Now that recent maven problems may be behind me (once I switch to maven 2.0.4, not yet tried), I'd appreciate some feedback from others who may be following a similar path, and whether what I'm interested in is actually possible.
I'm a member of the GIGlite project (http://giglite.org), which is trying to build a boxed/tested ESB for use by DOD, govt in general, and perhaps even more broadly. This differs from me-too ESBs in that the solution must comply with govt security policy and pass govt (stringent) information assurance/interoperability tests. In practice, this means SSL alone is not sufficient. In addition to SSL for session-level security, the ESB must also provide message-level security, and the service must (if it chooses) also provide field-level security. The whole nine yards: authentication, authorization, confidentiality, nonrepudiation and integrity.

At first glance we're planning on using TAB (Trusted Authentication Broker) and TAPE (Trusted Authorization Policy Engine) as the identity providers. TAB evolved from NESSO (Navy Enterprise Single Sign On), and TAPE from the Soutei policy engine (written in Haskell), which is an extension to research engines at Microsoft, etc. Both are (or soon will be) in the GIGlite Subversion along with full documentation.

The way I'm imagining this will work (those more knowledgeable about acegi, please correct me here; also, pointers to the specific questions in parentheses would be very helpful since I've just started exploring what this project can do):

1) XML arrives as a string on the wire (where what "wire" means is pluggable with various transport mechanisms, ideally already provided by this project: HTTPS, IIOP, XMMS, SIP, but actually unbounded over time).

2) XML is converted to some object model like JDOM (question: does acegi have a recommended object model like Axis2's Axiom?)

3) XML tree is transformed in-place by a succession of security modules:
   o Encryption
   o Signing
   o Integrity
   (question: does acegi provide these or must we code them ourselves?)

--- The ESB to Service API lies about here ---

4) XML tree arrives at the application (service) in cleartext that the program can operate on directly.
5) If field-level security is required, the service does that. The ESB's role is message- and session-level security.

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
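As an added illustration of the in-place module chain in step 3 (this is not code from the post, from GIGlite, or from Acegi), the following hypothetical Java sketch uses the JDK's built-in XML-DSig API: a signing module appends an enveloped signature to the DOM, and an integrity module verifies that signature and strips it so the service receives plain XML. The SecurityModule interface, the generated RSA demo key and the sample order document are all constructed for the example.

```java
import java.io.StringReader;
import java.security.*;
import java.util.Collections;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class SecurityModuleChainDemo {
    // Hypothetical module contract: each module rewrites the DOM tree in place.
    interface SecurityModule { void apply(Document doc) throws Exception; }

    // Signing module: adds an enveloped XML-DSig signature over the whole document.
    static SecurityModule signer(KeyPair kp) {
        return doc -> {
            XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
            Reference ref = f.newReference("", f.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
            SignedInfo si = f.newSignedInfo(
                f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                f.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
                Collections.singletonList(ref));
            KeyInfoFactory kif = f.getKeyInfoFactory();
            KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
            f.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        };
    }

    // Integrity module: verifies against a key the ESB already trusts (never the KeyInfo in the
    // message), rejects on failure, then removes the Signature element before the service sees it.
    static SecurityModule verifier(PublicKey trusted) {
        return doc -> {
            NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
            if (nl.getLength() == 0) throw new SecurityException("no Signature element");
            XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
            DOMValidateContext ctx = new DOMValidateContext(trusted, nl.item(0));
            if (!f.unmarshalXMLSignature(ctx).validate(ctx)) throw new SecurityException("signature invalid");
            nl.item(0).getParentNode().removeChild(nl.item(0));
        };
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // constructed demo key
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                                    // required by XML-DSig
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);   // parser hardening
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader("<order><id>42</id></order>")));
        for (SecurityModule m : new SecurityModule[]{ signer(kp), verifier(kp.getPublic()) }) m.apply(doc);
        System.out.println("signatures left for the service: "
            + doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").getLength());
    }
}
```

The chain runs the same modules in reverse on the receiving side, so an encryption module would sit after signing on the way out and before verification on the way in.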