Changes between Version 1 and Version 2 of TI12_Security/DEWSHealthStreamPortalAccess2MetOfficeGeoserverUseCase


Timestamp:
09/01/07 14:57:11 (13 years ago)
Author:
pjkersha
Comment:

--

  • TI12_Security/DEWSHealthStreamPortalAccess2MetOfficeGeoserverUseCase

    v1 v2  
    99 * Health Stream Portal where user is registered (Portal) 
    1010 * Portal Web Server (!PortalWebServer) 
    11  * Portal login interface - where user logs in  
    12  * Portal Attribute Authority WS (!PortalAA) - AA for where user is registered. 
    13  * Portal Session Manager WS (!PortalSM) - where user's session is held 
    14  * Portal Credential Wallet (!PortalCW) - part of the user's session.  It holds user's proxy certificate and caches Attribute Certificates (ACs) 
     11 * Portal login interface (!PortalLogin) - where user logs in  
     12 * Portal Attribute Authority WS (PortalAA) - AA for where user is registered. 
     13 * Portal Session Manager WS (PortalSM) - where user's session is held 
     14 * Portal Credential Wallet (PortalCW) - part of the user's session.  It holds user's proxy certificate and caches Attribute Certificates (ACs) 
    1515 * !MetOffice (Data provider) 
    1616 * !MetOffice Geoserver Gatekeeper (!MetOfficeGatekeeper) 
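Review bot: the rewritten list at 12-14 drops the `!` prefix from PortalAA, PortalSM and PortalCW while the new line 11 adds it for `!PortalLogin` and the unchanged lines 10 and 16 keep it for `!PortalWebServer` and `!MetOfficeGatekeeper`; pick one convention for the component short names so the list renders consistently, and since these short names are what the Normal Course steps refer to, make sure the spelling used here (PortalAA, PortalSM, PortalCW, !PortalLogin) is the one used in the steps below.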
     
    3030 
    3131== Normal Course == 
    32  1. User selects a resource from the Health Stream portal web site. 
    33  1. !PortalWebServer server side code checks the security constraints for that resource and determines that NDG security credentials are required. 
    34  1. It displays A's user credentials request interface over a secure connection. 
    35  1. The interface queries A's Attribute Authority WS to find out the list of NDG sites that A trusts.  The information includes the names of trusted sites and the URIs for their site login pages.  The interface gets A's Attribute Authority address from the secured resource's meta data. 
    36  1. The interface displays the list of trusted sites for the user to choose where they wish to retrieve their credentials from. 
    37  1. The user selects site B as they are registered there. 
    38  1. The interface redirects the user's browser to site B's NDG enabled login interface. 
    39  1. If the user has already authenticated there will be an NDG security session cookie present in site A's host domain.  Redirect back to the user credentials interface at A.  If A and B hosts are in different domains, include the session information in the URI so that it can set a new cookie in A's domain. 
    40  1. If the user has ''not'' already authenticated at B, then display B's login interface. 
    41  1. The user enters their username and pass-phrase. 
    42  1. Login interface passes the credentials over HTTPS to Session Manager B 
    43  1. B Session Manager authenticates the user, makes and holds a session for them and returns a cookie back to the login interface 
    44  1. Login interfaces sets the security session cookie and redirects the user's browser back to the user credentials interface at A.  If A and B hosts are in different domains, include the session information in the URI so that it can set a new cookie in A's domain. 
     32 1. User selects a secured resource from the Health Stream portal web site. 
     33 1. !PortalWebServer server side code checks for the existence of a security session cookie. 
     34 1. No security cookie is present so they are redirected to the Portal login page. 
     35 1. The user enters their username and pass-phrase at the login page (!PortalLogin) over a HTTPS connection. 
     36 1. The !PortalLogin passes the credentials over HTTPS to the PortalSM. 
     37 1. PortalSM authenticates the user, makes and holds a session for them and returns a cookie back to the !PortalLogin 
     38 1. !PortalLogin sets the security session cookie and redirects the user's browser back  
    4539 1. Credentials interface at A requires an Attribute Certificate from the user in order to get access.  It calls Session Manager A to make the request passing cookie returned from domain B as ID and the URI for the Attribute Authority A. 
    4640 1. Session Manager A checks the cookie, finds that the user's session is held at Session Manager B.  IT forwards the request there.
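Review bot: the unchanged steps 39 and 40 no longer match the rewritten course. Steps 32-38 now have the user authenticate directly at the Portal (`!PortalLogin` over HTTPS, session held by PortalSM), yet step 39 still speaks of the "Credentials interface at A", a "cookie returned from domain B" and "Attribute Authority A", and step 40 still has "Session Manager A" discovering the session at "Session Manager B" and forwarding the request there. Either rewrite those two steps in the new vocabulary, e.g. "!PortalWebServer calls PortalSM with the session cookie as ID and the URI of PortalAA" and "PortalSM checks the cookie and finds the session locally", or keep the cross-site flow, in which case the removed steps 35-38 and 44 need to come back. Two smaller points in the added lines: step 38 ("redirects the user's browser back") is cut off and should name the target, presumably the secured resource selected in step 32, which is what the cookie check in step 33 gates; and with the removed steps 39 and 44 gone, nothing in v2 passes session information in a redirect URI any more, so the cookie set in step 38 is the only session carrier and the step should say so explicitly.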