AAA Component Notes

The Authentication, Authorization and Accounting component is responsible authenticating a requestor against the list of registered users and for providing the methods to check that this user is allowed to perform the actions that are requested. It also  provides the methods for managing users and their attributes. At this point it does no accounting. The authorization policy that is being implemented is described in Authorization Policy.

External interfaces

Web
User connects to https://oscars.es.net/OSCARS/ and sees a login page.
Logs in with oscars login name e.g. mrthompson@lbl.gov and password
If the name is found in the users table and the password is correct, he receives two cookies, one named userName that contains a hash that indexes this user in the user table and one named tabName which is used to determine what tabs will be displayed on the next web page the user sees.
    servlets.UserSession

String checkSession(PrintWriter out, HttpServletRequest request) -
if there is userName cookie in the request, returns the userName from the cookie.
Otherwise returns an xml error message.

void setCookie(String cookieName, String cookieValue, HttpServletResponse response)
includes the cookie in the servlet repsonse.

String getCookie(String cookieName, HttpServletRequest request)
called by servlets.UserSession.checkSession and servlets.Utils.tabSection
If there is a cookie named "userName", uses the value of the cookie to determine user's login name
Otherwise returns null.

API
All messages are digitally signed by an X.509 priviate key and the corresponding certificate is included in the message. To do this set the signatureKeyIdentifier to DirectReference in the client side axis2.xml file. Other message creators may do it differently but the request message should include a wsse:Security element in the header which inlcudes a wsse:BinarySecurityToken that contains the base64-encoded certificate. This element is referenced by the wsse:SecurityTokenReference element in the ds:KeyInfo in the ds:Signature.
(note: wsse==http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd ds==http://www.w3.org/2000/09/xmldsig#)

For each message the axis2 rampart module verifies the signature on the message using the enclosed certificate. It also validates the certificate as being signed by one of the trust anchors (CAs) stored in its keystore. So far we trust the DOEGrids CA, the ESnet Root CA 1, the ESnet SSL Server Certificates CA, the DCS Test CA, the JRA3_Prototype CA, the nortel CA, and the OASIS interop CA. Once the message has been validated the corresponding method: create,cancel,list,query in OSCARSSkeleton is called. Each method starts out with a checkUser call which first calls setOperationContext

   
oscars.OSCARSSkeleton

private void setOperationContext() - called by checkUser
extracts the users DN and issuers DN from the message context which are then
stored in private variables within the OSCARSSkeleton.

String checkUser()
Calls set OperationContext and checks that a certificate was found. This should only fail if
the axis2/rampart configuration is wrong.
Then calls userManager.loginFromDN to check if the DN is entered in the user table and to get the
login name which is used for subsequent authorization.

Internal interfaces:

aaa/UserManager
String LoginFromDN(String DN) -called from OSCARSSkeleton.checkUser
uses UserDAO to lookup DN and return login name

String verifyLogin(String userName, String password) - called from servlets.AuthenticateUser.doGet
user UserDAO to see if user is already authenticate
if not looks up login Name
looks up enrypted password and compares to input password

AuthValue checkAccess(String userName, String resourceName,
String permissionName)
called by
servlets(AuthenticateUser,CancelReservations,QueryReservations,ListReservations,
UserAdd,userAddForm,UserModify,UserQuery,UserRemove)
OSCARSSkeleton.listReservations,queryReservations,cancelReservation,
createPath,refreshPath,teardownPath,
getNetworkTopology,initiateTopologyPull,
verifies that this user has the specified permission to the specified resource
gets userid, resourceid and permissionid from the appropropriate tables
queries authorization table based the the userid, resourceid and permissionid tuple.

AuthValue checkModResAccess(String userName, String resourceName, String permissionName,
int reqBandwidth, int reqDuration, boolean specPathElems, boolean specGRI)
called by
servlets(CreateReservationForm,createReservation,createReservationform)
OSCARSSkelton.createReservation

also contains the methods to create, query, list and delete users.

Internal Data Structures

       	UserManger
private LogWrapper log;
private String salt;
Session session; From HibernateUtil.getSessionFactory("aaa").getCurrentSession();

aaa.User
contains all the items in the user table with get and set methods
adapted from a Middlegen class automatically generated

private Integer id; /** identifier field */
private String login; /** persistent field */
private String certificate; /** nullable persistent field */
private String certSubject; /** nullable persistent field */
private String lastName; /** persistent field */
private String firstName; /** persistent field */
private String emailPrimary; /** persistent field */
private String phonePrimary; /** persistent field */
private String password; /** nullable persistent field */
private String description; /** nullable persistent field */
private String emailSecondary; /** nullable persistent field */
private String phoneSecondary; /** nullable persistent field */
private String status; /** nullable persistent field */
private String activationKey; /** nullable persistent field */
private Long lastActiveTime; /** nullable persistent field */
private Long registerTime; /** nullable persistent field */
private Institution institution; /** persistent field */

aaa.Authorization
adapted from a Middlegen class automatically generated
contains the items from the authorization table with get and set methods

aaa.Resource
adapted from an Middlegen class automatically generated
contains the items from the authorization table with get and set methods

aaa.Permissions
adapted from an Middlegen class automatically generated
contains the items from the permissions table with get and set methods