Bug 6690 - Define new SecurityPrincipal interface
Status: RESOLVED FIXED
Product: GridShib
Component: SAML/Binding Tools
Version: 0.5.3
Platform: All All
Importance: P3 enhancement
Target Milestone: 0.5.4
Depends on: 6689
Reported: 2009-03-14 12:23 by
Modified: 2009-03-15 12:48 (History)

Description From 2009-03-14 12:23:20
Define a new SecurityPrincipal interface:

import java.security.Principal;

public interface SecurityPrincipal extends Principal {
    // Returns the type (typically a URI) that identifies the namespace of this principal's name
    public String getType();
}

Instances of SecurityPrincipal are distinguished by type.  A TeraGridPrincipal,
for example, has type

http://teragrid.org/names/nameid-format/principalname

The type of a SAMLPrincipal depends on its source (SAMLIdentity or
BasicAttribute).  A GlobusPrincipal has type "X.500 distinguished name,"
whatever that turns out to be.
------- Comment #1 From 2009-03-14 17:47:02 -------
Added two new methods to the SecurityContext interface:

public SecurityPrincipal getSecurityPrincipal();
public SecurityPrincipal[] getSecurityPrincipals();

Implemented these methods in the SAMLSecurityContext class.

The latter requires that the SAMLPrincipal class implement the SecurityContext
interface.  This was easy since the SAMLPrincipal class already has a type
member (Bug 6689).
------- Comment #2 From 2009-03-14 18:05:25 -------
Decreased the visibility of two methods in the SAMLSecurityContext class:

static SAMLPrincipal getSAMLPrincipal(SAMLIdentity identity);
static List getSAMLPrincipals(BasicAttribute attribute);

Developers should call the convenience methods in the SAMLIdentity class and
the BasicAttribute class instead.
------- Comment #3 From 2009-03-14 18:16:40 -------
All resources have been committed to CVS HEAD.  This new feature will be
distributed with GS-ST v0.5.4 (which will not be publicly released).
------- Comment #4 From 2009-03-15 10:16:49 -------
(In reply to comment #0)
> 
> public interface SecurityPrincipal extends Principal {
>     public String getType();
> }

The above is necessary but not sufficient.  I need the following interface:

public interface SecurityPrincipal extends IssuedSecurityItem {
    public String getName();
    public String getType();
}

This permits the following generalization in SAMLSecurityContextLogger:

SecurityPrincipal[] principals = secCtx.getSecurityPrincipals();
assert (principals != null);
for (int i = 0; i < principals.length; i++) {
    String msg = "CallerID=" + quote(callerID) +
                 " SecurityPrincipal" +
                 " ID=" + principals[i].getId() +
                 " Trusted=" +
                   (principals[i].isTrusted() ? "true" : "false") +
                 " Name=" +
                   quote(principals[i].getName()) +
                 " Type=" +
                   principals[i].getType();
    logger.info(msg);
}

This simplifies other implementations of SecurityContextLogger, and in the case
of TGSecurityContextLogger, it eliminates that implementation entirely.
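As an added illustration (not GridShib code), the following models the interface shape proposed above and the generalized logging loop it enables; the IssuedSecurityItem members, the TypedPrincipal class, the quote() helper and the sample values are assumptions for this example only.

```java
// Added example, not code from the GridShib project. IssuedSecurityItem's
// members and the TypedPrincipal class are assumed shapes for illustration.
import java.util.ArrayList;
import java.util.List;

interface IssuedSecurityItem {
    String getId();        // identifier of the assertion/credential this item came from
    boolean isTrusted();   // whether that source was verified (e.g., a trusted issuer)
}

interface SecurityPrincipal extends IssuedSecurityItem {
    String getName();
    String getType();      // URI naming the principal's namespace (see comment #0)
}

// A type URI keeps principals from different namespaces apart even when their
// names collide, so a name alone is never treated as an identity.
final class TypedPrincipal implements SecurityPrincipal {
    private final String id, name, type;
    private final boolean trusted;
    TypedPrincipal(String id, boolean trusted, String name, String type) {
        this.id = id; this.trusted = trusted; this.name = name; this.type = type;
    }
    public String getId() { return id; }
    public boolean isTrusted() { return trusted; }
    public String getName() { return name; }
    public String getType() { return type; }
}

final class PrincipalLogger {
    // Quote a value and escape embedded quotes/backslashes so that a name
    // containing '"' cannot masquerade as a separate key=value field in the log line.
    static String quote(String s) {
        return "\"" + s.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }
    // Builds one line per principal, regardless of the concrete principal class.
    static List<String> format(String callerID, SecurityPrincipal[] principals) {
        List<String> lines = new ArrayList<>();
        if (principals == null) return lines;   // tolerate a context with no principals
        for (SecurityPrincipal p : principals) {
            lines.add("CallerID=" + quote(callerID) + " SecurityPrincipal"
                + " ID=" + p.getId() + " Trusted=" + p.isTrusted()
                + " Name=" + quote(p.getName()) + " Type=" + p.getType());
        }
        return lines;
    }
    public static void main(String[] args) {
        SecurityPrincipal[] ps = {   // constructed sample values; the second type URI is a placeholder
            new TypedPrincipal("a1", true, "alice", "http://teragrid.org/names/nameid-format/principalname"),
            new TypedPrincipal("a2", false, "bob \"untrusted\"", "urn:example:saml-attribute")
        };
        for (String line : format("gateway", ps)) System.out.println(line);
    }
}
```

The Trusted field is what lets a consumer of these logs tell an attribute-derived name from an authenticated one; the quoting keeps a hostile name from forging that field.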
------- Comment #5 From 2009-03-15 12:48:41 -------
Refactored the getTeraGridPrincipal method in the GatewaySecurityContext class:

http://viewcvs.globus.org/viewcvs.cgi/gridshib/saml/teragrid/java/tests/org/teragrid/ncsa/gridshib/security/GatewaySecurityContext.java?r1=1.5&r2=1.6

The above simplification, and the modification to SAMLSecurityContextLogger
described in Comment #4, were the goal of this bug (which depends on Bug 6689
and Bug 6691).  I can now move on to GridShib for GT and finish the
implementation of TeraGridGatewayPDP (Bug 6668).