Argus: PEP Java Client: Programming Interface

PEP Java Client API

The Argus PEP Java client library is use to communicate with the Argus PEP daemon. It authorizes request and receives response back from Argus.


Javadoc for the PEP Java client API:

PEP XACML Object Model

The PEP client XACML object model implemented in the package org.glite.authz.common.model follow this schema:


Basic Example

This is a very simplified example, omitting all the error handling, on how to create a PEP client, a request, and then authorize the request and process the response.

1. Create a PEP client configuration and initialize it:

PEPClientConfiguration config= new PEPClientConfiguration();
// trust and key material for the HTTPS connection with client authentication
config.setKeyMaterial("/etc/grid-security/hostcert.pem", "/etc/grid-security/hostkey.pem", "keystore_password");

2. Create the PEP client based on the config:

PEPClient pep=  new PEPClient(config);

At this point you have a multi-threaded PEP client that can be reuse to submit many authorization requests to the PEP server.

3. Create an authorization request for a user proxy certificate, based on a profile:

// read the user proxy
PEMFileReader reader= new PEMFileReader();
X509Certificate[] userproxy= reader.readCertificates("/tmp/x509up_u959");
// create the request for a given profile
AuthorizationProfile profile= GridWNAuthorizationProfile.getInstance();
Request request= profile.createRequest(userproxy,

4. Authorize the request with the Argus PEP daemon:

Response response= pep.authorize(request);

5. Extract the user mapping information from the response:

// will throw an exception if the authorization response is not *Permit*, or if the obligation is not present
Obligation posixMappingObligation= profile.getObligationPosixMapping(response);
String userId= profile.getAttributeAssignmentUserId(posixMappingObligation);
String groupId= profile.getAttributeAssignmentPrimaryGroupId(posixMappingObligation);
List<String> groupIds= profile.getAttributeAssignmentGroupIds(posixMappingObligation);

Processing Authorization Decision

The PEP client MUST abide by the authorization decision as described in here:

  • If the decision is Permit, then the PEP client SHALL permit access. If obligations accompany the decision, then the PEP client SHALL permit access only if it understands and it can and will enforce those obligations.
  • If the decision is Deny, then the PEP client SHALL deny access.
  • If the decision is NotApplicable, meaning that no policy apply, then the PEP client SHALL deny access.
  • If the decision is Inderterminate, then the PEP client SHALL deny access. The decision status message and status code should be used to produce an error message.


There is also a Java-based GUI available for sending requests to a PEPd. Just click on the following image which will download the application to your desktop and start it. Once you've downloaded it you can restart it by double-clicking the Argus-PEP-Client.jnlp file.


Topic attachments
I Attachment History Action Size Date Who Comment
Unknown file formatjnlp Argus-Pep-Client.jnlp r4 r3 r2 r1 manage 1.1 K 2011-06-06 - 14:12 UnknownUser Argus PEP Client Gui - Java Web Start
PNGpng Argus_PEP_ObjectModel.png r1 manage 343.2 K 2010-11-19 - 18:03 ValeryTschoppExCern PEP XACML Object Model
Edit | Attach | Watch | Print version | History: r22 < r21 < r20 < r19 < r18 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r22 - 2016-07-05 - MaartenLitmaath
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    EGEE All webs login

This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright & by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Ask a support question or Send feedback