AAA Component Notes

External interfaces

Web
User connects to https://oscars.es.net/OSCARS/ and sees a login page.
Logs in with an OSCARS login name, e.g. mrthompson@lbl.gov, and a password.
Receives two cookies: one named userName with a value of mrthompson@lbl.gov, and one named tabName, which starts out as ListReservations and changes to UserList, CreateReservationFor or Logout depending on the last tab viewed. This will be changed so the user only gets a reference to the cookies.

    servlets.UserSession
        String checkSession(PrintWriter out, HttpServletRequest request) -
            returns the userName from the cookie or an xml status message
        void setCookie(String cookieName, String cookieValue,
                       HttpServletResponse response)
        String getCookie(String cookieName, HttpServletRequest request)
            called by servlets.UserSession.checkSession
                      servlets.Utils.tabSection
            If there is a cookie named "userName", returns the value of the cookie, which is the user's login name.
            Otherwise returns null.
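Sketch of the planned change (the browser holding only a reference rather than the login name itself), written as an added example here; it is not OSCARS code. The cookie name oscarsSession, the in-memory session table and the Servlet 3.0 setHttpOnly call are assumptions, and a real deployment would keep the table in the database so it survives restarts.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example, not OSCARS code: session reference cookie instead of a userName cookie. */
public class SessionRefExample {
    static final String SESSION_COOKIE = "oscarsSession";   // assumed cookie name
    private static final SecureRandom RNG = new SecureRandom();
    // server-side table: opaque reference -> login name (in-memory stand-in for a DB table)
    private static final Map<String, String> SESSIONS = new ConcurrentHashMap<>();

    /** Called after verifyLogin succeeds: mint an unguessable reference and hand only that to the browser. */
    public static String startSession(String userName, HttpServletResponse response) {
        byte[] raw = new byte[32];                 // 256 bits of randomness, not derived from the user name
        RNG.nextBytes(raw);
        String ref = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.put(ref, userName);
        Cookie c = new Cookie(SESSION_COOKIE, ref);
        c.setHttpOnly(true);                       // not readable from page script (Servlet 3.0+)
        c.setSecure(true);                         // only sent over https, which is how the site is served
        c.setPath("/OSCARS/");
        response.addCookie(c);
        return ref;
    }

    /** Counterpart of checkSession/getCookie: map the reference back to a login name, or null. */
    public static String userForRequest(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (SESSION_COOKIE.equals(c.getName())) {
                return SESSIONS.get(c.getValue());  // null if never issued or already revoked
            }
        }
        return null;
    }

    /** Logout tab: drop the server-side entry so the cookie value becomes meaningless. */
    public static void endSession(String ref) {
        SESSIONS.remove(ref);
    }
}
```

With this shape the tabName cookie can stay as it is, since it carries no authority; only the identity-bearing cookie needs to become a reference, and logout works by revoking the server-side entry rather than by relying on the browser to discard the cookie.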

    

API
All messages are digitally signed with an X.509 private key and the corresponding certificate is included in the message. To do this, set the signatureKeyIdentifier to DirectReference in the client side axis2.xml file. Other message creators may do it differently, but the request message should include a wsse:Security element in the header which includes a wsse:BinarySecurityToken that contains the base64-encoded certificate. This element is referenced by the wsse:SecurityTokenReference element in the ds:KeyInfo in the ds:Signature.
(note: wsse == http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd, ds == http://www.w3.org/2000/09/xmldsig#)

For each message the axis2 rampart module verifies the signature on the message using the enclosed certificate. It also validates the certificate as being signed by one of the trust anchors (CAs) stored in its keystore. So far we trust the DOEGrids CA and the OASIS interop CA. Once the message has been validated the corresponding method (create, cancel, list, query) in OSCARSSkeleton is called. Each method starts out with a checkUser call, which first calls setOperationContext.

   
     oscars.OSCARSSkeleton
     private void setOperationContext() - called by checkUser
          extracts the user's DN and the issuer's DN from the message context, which are then
          stored in private variables within the OSCARSSkeleton.
     String checkUser()
          Calls setOperationContext and checks that a certificate was found. This should only fail if
          the axis2/rampart configuration is wrong.
          Then calls userManager.loginFromDN to check if the DN is entered in the user table and to get the
          login name, which is used for subsequent authorization.
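What rampart's certificate validation and the setOperationContext/checkUser pair amount to, written out with the plain JCA API as an added example; this is not OSCARS or rampart code. It assumes the wsse:BinarySecurityToken carries a single X509v3 certificate, that the trust anchors live in a JKS keystore, and that no CRL/OCSP checking is configured (hence setRevocationEnabled(false)); the loginFromDN lookup is passed in as a function so the example has no database dependency.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.function.Function;

/** Added example, not OSCARS/rampart code: BST decode, trust-anchor validation, DN extraction. */
public class CertCheckExample {
    private String userDN;
    private String issuerDN;

    /** bstBase64: text content of the wsse:BinarySecurityToken (X509v3 value type assumed). */
    public void setOperationContext(String bstBase64, String keystorePath, char[] keystorePass)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // MIME decoder tolerates the line breaks usually present inside a BST element
        X509Certificate cert = (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(Base64.getMimeDecoder().decode(bstBase64)));

        // keystore holding the trust anchors (e.g. the DOEGrids CA and the OASIS interop CA)
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            trust.load(in, keystorePass);
        }
        PKIXParameters params = new PKIXParameters(trust);   // every trusted cert entry is an anchor
        params.setRevocationEnabled(false);                  // assumption: no CRL/OCSP configured
        CertPath path = cf.generateCertPath(Collections.singletonList(cert));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (CertPathValidatorException e) {
            // a self-signed or unknown-CA certificate ends up here, before any DN is recorded
            throw new SecurityException("certificate not chained to a trust anchor: " + e.getMessage(), e);
        }
        cert.checkValidity();   // explicit: rejects expired / not-yet-valid certificates
        userDN = cert.getSubjectX500Principal().getName();
        issuerDN = cert.getIssuerX500Principal().getName();
    }

    /** checkUser counterpart: DNs must be present before any lookup in the user table. */
    public String checkUser(Function<String, String> loginFromDN) {
        if (userDN == null || issuerDN == null) {
            throw new IllegalStateException("no certificate in message context; check axis2/rampart config");
        }
        return loginFromDN.apply(userDN);   // null => DN not in user table, caller refuses the request
    }

    public String getUserDN()   { return userDN; }
    public String getIssuerDN() { return issuerDN; }
}
```

The order matters: the signature and chain are checked first and only then is the subject DN used as an identity, so a DN string in an unvalidated certificate never reaches loginFromDN. Keeping the issuer DN alongside the user DN also lets a later check insist that a given user's DN was issued by the expected CA rather than by any trusted one.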
 

Internal interfaces:

aaa/UserManager
       String LoginFromDN(String DN)   - called from OSCARSSkeleton.checkUser
            uses UserDAO to look up the DN and return the login name
       String verifyLogin(String userName, String password)  - called from servlets.AuthenticateUser.doGet
            uses UserDAO to see if the user is already authenticated
            if not, looks up the login name
            looks up the encrypted password and compares it to the input password
       boolean verifyAuthorized(String userName, String resourceName,
                                String permissionName)
            called by
              servlets.CreateReservationForm.contentSection
              servlets.AuthenticateUser.doGet
              servlets.ListReservations.getReservations
              OSCARSSkeleton.listReservations
              OSCARSSkeleton.queryReservations
            verifies that this user has the specified permission on the specified resource
            gets userid, resourceid and permissionid from the appropriate tables
            queries the authorization table on the (userid, resourceid, permissionid) tuple
       also contains the methods to create, query, list and delete users.
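The two UserManager checks above (verifyLogin and verifyAuthorized), written against plain JDBC as an added example rather than the project's Hibernate/UserDAO code. The table and column names (users, resources, permissions, authorizations and their id/name/login columns), the password scheme (SHA-256 over salt + password, stored as bytes) and the use of the UserManager salt field are all assumptions; the point is the shape of the two lookups, not the schema.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/** Added example, not OSCARS code: login check and (user, resource, permission) tuple lookup. */
public class UserManagerExample {
    private final Connection db;
    private final String salt;   // stands in for the 'salt' field in UserManager

    public UserManagerExample(Connection db, String salt) { this.db = db; this.salt = salt; }

    /** One-way encoding of a password with the site salt (scheme assumed: SHA-256 over salt+password). */
    byte[] encryptPassword(String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt.getBytes(StandardCharsets.UTF_8));
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    /** Returns the login name on success, null otherwise; the same answer for "no such user"
     *  and "wrong password", so the login form does not reveal which of the two it was. */
    public String verifyLogin(String userName, String password) throws Exception {
        byte[] stored = null;
        try (PreparedStatement ps = db.prepareStatement("SELECT password FROM users WHERE login = ?")) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) stored = rs.getBytes(1);   // assumed: column holds the raw digest bytes
            }
        }
        byte[] supplied = encryptPassword(password);      // always computed, even for unknown users
        // MessageDigest.isEqual compares in constant time; a hand-written loop would stop at the first mismatch
        if (stored != null && MessageDigest.isEqual(stored, supplied)) return userName;
        return null;
    }

    /** Resolves the three names to ids and asks whether that tuple exists in the authorization table. */
    public boolean verifyAuthorized(String userName, String resourceName, String permissionName)
            throws SQLException {
        String sql = "SELECT 1 FROM authorizations a"
                   + " JOIN users u ON a.userId = u.id"
                   + " JOIN resources r ON a.resourceId = r.id"
                   + " JOIN permissions p ON a.permissionId = p.id"
                   + " WHERE u.login = ? AND r.name = ? AND p.name = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, userName);      // bound parameters: the names are never spliced into the SQL text
            ps.setString(2, resourceName);
            ps.setString(3, permissionName);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();           // any row => the tuple exists => authorized; no row => denied
            }
        }
    }
}
```

Both methods default to denial: verifyLogin returns null unless the stored digest matches, and verifyAuthorized returns true only when the exact tuple is present, so an unknown user, resource or permission name falls through to "not authorized" without a special case.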
     
     

Internal Data Structures

       UserManager
           private LogWrapper log;
           private String salt;
           Session session;   from HibernateUtil.getSessionFactory("aaa").getCurrentSession();

       aaa.User
           contains all the items in the user table with get and set methods
           adapted from an automatically generated Middlegen class

           private Integer id;                 /** identifier field */
           private String login;               /** persistent field */
           private String certificate;         /** nullable persistent field */
           private String certSubject;         /** nullable persistent field */
           private String lastName;            /** persistent field */
           private String firstName;           /** persistent field */
           private String emailPrimary;        /** persistent field */
           private String phonePrimary;        /** persistent field */
           private String password;            /** nullable persistent field */
           private String description;         /** nullable persistent field */
           private String emailSecondary;      /** nullable persistent field */
           private String phoneSecondary;      /** nullable persistent field */
           private String status;              /** nullable persistent field */
           private String activationKey;       /** nullable persistent field */
           private Long lastActiveTime;        /** nullable persistent field */
           private Long registerTime;          /** nullable persistent field */
           private Institution institution;    /** persistent field */
    	    
       aaa.Authorization
           adapted from an automatically generated Middlegen class
           May not be called by anybody
           contains the items from the authorization table with get and set methods

       aaa.Resource
           adapted from an automatically generated Middlegen class
           May not be called by anybody
           contains the items from the authorization table with get and set methods

       aaa.Permissions
           adapted from an automatically generated Middlegen class
           May not be called by anybody
           contains the items from the permissions table with get and set methods