Hi Luciano

Good to hear you thinking along these lines. Taking the scenario motivated
approach will help improve policy support generally I think. I've put
comments that come immediately to mind in line.

Once you think we have a good handle on the initial scenarios we could start
making some itests to explore them.

Simon

On Wed, Sep 17, 2008 at 12:27 AM, Luciano Resende <[EMAIL PROTECTED]>wrote:

> I have started some research around using Policy to enable some
> security capabilities to Tuscany Web 2.0 extensions, and have
> identified some initial scenarios as listed below:
>
> Scenarios:
>
> Web 2.0 application requires that a user get authenticated before it
> can access the application.


Intent: authentication

This is the reference side right?

What sort of technologies are you thinking about here?
authentication.message, authentication.transport? We should look at the
various strategies we would expect to experience talking to real world
services. This may include things like cookie handling.

These Web2.0 applications use a number of different protocols, e.g. Atom,
Jsonrpc, RSS, but are mostly based on HTTP so I'd be interested in how we
provide some commonality across these bindings. I am, for example, keen to
work with you to extend org.apache.tuscany.sca.policy.authentication.basic
to these bindings.

(I guess more generally it would be interesting to see if there is common
HTTP binding function across these Web2.0 bindings but that's a different
subject)

>
>
> Web 2.0 application requires that all communication between
> client/server be done using SSL.


Intent: authentication.transport?
          confidentiality?
          integrity?

>
>
> A given service, exposed using a web 2.0 binding requires user
> authentication.
>
> A given operation, exposed using a web 2.0 binding requires user
> authentication.


The other thing that comes to mind is looking at the difference between
container based security configuration and the way that this interacts with
the binding and policy configuration. So two scenarios

A given service, exposed using a web 2.0 binding requires user
authentication and is deployed into a container where security is configured

A given service, exposed using a web 2.0 binding requires user
authentication and is deployed into a container where security is not
configured

Are there any Web2.0 protocol specific security semantics that we need to be
aware of?


>
>
> Please let me know if you have other scenarios in mind.
>
> --
> Luciano Resende
> Apache Tuscany Committer
> http://people.apache.org/~lresende
> http://lresende.blogspot.com/
>
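As an added example, not part of this thread and not Tuscany's own code, the following composite shows how the scenarios discussed above map onto SCA policy intents attached to Web 2.0 bindings. The intent names (authentication, confidentiality.transport, integrity.transport) follow the SCA Policy Framework spec; the tuscany namespace, the binding.atom/binding.jsonrpc/binding.rss element names, the component and class names and the URIs are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread: the three scenarios expressed as SCA intents.
     Namespace prefix, binding names, component names and URIs are assumed. -->
<composite xmlns="http://www.osoa.org/xmlns/sca/1.0"
           xmlns:tuscany="http://tuscany.apache.org/xmlns/sca/1.0"
           targetNamespace="http://example.org/web20"
           name="Web20Security">

  <!-- Scenario: a service exposed over a Web 2.0 binding requires user authentication.
       'authentication' is an abstract intent; the runtime chooses a concrete policy set
       that satisfies it (e.g. HTTP basic authentication as mentioned in the thread). -->
  <component name="CatalogComponent">
    <implementation.java class="org.example.CatalogImpl"/>
    <service name="Catalog">
      <tuscany:binding.atom uri="/catalog" requires="authentication"/>
    </service>
  </component>

  <!-- Scenario: all client/server communication must use SSL.
       The qualified transport intents state what SSL provides (a confidential and
       integrity-protected channel) rather than naming SSL itself. authentication.transport
       would go further and require the peer to be authenticated at the transport layer. -->
  <component name="AccountComponent">
    <implementation.java class="org.example.AccountImpl"/>
    <service name="Account">
      <tuscany:binding.jsonrpc uri="/account"
          requires="confidentiality.transport integrity.transport"/>
    </service>
  </component>

  <!-- Scenario: only one operation of the service requires authentication.
       An operation child element with its own requires attribute attaches the
       intent per operation instead of to the whole binding. -->
  <component name="FeedComponent">
    <implementation.java class="org.example.FeedImpl"/>
    <service name="Feed">
      <tuscany:binding.rss uri="/feed">
        <operation name="post" requires="authentication"/>
      </tuscany:binding.rss>
    </service>
  </component>
</composite>
```

The two container scenarios from the thread do not change this composite: the intents stay the same, and the difference lies in which policy set the runtime can select to satisfy them, i.e. whether it can delegate authentication to the container's configured security or must enforce it itself on the binding.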