Hi David,

In addition, XACML will provide policy combination and delegation of rights.

Simon

--- David Jencks wrote:

> At ApacheCon several of us got together to discuss security in
> Geronimo. These are my recollections, please expand/contradict/
> modify what I forgot or got wrong.
>
> People: Alan Cabrera, David Jencks, Kresten Krab Thorup, Hiram
> Chirino, Simon Godik (Others ???)
>
> Problems with the current implementation:
>
> - Distinction between client-side and server-side login modules is
> too hard to understand and too ad-hoc: security assertions are a
> better, standard, and more comprehensible way of getting the same
> functionality.
>
> - The LoginModule wrapping a set of login modules serves little purpose.
>
> Things we like and want to generalize somehow:
>
> - We'd like to extend the variety of approaches represented in the
> CORBA csiv2 model to other transports and contexts beyond CORBA
>
> How we might get there:
>
> Simon gave us some hints about SAML and XACML and IIUC pointed out
> that most of the basic ideas we need are worked out in detail in
> these specs and that we can implement these ideas without necessarily
> relying on the xml-centered implementation called for in the specs.
> In particular SAML extensively discusses security assertions which
> are a more powerful and systematic way of dealing with both the
> client/server login module problems and the information dealt with by
> csiv2. My current and very limited understanding is that SAML
> indicates what kind of security assertions can be made and how to
> transfer them between systems. XACML provides a framework in which
> (among many many other things) these security assertions can have
> effects on authentication and authorization decisions.
>
> Since ApacheCon I've started looking into XACML and SAML a tiny bit
> and although I am not thrilled by the pointy brackets I think this is
> an avenue we should investigate thoroughly. I think it can
> definitely provide the flexibility we want in the security model: I
> think the challenge will be making the configuration comprehensible
> and the implementation fast. From my very brief study it looks like
> XACML will provide a framework in which authorization rules that
> include the request info provided by JACC can be evaluated. I'm not
> sure what else it will bring us :-)
>
> Many thanks,
> david jencks
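The two ideas the thread leans on, attribute-based rules evaluated against JACC-style request information (David) and rule combination (Simon), in a small worked example. This is an added illustration written for this page, not Geronimo code and not a conforming XACML implementation: it models only Permit/Deny/NotApplicable decisions (XACML's Indeterminate is omitted), and the attribute names (`role`, `url-path`, `http-method`), the policy and its rules are all assumptions made up for the example. The point it shows is that the same two rules give opposite answers to the same request under deny-overrides and permit-overrides, which is exactly the kind of thing a comprehensible configuration has to make visible.

```python
"""Minimal XACML-style policy decision point (PDP), added example only.

Not Geronimo code and not a conforming XACML implementation. It models
attribute-based rules, a policy with a rule-combining algorithm, and a
default-deny enforcement point. The request shape mirrors what a JACC
provider sees for a web request (caller roles, URL path, HTTP method);
the attribute names used here are assumptions for this example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Dict, List, Set

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# category -> attribute -> set of values, mirroring XACML's
# subject/resource/action categories. Sets allow multi-valued
# attributes such as a caller holding several roles.
Request = Dict[str, Dict[str, Set[str]]]


@dataclass
class Rule:
    rule_id: str
    effect: str                          # PERMIT or DENY
    target: Callable[[Request], bool]    # True when the rule applies

    def evaluate(self, req: Request) -> str:
        return self.effect if self.target(req) else NOT_APPLICABLE


# Rule-combining algorithms, named as in the XACML core spec.
def deny_overrides(decisions: List[str]) -> str:
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def permit_overrides(decisions: List[str]) -> str:
    if PERMIT in decisions:
        return PERMIT
    if DENY in decisions:
        return DENY
    return NOT_APPLICABLE


def first_applicable(decisions: List[str]) -> str:
    for d in decisions:
        if d != NOT_APPLICABLE:
            return d
    return NOT_APPLICABLE


@dataclass
class Policy:
    policy_id: str
    combine: Callable[[List[str]], str]
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, req: Request) -> str:
        # Every rule is evaluated; the combining algorithm reconciles them.
        return self.combine([r.evaluate(req) for r in self.rules])


def has(req: Request, category: str, attr: str, value: str) -> bool:
    return value in req.get(category, {}).get(attr, set())


def path_matches(req: Request, pattern: str) -> bool:
    # Glob-style match on the resource path (assumed "url-path" attribute).
    return any(fnmatch(p, pattern)
               for p in req.get("resource", {}).get("url-path", set()))


def make_request(roles: List[str], path: str, method: str) -> Request:
    """Build a request from the three facts a JACC web permission carries."""
    return {"subject": {"role": set(roles)},
            "resource": {"url-path": {path}},
            "action": {"http-method": {method}}}


def pep_allows(policy: Policy, req: Request) -> bool:
    """Default-deny enforcement: only an explicit Permit grants access,
    so NotApplicable (no rule matched) is treated as a refusal."""
    return policy.evaluate(req) == PERMIT


# Assumed example policy: admins may use the admin console, but the
# TRACE method is refused there for everyone, whatever their role.
ADMIN_RULES = [
    Rule("admins-may-use-console", PERMIT,
         lambda r: has(r, "subject", "role", "admin")
         and path_matches(r, "/admin/*")),
    Rule("no-trace-on-console", DENY,
         lambda r: path_matches(r, "/admin/*")
         and has(r, "action", "http-method", "TRACE")),
]
ADMIN_POLICY = Policy("admin-console", deny_overrides, ADMIN_RULES)
# Same rules, different combining algorithm: the Permit now wins.
LAX_ADMIN_POLICY = Policy("admin-console-lax", permit_overrides, ADMIN_RULES)


if __name__ == "__main__":
    for who, path, method in [(["admin"], "/admin/users", "GET"),
                              (["admin"], "/admin/users", "TRACE"),
                              (["guest"], "/public/index.html", "GET")]:
        req = make_request(who, path, method)
        print(who, method, path,
              "deny-overrides:", ADMIN_POLICY.evaluate(req),
              "permit-overrides:", LAX_ADMIN_POLICY.evaluate(req),
              "allowed:", pep_allows(ADMIN_POLICY, req))
```

Run as a script it prints one line per constructed request; the admin TRACE request is the one to look at, since it is Deny under deny-overrides and Permit under permit-overrides from identical rules. The enforcement point treats NotApplicable as a refusal, which is the conservative reading a container should take when no policy speaks to a request.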
