
Web Services Tiered Internet Authorization (WSTIERIA)


Presented by Fiona Culloch at AIM End of Programme meeting, Birmingham, 21/06/2011


  1. Web Services Tiered Internet Authorization (WSTIERIA), 21 June 2011, Fiona Culloch [email_address]
  2. Output 1: Digimap changes
     • Modified production Digimap service
       ◦ To give non-browser GIS clients (ArcView etc.)
         ▪ Access to Digimap data via web services
         ▪ Using OGC standards (Web Map Service etc.)
         ▪ UK federation authentication of registered users, with SSO
         ▪ As alternative to large downloads of raw data
  3. Output 2: DIY instructions
     • Short document (7 pages) on “how-to”
       ◦ Control access to existing web services
       ◦ From non-browser clients
       ◦ Without modifying the web service
       ◦ Implementable by average sysadmin
       ◦ Using only off-the-shelf software
         ▪ Apache web server (with mod_rewrite)
         ▪ A little scripting (perl, or anything else)
  4. Output 3: Try Shibboleth delegation
     • Set up dev & test environment
       ◦ PM1: Eclipse + Maven2
       ◦ VM1: IdP + delegation plugin
       ◦ VM2: example client (JSP) + Shib SP1 + JASIG delegation library
       ◦ PM2: example web service (WSP) + Shib SP2
     • “Hello, world”-level success!
       ◦ User goes to JSP/SP1, logs in at IdP
       ◦ JSP calls JASIG library to GET from WSP/SP2
       ◦ Lib accesses SP2 using delegatable token from IdP; user does not need to log in to SP2
  5. Successes
     • Production service (Digimap) using UK fed. for non-browser web services
     • Route to interoperation of unmodified web services, unmodified non-browser clients with UK federation
     • Demonstrated deployability of new Shibboleth delegation software by developer outside the Shibboleth team
  6. Lesson 1: Delegation limitations
     • Delegation depends on IdP & all SPs
       ◦ Supporting SAML2, bits of Liberty
       ◦ SP implementation (Shibboleth 2.2+)
     • IdP deployer must explicitly name:
       ◦ SP entities allowed to delegate
       ◦ SP entities they can delegate to, etc, etc.
     • Probably rules out cross-organisational scenarios for now, leaving
       ◦ Intra-org applications (e.g. student portal)
  7. Lesson 2: uPortal not needed
     • Original delegation use case was uPortal web app invoking portlets
     • Wasn’t known if delegation library depended on this uPortal context
     • Project showed how a non-uPortal web app (JSP) can use delegation library
  8. Lesson 3: Delegation & UK federation
     • Potential issue identified
       ◦ UK federation (& others, e.g. InCommon) moving from CAs to self-signed trust-fabric certs
       ◦ Delegation library rejects these because not in std. Java CA trust list
       ◦ Reported to developer (Unicon), response awaited
  9. Failures
     • No deployments outside EDINA
     • No future external partner identified
     • Attempt to apply the simple Apache + scripting technique to WebDAV
       ◦ Limited success (only easy cases worked)
       ◦ Protocol with server URLs in data & headers defeats simple technique
       ◦ Wrote up experience as tech note
  10. Future
     • Shibboleth developers
       ◦ Migrate delegation library into SP code?
       ◦ IdP config optionally take delegation audiences (SP2,…,n) from SP1 metadata
     • EDINA
       ◦ More interesting examples (INSPIRE?)
     • Community
       ◦ Apply techniques!
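As an added illustration (not code from the WSTIERIA project or its DIY document), the token-in-path gate below is one way to build the slide 3 pattern of fronting an unmodified web service with a rewrite step and a small script, written in Python rather than perl, and the last function shows the slide 9 WebDAV failure mode: backend URLs in headers and body that a path-only gate never sees. The token format, signing key and backend address are assumptions made for this example.

```python
# Added illustration, not WSTIERIA's code: a token-in-path gate of the kind a
# RewriteMap script could implement, plus a check for the WebDAV failure mode.
# Token format, SECRET and BACKEND are assumptions constructed for this example.
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

SECRET = b"constructed-demo-secret"          # assumption: the gate's own signing key
BACKEND = "http://wms.internal.example:8080"  # assumption: unmodified service behind the gate

def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()[:32]

def issue_token(user: str, expires: int) -> str:
    """Token handed out after the user's browser/federated login (constructed format)."""
    payload = f"{user}|{expires}"
    return f"{payload}|{_sign(payload)}"

def check_token(token: str, now: int) -> Optional[str]:
    """Return the user name if the token is well-formed, unmodified and unexpired."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user, exp, sig = parts
    if not hmac.compare_digest(sig.encode(), _sign(f"{user}|{exp}").encode()):
        return None
    if not exp.isdigit() or int(exp) < now:
        return None
    return user

def gate(request_path: str, now: int) -> Tuple[int, str]:
    """Map /t/<token>/<rest> to the backend URL, as a RewriteMap-style script would."""
    m = re.match(r"^/t/([^/]+)(/.*)?$", request_path)
    if not m or check_token(m.group(1), now) is None:
        return 403, ""               # no valid token: request never reaches the backend
    return 200, BACKEND + (m.group(2) or "/")

def backend_url_leaks(headers: Dict[str, str], body: str) -> List[str]:
    """WebDAV failure mode: the backend knows nothing of the /t/<token> prefix, so
    absolute backend URLs and root-relative hrefs it returns will not pass the gate."""
    host = urlsplit(BACKEND).netloc
    leaks = [f"header {n}" for n in ("Location",) if host in headers.get(n, "")]
    for href in re.findall(r"<D:href>([^<]+)</D:href>", body):
        if host in href or href.startswith("/"):
            leaks.append(f"href {href}")
    return leaks
```

A real Apache deployment would run `gate` behind a `RewriteMap prg:` entry and would additionally have to rewrite the `Destination` request header and every `<D:href>` in 207 responses, which is the work the slides report the simple technique could not absorb.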