Abstract
Science Gateways are playing an important role in scientific research performed using e-Infrastructures, and their relevance will further increase with the development of more sophisticated user interfaces and easier access mechanisms. Through the highly collaborative environment of a Science Gateway, users spread around the world and belonging to various Virtual Research Communities (VRCs) can easily cooperate to reach common goals and exploit all the resources of the cyber-infrastructure they are entitled to use.
One of the major tasks of a Science Gateway is to supervise user access to the available services, denying use to people who are not authorised. This activity has to comply with the role of each user inside the VRC.
Users operating in a Science Gateway can belong to different organisations, each having its own security policies, and the Virtual Research Community has to comply with them. As a result, the security chain inside the Science Gateway has to allow each organisation to keep control of its users while, at the same time, hiding the complexity of the security mechanisms underneath the portal.
In this work we present a general framework to build Science Gateways [1][2] and the customisations made to meet the requirements of a couple of use cases coming from different scientific communities: those of the European Union funded DECIDE (www.eu-decide.eu) and INDICATE (www.indicate-project.eu) projects.
The goal of the DECIDE project is to design, implement, and validate a Science Gateway for the computer-aided extraction of diagnostic markers from medical images for the early diagnosis of Alzheimer's disease and other forms of dementia. Using the same platform, neurologists, physicians and scientists can store their images and data on the grid and perform analyses and comparisons against a large set of reference cases available on the grid. The INDICATE project aims instead at demonstrating, with real-life examples, the advantages of adopting e-Infrastructures in the digital cultural heritage domain. The plugin developed enables the INDICATE Science Gateway, and its digital cultural heritage community, to access two different e-Infrastructure repositories in an easy way with a friendly user interface, while keeping the digital resources safe and the transactions private.
The framework defined to support the above use cases is an extension of the Liferay portal framework, which provides a whole set of web 2.0 tools and services for the development of generic portals. These have been integrated with a more flexible security workflow and a new set of portlets to access the Grid services. The final architecture of a Science Gateway consists of two parts: a front-end building the graphical user interface, and a back-end providing access to the grid services implemented.
A major extension to Liferay is the security system. The newly developed security system merges three different security mechanisms in a single workflow, allowing users to access Grid resources based on the credentials provided by the organisations they belong to. The idea behind it was to combine Shibboleth 2 identities in the front-end with X.509 proxies generated by robot certificates in the back-end. The former enables the federation of organisations having different authentication policies, while the latter allows users to access Grid resources without needing any personal certificates, whose request and management procedure is very often judged quite cumbersome by non-experts. The "glue" between the two layers is an LDAP server running in the back-end that implements a mechanism to map authorised users onto Grid resources. Services managing user and grid credentials are not integrated in Liferay Portal but run on different hosts, in order to increase the reliability and security of the Science Gateway.
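The three-layer workflow described above, as an added illustration that is not code from the paper or its gateway: a Shibboleth identity is looked up in an LDAP-style directory, the user's VRC membership is checked, and only then is the robot certificate for that community selected. The directory entries, VRC group names, robot certificate names and the `eduPersonPrincipalName` attribute used for matching are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the back-end LDAP directory: each entry maps a federated
# (Shibboleth) identity to the Virtual Research Communities it may use.
LDAP_DIRECTORY = [
    {"dn": "cn=alice,ou=users,dc=sg,dc=example",
     "eduPersonPrincipalName": "alice@univ-a.example",
     "memberOf": ["cn=decide,ou=vrc,dc=sg,dc=example"], "status": "active"},
    {"dn": "cn=bob,ou=users,dc=sg,dc=example",
     "eduPersonPrincipalName": "bob@museum-b.example",
     "memberOf": ["cn=indicate,ou=vrc,dc=sg,dc=example"], "status": "suspended"},
]

# Constructed mapping from a VRC group to the robot certificate the back-end uses to
# generate X.509 proxies on that community's behalf (hypothetical names).
ROBOT_CERTS = {
    "cn=decide,ou=vrc,dc=sg,dc=example": {"vo": "vo.decide.example", "cert": "robot-decide.pem"},
    "cn=indicate,ou=vrc,dc=sg,dc=example": {"vo": "vo.indicate.example", "cert": "robot-indicate.pem"},
}

@dataclass
class Decision:
    allowed: bool
    reason: str
    vo: Optional[str] = None
    robot_cert: Optional[str] = None
    audit: dict = field(default_factory=dict)

def find_entry(eppn: str) -> Optional[dict]:
    """Emulates an LDAP search filtered on eduPersonPrincipalName."""
    return next((e for e in LDAP_DIRECTORY if e["eduPersonPrincipalName"] == eppn), None)

def authorise(shib_attrs: dict, vrc_dn: str) -> Decision:
    """Map a Shibboleth-authenticated user onto the robot credential of one VRC."""
    eppn = shib_attrs.get("eppn")
    if not eppn:
        return Decision(False, "no federated identity presented")
    entry = find_entry(eppn)
    if entry is None:
        return Decision(False, "identity not registered in the gateway directory")
    if entry["status"] != "active":
        return Decision(False, f"account {entry['status']}")
    if vrc_dn not in entry["memberOf"]:
        return Decision(False, "user is not a member of the requested VRC")
    robot = ROBOT_CERTS.get(vrc_dn)
    if robot is None:
        return Decision(False, "no robot certificate configured for this VRC")
    # A robot proxy is shared by the whole community, so the audit record keeps the
    # real user identity attached to every grid action performed with that proxy.
    return Decision(True, "ok", robot["vo"], robot["cert"], {"user": eppn, "vo": robot["vo"]})
```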
Once the user is authenticated, the portlets developed provide the functionalities to manage the Grid credentials needed to access the underlying e-Infrastructure. The portlet-based interface to the Grid is built on the OGF-standard SAGA Java API and is not bound to any particular middleware.
Besides the interaction with the computational services of an e-Infrastructure, the proposed framework includes the possibility to easily build and manage data repositories interacting with the gLibrary framework [3] and to encrypt/decrypt sensitive data with the Secure Storage System [4].