The WSTIERIA Project –
A Web of Services
6 October 2010
Fiona Culloch
fiona.culloch@ed.ac.uk
Project context
• Previous EDINA (geo) web services
authentication work (SEE-GEO project)
• EDINA Digimap uses web services in
back end
• Delegated authentication work by
Shibboleth core team and U. Chicago
• JISC Access and Identity Management
(AIM) Programme, “n-tier” call
The requirement
• Browser-based federated SSO
protocols require:
– HTTP redirection
– Cookies
– SSL/TLS
– User input (usernames, passwords, etc.)
– HTML processing
The problem
• Web service clients may support none
of these requirements. Consider:
– Floating, “back end” client process
– Without direct access to user input
– Supporting only HTTP, not HTTPS
– Or closed-source desktop app with no
cookie or redirect support
The consequence
• Web services generally do not support
federated authentication
– Talking about plain HTTP web services
– SOAP-based services do have mechanisms
• WS-Federation, WS-Trust,…
• But complex standards, dependent on
framework implementations
• Implementations have inter-op issues
First approach: “façade” concept
• Separate:
– Client data flow (XML over HTTP)
– From browser auth flow (HTML, SAML over
HTTP)
• In the client flow:
– URI must contain a valid token
– Token obtained from browser auth flow
“Façade” is an authenticating proxy
[Diagram: Client → Façade → WS. The client calls a façade URL carrying the token (http://proxy/...438657...) and receives the web service’s XML response.]
Façade has two faces
[Diagram: client face: Client → http://url1/...438657... → Façade → WS, XML returned to the client. Browser face: Browser ↔ SP (SAML, HTML) at http://url2/...438657..., where the token is obtained.]
In practice
• First step: browser login to façade SP
– Standard Shibboleth IdP/SP flow
– Façade authorizes (here using ePSA)
– If successful, URL with token generated
Copy access link
• Paste URL into client application
Unmodified client accesses WS
• Via façade, using URL with token
– Not via Shibboleth
Implementation methods
• In previous work, façade was:
– Java servlet
– Bespoke SAML SP implementation
• Shared tokens with servlet via in-memory DB
• WSTIERIA:
– Saw similarity to standard HTTP proxy
– Investigated off-the-shelf solutions
– Pursued Apache + mod_rewrite
Use Apache as façade
• Does URL contain /session/nnn/xxx ?
– No: reject (Forbidden)
– Yes: replace by /ws/xxx
• RewriteMap M txt:file
RewriteRule ^/session/([^/]+)/(.*) ${M:$1|/forbid}/$2
RewriteRule ^/forbid - [F]
RewriteRule ^/ws(.*) http://wsv/path$1 [P]
• File maps valid tokens to “/ws”:
• 123456 /ws
• 789012 /ws etc.
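The following is an added example, not code from the WSTIERIA project, that emulates the three RewriteRules above in Python so the decision logic can be tested without Apache. It parses a constructed token map in the same “token target” form as the txt: RewriteMap, accepts only /session/<token>/<rest> paths whose token is in the map, and maps them to the upstream web service. The upstream name http://wsv/path is the one on the slide; the façade host name http://facade and the map contents are assumptions.

```python
import re
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample of the txt: RewriteMap file ("token target" per line),
# mirroring the slide's "123456 /ws" entries. Not the project's own file.
MAP_FILE_TEXT = """\
# token    target
123456     /ws
789012     /ws
"""

# Upstream web service the façade proxies to (name taken from the slide).
WS_UPSTREAM = "http://wsv/path"

# /session/<token>/<rest>: the token is the path segment after /session/.
SESSION_RE = re.compile(r"^/session/([^/]+)(/.*)?$")


def load_token_map(text: str) -> Dict[str, str]:
    """Parse an Apache txt: RewriteMap: 'key value' per line, '#' comments."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        table[key] = value.strip()
    return table


def new_token() -> str:
    """Token minted after the browser/SAML login succeeds. The slide shows short
    numeric tokens; an unguessable random value is what a deployment should use."""
    return secrets.token_urlsafe(24)


def issue_access_link(token_map: Dict[str, str], facade_base: str = "http://facade") -> str:
    """Record a fresh token in the map (Apache would rewrite the txt: file) and
    return the access link the user pastes into the client application."""
    token = new_token()
    token_map[token] = "/ws"
    return f"{facade_base}/session/{token}/"


def route(path: str, token_map: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Emulate the rewrite chain for one request path.

    /session/<token>/<rest> -> ${M:token|/forbid}/<rest> -> /ws/<rest> -> proxy.
    Returns (status, upstream_url); (403, None) when the request is refused.
    A request that names /ws/... directly is refused here as well: the token
    check is the whole point of the façade.
    """
    m = SESSION_RE.match(path)
    if not m:
        return 403, None  # no /session/ prefix: falls through to [F]
    token, rest = m.group(1), m.group(2) or "/"
    target = token_map.get(token)  # ${M:$1|/forbid}
    if target is None or not target.startswith("/ws"):
        return 403, None  # RewriteRule ^/forbid - [F]
    # RewriteRule ^/ws(.*) http://wsv/path$1 [P]
    return 200, WS_UPSTREAM + rest
```

One check worth making on the real Apache configuration: the third rule matches any path beginning with /ws, so a client that sends /ws/... directly, rather than via /session/<token>/..., must not reach it (for example by keeping the proxied path unreachable from outside the rewrite chain). The emulation above refuses such requests outright.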
Problem with façade concept
• What if a web service response
contains URLs of WS endpoints?
– Client may try to access those URLs
– But blocked by firewall
– Can only be accessed via the façade
• Façade must rewrite response data, …
http://ws… => …http://façade…
Rewriter implementation
• Problem not theoretical: affects Web Map
Service example above (GetCapabilities)
• Original servlet did Java string processing
• Apache can do it by filtering proxied
response through a perl script
(SetOutputFilter). Details at:
– http://edina.ac.uk/projects/wstieria/files/TN01-facad
Problem more general than thought
• Thought GetCapabilities was odd accident of
OWS protocol
• Try to apply method to WebDAV (remote file
access) expecting no issue
• Same problem, with knobs on:
– XML responses require URL rewriting
– “Destination:” header in move requests contains
URLs of WS (RequestHeader edit)
– “Location:” response header is a bridge too far
(Header edit, subst. string can’t be an env. var.)
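The following added example (not the project’s TN01 perl filter, and not its Apache Header/RequestHeader configuration) shows in Python the three rewrites the two slides above call for: upstream URLs inside a response body such as GetCapabilities XML are rewritten to façade URLs carrying the session token; the WebDAV “Destination:” request header is rewritten in the opposite direction, from façade URL back to upstream URL; and a “Location:” response header is rewritten like the body. The upstream http://wsv/path is the slide’s name; the façade host http://facade and the sample XML are constructed for the example.

```python
from typing import Dict

WS_BASE = "http://wsv/path"    # upstream web service (name from the slide)
FACADE_BASE = "http://facade"  # façade host (assumed name)

# Constructed fragment of a WMS GetCapabilities response; the service
# advertises its own endpoint, which the client cannot reach directly.
SAMPLE_CAPABILITIES = (
    '<GetCapabilities><DCPType><HTTP><Get>'
    '<OnlineResource xlink:href="http://wsv/path/wms?"/>'
    '</Get></HTTP></DCPType></GetCapabilities>'
)


def facade_prefix(token: str) -> str:
    """URL prefix a client must use so the façade accepts the request."""
    return f"{FACADE_BASE}/session/{token}"


def rewrite_outbound_body(text: str, token: str) -> str:
    """WS -> client: replace upstream endpoint URLs in the response body with
    façade URLs that carry this session's token (the perl output filter's job)."""
    return text.replace(WS_BASE, facade_prefix(token))


def rewrite_inbound_headers(headers: Dict[str, str], token: str) -> Dict[str, str]:
    """Client -> WS: WebDAV MOVE/COPY name the target in 'Destination:'. The
    client only knows façade URLs, so it is mapped back to the upstream URL.
    A Destination outside this session's façade namespace is refused, so a
    client cannot hand the upstream an arbitrary URL."""
    out = dict(headers)
    dest = out.get("Destination")
    if dest is not None:
        prefix = facade_prefix(token)
        if not dest.startswith(prefix + "/"):
            raise ValueError("Destination outside this session's facade namespace")
        out["Destination"] = WS_BASE + dest[len(prefix):]
    return out


def rewrite_outbound_headers(headers: Dict[str, str], token: str) -> Dict[str, str]:
    """WS -> client: a 'Location:' header (e.g. after MKCOL or PUT) must point
    back through the façade, otherwise the client follows it into the firewall."""
    out = dict(headers)
    loc = out.get("Location")
    if loc is not None and loc.startswith(WS_BASE):
        out["Location"] = facade_prefix(token) + loc[len(WS_BASE):]
    return out
```

The Destination check is the part a deployment should not skip: because the header is supplied by the client, it is the one place where the client, rather than the service, chooses a URL that the façade forwards upstream.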
Persevered for completeness
• Façade-protected WebDAV partially
working (issues with folder creation)
– http://edina.ac.uk/projects/wstieria/files/TN0
• Proper fix would be protocol-specific
– Which is what we wanted to avoid
Lessons learned
• Façade method depends on
– “clean” application-level protocol
– Or at least a well-understood one
• Applying mechanically to arbitrary app
protocol may lead to trouble
• If you control (understand) the app:
– Façade method may be applicable
– Simple Apache config + scripts
Shibboleth approach
• Recent work by Shibboleth core team and U.
Chicago
– Extends Shibboleth with delegated authentication
• User logs in to “portal” (SP#1)
• Using IdP with delegation plug-in
• SP#1 app invokes web service at SP#2
• SP#2 gets user attributes without login there
• Library lets portal app transparently forward SP#2
authN request back to IdP
Current work
• Install/configure required components:
– SP#1: /portal, library, tomcat, shibd
– SP#2: /ws, tomcat, shibd
– IdP: /idp, tomcat, deleg. plug-in
– Dev. Env. (/portal, /ws): Eclipse, Maven2
– ECP/PAOS using SP#1’s authN assertion
