Changes between Version 2 and Version 3 of TI12_Security/DEWSHealthStreamPortalAccess2MetOfficeGeoserverUseCase


Ignore:
Timestamp:
09/01/07 15:17:35 (13 years ago)
Author:
pjkersha
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TI12_Security/DEWSHealthStreamPortalAccess2MetOfficeGeoserverUseCase

    v2 v3  
    1212 * Portal Attribute Authority WS (PortalAA) - AA for where user is registered. 
    1313 * Portal Session Manager WS (PortalSM) - where user's session is held 
    14  * Portal Credential Wallet (PortalCW) - part of the user's session.  It holds user's proxy certificate and caches Attribute Certificates (ACs) 
     14 * Credential Wallet (!CredentialWallet) - part of the user's session held by the PortalSM.  It holds the user's proxy certificate/private key and caches Attribute Certificates (ACs) 
    1515 * !MetOffice (Data provider) 
    16  * !MetOffice Geoserver Gatekeeper (!MetOfficeGatekeeper) 
    17  * !MetOffice Geoserver (!MetOfficeGeoserver) 
     16 * !MetOfficeGatekeeper (!MetOfficeGatekeeper) 
     17 * !MetOfficeGeoserver (!MetOfficeGeoserver) 
    1818 * Resource at !MetOffice Geoserver to be accessed 
    1919 * !MetOffice Attribute Authority WS (!MetOfficeAA) 
     
    3232 1. User selects a secured resource from the Health Stream portal web site. 
    3333 1. !PortalWebServer server side code checks for the existence of a security session cookie. 
    34  1. No security cookie is present so they are redirected to the Portal login page. 
    35  1. The user enters their username and pass-phrase at the login page (!PortalLogin) over a HTTPS connection. 
     34 1. No security cookie is present so they are redirected to the Portal login page (!PortalLogin). 
     35 1. The user enters their username and pass-phrase at the !PortalLogin over a HTTPS connection. 
    3636 1. The !PortalLogin passes the credentials over HTTPS to the PortalSM. 
    3737 1. PortalSM authenticates the user, makes and holds a session for them and returns a cookie back to the !PortalLogin 
    38  1. !PortalLogin sets the security session cookie and redirects the user's browser back  
    39  1. Credentials interface at A requires an Attribute Certificate from the user in order to get access.  It calls Session Manager A to make the request passing cookie returned from domain B as ID and the URI for the Attribute Authority A. 
    40  1. Session Manager A checks the cookie, finds that the user's session is held at Session Manager B.  IT forwards the request there. 
    41  1. Session Manager B checks in the user's wallet for existing Attribute Certificates issued by Attribute Authority A 
    42  1. If none are present it requests one from Attribute Authority A 
    43  1. Attribute Authority A denies the request as the user is not registered with site A.  However, it also returns a list of the Attribute Authorities of trusted organisations. 
    44  1. Session Manager B checks it's wallet for an Attribute Certificate from one of these trusted sites. 
    45  1. B is a trusted site and the wallet contains an Attribute Certificate issued by B. 
    46  1. At this point the credentials interface at B can prompt the user to see if they wish to use their B  Attribute Certificate to gain access or if they would prefer to get an Attribute Certificate from one of the other trusted sites. 
    47  1. The chosen Attribute Certificate is sent in a second request to Attribute Authority A in order to get access. 
    48  1. Attribute Authority A accepts the B Attribute Certificate as it is from a trusted site. It uses its role map to map the roles contained in the B Attribute Certificate to local roles understood by site A. 
    49  1. The mapped roles are returned in a mapped certificate to Session Manager B. 
    50  1. Session Manager B adds the new mapped Attribute Certificate to the user's wallet and returns the Attribute Certificate to the Credentials interface at A. 
    51  1. The Credentials Interface passes the mapped Attribute Certificate to the Gatekeeper WS controlling access to the resource at A. 
    52  1. The Gatekeeper checks the roles in the mapped Attribute Certificate against the role(s) controlling access to the resource.  If they match, access to the resource can proceed. 
     38 1. !PortalLogin sets the security session cookie and redirects the user's browser back 
     39 1. The Portal calls the PortalSM with getAttCert to ask it to retrieve an Attribute Certificate from the PortalAA. 
     40 1. PortalAA accepts the request since the user is registered with the Portal. 
     41 1. The PortalSM caches the Attribute Certificate returned in the user's CredentialWallet. 
     42 1. The PortalSM calls the !MetOfficeAA with a getAttCert request passing its portal Attribute Certificate. 
     43 1. !MetOfficeAA accepts the Portal Attribute Certificate as it is from a `trusted` site.  It uses its role map to map the roles contained in the Portal Attribute Certificate to local roles understood by !MetOfficeGeoserver. 
     44 1. The mapped roles are returned in a mapped certificate to !PortalSM. 
     45 1. PortalSM adds the new mapped Attribute Certificate to the user's wallet and returns the Attribute Certificate to the Portal. 
     46 1. The Portal passes the mapped Attribute Certificate to the !MetOfficeGatekeeper with the Geoserver request. 
     47 1. The !MetOfficeGatekeeper checks the roles in the mapped Attribute Certificate against the role(s) controlling access to the resource.  If they match, access to the resource can proceed.