Bugzilla – Bug 5545
Order of interceptor initialization
Last modified: 2008-01-16 16:38:38
Interceptor initialization caused by the authz chain configured in the global security descriptor occurs *after* the interceptor initialization caused by the authz chain configured in the service security descriptor. See the following thread for details: http://www.globus.org/mail_archive/gt-user/2007/09/msg00025.html
The container security descriptor is loaded and initialized at container start up. I reviewed the code and it looks in order. Also, I could not replicate the reported behavior. Below are logs with my container security config set to gridmap authorization and the service configured to be self authorization. I added a logger.warn in SelfAuthorization.initialize() to see when it gets called.

2007-09-11 10:27:24,819 DEBUG authorization.ServiceAuthorizationChain [main,init:325] Trying to load: org.globus.wsrf.impl.security.authorization.GridMapAuthorization
2007-09-11 10:27:24,829 DEBUG authorization.GridMapAuthorization [main,initialize:73] service null
2007-09-11 10:27:27,623 DEBUG authorization.AuthorizationHandler [ServiceThread-1,invoke:50] Authorization
2007-09-11 10:27:27,623 DEBUG authorization.AuthorizationHandler [ServiceThread-1,invoke:66] Service path ContainerRegistryService
2007-09-11 10:27:27,633 DEBUG authorization.AuthorizationHandler [ServiceThread-1,invoke:73] Authz not required, since auth not enforced
Starting SOAP server at: https://192.168.1.102:8443/wsrf/services/
With the following services:
[1]: https://192.168.1.102:8443/wsrf/services/AdminService
[2]: https://192.168.1.102:8443/wsrf/services/AuthzCalloutTestService
... (Removed for brevity)
2007-09-11 10:28:04,286 DEBUG authorization.AuthorizationHandler [ServiceThread-1,invoke:50] Authorization
2007-09-11 10:28:04,286 DEBUG authorization.AuthorizationHandler [ServiceThread-1,invoke:66] Service path SecureCounterService
2007-09-11 10:28:04,286 DEBUG authorization.AuthorizationHandler [ServiceThread-1,invoke:90] Error getting resource/may not exist
...
2007-09-11 10:33:00,351 DEBUG authorization.ServiceAuthorizationChain [ServiceThread-3,init:325] Trying to load: org.globus.wsrf.impl.security.authorization.SelfAuthorization
2007-09-11 10:33:00,351 WARN authorization.SelfAuthorization [ServiceThread-3,initialize:75] Initialize called

Please send in logs and descriptor configuration where you see different behaviour.
Here is some sample output. In this example, both the global security descriptor (scope: global) and the service security descriptor (scope: secctxecho) contain the following line:

<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP secctxecho:org.globus.gridshib.AttributeAcceptancePIP secctxecho:org.globus.gridshib.SAMLBlacklistPDP"/>

Here is what happens when I start the container:

C:\globus\ws-core-4.0.5-bin\ws-core-4.0.5>bin\globus-start-container
2007-09-11 14:18:19,415 DEBUG authorization.SAMLAssertionPushPIPImpl [main,initialize:43] configs = {enableBlacklisting=true, consultDefaultGridmap=true, useVOMS=false, gridshibAuthzPolicyFile=etc/gridshib-gt-echo-0_6_0/echo-attr-authz-vo.xml, gridSPEntityID=https://globus.org/gridshib, respectMDAttributes=true, metadataPath=etc/gridshib-gt-echo-0_6_0/idp-metadata, blacklistIPAddressesFile=etc/gridshib-gt-echo-0_6_0/blacklist_ip_addresses.txt, requireAuthzMap=false, enableAttributeQuery=false}
2007-09-11 14:18:19,435 INFO authorization.SAMLAssertionPushPIPImpl [main,initialize:44] SAMLAssertionPushPIPImpl initializing for service secctxecho
2007-09-11 14:18:19,435 INFO authorization.SAMLAssertionPushPIPImpl [main,initialize:55] Config parameter (metadataPath) found: etc/gridshib-gt-echo-0_6_0/idp-metadata
2007-09-11 14:18:19,455 INFO common.StringMapDir [main,load:281] Loading directory...
2007-09-11 14:18:19,535 ERROR common.StringMapFile [main,load:411] Unable to parse file etc\gridshib-gt-echo-0_6_0\idp-metadata\gridshib-ca-metadata.xml
2007-09-11 14:18:19,535 ERROR common.StringMapDir [main,load:310] File failed to load: etc\gridshib-gt-echo-0_6_0\idp-metadata\gridshib-ca-metadata.xml
2007-09-11 14:18:19,565 ERROR common.StringMapFile [main,load:411] Unable to parse file etc\gridshib-gt-echo-0_6_0\idp-metadata\metadata.xml
2007-09-11 14:18:19,565 ERROR common.StringMapDir [main,load:310] File failed to load: etc\gridshib-gt-echo-0_6_0\idp-metadata\metadata.xml
2007-09-11 14:18:19,585 INFO common.StringMapFile [main,load:418] Map entry added: (https://test-sp.ncsa.uiuc.edu/shibboleth, CN=GridShib CA,O=Certificate Authority,DC=computer,DC=ncsa,DC=uiuc,DC=edu)
2007-09-11 14:18:19,585 INFO common.StringMapFile [main,load:418] Map entry added: (https://gridshib.example.org/idp, CN=trscavo@openidp.org,OU=urn:mace:inqueue:shib13.openidp.org,O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu)
2007-09-11 14:18:19,605 INFO common.StringMapDir [main,load:316] Found 3 files; successfully loaded 1 files
2007-09-11 14:18:19,605 INFO common.StringMapDir [main,load:283] Directory loaded.
2007-09-11 14:18:19,605 INFO authorization.SAMLAssertionPushPIPImpl [main,initialize:61] Config parameter (metadataPath) successfully registered
2007-09-11 14:18:19,605 INFO authorization.SAMLAssertionPushPIPImpl [main,initialize:68] SAMLAssertionPushPIPImpl initialization complete
2007-09-11 14:18:19,615 DEBUG authorization.AttributeAcceptancePIPImpl [main,initialize:54] configs = {enableBlacklisting=true, consultDefaultGridmap=true, useVOMS=false, gridshibAuthzPolicyFile=etc/gridshib-gt-echo-0_6_0/echo-attr-authz-vo.xml, gridSPEntityID=https://globus.org/gridshib, respectMDAttributes=true, metadataPath=etc/gridshib-gt-echo-0_6_0/idp-metadata, blacklistIPAddressesFile=etc/gridshib-gt-echo-0_6_0/blacklist_ip_addresses.txt, requireAuthzMap=false, enableAttributeQuery=false}
2007-09-11 14:18:19,615 INFO authorization.AttributeAcceptancePIPImpl [main,initialize:55] AttributeAcceptancePIPImpl initializing for service secctxecho
2007-09-11 14:18:19,615 INFO authorization.AttributeAcceptancePIPImpl [main,initialize:58] AttributeAcceptancePIPImpl initialization complete
2007-09-11 14:18:19,996 DEBUG authorization.SAMLAssertionPushPIPImpl [main,initialize:43] configs = {enableBlacklisting=true, metadataPath=etc/globus_wsrf_core/idp-metadata, blacklistIPAddressesFile=etc/globus_wsrf_core/blacklist_ip_addresses.txt}
2007-09-11 14:18:20,006 INFO authorization.SAMLAssertionPushPIPImpl [main,initialize:44] SAMLAssertionPushPIPImpl initializing for service global
2007-09-11 14:18:20,006 INFO authorization.SAMLAssertionPushPIPImpl [main,initialize:55] Config parameter (metadataPath) found: etc/globus_wsrf_core/idp-metadata
2007-09-11 14:18:20,006 INFO common.StringMapDir [main,load:281] Loading directory...
2007-09-11 14:18:20,026 INFO common.StringMapFile [main,load:418] Map entry added: (https://test-sp.ncsa.uiuc.edu/shibboleth, CN=GridShib CA,O=Certificate Authority,DC=computer,DC=ncsa,DC=uiuc,DC=edu)
2007-09-11 14:18:20,026 INFO common.StringMapFile [main,load:418] Map entry added: (https://gridshib.example.org/idp, CN=trscavo@openidp.org,OU=urn:mace:inqueue:shib13.openidp.org,O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu)
2007-09-11 14:18:20,026 INFO common.StringMapDir [main,load:316] Found 1 files; successfully loaded 1 files
2007-09-11 14:18:20,026 INFO common.StringMapDir [main,load:283] Directory loaded.
2007-09-11 14:18:20,026 INFO authorization.SAMLAssertionPushPIPImpl [main,initialize:61] Config parameter (metadataPath) successfully registered
2007-09-11 14:18:20,026 INFO authorization.SAMLAssertionPushPIPImpl [main,initialize:68] SAMLAssertionPushPIPImpl initialization complete
2007-09-11 14:18:20,026 DEBUG authorization.AttributeAcceptancePIPImpl [main,initialize:54] configs = {enableBlacklisting=true, metadataPath=etc/globus_wsrf_core/idp-metadata, blacklistIPAddressesFile=etc/globus_wsrf_core/blacklist_ip_addresses.txt}
2007-09-11 14:18:20,026 INFO authorization.AttributeAcceptancePIPImpl [main,initialize:55] AttributeAcceptancePIPImpl initializing for service global
2007-09-11 14:18:20,036 INFO authorization.AttributeAcceptancePIPImpl [main,initialize:58] AttributeAcceptancePIPImpl initialization complete
2007-09-11 14:18:20,036 WARN gridshib.BasePDP [main,initialize:91] default gridmap is null
2007-09-11 14:18:20,036 DEBUG authorization.SAMLBlacklistPDPImpl [main,initialize:53] configs = {enableBlacklisting=true, metadataPath=etc/globus_wsrf_core/idp-metadata, blacklistIPAddressesFile=etc/globus_wsrf_core/blacklist_ip_addresses.txt}
2007-09-11 14:18:20,046 INFO authorization.SAMLBlacklistPDPImpl [main,initialize:54] SAMLBlacklistPDPImpl initializing for service global
2007-09-11 14:18:20,046 DEBUG authorization.SAMLBlacklistPDPImpl [main,initialize:60] Blacklisting is enabled
2007-09-11 14:18:20,046 DEBUG authorization.SAMLBlacklistPDPImpl [main,initialize:72] IP address blacklist file: etc/globus_wsrf_core/blacklist_ip_addresses.txt
2007-09-11 14:18:20,046 INFO common.StringSetFile [main,load:341] String added to set: 111.111.111.111
2007-09-11 14:18:20,046 INFO authorization.SAMLBlacklistPDPImpl [main,initialize:81] SAMLBlacklistPDPImpl initialization complete
2007-09-11 14:18:20,046 WARN gridshib.BasePDP [main,initialize:91] default gridmap is null
2007-09-11 14:18:20,046 DEBUG authorization.SAMLBlacklistPDPImpl [main,initialize:53] configs = {enableBlacklisting=true, consultDefaultGridmap=true, useVOMS=false, gridshibAuthzPolicyFile=etc/gridshib-gt-echo-0_6_0/echo-attr-authz-vo.xml, gridSPEntityID=https://globus.org/gridshib, respectMDAttributes=true, metadataPath=etc/gridshib-gt-echo-0_6_0/idp-metadata, blacklistIPAddressesFile=etc/gridshib-gt-echo-0_6_0/blacklist_ip_addresses.txt, requireAuthzMap=false, enableAttributeQuery=false}
2007-09-11 14:18:20,046 INFO authorization.SAMLBlacklistPDPImpl [main,initialize:54] SAMLBlacklistPDPImpl initializing for service secctxecho
2007-09-11 14:18:20,046 DEBUG authorization.SAMLBlacklistPDPImpl [main,initialize:60] Blacklisting is enabled
2007-09-11 14:18:20,056 DEBUG authorization.SAMLBlacklistPDPImpl [main,initialize:72] IP address blacklist file: etc/gridshib-gt-echo-0_6_0/blacklist_ip_addresses.txt
2007-09-11 14:18:20,056 INFO common.StringSetFile [main,load:341] String added to set: 111.111.111.111
2007-09-11 14:18:20,056 INFO authorization.SAMLBlacklistPDPImpl [main,initialize:81] SAMLBlacklistPDPImpl initialization complete
Starting SOAP server at: https://192.168.1.102:8443/wsrf/services/
With the following services:
[1]: https://192.168.1.102:8443/wsrf/services/AdminService
[2]: https://192.168.1.102:8443/wsrf/services/AuthzCalloutTestService
[3]: https://192.168.1.102:8443/wsrf/services/ContainerRegistryEntryService
[4]: https://192.168.1.102:8443/wsrf/services/ContainerRegistryService
[5]: https://192.168.1.102:8443/wsrf/services/CounterService
[6]: https://192.168.1.102:8443/wsrf/services/ManagementService
[7]: https://192.168.1.102:8443/wsrf/services/NotificationConsumerFactoryService
[8]: https://192.168.1.102:8443/wsrf/services/NotificationConsumerService
[9]: https://192.168.1.102:8443/wsrf/services/NotificationTestService
[10]: https://192.168.1.102:8443/wsrf/services/PersistenceTestSubscriptionManager
[11]: https://192.168.1.102:8443/wsrf/services/SampleAuthzService
[12]: https://192.168.1.102:8443/wsrf/services/SecureCounterService
[13]: https://192.168.1.102:8443/wsrf/services/SecurityContextEchoService
[14]: https://192.168.1.102:8443/wsrf/services/SecurityTestService
[15]: https://192.168.1.102:8443/wsrf/services/ShutdownService
[16]: https://192.168.1.102:8443/wsrf/services/SubscriptionManagerService
[17]: https://192.168.1.102:8443/wsrf/services/TestAuthzService
[18]: https://192.168.1.102:8443/wsrf/services/TestRPCService
[19]: https://192.168.1.102:8443/wsrf/services/TestService
[20]: https://192.168.1.102:8443/wsrf/services/TestServiceRequest
[21]: https://192.168.1.102:8443/wsrf/services/TestServiceWrongWSDL
[22]: https://192.168.1.102:8443/wsrf/services/Version
[23]: https://192.168.1.102:8443/wsrf/services/WidgetNotificationService
[24]: https://192.168.1.102:8443/wsrf/services/WidgetService
[25]: https://192.168.1.102:8443/wsrf/services/gsi/AuthenticationService
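The ordering reported in the comment above can be checked mechanically rather than by eye. The following Python script is an added example, not part of the bug report or of the toolkit: it parses the "initializing for service" entries from a container log in the format quoted above and reports every interceptor whose service-scoped initialize() ran before its global-scoped one. The sample lines are copied from the log in this comment; the log-line regex is an assumption about the format, not a toolkit API.

```python
import re

# Sample lines copied from the container log quoted in this bug
# (only the "initializing for service" entries, timestamps as logged).
SAMPLE_LOG = """\
2007-09-11 14:18:19,435 INFO authorization.SAMLAssertionPushPIPImpl [main,initialize:44] SAMLAssertionPushPIPImpl initializing for service secctxecho
2007-09-11 14:18:19,615 INFO authorization.AttributeAcceptancePIPImpl [main,initialize:55] AttributeAcceptancePIPImpl initializing for service secctxecho
2007-09-11 14:18:20,006 INFO authorization.SAMLAssertionPushPIPImpl [main,initialize:44] SAMLAssertionPushPIPImpl initializing for service global
2007-09-11 14:18:20,026 INFO authorization.AttributeAcceptancePIPImpl [main,initialize:55] AttributeAcceptancePIPImpl initializing for service global
2007-09-11 14:18:20,046 INFO authorization.SAMLBlacklistPDPImpl [main,initialize:54] SAMLBlacklistPDPImpl initializing for service global
2007-09-11 14:18:20,046 INFO authorization.SAMLBlacklistPDPImpl [main,initialize:54] SAMLBlacklistPDPImpl initializing for service secctxecho
"""

# Assumed log layout: timestamp, level, logger, [thread,method:line], message.
INIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+\S+\s+\S+\s+\[[^\]]*\]\s+"
    r"(?P<cls>\w+) initializing for service (?P<scope>\S+)\s*$"
)


def parse_init_events(log_text):
    """Return (timestamp, interceptor class, scope) tuples in log order."""
    events = []
    for line in log_text.splitlines():
        m = INIT_RE.match(line.strip())
        if m:
            events.append((m.group("ts"), m.group("cls"), m.group("scope")))
    return events


def first_scope_initialized(events):
    """Scope ('global' or a service name) of the earliest init event, or None."""
    return events[0][2] if events else None


def interceptors_initialized_before_global(events):
    """Map each interceptor class whose service-scoped initialize() ran before
    (or without) its global-scoped one to the scopes seen early, in log order."""
    global_seen = set()
    early = {}
    for _ts, cls, scope in events:
        if scope == "global":
            global_seen.add(cls)
        elif cls not in global_seen:
            early.setdefault(cls, []).append(scope)
    return early


if __name__ == "__main__":
    evs = parse_init_events(SAMPLE_LOG)
    print("first scope initialized:", first_scope_initialized(evs))
    for cls, scopes in interceptors_initialized_before_global(evs).items():
        print(f"{cls}: service scope(s) {scopes} initialized before global")
```

On the sample, the two PIPs come out as initialized at service scope first, while SAMLBlacklistPDPImpl does not, which is exactly what the quoted log shows.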
Does the service have activateOnStartup configured? Can you please turn on debug logging for org.globus.wsrf.container and org.globus.wsrf.impl.security.descriptor and send me the log? Attachments are not allowed in Bugzilla, so please add a link or email it to me. Thanks.
The ctx echo service does have loadOnStartup set to true in the wsdd, yes.
Here is a link to the log output requested in Comment #3: http://dev.globus.org/wiki/Image:Gt-container-log-output-20070911.txt
In 4.0.x, if the service is loaded at start up, the security properties are also initialized first. I have documented the behavior and a potential workaround to force the container initialization here: http://www.globus.org/toolkit/docs/4.0/security/authzframe/developer-index.html. Changing this behavior is a public interface change and cannot be done without some backwards compatibility. If you are unable to use the workaround, please reopen the bug and I'll look into incorporating some solution. In trunk code, the container security descriptor is always initialized first.