100 likes | 217 Views
Web Services Tiered Internet Authorization (WSTIERIA). 21 June 2011 Fiona Culloch fiona.culloch@ed.ac.uk. Output 1: Digimap changes. Modified production Digimap service To give non-browser GIS clients (ArcView etc.) Access to Digimap data via web services
E N D
Web Services Tiered Internet Authorization (WSTIERIA) 21 June 2011 Fiona Culloch fiona.culloch@ed.ac.uk
Output 1: Digimap changes Modified production Digimap service To give non-browser GIS clients (ArcView etc.) Access to Digimap data via web services Using OGC standards (Web Map Service etc.) UK federation authentication of registered users, with SSO As alternative to large downloads of raw data
Output 2: DIY instructions Short document (7 pages) on “how-to” Control access to existing web services From non-browser clients Without modifying the web service Implementable by average sysadmin Using only off-the-shelf software Apache web server (with mod_rewrite) A little scripting (perl, or anything else)
Output 3: Try Shibboleth delegation Set up dev & test environment PM1: Eclipse + Maven2 VM1: IdP + delegation plugin VM2: example client (JSP) + Shib SP1 + JASIG delegation library PM2: example web service (WSP) + Shib SP2 “Hello, world”-level success! User goes to JSP/SP1, logs in at IdP JSP calls JASIG library to GET from WSP/SP2 Lib accesses SP2 using delegatable token from IdP; user does not need to log in to SP2
Successes Production service (Digimap) using UK fed. for non-browser web services Route to interoperation of unmodified web services, unmodified non-browser clients with UK federation Demonstrated deployability of new Shibboleth delegation software by developer outside the Shibboleth team
Lesson 1: Delegation limitations Delegation depends on IdP & all SPs Supporting SAML2, bits of Liberty SP implementation (Shibboleth 2.2+) IdP deployer must explicitly name: SP entities allowed to delegate SP entities they can delegate to, etc, etc. Probably rules out cross-organisational scenarios for now, leaving Intra-org applications (e.g. student portal)
Lesson 2: uPortal not needed Original delegation use case was uPortal web app invoking portlets Wasn’t known if delegation library depended on this uPortal context Project showed how a non-uPortal web app (JSP) can use delegation library
Lesson 3: Delegation & UK federation Potential issue identified UK federation (& others, e.g. InCommon) moving from CAs to self-signed trust-fabric certs Delegation library rejects these because not in std. Java CA trust list Reported to developer (Unicon), response awaited
Failures No deployments outside EDINA No future external partner identified Attempt to apply the simple Apache + scripting technique to WebDAV Limited success (only easy cases worked) Protocol with server URLs in data & headers defeats simple technique Wrote up experience as tech note
Future Shibboleth developers Migrate delegation library into SP code? IdP config optionally take delegation audiences (SP2,…,n) from SP1 metadata EDINA More interesting examples (INSPIRE?) Community Apply techniques!