JAAS is a Java API for doing authentication and authorization. Compare API with protocol is like oranges and apples.
Rgds, Ricky
At 09:23 AM 3/17/2003 +0530, Nisha Menon wrote:
Ricky,
Being new to all of this, it's been great help so far already! I've been trying to evaluate the available standards to see what I need to work with on this module. And from what I've been reading over the last month or so, I'd narrowed down to SAML and WS-Security on the basis that they work well together and they're very popular. It'd just been a week since I'd heard about XACML (duh!) and I must admit it had me all confused! :-) thx for helpin me out there! Ok so you've told me about what SAML does (and I guess I can use OpenSAML APIs for development there) but what about WS-Security? Does embedding SAML assertions into the SOAP Security Header within the <wsse:Security> tag complete the picture? Also, how does JAAS compare to all of these standards in authorization? Where would it fit in?
Lotsa questions there! :-(
Regards, Nisha
-----Original Message----- From: Ricky Ho [mailto:[EMAIL PROTECTED] Sent: Sunday, March 16, 2003 10:08 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: Authorization using WS security and SAML
SAML is about specifying the XML format of your authorization decision outcome (authorization assertion). It also defines a protocol how to request the assertion. SAML doesn't describe how the decision should be
made. XACML is attempting to standardize how such decision rules should be specified. So it is completely solving an orthogonal problem.
I'm not sure how important to standardize decision making rules because there is NO "inter-operability" requirement for that. There is NO need to communicating how I made my decision to my business partners. The value of XACML is "portability" of my decision criteria across multiple vendor products. However, "portability" has never been a goal for any XML standard. It is arguable how important XACML will be.
Best regards, ricky
At 06:38 PM 3/16/2003 +0530, Nisha Menon wrote: >hi, > >i am trying to create an authorization module for web services that is >independant of the application and to authorize i've chosen to use >WS-Security and SAML. >would anyone on this list be familiar with similar implementation? or have >any references for the same? >also, how does XACML compare to SAML? > >thank you, > >nisha > >**************************Disclaimer*********************************** >* > >Information contained in this E-MAIL being proprietary to Wipro Limited
>is 'privileged' and 'confidential' and intended for use only by the >individual > or entity to which it is addressed. You are notified that any use, copying >or dissemination of the information contained in the E-MAIL in any manner >whatsoever is strictly prohibited. > >*********************************************************************** >****
