
Revision as of 11:17, 29 July 2011
Introduction
This section provides a set of tables about the security plugins. For every plugin the Java class, the description and the configuration steps required are reported. In particular, the Configuration field lists only the plugin-related configuration (if any is required): a service-based Security Descriptor or, at least, a Default Services Security Configuration is considered mandatory and is explained in the section GHN Security Configuration.
The plugins are grouped into Security Managers, Authentication Controllers and Authorization Controllers and are presented in separate subsections, each dedicated to the jar that ships them.
GCore Framework
The following plugins are shipped in org.gcube.common.core.jar. This jar contains the essential security modules, which should not really be considered plugins because they provide only basic, fundamental features.
Security Managers
Service
Name | Java Class | Description | Configuration |
---|---|---|---|
Basic Security Manager | org.gcube.common.core.security.impl.GCUBESimpleServiceSecurityManager | Sets the security protocol (TLS) and the security level (Signature, Encryption or both); kept for backward compatibility | Not required |
Authentication controllers
Name | Java Class | Description | Configuration |
---|---|---|---|
Basic Authentication Controller | org.gcube.common.core.security.impl.GCUBESimpleServiceAuthController | Does nothing: the TLS authentication controls are performed by the underlying API by default | Not required |
Authorization controllers
Name | Java Class | Description | Configuration |
---|---|---|---|
Authorization Chain Controller | org.gcube.common.core.security.impl.GCUBEAuthzChainAuthorizationController | Sets an Authorization Chain for the authorization controls | Explained in the section Authorization Chain configuration |
Main Security Library
The plugins in this section are shipped in the Main Security Library, which contains all the modules required by the gCube internal security infrastructure. The distribution jar is org.gcube.common.vomanagement.security.jar.
Security Managers
Service
Name | Java Class | Description | Configuration |
---|---|---|---|
Assertion Based Security Manager | org.gcube.common.vomanagement.security.configuration.GCUBESamlAssertionServiceSecurityManager | Sets the transport level security (with host certificate) and manages the SAML Assertion used to identify the service role or the caller role | Not required |
Host Credentials Security Manager | org.gcube.common.vomanagement.security.configuration.GCUBEHostCredentialServiceSecurityManager | Sets the transport level security with host certificate | Not required |
Client
Name | Java Class | Description | Configuration |
---|---|---|---|
Assertion Based Security Manager | org.gcube.common.vomanagement.security.configuration.client.GCUBESamlAssertionAutoInsertClientSecurityManager | Sets the transport level security (with host certificate) and manages the SAML Assertion used to identify the service role or the caller role | The client that uses this security manager should set as identity the role of the user. |
Host Credentials Security Manager | org.gcube.common.vomanagement.security.configuration.client.GCUBEHostCredentialClientSecurityManager | Sets the transport level security with the host certificate of the GHN node on which the client runs | Not required |
Proxy Credentials Security Manager | org.gcube.common.vomanagement.security.configuration.client.GCubeProxyCertificateClientSecurityManager | Sets the transport level security with a proxy certificate | The client that uses this security manager should set as identity the path to a proxy certificate file. |
Authentication controllers
Name | Java Class | Description | Configuration |
---|---|---|---|
DN List Controller | org.gcube.common.vomanagement.security.authentication.DNListAuthenticationController | Authenticates requests carrying a certificate signed by a CA present in a list | The parameter trustedca, a list of CA DNs: every DN is separated by a |
Authorization controllers
Name | Java Class | Description | Configuration |
---|---|---|---|
Equal DN Controller | org.gcube.common.vomanagement.security.authorisation.control.impl.EqualDNAuthorizationController | Authorizes only the calls signed by the server GHN host certificate (i.e. local calls) | Not required |
DN Selection Controller | org.gcube.common.vomanagement.security.authorisation.control.impl.DNSelectionAuthorizationController | Combines the Equal DN Controller and the Auth Chain Controller: if the call is local it is authorized, otherwise the Authorization Chain is invoked | Only the Authorization Chain configuration. |
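The DN List authentication and the Equal DN / DN Selection authorization decisions described in the two tables above, as an added Python model that is not gCube code: the class names mirror the plugin names, the host DN, CA DNs and certificate DNs are constructed, and modelling the Authorization Chain as a list of predicate checks is an assumption.

```python
# Added illustration of the DN-based controls listed above; not gCube code.
# Host DN, CA DNs and certificate DNs are constructed values, and the
# Authorization Chain is modelled as a list of checks (an assumption).
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class CallerCert:
    """Stand-in for the caller's X.509 certificate: only its two DNs matter."""
    subject_dn: str
    issuer_dn: str

def normalize_dn(dn: str) -> str:
    """Trim whitespace around each RDN so "CN=a, O=b" equals "CN=a,O=b".
    Production code should compare parsed RFC 4514 DNs, not raw strings."""
    return ",".join(rdn.strip() for rdn in dn.split(","))

class DNListAuthenticationController:
    """Accepts a request only if its certificate issuer is in trustedca."""
    def __init__(self, trustedca: List[str]):
        self.trusted = {normalize_dn(dn) for dn in trustedca}
    def authenticate(self, cert: CallerCert) -> bool:
        return normalize_dn(cert.issuer_dn) in self.trusted

class EqualDNAuthorizationController:
    """Authorizes only calls signed by the server GHN host certificate."""
    def __init__(self, host_dn: str):
        self.host_dn = normalize_dn(host_dn)
    def authorize(self, cert: CallerCert) -> bool:
        return normalize_dn(cert.subject_dn) == self.host_dn

class DNSelectionAuthorizationController:
    """Local calls pass via Equal DN; any other call must satisfy every
    check in the Authorization Chain (an empty chain authorizes nobody)."""
    def __init__(self, host_dn: str, chain: List[Callable[[CallerCert], bool]]):
        self.equal_dn = EqualDNAuthorizationController(host_dn)
        self.chain = chain
    def authorize(self, cert: CallerCert) -> bool:
        if self.equal_dn.authorize(cert):
            return True
        return bool(self.chain) and all(check(cert) for check in self.chain)

def decide(cert: CallerCert, authn, authz) -> str:
    """Authentication first, then authorization, as the tables order them."""
    if not authn.authenticate(cert):
        return "rejected: untrusted CA"
    return "authorized" if authz.authorize(cert) else "rejected: not authorized"
```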
VOMS Based Security Library
This extension security library provides a security manager that automatically obtains a VOMS Proxy Certificate starting from a local certificate. The jar is org.gcube.vomanagement.voms-api.jar.
Security Manager
Service
Name | Java Class | Description | Configuration |
---|---|---|---|
VOMS Based Security Manager | org.gcube.vomanagement.vomsapi.securitymanager.VOMSServiceCredentialsSecurityManager | Loads a local certificate, generates a VOMS Proxy by contacting a VOMS Server and uses it to sign the request | Described in the Extension Security Libraries section |
DN Based Security Controller
This controller is used when our services are contacted by external infrastructures: requests are recognised only by their DN, which must belong to one of our infrastructure's users. To perform this check the user management service of the Portal must be contacted, so this controller could also be called Portal Based Authorization Controller or Edge Authorization Controller. It is contained in the jar org.gcube.common.vomanagement.edge.sec.controller.jar.
Authorization controller
Name | Java Class | Description | Configuration |
---|---|---|---|
User DN Authorization Controller | org.gcube.common.vomanagement.security.authorisation.control.IncomingMessageEdgeServiceDNAuthorizationController | Checks whether the caller DN belongs to a user of our infrastructure: if the user is found, his roles are loaded and a SAML Assertion is generated for every further call | Described in the Extension Security Libraries section |