DOI: 10.1145/2110486.2110489

Distributed web security for science gateways

Published: 18 November 2011

Abstract

Science gateways broaden and simplify access to cyberinfrastructure (CI) by providing advanced interfaces to collaboration, analysis, data management, and other tools for students and researchers. As these science gateway interfaces to cyberinfrastructure grow in popularity, web portal developers adopt ad hoc approaches to the security challenges of authentication, authorization, and delegation. Science gateways integrate cyberinfrastructure resources on the researcher's behalf, i.e., accessing data, compute cycles, instruments, and other valuable resources. Resource access often requires use of the researcher's security credentials, in some cases exposing the researcher's long-lived password to potential compromise at the science gateway. There is no standard approach for a researcher to control and limit a science gateway's access to his or her resources. Thus, researchers are required to accept unnecessary risks when using science gateways.
The "Distributed Web Security for Science Gateways" project is addressing these risks by providing authorization and delegation software for science gateways that complies with the Internet Engineering Task Force's standard OAuth protocol. The project is developing an OAuth server implementation and a set of client libraries and authentication modules to enable out-of-the-box integration with common Web platforms, in coordination with gateways and cyberinfrastructure providers. In this paper, we introduce the project, including our planned software architecture.



    Published In

    GCE '11: Proceedings of the 2011 ACM workshop on Gateway computing environments
    November 2011
    80 pages
    ISBN: 9781450311236
    DOI: 10.1145/2110486
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery, New York, NY, United States
    Author Tags

    1. OAuth
    2. science gateways

    Qualifiers

    • Research-article

    Conference

    SC '11


    Cited By

    • (2020) "Investigating Root Causes of Authentication Failures Using a SAML and OIDC Observatory", 2020 IEEE 6th International Conference on Dependability in Sensor, Cloud and Big Data Systems and Application (DependSys), pp. 119--126, DOI: 10.1109/DependSys51298.2020.00026, published online Dec 2020.
    • (2016) "Apache Airavata security manager: Authentication and authorization implementations for a multi-tenant escience framework", 2016 IEEE 12th International Conference on e-Science (e-Science), pp. 287--292, DOI: 10.1109/eScience.2016.7870911, published online Oct 2016.
    • (2014) "A Hybrid SaaS/Grid Architecture for Diffusion MRI in Brain Imaging Field", International Journal of Organizational and Collective Intelligence 4(4), pp. 24--58, DOI: 10.4018/ijoci.2014100102, published online Oct 2014.
    • (2014) "The MyProxy Gateway", Proceedings of the 2014 6th International Workshop on Science Gateways, pp. 6--11, DOI: 10.1109/IWSG.2014.8, published online 3 Jun 2014.
    • (2014) "CILogon: A federated X.509 certification authority for cyberinfrastructure logon", Concurrency and Computation: Practice and Experience 26(13), pp. 2225--2239, DOI: 10.1002/cpe.3265, published online 4 Apr 2014.
    • (2013) "CILogon", Proceedings of the Conference on Extreme Science and Engineering Discovery Environment: Gateway to Discovery, pp. 1--7, DOI: 10.1145/2484762.2484791, published online 22 Jul 2013.
    • (2012) "Security for science gateways and campus bridging", Proceedings of the 1st Conference of the Extreme Science and Engineering Discovery Environment: Bridging from the eXtreme to the campus and beyond, p. 1, DOI: 10.1145/2335755.2335863, published online 16 Jul 2012.
