GUMS Flow (diagram should be added)

  • server-config.wsdd: This is the main web services configuration file for tomcat. It defines the service GUMSAuthorizationServicePort, and within this the class name of the class handling the server requests, which is It also defines the wsdl port type org.opensciencegrid.authz.stubs.SAMLRequestPortType, allows all methods within that class, which in SAMLRequestPortType is one function, 'org.opensciencegrid.authz.stubs.SAMLResponseType SAMLRequest(org.opensciencegrid.authz.stubs.SAMLRequestType samlRequest)', where SAMLResponseType and SAMLRequestType are also defined in this configuration file.
  • web.xml: This is the main web app configuration file for tomcat. A filter for obtaining certificate information is defined within this file of type, which implements javax.servlet.Filter.
  • This is the main GUMS web service class that extends org.opensciencegrid.authz.stubs.AuthorizationServiceBindingSkeleton (in privilege jar), which implements org.apache.axis.wsdl.Skeleton interface, which extends AuthorizationServiceBindingSkeleton has a constructor where the port type object, org.opensciencegrid.authz.stubs.SAMLRequestPortType, that is defined in the server configuration file, is passed in. GUMSAuthZService evokes its superclass constructor with org.opensciencegrid.authz.service.BasicMappingAuthZService as the port type parameter.
  • org.opensciencegrid.authz.service.BasicMappingAuthZService: This is the port type class, which extends SAMLAuthZServiceBase, which implements org.opensciencegrid.authz.stubs.SAMLRequestPortType, which extends java.rmi.Remote. BasicMappingAuthZService has a constructor where the map service object, org.opensciencegrid.authz.service.GRIDIdentityMappingService, is passed in. For this GUMS uses the class that implements GRIDIdentityMappingService. Also, SAMLAuthZServiceBase implements the function defined in the interface, SAMLRequestType, and further adds an abstract function, 'AuthzDecision authorize(SAMLSubject subject, String resource, Iterator actions, Iterator evidence)', that is called within the SAMLRequest function. Then, BasicMappingAuthZService implements the authorize function, which makes a call on the GRIDIdentityMappingService object passed in its constructor.
  • This is the map service class which extends org.opensciencegrid.authz.service.BasicMappingAuthZService, which defines one function, 'org.opensciencegrid.authz.common.LocalId mapCredentials(org.opensciencegrid.authz.common.GridId)'. The GridId object passed to this function is created within BasicMappingAuthZService's 'authorize' function from information contained in authorize's parameters (it basically repackages the information). BasicMappingAuthZService has a member variable of type GUMSAPI that provides the core mapping functionality.
  • This is the GUMS API, one of it's many functions being 'String mapUser(String hostname, String userDN, String fqan)'. It is implemented by
  • This is the main GUMS API implementation class that implements mapUser. It and all public functions check that the requesting user (obtained through the class) is allowed to access this call. More detail about how user privilege is decided can be seen in the functions, hasReadAllAccess, hasReadSelfAccess, and hasWriteAccess. GUMSAPIImpl has a member variable of type on which the function, getCoreLogic, is called to get an object of type, on which the function, map, is called to do the mapping work.
  • This is the main GUMS class. Key functions are 'CoreLogic getCoreLogic()' and 'Configuration getConfiguration()'. getConfiguration checks to see if the configuration in memory needs to be updated, and if so it reloads the configuration before returning, or if not just returns the configuration object in memory
  • This is the core mapping logic class. It provides the function 'String map(String hostname, user)' amongst other core functions. The GridUser object passed to this function is assembled in GUMSAPIImpl's mapUser function from information provided in its parameters. The CoreLogic class has a member variable of type GUMS on which getConfiguration is called to get the current Configuration object. From this configuration object, the various configuration elements can be obtained such as elements of type,,,,, and The first defined HostToGroupMapping that matches the hostname parameter, is obtained from the Configuration object. From this, a list GroupToAccountMapping objects is obtained. The GroupToAccountMapping object contains a list of UserGroups and AccountMappers. Each GroupToAccountMapping object is queried to find out if the user DN belongs to a UserGroup and if so, can be mapped to an account. The first that succeeds is used for the final mapping. Some configuration elements require a PersistenceFactory member variable, which is used to store and retrieve user group and mapping information.