Include certificate delegation inside Metacat
Like the d1_portal, we want to be able to have users authenticate with their preferred Identity Provider via the browser and let the webapp handle their certificate. Any future requests coming from that session will have their client certificate attached to the request before Metacat processes it (for access control considerations, etc.).
I think we can base this on the current d1_portal project and then build in the lightweight delegation servlet in Metacat. This will give us control over the UI for authenticating users and allow Metacat to transparently use certificate-based authentication without requiring users to directly handle certificate objects themselves.
#1 Updated by ben leinfelder over 8 years ago
Here's the documentation for MyProxy that I was using to set this all up: http://grid.ncsa.illinois.edu/myproxy/oauth/client/
#2 Updated by ben leinfelder over 8 years ago
There's now the package "edu.ucsb.nceas.metacat.portal" that does the authentication delegation. You start a request and then are routed back to the success servlet when authentication is complete. At that point, your client certificate is available in the asset store for use in subsequent calls.
#3 Updated by ben leinfelder about 8 years ago
- Status changed from New to In Progress
- Tracker changed from Bug to Feature
Aside from making the MyProxy configuration easier, this is done. It does require a bit of administration, from registering the server with CILogon to generating a pk8 key and configuring it in the XML config file, but that is unavoidable.
It would be good to pull in another release of d1-portal once that project starts utilizing the 1.7.x MyProxy libraries (soon to be released). That's a two-hop dependency issue!