Web Services Tiered Internet Authorization (WSTIERIA)
21 June 2011
Fiona Culloch [email protected]

Output 1: Digimap changes
• Modified production Digimap service
  – To give non-browser GIS clients (ArcView etc.)
    • Access to Digimap data via web services
    • Using OGC standards (Web Map Service etc.)
    • UK federation authentication of registered users, with SSO
    • As alternative to large downloads of raw data

Output 2: DIY instructions
• Short document (7 pages) on “how-to”
  – Control access to existing web services
  – From non-browser clients
  – Without modifying the web service
  – Implementable by average sysadmin
  – Using only off-the-shelf software
    • Apache web server (with mod_rewrite)
    • A little scripting (perl, or anything else)

Output 3: Try Shibboleth delegation
• Set up dev & test environment
  – PM1: Eclipse + Maven2
  – VM1: IdP + delegation plugin
  – VM2: example client (JSP) + Shib SP1 + JASIG delegation library
  – PM2: example web service (WSP) + Shib SP2
• “Hello, world”-level success!
  – User goes to JSP/SP1, logs in at IdP
  – JSP calls JASIG library to GET from WSP/SP2
  – Lib accesses SP2 using delegatable token from IdP; user does not need to log in to SP2

Successes
• Production service (Digimap) using UK fed. for non-browser web services
• Route to interoperation of unmodified web services, unmodified non-browser clients with UK federation
• Demonstrated deployability of new Shibboleth delegation software by developer outside the Shibboleth team

Lesson 1: Delegation limitations
• Delegation depends on IdP & all SPs
  – Supporting SAML2, bits of Liberty
  – SP implementation (Shibboleth 2.2+)
• IdP deployer must explicitly name:
  – SP entities allowed to delegate
  – SP entities they can delegate to, etc, etc.
• Probably rules out cross-organisational scenarios for now, leaving
  – Intra-org applications (e.g. student portal)

Lesson 2: uPortal not needed
• Original delegation use case was uPortal web app invoking portlets
• Wasn’t known if delegation library depended on this uPortal context
• Project showed how a non-uPortal web app (JSP) can use delegation library

Lesson 3: Delegation & UK federation
• Potential issue identified
  – UK federation (& others, e.g. InCommon) moving from CAs to self-signed trust-fabric certs
  – Delegation library rejects these because not in std. Java CA trust list
  – Reported to developer (Unicon), response awaited

Failures
• No deployments outside EDINA
• No future external partner identified
• Attempt to apply the simple Apache + scripting technique to WebDAV
  – Limited success (only easy cases worked)
  – Protocol with server URLs in data & headers defeats simple technique
  – Wrote up experience as tech note

Future
• Shibboleth developers
  – Migrate delegation library into SP code?
  – IdP config optionally take delegation audiences (SP2,…,n) from SP1 metadata
• EDINA
  – More interesting examples (INSPIRE?)
• Community
  – Apply techniques!
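As an added example of the “Apache with mod_rewrite plus a little scripting” approach from Output 2 (constructed here, not code from the WSTIERIA how-to or from EDINA), assuming Apache fronts the unmodified web service with mod_proxy and a Shibboleth-SP-protected page that hands each authenticated user a token: the RewriteMap program below validates that token so the backend only ever receives requests from federated users.

```python
#!/usr/bin/env python3
# Apache RewriteMap "prg:" helper for the Apache + scripting approach: constructed example,
# not the WSTIERIA how-to document. Assumed httpd.conf fragment (an assumption, not from the page):
#   RewriteEngine On
#   RewriteMap wstoken "prg:/usr/local/bin/wstoken_map.py"
#   # the non-browser client passes the token it got from a Shibboleth-SP-protected /issue page
#   RewriteCond %{QUERY_STRING} (?:^|&)token=([^&]+)
#   RewriteCond ${wstoken:%1|DENY} !^DENY$
#   RewriteRule ^/wms(.*)$ http://backend.internal/wms$1 [P,QSA,L]
#   RewriteRule ^/wms - [F]
# The map reads one token per line on stdin and answers with the federated username,
# or the literal NULL, which mod_rewrite treats as "not found" (so the DENY default applies).
import hashlib, hmac, sys, time

SECRET = b"constructed-demo-secret"  # real deployment: load from a root-only file
TOKEN_TTL = 3600                      # seconds a token stays valid

def issue_token(username, now=None):
    """Mint <user>:<expiry>:<hmac-sha256> once the Shib SP has authenticated the user."""
    now = int(time.time()) if now is None else now
    exp = now + TOKEN_TTL
    mac = hmac.new(SECRET, f"{username}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{username}:{exp}:{mac}"

def check_token(token, now=None):
    """Return the username for a valid, unexpired token; otherwise the RewriteMap 'NULL'."""
    now = int(time.time()) if now is None else now
    parts = token.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return "NULL"
    user, exp, mac = parts
    expected = hmac.new(SECRET, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
    # constant-time MAC compare (bytes, so odd input cannot raise), then expiry check
    if not hmac.compare_digest(mac.encode(), expected.encode()) or int(exp) < now:
        return "NULL"
    return user

def serve_rewritemap():
    """prg: protocol: one lookup key per input line, one answer per output line."""
    for line in sys.stdin:
        sys.stdout.write(check_token(line.strip()) + "\n")
        sys.stdout.flush()  # mod_rewrite blocks waiting for each answer; never buffer

if __name__ == "__main__":
    serve_rewritemap()
```

As the Failures slide notes, this only covers requests where the token can travel in the URL; protocols such as WebDAV that carry server URLs inside bodies and headers defeat the simple technique.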