Programmatically Delegating a Credential
Identity Delegation Policy
The example source code below illustrates how to delegate a credential to the Credential Delegation Service (CDS) using an Identity Delegation Policy. In the example, the credential of the user who is currently logged in, or the default credential, is delegated to the CDS for a period of four hours. The delegation policy specified in the example allows only the user /O=caBIG/OU=caGrid/OU=Training/OU=Dorian/CN=jdoe to get a credential. If the user /O=caBIG/OU=caGrid/OU=Training/OU=Dorian/CN=jdoe requests a credential, the CDS will issue them a credential for a time period of 1 hour. If needed, the user may request additional credentials until the 4 hour delegation lifetime expires. Each additional credential will be valid for 1 hour, or for the time period left in the four hour delegation lifetime if that is less than 1 hour. Since the delegation path length of issued credentials is 0, the user /O=caBIG/OU=caGrid/OU=Training/OU=Dorian/CN=jdoe will not be allowed to delegate the credential to another party.

    import gov.nih.nci.cagrid.common.security.ProxyUtil;

    import java.util.ArrayList;
    import java.util.List;

    import org.cagrid.gaards.cds.client.ClientConstants;
    import org.cagrid.gaards.cds.client.DelegationUserClient;
    import org.cagrid.gaards.cds.common.IdentityDelegationPolicy;
    import org.cagrid.gaards.cds.common.ProxyLifetime;
    import org.cagrid.gaards.cds.common.Utils;
    import org.cagrid.gaards.cds.delegated.stubs.types.DelegatedCredentialReference;
    import org.globus.gsi.GlobusCredential;

    public class DelegationExample {

        public static DelegatedCredentialReference delegateCredential(String cdsURL) throws Exception {

            // The default credential or the user that is currently logged in.
            GlobusCredential credential = ProxyUtil.getDefaultProxy();

            // Specifies how long the delegation service can delegate this
            // credential to other parties.
            ProxyLifetime delegationLifetime = new ProxyLifetime();
            delegationLifetime.setHours(4);
            delegationLifetime.setMinutes(0);
            delegationLifetime.setSeconds(0);

            // Specifies the path length of the credential being delegated;
            // the minimum is 1.
            int delegationPathLength = 1;

            // Specifies how long credentials issued to allowed parties will
            // be valid for.
            ProxyLifetime issuedCredentialLifetime = new ProxyLifetime();
            issuedCredentialLifetime.setHours(1);
            issuedCredentialLifetime.setMinutes(0);
            issuedCredentialLifetime.setSeconds(0);

            // Specifies the path length of the credentials issued to allowed
            // parties. A path length of 0 means that the requesting party
            // cannot further delegate the credential.
            int issuedCredentialPathLength = 0;

            // Specifies the key length of the delegated credential.
            int keySize = ClientConstants.DEFAULT_KEY_SIZE;

            // The policy stating which parties will be allowed to obtain a
            // delegated credential. The CDS will only issue credentials to
            // parties listed in this policy.
            List<String> parties = new ArrayList<String>();
            parties.add("/O=caBIG/OU=caGrid/OU=Training/OU=Dorian/CN=jdoe");
            IdentityDelegationPolicy policy = Utils.createIdentityDelegationPolicy(parties);

            // Create an instance of the delegation client, specifying the CDS
            // service URL and the credential to be delegated.
            DelegationUserClient client = new DelegationUserClient(cdsURL, credential);

            // Delegates the credential and returns a reference which can later
            // be used by allowed parties to obtain a credential.
            DelegatedCredentialReference ref = client.delegateCredential(delegationLifetime,
                    delegationPathLength, policy, issuedCredentialLifetime,
                    issuedCredentialPathLength, keySize);
            return ref;
        }
    }
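The issuance rule described in the paragraph above (only listed identities are served, and an issued credential never outlives the delegation lifetime) can be modeled in a few lines. This is an added example, not code from this page or from caGrid, and it covers only the identity check and the lifetime clamp. The class `DelegationPolicyModel`, the method `lifetimeFor`, the `CN=asmith` identity and the timestamp are hypothetical or constructed, and exact string comparison of identities is an assumption.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import java.util.Optional;
import java.util.Set;

// Hypothetical model of the issuance rule described above; not CDS code.
public class DelegationPolicyModel {
    private final Set<String> allowedParties;  // identities listed in the policy
    private final Instant delegationExpires;   // end of the delegation lifetime
    private final Duration issuedLifetime;     // nominal lifetime of each issued credential

    DelegationPolicyModel(Set<String> allowedParties, Instant delegatedAt,
                          Duration delegationLifetime, Duration issuedLifetime) {
        this.allowedParties = allowedParties;
        this.delegationExpires = delegatedAt.plus(delegationLifetime);
        this.issuedLifetime = issuedLifetime;
    }

    // Lifetime of a credential requested at 'now', or empty when the requester
    // is not listed in the policy or the delegation lifetime has run out.
    Optional<Duration> lifetimeFor(String requester, Instant now) {
        if (!allowedParties.contains(requester)) {
            return Optional.empty();
        }
        Duration remaining = Duration.between(now, delegationExpires);
        if (remaining.isZero() || remaining.isNegative()) {
            return Optional.empty();
        }
        // Never issue past the end of the delegation lifetime.
        return Optional.of(remaining.compareTo(issuedLifetime) < 0 ? remaining : issuedLifetime);
    }

    public static void main(String[] args) {
        String jdoe = "/O=caBIG/OU=caGrid/OU=Training/OU=Dorian/CN=jdoe";
        String other = "/O=caBIG/OU=caGrid/OU=Training/OU=Dorian/CN=asmith"; // constructed
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");                  // constructed
        DelegationPolicyModel model = new DelegationPolicyModel(
                Collections.singleton(jdoe), t0, Duration.ofHours(4), Duration.ofHours(1));

        System.out.println("at delegation time:   " + model.lifetimeFor(jdoe, t0));
        System.out.println("30 min before expiry: " + model.lifetimeFor(jdoe, t0.plus(Duration.ofMinutes(210))));
        System.out.println("at expiry:            " + model.lifetimeFor(jdoe, t0.plus(Duration.ofHours(4))));
        System.out.println("unlisted identity:    " + model.lifetimeFor(other, t0));
    }
}
```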





