THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
Summary of issues with the current arrangement
- Better separation of policy model from assembly model
- implementation policy sets held by component due to reuse of implementation model objects
- OASIS are talking about moving to an external attachment model so we need flexibility to follow that move if necessary
- "Applies to" happens right at the start of contribution and is not subject to later builder processing
...
- Consistency of model style between assembly and policy models
- Separate any policy processing from policy model
- Consistency of policy extension model
- definitions.xml processing should be domain wide and not restricted to a single contribution
Idealistic policy model
The make sure I understand the model I reproduced my version of it from the existing spec resources. It's slightly different from what we have at present as the code model is somewhat optimized but I want to use this as my baseline for reviewing what we have in the implementations
Policy model reading follows the assembly model in having read and resolve phases. The read phase will create dummy objects with "unresolved = true" set to represent any unresolved references. These dummy objects are replaced with the real thing at the resolve stage.
Policy and assembly model relationship
Policy plug points
A summary of where the pluggable policies will apply. Some education before reviewing the existing extensibility story.
Policy Processing
TBD
The net result of associating intents and policysets with model elements is that computed policy sets are associated with bindings and/or implementations.
Current Policy Providers
o.a.t.s.policy.logging
Sample: samples/calculator-implementation-policies
Intent:
Tuscany specific
| Code Block |
|---|
<intent name="logging" constrains="sca:implementation.java">
<description>
All messages to and from this implementation must be logged
</description>
</intent>
|
Policy Set:
The assembly model starts life with manually configured intents and policy sets on individual assembly elements. The result of applying the intent and policySet inheritance rules and the intent and policySet matching rules leads to a final set of relationships between assembly artifacts and policySets. I started to draw these externalized from the assembly model but expect that they will resolve to placing the correct policySet QNames on appropriate assembly artifacts. These relationships drive the configuration of each binding and implementation and with wires in between.
Policy touch points
A summary of what parts of the runtime are affected by policies.
Policy Runtime
Policy implementations are provided by interceptors and by the bindings and implementations themselves. The assembly model relationships shown at the top of this diagram are as they are at the moment I believe. Need to look see if rationalization is required.
Implementation Policy
Service Policy
Reference Policy
Binding Policy
Current Policy Providers
o.a.t.s.policy.logging
Sample: samples/calculator-implementation-policies
Intent:
Tuscany specific
| Code Block |
|---|
<intent name="logging" constrains |
| Code Block |
<policySet name="JDKLoggingPolicy" provides="tuscany:logging" appliesTo="sca:implementation.java"> <description> All messages to and from this implementation must be logged </description> </intent> |
Policy Set:
| Code Block |
|---|
xmlns="http://www.osoa.org/xmlns/sca/1.0"> <tuscany:jdkLogger name="calculator"> <policySet name="JDKLoggingPolicy" provides="tuscany:logging" appliesTo="sca:implementation.java" <logLevel>FINER</logLevel>xmlns="http://www.osoa.org/xmlns/sca/1.0"> </tuscany:jdkLogger><tuscany:jdkLogger name="calculator"> </ <logLevel>FINER</logLevel> </tuscany:jdkLogger> </policySet> |
Note:
The intent is read from the policy-logging definitions file
Each component is set up with all policy provider factories
During wire creation RuntimeWireImpl adds implementation interceptors and the policy provider factories for the component look at the component/operation to see if an interceptor is required
On invoke the logging takes place
...
These steps require a closer integration between the bindings and the policy providers than we have currently.
Example of how binding.ws is configured in this scenario
Authentication - HTTP Basic
...
Need same capability as described in single sign on to get close to the web service binding and configure the transport (reference side) extract transport context (service side).the transport (reference side) extract transport context (service side).
Definitions.xml
| Code Block |
|---|
<sca:policySet name="WSBasicAuthenticationPolicySet"
provides="authentication"
appliesTo="sca:reference/sca:binding.ws">
<tuscany:wsBasicAuthentication>
<tuscany:userName>myname</tuscany:userName>
<tuscany:password>mypassword</tuscany:password>
</tuscany:wsBasicAuthentication>
<tuscany:wsAxisOption>
<propertySetter name="org.apache.tuscany.sca.binding.ws.axis2.policy.authentication.basic.WSBasicAuthenticationReferencePolicyAxisOptions"/>
<property name="_NTLM_DIGEST_BASIC_AUTHENTICATION_"/>
<authenticator>
<authScheme>Basic</authScheme>
<premtiveAuthentication>true</premtiveAuthentication>
</authenticator>
</property>
</tuscany:wsAxisOption>
</sca:policySet>
<sca:policySet name="WSBasicAuthenticationPolicySet"
provides="authentication"
appliesTo="sca:service/sca:binding.ws">
<tuscany:wsBasicAuthentication>
<tuscany:userName>myname</tuscany:userName>
<tuscany:password>mypassword</tuscany:password>
</tuscany:wsBasicAuthentication>
</sca:policySet>
|
Reference side interceptor:
| Code Block |
|---|
public class WSBasicAuthenticationReferencePolicyInterceptor implements Interceptor {
public static final QName policySetQName = new QName(Constants.SCA10_TUSCANY_NS, "wsBasicAuthentication");
private Invoker next;
private Operation operation;
private PolicySet policySet = null;
private String context;
private WSBasicAuthenticationPolicy policy;
public WSBasicAuthenticationReferencePolicyInterceptor(String context, Operation operation, PolicySet policySet) {
super();
this.operation = operation;
this.policySet = policySet;
this.context = context;
init();
}
private void init() {
if (policySet != null) {
for (Object policyObject : policySet.getPolicies()){
if (policyObject instanceof WSBasicAuthenticationPolicy){
policy = (WSBasicAuthenticationPolicy)policyObject;
break;
}
}
}
}
public Message invoke(Message msg) {
// could call out here to some 3rd part system to get credentials
msg.getQoSContext().put(WSBasicAuthenticationPolicy.WS_BASIC_AUTHENTICATION_USERNAME,
policy.getUserName());
msg.getQoSContext().put(WSBasicAuthenticationPolicy.WS_BASIC_AUTHENTICATION_PASSWORD,
policy.getPassword());
return getNext().invoke(msg);
}
public Invoker getNext() {
return next;
}
public void setNext(Invoker next) {
this.next = next;
}
}
|
Service side interceptor
| Code Block |
|---|
public class WSBasicAuthenticationServicePolicyInterceptor implements Interceptor {
public static final QName policySetQName = new QName(Constants.SCA10_TUSCANY_NS, "wsBasicAuthentication");
private Invoker next;
private Operation operation;
private PolicySet policySet = null;
private String context;
private WSBasicAuthenticationPolicy policy;
public WSBasicAuthenticationServicePolicyInterceptor(String context, Operation operation, PolicySet policySet) {
super();
this.operation = operation;
this.policySet = policySet;
this.context = context;
init();
}
private void init() {
if (policySet != null) {
for (Object policyObject : policySet.getPolicies()){
if (policyObject instanceof WSBasicAuthenticationPolicy){
policy = (WSBasicAuthenticationPolicy)policyObject;
break;
}
}
}
}
public Message invoke(Message msg) {
Object[] header = msg.getHeader();
Map httpHeaderProperties = (Map)Object[0];
String basicAuthString = (String)httpHeaderProperties.get("Authorization");
String decodedBasicAuthString = null;
String username = null;
String password = null;
if (basicAuthString != null) {
basicAuthString = basicAuthString.trim();
if (basicAuthString.startsWith("Basic ")) {
decodedBasicAuthString = new String(Base64.decode(basicAuthString.substring(6)));
}
int collonIndex = decodedBasicAuthString.indexOf(':');
if (collonIndex == -1){
username = decodedBasicAuthString;
} else {
username = decodedBasicAuthString.substring(0, collonIndex);
password = decodedBasicAuthString.substring(collonIndex + 1);
}
// could call out here to some 3rd part system to do whatever you
// need to turn credentials into a principal
msg.getQoSContext().put(Message.QOS_CTX_SECURITY_PRINCIPAL, username);
}
return getNext().invoke(msg);
}
public Invoker getNext() {
return next;
}
public void setNext(Invoker next) {
this.next = next;
}
}
|
| Code Block |
|---|
public class WSBasicAuthenticationReferencePolicyAxisOptions {
public WSBasicAuthenticationReferencePolicyAxisOptions(){
}
public void setServiceOptions(ServiceClient serviceClient) {
}
public void setOperationOptions(OperationClient operationClient, Message msg) {
// get security context
String securityPrincipal = (String)msg.getQoSContext().get(Message.QOS_CTX_SECURITY_PRINCIPAL);
String username = null;
String password = null;
// could use the security principal to look up basic auth credentials
if ( securityPrincipal != null ) {
// look up usename and password based on security principal
} else {
// take the message username and password
username = (String)msg.getQoSContext().get(WSBasicAuthenticationPolicy.WS_BASIC_AUTHENTICATION_USERNAME);
password = (String)msg.getQoSContext().get(WSBasicAuthenticationPolicy.WS_BASIC_AUTHENTICATION_PASSWORD);
}
if (username == null || password == null ){
throw new ServiceRuntimeException("Basic authenication username or password is null");
}
HttpTransportProperties.Authenticator authenticator = new HttpTransportProperties.Authenticator();
List<String> auth = new ArrayList<String>();
auth.add(Authenticator.BASIC);
authenticator.setAuthSchemes(auth);
authenticator.setPreemptiveAuthentication(true);
authenticator.setUsername(username);
authenticator.setPassword(password);
operationClient.getOptions().setProperty(HTTPConstants.AUTHENTICATE,
authenticator);
}
public void setMessageOptions(MessageContext messageContext) {
}
}
|
Confidentiality - WS Security
...