Security components

Authentication modules

The authentication module (AM) mechanism is designed to let the portal administrator add custom policies that are executed when a user logs in.

As the following examples show, authentication modules can coexist with each other. To make sure they are invoked in the desired sequence, the AM element has an 'order' attribute.

The second thing to remember is that a user is considered logged in when at least one authentication module has authenticated the user successfully. Because a single success is sufficient, the effective strength of the login is that of the weakest enabled module, so enable only the modules a deployment actually needs.

Below we present authentication modules provided by Vine Toolkit.

CredentialRepositoryAuthModule

Description:

Adds a user who already has a portal account to Vine as well (so that the user can use Vine services).

Workflow of CredentialRepositoryAuthModule:

  1. Tries to retrieve a credential from the MyProxy server with the given username/password pair.
  2. Checks the credential DN against the user account mapping. If it matches, enables the credential for the user.

Configuration:

Direct child of domain element in the Domain.xml

Example:

<domain name="blazeds" label="BlazeDs" description="Vine ( Adobe Flex with BlazeDs ) showcase">

    <!-- Credential repository authentication -->
    <authenticationModule key="CredentialRepositoryAuthModule"
                          order="1"/>


    .....
    .....

</domain>

GSSDemoCertAuthModule

Description:

Adds a user who already has a portal account to Vine as well (so that the user can use Vine services).

Workflow of GSSDemoCertAuthModule:

  1. Checks whether the user exists in the Vine Toolkit database.
  2. Checks for the user's certificate/key stored in the portal.
  3. Tries to create a user credential from that certificate/key and the given username/password values.

Configuration:

Direct child of domain element in the Domain.xml

Example:

<domain name="blazeds" label="BlazeDs" description="Vine ( Adobe Flex with BlazeDs ) showcase">

    <!-- Demo GSS certificate authentication -->
    <authenticationModule key="GSSDemoCertAuthModule"
                          order="1"/>


    .....
    .....

</domain>

OnFlyAccountAuthModule

Description:

Adds a user who already has a portal account to Vine as well (so that the user can use Vine services).

Workflow of OnFlyAccountAuthModule:

  1. Looks in the request for the portletAuthenticated attribute set to true, which means that the user has been successfully authenticated by the portlet container.
  2. Searches the Vine Toolkit database for a user with the given username. If such a user exists, the module finishes; otherwise it tries to create a new Vine user with the given username/password.

Configuration:

Direct child of domain element in the Domain.xml

Example:

<domain name="blazeds" label="BlazeDs" description="Vine ( Adobe Flex with BlazeDs ) showcase">

    <!-- Import portal users to the Vine -->
    <authenticationModule key="OnFlyAccountAuthModule"
                          order="1"/>


    .....
    .....

</domain>

PortletAuthModule

Description:

Looks in the request for the portletAuthenticated and previouslyAuthenticated attributes set to true. In other words, it relies entirely on the authentication mechanism of the hosting portlet container.

Configuration:

Direct child of domain element in the Domain.xml

Example:

<domain name="blazeds" label="BlazeDs" description="Vine ( Adobe Flex with BlazeDs ) showcase">

    <!-- Portlet authentication -->
    <authenticationModule key="PortletAuthModule"
                          order="1"/>


    .....
    .....

</domain>

VomsDefaultCredentialAuthModule

Description:

Adds a user who already has a portal account to Vine as well (so that the user can use Vine services).

Workflow of VomsDefaultCredentialAuthModule:

  1. Checks whether the user exists in the Vine Toolkit database.
  2. Checks for the user's certificate/key stored in the portal.
  3. Tries to create a user credential from that certificate/key and the given username/password values (with the GSIConstants.GSI_2_PROXY type).

Configuration:

Direct child of domain element in the Domain.xml

Example:

<domain name="blazeds" label="BlazeDs" description="Vine ( Adobe Flex with BlazeDs ) showcase">

    <authenticationModule key="VomsDefaultCredentialAuthModule"
                          order="1"/>


    .....
    .....

</domain>
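The ordering and success rule described above, as an added illustration that is not Vine Toolkit code: an ordered chain in which the user counts as logged in once at least one module succeeds. The two module classes follow the workflows this page gives for PortletAuthModule and OnFlyAccountAuthModule; the method names, the request object and the in-memory user store are assumptions made for the example.

```python
# Added illustration, not Vine Toolkit code: an ordered authentication-module
# chain in which the user counts as logged in once at least one module
# succeeds.  The two module classes follow the workflows this page gives for
# PortletAuthModule and OnFlyAccountAuthModule.  Method names, the request
# object and the in-memory user store are assumptions made for the example.
from dataclasses import dataclass, field


@dataclass
class LoginRequest:
    username: str
    password: str
    # Attributes the hosting portlet container sets on the request (strings).
    attributes: dict = field(default_factory=dict)

    def flag(self, name):
        return self.attributes.get(name) == "true"


class VineUserStore:
    """Stand-in for the Vine Toolkit user database."""

    def __init__(self, users=None):
        self.users = dict(users or {})

    def exists(self, username):
        return username in self.users

    def create(self, username, password):
        self.users[username] = password


class PortletAuthModule:
    """Succeeds only if the container reports the user as already authenticated."""

    def __init__(self, order):
        self.order = order

    def authenticate(self, request, store):
        return request.flag("portletAuthenticated") and request.flag("previouslyAuthenticated")


class OnFlyAccountAuthModule:
    """Imports a container-authenticated user into Vine, creating the account if needed."""

    def __init__(self, order):
        self.order = order

    def authenticate(self, request, store):
        if not request.flag("portletAuthenticated"):
            return False
        if not store.exists(request.username):
            store.create(request.username, request.password)
        return True


def run_chain(modules, request, store):
    """Invoke every module in ascending 'order' and return the names of the
    ones that succeeded.  Running all modules (rather than stopping at the
    first success) is an assumption; the page only states the success rule."""
    succeeded = []
    for module in sorted(modules, key=lambda m: m.order):
        if module.authenticate(request, store):
            succeeded.append(type(module).__name__)
    return succeeded


def is_logged_in(modules, request, store):
    # The page's rule: at least one successful module means logged in.
    return bool(run_chain(modules, request, store))


if __name__ == "__main__":
    store = VineUserStore({"alice": "alice-pw"})
    chain = [OnFlyAccountAuthModule(order=1), PortletAuthModule(order=2)]
    first_login = LoginRequest("bob", "bob-pw", {"portletAuthenticated": "true"})
    print(run_chain(chain, first_login, store))   # ['OnFlyAccountAuthModule']
    stranger = LoginRequest("mallory", "x")
    print(is_logged_in(chain, stranger, store))   # False
```

Note what the chain trusts: both modules decide purely on request attributes that the portlet container is expected to set, so those attributes must come from the server side and never from client-supplied parameters; otherwise a module such as OnFlyAccountAuthModule would create and log in arbitrary accounts. The OR rule also means that adding a weak module to a chain never makes login harder, only easier.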

Registration resources

Vine Toolkit has a set of registration modules that register users on external resources. These registration resources are:

  • GridsphereRegistrationResource - allows adding new users to Gridsphere portal.
  • GssCertificateRegistrationResource - creates x509 certificate and key pair for a new user.
  • Gt4RegistrationResource - creates a user account on Globus Toolkit 4 host machine.
  • GriaRegistrationResource - creates a user account in the Gria 5.3 Trade Account Service.
  • Unicore6RegistrationResource - creates a user account on Unicore 6 host machine.
  • DmsRegistrationResource - register a user on Data Management Service.
  • VomsRegistrationResource - register a user to Virtual Organization Membership Service.

To create new users and register them with the resources listed above, Domain.xml must contain the proper entries. The part of Domain.xml that describes the portal hostResource must have an accountResource added, containing the required registration resource entries. Note that the gssCertificateRegistrationResource entry carries the location of the CA private key and its password (caKeyFilePath, caKeyPassword) in clear text, so Domain.xml must be readable only by the account the portal runs under. Example:

    <hostResource name="portal"
                  hostname="localhost"
                  label="Portal"
                  description="Portal">

        <!-- Account manager -->
        <accountResource name="GuestAccountManager"
                         label="Guest Account"
                         description="Guest Account Manager">
        
            <gridsphereRegistrationResource name="GridsphereRegistration"
                                            label="GridsphereRegistration"/>

            <!-- GSS demo certificate registration -->
            <gssCertificateRegistrationResource name="GssDemoCertRegistration"
                                                label="GssDemoCertRegistration"
                                                caCertFilePath="/home/user/ca/cacert.pem"
                                                caKeyFilePath="/home/user/ca/cakey.pem"
                                                caKeyPassword="secret"/>
            <!-- GT4 registration -->
            <gt4RegistrationResource name="Gt4Registration"
                                     label="Gt4Registration"
                                     targetHost="yourhost.pl"
                                     superUserName="adminuser"
                                     mkdirCmd="/home/adminuser/bin/mkdir"
                                     chownCmd="/home/adminuser/bin/chown"
                                     gridMapfileAddEntryCmd="sudo /usr/local/globus/gt404/sbin/grid-mapfile-add-entry"
                                     gridMapfileDelEntryCmd="sudo /usr/local/globus/gt404/sbin/grid-mapfile-delete-entry"/>
        </accountResource>
    </hostResource>

By default, a user who creates a new account is automatically registered with all registration resources listed in Domain.xml and immediately gets access to the account. This behaviour exists for test purposes only. If the portal administrator wants control over each user account, the accountResource should have the flag accountActivationAutomatic set to false:

        <!-- Account manager -->
        <accountResource name="GuestAccountManager"
                         label="Guest Account"
                         accountActivationAutomatic="false"
                         description="Guest Account Manager">
        
                [.....]

        </accountResource>

With this option the portal administrator can activate and deactivate user accounts. If accountActivationAutomatic is set to false, newly created user accounts are inactive: the user is registered with the required registration resources, but the account has to be approved by the portal administrator before it can be used.

UserRegistrationApp is the application through which requests for new Vine accounts are created.
If accountActivationAutomatic in Domain.xml is not set, or is set to true, accounts are activated automatically. Otherwise the portal administrator activates newly created account requests in the UserManagementApp portlet. UserManagementApp also lets the administrator deactivate a user account and edit the user's profile information.
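The settings discussed in the two sections above (the 'order' attribute on authenticationModule, accountActivationAutomatic on accountResource, and the clear-text caKeyPassword on gssCertificateRegistrationResource) are the ones a reviewer checks before a Domain.xml goes to production. As an added example, not part of Vine Toolkit, here is a small linter for such a document. The element and attribute names are those documented on this page; both sample documents are constructed for the example, and the severity labels and message texts are assumptions.

```python
# Added example, not Vine Toolkit code: lint a Domain.xml document for the
# settings this page documents.  Element/attribute names come from the page;
# the two sample documents below are constructed for the example.
import xml.etree.ElementTree as ET

# Constructed sample: duplicate order, a module without order, automatic
# account activation (the test-only default) and a clear-text CA key password.
SAMPLE_DOMAIN_XML = """<domain name="blazeds" label="BlazeDs" description="showcase">
    <authenticationModule key="OnFlyAccountAuthModule" order="1"/>
    <authenticationModule key="PortletAuthModule" order="1"/>
    <authenticationModule key="VomsDefaultCredentialAuthModule"/>
    <hostResource name="portal" hostname="localhost" label="Portal" description="Portal">
        <accountResource name="GuestAccountManager" label="Guest Account"
                         description="Guest Account Manager">
            <gridsphereRegistrationResource name="GridsphereRegistration"
                                            label="GridsphereRegistration"/>
            <gssCertificateRegistrationResource name="GssDemoCertRegistration"
                                                label="GssDemoCertRegistration"
                                                caCertFilePath="/home/user/ca/cacert.pem"
                                                caKeyFilePath="/home/user/ca/cakey.pem"
                                                caKeyPassword="secret"/>
        </accountResource>
    </hostResource>
</domain>
"""

# Constructed sample with the issues above resolved: unique orders, manual
# account activation, and no demo-certificate registration (so no CA key
# password has to live in the file).
HARDENED_DOMAIN_XML = """<domain name="blazeds" label="BlazeDs" description="showcase">
    <authenticationModule key="OnFlyAccountAuthModule" order="1"/>
    <authenticationModule key="PortletAuthModule" order="2"/>
    <hostResource name="portal" hostname="localhost" label="Portal" description="Portal">
        <accountResource name="GuestAccountManager" label="Guest Account"
                         accountActivationAutomatic="false"
                         description="Guest Account Manager">
            <gridsphereRegistrationResource name="GridsphereRegistration"
                                            label="GridsphereRegistration"/>
        </accountResource>
    </hostResource>
</domain>
"""


def lint_domain_xml(xml_text):
    """Return a list of (severity, message) findings for one Domain.xml document."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Every authenticationModule needs an explicit, unique 'order';
    #    otherwise the invocation sequence the page describes is undefined.
    seen = {}
    for am in root.iter("authenticationModule"):
        key = am.get("key", "<no key>")
        order = am.get("order")
        if order is None:
            findings.append(("warn", f"{key}: no order attribute; invocation position is undefined"))
        elif order in seen:
            findings.append(("warn", f"{key}: order {order} already used by {seen[order]}"))
        else:
            seen[order] = key

    # 2. The page documents automatic activation as a test-only default.
    for acc in root.iter("accountResource"):
        if acc.get("accountActivationAutomatic", "true").lower() != "false":
            findings.append(("warn", f"accountResource {acc.get('name')}: new accounts are "
                                     "activated automatically (accountActivationAutomatic is not 'false')"))

    # 3. A CA private-key password in the config file is a secret at rest.
    for reg in root.iter("gssCertificateRegistrationResource"):
        if reg.get("caKeyPassword"):
            findings.append(("info", f"gssCertificateRegistrationResource {reg.get('name')}: "
                                     "caKeyPassword is stored in clear text; restrict Domain.xml permissions"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_domain_xml(SAMPLE_DOMAIN_XML):
        print(f"[{severity}] {message}")
    print("hardened findings:", lint_domain_xml(HARDENED_DOMAIN_XML))  # []
```

The linter reads the whole document with ElementTree, so it can be pointed at a real Domain.xml with `lint_domain_xml(open(path).read())`. The caKeyPassword finding is informational rather than a hard failure because the demo certificate registration needs the CA key; the fix is file permissions on Domain.xml, not removing the attribute.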