Programmatically Delegating a Credential
Group Delegation Policy
The example source code below illustrates how to delegate a credential to the Credential Delegation Service (CDS) with a Group Delegation Policy. In the example, the credential of the user who is currently logged in, or the default credential, is delegated to the CDS for a period of four hours. The delegation policy specified in the example allows members of the Training:Trainees group, managed by the Grid Grouper, to get a credential. If a user who is a member of Training:Trainees requests a credential, the CDS will issue them a credential valid for 1 hour. If needed, the user may request additional credentials until the 4 hour delegation lifetime expires. Each additional credential will be valid for 1 hour, or for the time left in the four hour delegation lifetime if that is less than 1 hour. Since the delegation path length of issued credentials is 0, any user who is issued a credential will not be permitted to delegate the credential to another party.

import gov.nih.nci.cagrid.common.security.ProxyUtil;

import org.cagrid.gaards.cds.client.ClientConstants;
import org.cagrid.gaards.cds.client.DelegationUserClient;
import org.cagrid.gaards.cds.common.GroupDelegationPolicy;
import org.cagrid.gaards.cds.common.ProxyLifetime;
import org.cagrid.gaards.cds.delegated.stubs.types.DelegatedCredentialReference;
import org.globus.gsi.GlobusCredential;

public class DelegationExample {

    public static DelegatedCredentialReference delegateCredential(String cdsURL) throws Exception {

        // The default credential, or that of the user who is currently logged in.
        GlobusCredential credential = ProxyUtil.getDefaultProxy();

        // Specifies how long the delegation service can delegate this
        // credential to other parties.
        ProxyLifetime delegationLifetime = new ProxyLifetime();
        delegationLifetime.setHours(4);
        delegationLifetime.setMinutes(0);
        delegationLifetime.setSeconds(0);

        // Specifies the path length of the credential being delegated; the
        // minimum is 1.
        int delegationPathLength = 1;

        // Specifies how long credentials issued to allowed parties will be
        // valid for.
        ProxyLifetime issuedCredentialLifetime = new ProxyLifetime();
        issuedCredentialLifetime.setHours(1);
        issuedCredentialLifetime.setMinutes(0);
        issuedCredentialLifetime.setSeconds(0);

        // Specifies the path length of the credentials issued to allowed
        // parties. A path length of 0 means that the requesting party cannot
        // further delegate the credential.
        int issuedCredentialPathLength = 0;

        // Specifies the key length of the delegated credential.
        int keySize = ClientConstants.DEFAULT_KEY_SIZE;

        // The policy stating which parties will be allowed to obtain a
        // delegated credential. The CDS will only issue credentials to parties
        // that are members of the group specified below.
        GroupDelegationPolicy policy = new GroupDelegationPolicy();
        policy.setGridGrouperServiceURL("https://training03.cagrid.org:6443/wsrf/services/cagrid/GridGrouper");
        policy.setGroupName("Training:Trainees");

        // Create an instance of the delegation client; specifies the CDS
        // service URL and the credential to be delegated.
        DelegationUserClient client = new DelegationUserClient(cdsURL, credential);

        // Delegates the credential and returns a reference which can later be
        // used by allowed parties to obtain a credential.
        DelegatedCredentialReference ref = client.delegateCredential(delegationLifetime, delegationPathLength,
            policy, issuedCredentialLifetime, issuedCredentialPathLength, keySize);
        return ref;
    }
}
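
The lifetime and path-length rules described above can be checked locally before calling the CDS. The following is an added example, not part of the original page or of the caGrid code base: the class `DelegationWindow` and its methods are hypothetical, and the rule that the issued path length must be lower than the delegation path length is an assumption taken from proxy certificate path-length semantics (RFC 3820), not from this page.

```java
import java.time.Duration;

// Hypothetical model (not a CDS class) of the rules described on this page.
public class DelegationWindow {
    private final Duration delegationLifetime;
    private final Duration issuedLifetime;
    private final int issuedPathLength;

    public DelegationWindow(Duration delegationLifetime, int delegationPathLength,
                            Duration issuedLifetime, int issuedPathLength) {
        if (delegationPathLength < 1)
            throw new IllegalArgumentException("delegation path length must be at least 1");
        // Assumption (RFC 3820): every proxy in the chain consumes one level.
        if (issuedPathLength < 0 || issuedPathLength >= delegationPathLength)
            throw new IllegalArgumentException("issued path length must be in [0, delegationPathLength)");
        if (delegationLifetime.isZero() || delegationLifetime.isNegative()
                || issuedLifetime.isZero() || issuedLifetime.isNegative())
            throw new IllegalArgumentException("lifetimes must be positive");
        this.delegationLifetime = delegationLifetime;
        this.issuedLifetime = issuedLifetime;
        this.issuedPathLength = issuedPathLength;
    }

    // Validity of a credential requested 'elapsed' after the delegation was
    // created. Duration.ZERO means the delegation is not usable at that time.
    public Duration validityAt(Duration elapsed) {
        Duration remaining = delegationLifetime.minus(elapsed);
        if (elapsed.isNegative() || remaining.isZero() || remaining.isNegative())
            return Duration.ZERO;
        // Issue the configured lifetime, or whatever is left if that is less.
        return remaining.compareTo(issuedLifetime) < 0 ? remaining : issuedLifetime;
    }

    // A path length of 0 means the holder cannot delegate any further.
    public boolean holderMayDelegate() {
        return issuedPathLength > 0;
    }

    public static void main(String[] args) {
        // Values from the example on this page: 4 h delegation, 1 h issued, path lengths 1 and 0.
        DelegationWindow w = new DelegationWindow(Duration.ofHours(4), 1, Duration.ofHours(1), 0);
        for (int minutes : new int[] {0, 150, 200, 240}) { // constructed request times
            long valid = w.validityAt(Duration.ofMinutes(minutes)).toMinutes();
            System.out.printf("request at +%d min: valid for %d min%n", minutes, valid);
        }
        System.out.println("holder may delegate further: " + w.holderMayDelegate());
    }
}
```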





