Timestamp:
02/06/09 15:42:32 (11 years ago)
Author:
pjkersha
Message:

Implemented a caching scheme for Attribute Certificates in the security filter deployed on the application middleware stack:

  • Credentials are already cached in the Session Manager but this resides on a separate WSGI stack so that in order to make a retrieval, a SOAP call is required
  • Caching is implemented in the security filter by extending the Policy Information Point (PIP) class to make it a WSGI app, PIPMiddleware. This gives it visibility of the current beaker session. When PIPMiddleware makes a request to retrieve an Attribute Certificate it can first query the certificate cache held in a CredentialWallet tied to the beaker session.
  • The CredentialWallet is pickleable so that the beaker session can pickle its content and retrieve it again when the middleware comes back after being offline.
Location:
TI12-security/trunk/python/ndg.security.common/ndg/security/common
Files:
2 edited

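--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/msi.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/msi.py
@@ -318,8 +318,8 @@
 
         attributeCertificate = self._getAttributeCertificate(
-                                        attributeAuthorityURI,
-                                        username,
-                                        sessionId,
-                                        subject[Subject.SESSIONMANAGERURI_NS])
+                    attributeAuthorityURI,
+                    username=username,
+                    sessionId=sessionId,
+                    sessionManagerURI=subject[Subject.SESSIONMANAGERURI_NS])
 
         attributeResponse = PIPAttributeResponse()
@@ -453,5 +453,5 @@
         '''Retrieve an Attribute Certificate direct from an Attribute
         Authority.  This method is invoked if no session ID or Session
-        MAnager endpoint where provided
+        Manager endpoint where provided
 
         @type username: basestring
@@ -487,5 +487,5 @@
             raise PDPUserAccessDenied()
 
-        # TODO: handle othe specific Exception types here for more fine
+        # TODO: handle other specific Exception types here for more fine
         # grained response info
 
@@ -493,5 +493,5 @@
             log.error("Request to Attribute Authority [%s] for attribute "
                       "certificate: %s: %s", attributeAuthorityURI,
-                       e.__class__, e)
+                      e.__class__, e)
             raise AttributeCertificateRequestError()
 
@@ -505,5 +505,38 @@
         self.policy = policy
         self.pip = pip
-        
+
+    def _getPolicy(self):
+        if self._policy is None:
+            raise TypeError("Policy object has not been initialised")
+        return self._policy
+
+    def _setPolicy(self, policy):
+        if not isinstance(policy, (Policy, None.__class__)):
+            raise TypeError("Expecting %s or None type for PDP policy; got %r"%
+                            (Policy.__class__.__name__, policy))
+        self._policy = policy
+
+    policy = property(fget=_getPolicy,
+                      fset=_setPolicy,
+                      doc="Policy type object used by the PDP to determine "
+                          "access for resources")
+
+    def _getPIP(self):
+        if self._pip is None:
+            raise TypeError("PIP object has not been initialised")
+
+        return self._pip
+
+    def _setPIP(self, pip):
+        if not isinstance(pip, (PIP, None.__class__)):
+            raise TypeError("Expecting %s or None type for PDP PIP; got %r"%
+                            (PIP.__class__.__name__, pip))
+        self._pip = pip
+
+    pip = property(fget=_getPIP,
+                   fset=_setPIP,
+                   doc="Policy Information Point - PIP type object used by "
+                       "the PDP to retrieve user attributes")
+
     def evaluate(self, request):
         '''Make access control decision'''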
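Review bot: The TypeError messages in the new `_setPolicy` and `_setPIP` setters (new lines 516 and 533) will report the wrong type name, because `Policy.__class__` is the metaclass of the class object, so `Policy.__class__.__name__` evaluates to `type` rather than `Policy` (and likewise for `PIP`). Use the class's own name instead: `(Policy.__name__, policy)` and `(PIP.__name__, pip)`. The `(Policy, None.__class__)` tuple in the isinstance checks is also clearer written as `(Policy, type(None))`. Raising when the policy or PIP is unset is a sensible fail-closed default for a decision point, though `evaluate` and the enclosing class header both lie outside this hunk so I cannot confirm how the getters are used there.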
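--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/credentialwallet.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/credentialwallet.py
@@ -172,6 +172,6 @@
     @type attributeAuthorityURI: string
     @ivar attributeAuthorityURI: URI of Attribute Authority to make
-    requests to.  Setting this ALSO creates an AttributeAuthorityClient instance
-    _attributeAuthorityClnt.  - See attributeAuthorityURI property for
+    requests to.  Setting this ALSO creates an AttributeAuthorityClient
+    instance _attributeAuthorityClnt.  - See attributeAuthorityURI property for
     details. (property attribute)
 
@@ -361,6 +361,9 @@
 
         # Credentials are stored as a dictionary one element per attribute
-        # certicate held and indexed by certificate issuer name
+        # certificate held and indexed by certificate issuer name
         self._credentials = {}
+
+        # A second dictionary indexes by Attribute Authority URI:
+        self._credentialsKeyedByURI = {}
 
 
@@ -663,7 +666,7 @@
 
     # Publish attribute
-    credentialsKeyedByURI = property(fget=_getCredentials,
-                           doc="List of Attribute Certificates linked to "
-                               "attribute authority URI")
+    credentialsKeyedByURI = property(fget=_getCredentialsKeyedByURI,
+                                     doc="List of Attribute Certificates "
+                                         "linked to attribute authority URI")
 
     def _getCACertFilePathList(self):
@@ -932,4 +935,5 @@
                 'id': -1,
                 'attCert': attCert,
+                'issuerName': issuerName,
                 'attributeAuthorityURI': attributeAuthorityURI
             }
@@ -1299,6 +1303,6 @@
 
         @type attributeAuthorityURI: string
-        @param attributeAuthorityURI: to call as a web service, specify the URI for the
-        Attribute Authority.
+        @param attributeAuthorityURI: to call as a web service, specify the URI
+        for the Attribute Authority.
 
         @type attributeAuthority: string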
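Review bot: The second index `self._credentialsKeyedByURI` added at new line 367 creates a consistency obligation that the hunk does not document: every path that inserts into, refreshes or drops an entry in `self._credentials` must update the URI-keyed dictionary as well, otherwise a lookup by Attribute Authority URI could hand back an Attribute Certificate that has already been discarded from the issuer-keyed store. The record at new lines 935-939 now carries `issuerName` alongside `attributeAuthorityURI`, which suggests both keys are meant to resolve to the same entry, but the insert and removal code lies outside this hunk so I cannot confirm the two are kept in step. I would add beside the new attribute: `# Must be updated in step with self._credentials: a stale entry here would serve an AC the wallet has already dropped`. Since the commit message says the wallet is pickled into the beaker session, a cache hit should presumably still be checked against the AC's validity period before it is used; verify against the lookup code.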