GPIR is implemented as a set of Java Web Services, one to handle the input of GPIR data (Ingester WS) and another to facilitate the querying of that data (Query WS).
The Ingester WS accepts or "ingests" several types of XML documents and stores them in a relational database (currently MySQL or Postgres).
These documents are created by a variety of means, including Java clients that run on the resources themselves, HTTP "web scraping" of machine-specific flat-file formats, and queries of additional information providers such as MDS, GMS (Grid Monitor Service), and NWS (Network Weather Service).
Persistently stored data can then be queried via the Query Web Service, which uses the same XML resources as the Ingester, in addition to some Query-specific documents that can return XML such as Machine Summary data.
Establish the security context with the client for getting the shared key.
Handle the SOAP message.
Secure assertion message.
Secure body message.
Security mechanism name, such as Kerberos or PKI.
Message format, such as SAML or WS-Security.
Unwrap the secure assertion.
It checks the validity of the assertions.
“Conditions” time limit.
Authorization for accessing resources.
Unwrap the SOAP body message.
Rebuild the SOAP message.
An assertion-based authentication service for Gateway Web Services
Client login process for the user authentication:
Initialize the secure context to get the shared key.
Generate the assertion, such as SAML or WS-Security.
Sign the assertion.
Add it to the SOAP Header.
Sign the SOAP Body message.
Add it to the SOAP Body.
Send the SOAP request.
The authentication service:
Process the SOAP message.
Check the assertion type (such as SAML or WS-Security) and the security mechanism (such as Kerberos or PKI).
Unwrap the assertion.
Test the user validity.
Unwrap the SOAP Body message.
Rebuild the SOAP message.
Process the SOAP message.
Send the SOAP response.
(Figure: Client and authentication service exchanging the SOAP request and response across the Internet (HTTP) cloud.)
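The client login steps and the authentication service steps above, as an added example in Python that is not part of the original slides or of GPIR's own code: the client places a signed assertion carrying a “Conditions” time window in the SOAP Header and signs the SOAP Body; the handler unwraps the assertion, checks the time limit and the user's authorization, unwraps the Body, and rebuilds a plain SOAP message. An HMAC under the shared session key stands in for the signature mechanism, and the element names, the access list and the sample message are constructed for the example.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP)

def _mac(key: bytes, data: bytes) -> str:
    # Stand-in for the assertion/body signature: an HMAC under the shared session key.
    return base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode()
def _assertion_fields(a):
    # The signed part of the assertion: subject, resource and its Conditions window.
    return "|".join(a.get(k, "") for k in ("Subject", "Resource", "NotBefore", "NotOnOrAfter"))

def build_request(key, subject, resource, body_xml, now, ttl=300):
    """Client login steps: signed assertion in the Header, signed Body, ready to send."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    a = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), "Assertion", Subject=subject,
                      Resource=resource, NotBefore=str(now), NotOnOrAfter=str(now + ttl))
    a.set("Signature", _mac(key, _assertion_fields(a).encode()))
    payload = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), "Payload",
                            Signature=_mac(key, body_xml.encode()))
    payload.text = body_xml
    return ET.tostring(env).decode()

def handle_request(key, envelope_xml, now, acl):
    """Security Handler steps: unwrap the assertion, check its Conditions time limit and the
    subject's authorization, unwrap the Body, rebuild a plain SOAP message. Raises ValueError."""
    env = ET.fromstring(envelope_xml)
    a = env.find(f"{{{SOAP}}}Header/Assertion")
    if a is None or not hmac.compare_digest(a.get("Signature", ""),
                                            _mac(key, _assertion_fields(a).encode())):
        raise ValueError("assertion missing or signature invalid")
    if not int(a.get("NotBefore")) <= now < int(a.get("NotOnOrAfter")):
        raise ValueError("assertion Conditions (time limit) not satisfied")
    if a.get("Resource") not in acl.get(a.get("Subject"), ()):
        raise ValueError("subject not authorized for resource")
    payload = env.find(f"{{{SOAP}}}Body/Payload")
    if payload is None or not hmac.compare_digest(payload.get("Signature", ""),
                                                  _mac(key, (payload.text or "").encode())):
        raise ValueError("body signature invalid")
    plain = ET.Element(f"{{{SOAP}}}Envelope")  # rebuilt message handed to the SOAP server
    ET.SubElement(plain, f"{{{SOAP}}}Body").append(ET.fromstring(payload.text))
    return ET.tostring(plain).decode()

def check(key, envelope_xml, now, acl):
    """Return the rebuilt message, or 'REJECTED: <reason>' when a check fails."""
    try:
        return handle_request(key, envelope_xml, now, acl)
    except ValueError as e:
        return f"REJECTED: {e}"
```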
Usually, the User Interface Server in computing portals federates a bunch of Web service proxies for accessing distributed services.
When we use the client-server interaction style shown in the previous picture, the client holds a separate secure session object for each distributed service.
We need a more effective system for handling the client's secure session objects.
One approach is separating the secure server session object from the SOAP server that is running a bunch of Web services.
It is possible to use a messaging or event system for this, namely the NaradaBrokering event brokering system developed by the Community Grids Lab at Indiana University.
NaradaBrokering provides JMS compliance and follows the well-known publish-subscribe model.
Using the NaradaBrokering messaging middleware, clients can interact securely with distributed computing services.
Interactions of secure Web service in a distributed environment - 1
(Figure: Web Browser, User Interface Server, NaradaBrokering Server, Security Handler and SOAP servers A, B and C, with the interactions numbered (1) to (8) as described below.)
Interactions of secure Web service in a distributed environment - 2
The UIS establishes the security context with the “Security Handler” subscriber for getting the shared key.
The UIS makes a secure SOAP message and then invokes the desired one of the distributed services.
The selected SOAP server (SOAP server A) extracts the SOAP Header message and the SOAP Body message from the secure SOAP message and then publishes them to the NaradaBrokering server.
Those messages are processed by the “Security Handler” subscriber, which establishes and maintains a security context with the client for getting the shared session key used to unwrap the secure messages. It also checks the validity of the user assertion.
If the validity tests for this user pass, the “Security Handler” subscriber rebuilds the SOAP message with the decrypted SOAP Body message and publishes it to the NaradaBrokering server.
The selected SOAP server takes the SOAP message from the NaradaBrokering server and then processes it.
The UIS gets the SOAP response message for the user's service request.
The UIS can then interact with another distributed service without authenticating again (Step 1), following the above procedure.