Custom Query – NDG Security

Reported by pjkersha, 13 years ago.

Description

#855 raised for the BADC applies to the other data providers.

Each Data Provider needs a permanent URI set aside for their Attribute Authority. MOLES [and CMSL] include the role name, Attribute Authority address tuple in their records. The latter should be fixed to avoid the need to have to change all data records should the Attribute Authority move location.

The address could be set up with a proxy e.g.

http://some-host-inside-firewall:51000/AttributeAuthority -> http://aa.data-provider-name.nerc.ac.uk

Reported by pjkersha, 11 years ago.

Description

The paster templates in ndg.security.server.paster_templates should be updated. Templates should exist for:

Security services middleware stack: an ini file deploying in a pipeline these services mounted in a WSGI script running over SSL,
- Attribute Authority
- Authorization Service
- Session Middleware
- SSL Client Authentication
- OpenID Relying Party
- OpenID Provider
Secured Application: the middleware to front a given application that needs securing,
- Authentication Redirect Filter - redirects unauthenticated sessions to Security middleware stack above for SSL client authentication / OpenID Relying Party sign in
- Authorisation Filter
- Placeholder for application to be secured
Secured application with OpenID Relying Party: where the application is running on another domain to the main services 1.) where no SSL certificate is available to host an OpenID Relying Party over SSL.
- OpenID Relying Party
- Authorisation Filter
- Placeholder for application to be secured
OpenID Relying Party and SSL Client Authentication filters running over SSL: where an application is running on a different domain to the main services 1.) but an SSL certificate is available for the domain,
- SSL Client Authentication
- OpenID Relying Party
(Standalone Attribute Authority)
(Standalone Authorization Service)
(Standalone OpenID Provider)

Other possibilities in brackets.

Reported by pjkersha, 10 years ago.

Description

For ESGF, the XRDS document returned by the OpenID Provider returns additional service endpoints. These should be listed at the level of a single XRD element and not one per XRD element.

This is the current wrong way:

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
        <XRD>
                <Service priority="0">
                       <Type>http://specs.openid.net/auth/2.0/signon</Type>
                       <Type>http://openid.net/signon/1.0</Type>
                       <URI>https://openid.provider.somewhere.ac.uk</URI>
                       <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
                 </Service>
        </XRD>
        <XRD>
                 <Service priority="10">
                       <Type>urn:esg:security:myproxy-service</Type>
                       <URI>socket://myproxy-server.somewhere.ac.uk:7512</URI>
                       <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
                 </Service>
        </XRD>
        <XRD>
                 <Service priority="20">
                       <Type>urn:esg:security:attribute-service</Type>
                       <URI>https://attributeservice.somewhere.ac.uk</URI>
                       <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
                 </Service>
        </XRD>
</xrds:XRDS>

This is the correct way:

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
        <XRD>
                <Service priority="0">
                       <Type>http://specs.openid.net/auth/2.0/signon</Type>
                       <Type>http://openid.net/signon/1.0</Type>
                       <URI>https://openid.provider.somewhere.ac.uk</URI>
                       <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
                 </Service>
                 <Service priority="10">
                       <Type>urn:esg:security:myproxy-service</Type>
                       <URI>socket://myproxy-server.somewhere.ac.uk:7512</URI>
                       <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
                 </Service>
                 <Service priority="20">
                       <Type>urn:esg:security:attribute-service</Type>
                       <URI>https://attributeservice.somewhere.ac.uk</URI>
                       <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
                 </Service>
        </XRD>
</xrds:XRDS>

Context Navigation

Custom Query (4 matches)

Results (1 - 3 of 4)

Download in other formats:

Ticket	Resolution	Summary	Owner	Reporter
#870	fixed	[S] NOCS Attribute Authority address needs to be permanent	hsnaith	pjkersha
Reported by pjkersha, 13 years ago.
Description	#855 raised for the BADC applies to the other data providers. Each Data Provider needs a permanent URI set aside for their Attribute Authority. MOLES [and CMSL] include the role name, Attribute Authority address tuple in their records. The latter should be fixed to avoid the need to have to change all data records should the Attribute Authority move location. The address could be set up with a proxy e.g. `http://some-host-inside-firewall:51000/AttributeAuthority -> http://aa.data-provider-name.nerc.ac.uk`
#1101	fixed	[S] Update Paster templates for Security Installation	pjkersha	pjkersha
Reported by pjkersha, 11 years ago.
Description	The paster templates in `ndg.security.server.paster_templates` should be updated. Templates should exist for: Security services middleware stack: an ini file deploying in a pipeline these services mounted in a WSGI script running over SSL, Attribute Authority Authorization Service Session Middleware SSL Client Authentication OpenID Relying Party OpenID Provider Secured Application: the middleware to front a given application that needs securing, Authentication Redirect Filter - redirects unauthenticated sessions to Security middleware stack above for SSL client authentication / OpenID Relying Party sign in Authorisation Filter Placeholder for application to be secured Secured application with OpenID Relying Party: where the application is running on another domain to the main services 1.) where no SSL certificate is available to host an OpenID Relying Party over SSL. OpenID Relying Party Authorisation Filter Placeholder for application to be secured OpenID Relying Party and SSL Client Authentication filters running over SSL: where an application is running on a different domain to the main services 1.) but an SSL certificate is available for the domain, SSL Client Authentication OpenID Relying Party (Standalone Attribute Authority) (Standalone Authorization Service) (Standalone OpenID Provider) Other possibilities in brackets.
#1122	fixed	[S] Wrong format for Yadis XRDS additional service endpoints	pjkersha	pjkersha
Reported by pjkersha, 10 years ago.
Description	For ESGF, the XRDS document returned by the OpenID Provider returns additional service endpoints. These should be listed at the level of a single XRD element and not one per XRD element. This is the current wrong way: <?xml version="1.0" encoding="UTF-8"?> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd($v2.0)"> <XRD> <Service priority="0"> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/signon/1.0</Type> <URI>https://openid.provider.somewhere.ac.uk</URI> <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID> </Service> </XRD> <XRD> <Service priority="10"> <Type>urn:esg:security:myproxy-service</Type> <URI>socket://myproxy-server.somewhere.ac.uk:7512</URI> <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID> </Service> </XRD> <XRD> <Service priority="20"> <Type>urn:esg:security:attribute-service</Type> <URI>https://attributeservice.somewhere.ac.uk</URI> <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID> </Service> </XRD> </xrds:XRDS> This is the correct way: <?xml version="1.0" encoding="UTF-8"?> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd($v2.0)"> <XRD> <Service priority="0"> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/signon/1.0</Type> <URI>https://openid.provider.somewhere.ac.uk</URI> <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID> </Service> <Service priority="10"> <Type>urn:esg:security:myproxy-service</Type> <URI>socket://myproxy-server.somewhere.ac.uk:7512</URI> <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID> </Service> <Service priority="20"> <Type>urn:esg:security:attribute-service</Type> <URI>https://attributeservice.somewhere.ac.uk</URI> <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID> </Service> </XRD> </xrds:XRDS>