Changes between Version 4 and Version 5 of T12_Security/ESG/SecuringOPeNDAP


Timestamp:
12/11/09 12:52:11 (10 years ago)
Author:
pjkersha
Comment:

--

  • T12_Security/ESG/SecuringOPeNDAP

    v4 v5  
    11[[WikiInclude(T12_Security/_menu)]] 
    2 = Security Layer for OPeNDAP Service = 
     2== Security Layer for OPeNDAP Service == 
    33The Sequence Diagram below shows the series of steps for a HTTP client to access a secured OPeNDAP service.  The User Agent could be a web browser, wget program or other HTTP client.   A scenario is envisaged with a BADC Data Node hosting an OPeNDAP service.  The Data Node has security middleware components which front the OPeNDAP application and intercept requests.  The component architecture is assumed to be Python [http://wsgi.org/wsgi/WSGI] based.  Components in the web application middleware stack communicate with one another using WSGI. 
    44 
    5 The User Agent makes a request to the OPeNDAP service.  This is intercepted by the SessionHandler.  This checks with the authorisation handler to see if the requested URI is a secured one.  This is the case, so the Session Handler then checks to see if the user has a valid session cookie.  The user does not so they are returned a redirect request to redirect them to the Authentication Handler.   
     5The User Agent makes a request to the OPeNDAP service.  This is intercepted by the Session Handler.  This checks with the authorisation handler to see if the requested URI is a secured one.  This is the case, so the Session Handler then checks to see if the user has a valid session cookie.  The user does not so they are returned a redirect request to redirect them to the Authentication Handler.   
    66 
    7 The authentication handler is hosted on a separate BADC node.  The handler receives the request over HTTPS and checks for a client certificate in the SSL handshake.  If none is provided, the handler returns a HTTP 401 Unauthorised response but this also contains OpenID Relying Party interface.  If the User Agent is browser, the user can intervene and enter their OpenID URL and proceed with OpenID based sign in.  In this case though, on receipt of the HTTP 401 Unauthorised response, the agent re-invokes the URL but this time passing a client certificate.  For ESG, to enable compatibility with OpenID and certificate based authentication, the certificate contains the users OpenID URL embedded in a certificate extension.  This extension is a SAML assertion. 
     7The Authentication Handler is hosted on a separate BADC node.  The handler receives the request over HTTPS and checks for a client certificate in the SSL handshake.  If none is provided, the handler returns a HTTP 401 Unauthorised response but this also contains OpenID Relying Party interface.  If the User Agent is browser, the user can intervene and enter their OpenID URL and proceed with OpenID based sign in.  In this case though, on receipt of the HTTP 401 Unauthorised response, the agent re-invokes the URL but this time passing a client certificate.  For ESG, to enable compatibility with OpenID and certificate based authentication, the certificate contains the users OpenID URL embedded in a certificate extension.  This extension is a SAML assertion. 
    88 
    99The authentication handler, checks for client certificate passed, and if present, authenticates based on this certificate.  The certificate is accepted and the agent is returned a redirect response containing a session cookie.  The agent invokes this redirect back to the original OPeNDAP URI it requested.  This time, the Session Handler receives the request and finds a session cookie confirming the user has previously authenticated.  It then passes the request to the Authorisation Handler.
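Review bot: component naming is still inconsistent after this edit. Modified line 7 now reads "The Authentication Handler", but unchanged line 9 keeps "The authentication handler, checks for client certificate passed" (lowercase, with a stray comma), and line 5 says "the authorisation handler" where line 9 says "the Authorisation Handler". Suggest settling on the capitalised form throughout, and while line 7 is being touched, fixing "If the User Agent is browser" to "is a browser", "also contains OpenID Relying Party interface" to "also contains an OpenID Relying Party interface", and "the users OpenID URL" to "the user's OpenID URL". Separately, line 7 states that the certificate carries the OpenID URL in a SAML assertion extension, but line 9 only says "The certificate is accepted" before the session cookie is issued; the page would be clearer if line 9 stated what the handler actually verifies at that point (the certificate chain, and whether the SAML extension is checked) before the redirect with the cookie is returned.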