25 Apr 2005NVO Team Meeting - Tucson1 VOStore: a Java implementation Matthew J. Graham CACR/Caltech...

25 Apr 2005NVO Team Meeting - Tucson 1

VOStore: a Java implementation

Matthew J. GrahamCACR/Caltech

THE US NATIONAL VIRTUAL OBSERVATORY


Overview

• Java webapp: – $TOMCAT_HOME/webapps/vostore

• Embedded AXIS to handle WS:– $TOMCAT_HOME/webapps/vostore/services

• Embedded Sleepycat Berkeley DB (JE)• Embedded Jakarta Slide to handle

WebDAV:– $TOMCAT_HOME/webapps/vostore/webdav

• WCK to handle relational db stores• WSS4J to handle WS-Security


WSDL specification

• revisions• getAvailability• formats: FILE, CSV• transports: SOAP-ATTACHMENT, WEBDAV• put(id, format, transport) VOStoreResponse• get(id, format, transport) VOStoreResponse• listAll VOStoreDescriptor[]• list VOStoreDescriptor[]• rename• delete


StoreDescriptor

• identifier• creationDate• modificationDate• owner: DN

• format: – FILE, CSV, WEBDAV-FOLDER, WEBDAV-RESOURCE

• location• parent• children• isFolder• isStored

}}VOStoreDescriptor


WebDAV

• A set of extensions to HTTP to support:– Locking – Collections– Properties – Access control– Namespace management – Versioning

• Verbs:– PROPFIND – PROPPATCH– MKCOL – DELETE– PUT – COPY– MOVE – LOCK– UNLOCK – OPTIONS– SEARCH


Identifier-location mapping

ivoa:// nvo.caltech / myData # 1

Format = FILE Format = CSV

http://localhost:8080/vostore/webdav

/files/abcdef12-abcdef12 /db/nvo_caltech_myData_1


Relational db stores

• http://…/db/nvo_caltech_myData_1– open JDBC connection to db– drop table nvo_caltech_myData_1– create table nvo_caltech_myData_1:

• #Names: col1, col2, …• #Formats: varchar(20)

– insert into nvo_caltech_myData_1 values (…)


Security (I)

• Certificate request:– Country – State – City – Organization – Unit – Name – Email

-----BEGIN CERTIFICATE REQUEST-----MIIBWTCCAQMCAQAwgZ0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhQYXNhZGVuYTEQMA4GA1UEChMHQ2FsdGVjaDEVMBMGA1UECxMMQXN0cm9waHlzaWNzMRcwFQYDVQQDEw5NYXR0aGV3IEdyYWhhbTEkMCIGCSqGSIb3DQEJARYVbWpnQGFzdHJvLmNhbHRlY2guZWR1MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANWUbVnZ+kbWycOcWiICvOZajKyhGFQhzOk5mbc9UcCYha9KkdzxZqtvYslt8+/m6xC2qvQ+nNSLo8TKc0aJvAECAwEAAaAAMA0GCSqGSIb3DQEBBAUAA0EArAHtlt0rLhSe0IPuft5h3dNrdASOqLCT49Lhdq+4In62NZFum8Ks3dEykMjhon92NjuQzQB6F3ipro+yCTpUOA==-----END CERTIFICATE REQUEST-----


Security (II)

• X.509 certificate (PEM):-----BEGIN CERTIFICATE-----MIICFDCCAb4CAQcwDQYJKoZIhvcNAQEEBQAwgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhQYXNhZGVuYTEQMA4GA1UEChMHQ2FsdGVjaDENMAsGA1UECxMEQ0FDUjEOMAwGA1UEAxMFQ2lyY2UxIzAhBgkqhkiG9w0BCQEWFG1qZ0BjYWNyLmNhbHRlY2guZWR1MB4XDTA1MDQyMTIxNTkyNVoXDTA1MDUyMTIxNTkyNVowgZ0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhQYXNhZGVuYTEQMA4GA1UEChMHQ2FsdGVjaDEVMBMGA1UECxMMQXN0cm9waHlzaWNzMRcwFQYDVQQDEw5NYXR0aGV3IEdyYWhhbTEkMCIGCSqGSIb3DQEJARYVbWpnQGFzdHJvLmNhbHRlY2guZWR1MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANWUbVnZ+kbWycOcWiICvOZajKyhGFQhzOk5mbc9UcCYha9KkdzxZqtvYslt8+/m6xC2qvQ+nNSLo8TKc0aJvAECAwEAATANBgkqhkiG9w0BAQQFAANBACwiM3r+07/iZfiIrF7YPEC1Eml+k+5esbbzObl/OyaSHrUSP0xYM12fuFiBSVMmwU9NlyLCNDHnM8dWnFTIDyI=-----END CERTIFICATE-----


Security (III)

• X.509 certificate (PEM) cont.:Owner: [email protected], CN=Matthew Graham,

OU=Astrophysics, O=Caltech, L=Pasadena, ST=California, C=USIssuer: [email protected], CN=Circe, OU=CACR,

O=Caltech, L=Pasadena, ST=California, C=USSerial number: 7Valid from: Thu Apr 21 14:59:25 PDT 2005 until: Sat May 21 14:59:25

PDT 2005Certificate fingerprints: MD5: C0:00:75:FC:D2:7A:BE:B1:35:2D:31:53:3B:27:9D:01 SHA1:

50:9C:96:4B:14:D3:0B:72:3F:49:CC:99:E2:3A:B7:45:FE:D5:F2:24

• X.509 certificate (PKCS12)


WS-Security (I)

• Digitally sign SOAP messages with X.509 certificate:

<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"

xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-

200401-wss-wssecurity-secext-1.0.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-3611893" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIICFDCCAb4CAQcwDQYJKoZIhvcNAQEEBQAwgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp

Zm9ybmlhMREwDwYDVQQHEwhQYXNhZGVuYTEQMA4GA1UEChMHQ2FsdGVjaDENMAsGA1UECxMEQ0FDUjEOMAwGA1UEAxMFQ2lyY2UxIzAhBgkqhkiG9w0BCQEWFG1qZ0BjYWNyLmNhbHRlY2guZWR1MB4XDTA1MDQyMTIxNTkyNVoXDTA1MDUyMTIxNTkyNVowgZ0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhQYXNhZGVuYTEQMA4GA1UEChMHQ2FsdGVjaDEVMBMGA1UECxMMQXN0cm9waHlzaWNzMRcwFQYDVQQDEw5NYXR0aGV3IEdyYWhhbTEkMCIGCSqGSIb3DQEJARYVbWpnQGFzdHJvLmNhbHRlY2guZWR1MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANWUbVnZ+kbWycOcWiICvOZajKyhGFQhzOk5mbc9UcCYha9KkdzxZqtvYslt8+/m6xC2qvQ+nNSLo8TKc0aJvAECAwEAATANBgkqhkiG9w0BAQQFAANBACwiM3r+07/iZfiIrF7YPEC1Eml+k+5esbbzObl/OyaSHrUSP0xYM12fuFiBSVMmwU9NlyLCNDHnM8dWnFTIDyI=</wsse:BinarySecurityToken><ds:Signature

xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>


WS-Security (II):<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-

c14n#"><ec:InclusiveNamespaces PrefixList="soapenv xsd xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod>

<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-7927866"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces

PrefixList="xsd xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>/j0+BLme8mKuxVed9eXCNnSmZBU=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>m8z0ODW17ynpovU0tn13WD5byd41cePcoaFaTKzS+9z3RSB6vcE2Sjb50fhtO75Uuu+8JM9HUBmDAFWJ7Tz3zg==</ds:SignatureValue><ds:KeyInfo Id="KeyId-4798869"><wsse:SecurityTokenReference wsu:Id="STRId-3664555"

xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:Reference URI="#CertId-3611893"/></wsse:SecurityTokenReference>

</ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header><soapenv:Body wsu:Id="id-7927866"

xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Put xmlns="http://vospace.ivoa.net"><requestedIdentifier>ivoa://nvo.caltech/myData#1</requestedIdentifier>

<transport>WEBDAV</transport><format>CSV</format></Put></soapenv:Body></soapenv:Envelope>


WSS4J: Client

public VOStoreTestSecureClient() { EngineConfiguration config = new FileProvider("client_deploy.wsdd"); VOStoreLocator loc = new VOStoreLocator(config); Stub axisPort = (Stub) loc.getPort(VOStoreSoap.class); axisPort._setProperty(WSHandlerConstants.ACTION,

WSHandlerConstants.SIGNATURE); axisPort._setProperty(WSHandlerConstants.SIG_PROP_FILE,

"client_crypto.properties"); axisPort._setProperty(WSHandlerConstants.USER, "mjg-cert"); axisPort._setProperty(WSHandlerConstants.PW_CALLBACK_CLASS,

"net.ivoa.vospace.client.PWCallback"); axisPort._setProperty(WSHandlerConstants.SIG_KEY_ID,

"DirectReference"); service = (VOStoreSoapStub) axisPort;


WSS4J: Server

public String getUser() { MessageContext context = MessageContext.getCurrentContext();

Vector recvResults = (Vector) context.getProperty(WSHandlerConstants

.RECV_RESULTS);WSHandlerResult result = (WSHandlerResult) recvResults.get(0);Vector results = result.getResults();WSSecurityEngineResult wsseResult = (WSSecurityEngineResult) results

.get(0);String DN = wsseResult.getPrincipal().getName();String user = DN.substring(13, DN.indexOf(','));


Secure WebDAV

• Server:<Connector port=”8443" maxThreads="150" minSpareThreads="25"

maxSpareThreads="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https"

secure="true" clientAuth="true" sslProtocol="TLS" URIEncoding="UTF-8"/>

• Client:Protocol.registerProtocol("https", new Protocol("https", new

SSLCertSocketFactory("ca.pem", "client.p12"), 443));HttpURL hrl = new HttpsURL(“localhost", 8443, "/webdav");WebdavResource wdr = new WebdavResource(hrl);


Attachments: Client

• Put:DataHandler attachmentFile = new DataHandler(new

FileDataSource("test.fits"));service._setProperty(Call.ATTACHMENT_ENCAPSULATION_FORMAT,

Call.ATTACHMENT_ENCAPSULATION_FORMAT_DIME);service.addAttachment(attachmentFile);

• Get:Object[] messageAttachments = service.getAttachments();AttachmentPart attachment = (AttachmentPart)

messageAttachments[0];DataHandler dh = attachment.getDataHandler();InputStream is = dh.getInputStream();


Attachments: Server

• Adding:FileDataSource fds = new FileDataSource(tempFile);AttachmentPart replyAttachment = new AttachmentPart(new

DataHandler(fds));MessageContext context = MessageContext.getCurrentContext();Message respMsg = context.getResponseMessage();respMsg.getAttachmentsImpl().setSendType(Attachments.SEND_TYPE_

DIME);respMsg.addAttachmentPart(replyAttachment);

• Retrieving:MessageContext context = MessageContext.getCurrentContext(); Message reqMsg = context.getRequestMessage(); Attachments messageAttachments = reqMsg.getAttachmentsImpl();


Interoperability

• C#:– WSE 2.0– WSRF.Net

• Perl :– DIME-based attachments not yet fully functional in

SOAP::Lite– WS-Security will be supported by WSRF::Lite (but not yet)– HTTP::Webdav/PerlDAV

• Python:– ZSI– pyGridWare– Python DAV client library


What next?

• VOTable and FITS binary table parsers• SRB for bulk data transfers• SAML tokens

25 Apr 2005NVO Team Meeting - Tucson1 VOStore: a Java implementation Matthew J. Graham CACR/Caltech...

Documents

Transcript of 25 Apr 2005NVO Team Meeting - Tucson1 VOStore: a Java implementation Matthew J. Graham CACR/Caltech...