Bugzilla – Bug 6689
Define new SecurityAttributes interface
Last modified: 2009-03-15 10:16:49
Define a new SecurityAttributes interface that lets you decorate a security item (or even a security context implementation) with attributes. Here the term "attribute" refers to the most general notion of attribute, as discussed in the wiki article entitled "GridShib Security Table" (see link above). This new interface will in fact support the Security Table implementation.

The SecurityAttributes interface implicitly defines a "security attribute" as a name-value pair whose name is a simple string and whose value is a set of strings. One string in the set of value strings is distinguished in some manner, to be determined by the implementation.

    public interface SecurityAttributes {
        public boolean addAttributeValue(String name, String value);
        public boolean removeAttribute(String name);
        public String getAttributeValue(String name);
        public Set getAttributeValues(String name);
        public Set getAttributeNames();
    }

Not all of the current security items will implement this interface. SAMLIdentity and BasicAttribute will implement this interface. SAMLPrincipal and TeraGridPrincipal will also implement this interface. The rest of the security items will probably not implement this interface. SAMLAuthnContext, for example, doesn't seem to have anything to add to the set of SecurityAttributes.
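The following is an added illustration, not GridShib code from the bug or the project, of what a concrete class behind the interface described above could look like. It assumes generic Set<String> signatures (the bug lists the methods with raw Set types), picks "first value added" as the distinguished value (the bug leaves that choice to the implementer), and uses a constructed sample principal name; the class name SecurityAttributeMap is hypothetical.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

// The interface as described in the bug; the generic parameters are an
// addition made here for type safety and are not in the bug's listing.
interface SecurityAttributes {
    boolean addAttributeValue(String name, String value);
    boolean removeAttribute(String name);
    String getAttributeValue(String name);
    Set<String> getAttributeValues(String name);
    Set<String> getAttributeNames();
}

// Hypothetical implementation (not project code). The "distinguished" value
// is taken to be the first value added for a name, which LinkedHashSet
// preserves by keeping insertion order.
class SecurityAttributeMap implements SecurityAttributes {
    private final Map<String, LinkedHashSet<String>> attributes = new LinkedHashMap<>();

    public boolean addAttributeValue(String name, String value) {
        // Reject nulls so no attribute can be stored that later matches
        // nothing (or everything) in an access-control comparison.
        if (name == null || value == null) {
            throw new IllegalArgumentException("attribute name and value must be non-null");
        }
        // Set semantics: true only when the value was not already present.
        return attributes.computeIfAbsent(name, k -> new LinkedHashSet<>()).add(value);
    }

    public boolean removeAttribute(String name) {
        return attributes.remove(name) != null;
    }

    public String getAttributeValue(String name) {
        Set<String> values = attributes.get(name);
        return (values == null || values.isEmpty()) ? null : values.iterator().next();
    }

    public Set<String> getAttributeValues(String name) {
        Set<String> values = attributes.get(name);
        // Hand out read-only views so a caller cannot alter the attribute set
        // behind the back of the security item that owns it.
        return values == null ? Collections.emptySet() : Collections.unmodifiableSet(values);
    }

    public Set<String> getAttributeNames() {
        return Collections.unmodifiableSet(attributes.keySet());
    }

    public static void main(String[] args) {
        SecurityAttributes attrs = new SecurityAttributeMap();
        // Mirrors the SAMLPrincipal usage in the bug: the principal's type URI
        // is the attribute name and the principal's name is the value. The URI
        // is the one quoted in the bug for TeraGridPrincipal; "jdoe" is a
        // constructed sample value.
        String type = "http://teragrid.org/names/nameid-format/principalname";
        attrs.addAttributeValue(type, "jdoe");
        attrs.addAttributeValue(type, "jdoe"); // a duplicate value is not stored twice
        System.out.println("names: " + attrs.getAttributeNames());
        System.out.println("distinguished value: " + attrs.getAttributeValue(type));
        System.out.println("value count: " + attrs.getAttributeValues(type).size());
        System.out.println("removed: " + attrs.removeAttribute(type));
        System.out.println("removed again: " + attrs.removeAttribute(type));
    }
}
```

The unmodifiable views are the part worth copying: because these attributes feed an authorization table, the only path for changing them should be the owning security item's own add/remove methods.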
New implementation of SecurityAttributes interface:

    public abstract class DecoratedSecurityItem extends BaseSecurityItem implements SecurityAttributes;

Concrete classes SAMLIdentity, BasicAttribute, and SAMLPrincipal now extend the above class. Each of these classes adds a security attribute when the security item becomes trusted.
The SAMLPrincipal class has a new type member and a corresponding getType method. Constructor SAMLPrincipal(String, String, String) was deprecated in favor of the SAMLPrincipal(String, String, String, String) constructor. The latter takes a new type parameter. In the constructor, a security attribute is added:

    this.addAttributeValue(this.type, this.name);

The type and name of this SAMLPrincipal instance are the name and value of the security attribute, respectively. Presumably the type is a URI that uniquely identifies the attribute.
Committed all resources to CVS HEAD. This new feature will be distributed with GS-ST v0.5.4 (which will not be publicly released).
(In reply to comment #2)
> Constructor SAMLPrincipal(String, String, String) was deprecated in
> favor of the SAMLPrincipal(String, String, String, String) constructor.

The SAMLSecurityContext class invokes the new constructor instead of the deprecated constructor.
(In reply to comment #4)
> (In reply to comment #2)
> > Constructor SAMLPrincipal(String, String, String) was deprecated in
> > favor of the SAMLPrincipal(String, String, String, String) constructor.
>
> The SAMLSecurityContext class invokes the new constructor instead of the
> deprecated constructor.

Same goes for the unit tests BasicAttributeTest and SAMLPrincipalTest.
(In reply to comment #2)
> Constructor SAMLPrincipal(String, String, String) was deprecated in
> favor of the SAMLPrincipal(String, String, String, String) constructor.

Since the TeraGridPrincipal class is a subclass of the SAMLPrincipal class, the former now invokes the new constructor, not the deprecated constructor. The TeraGridPrincipal class passes the following type value to the constructor:

    http://teragrid.org/names/nameid-format/principalname

Other instances of SAMLPrincipal will behave similarly.
Added unit tests to each of SAMLIdentityTest, SAMLPrincipalTest, and BasicAttributeTest.