Hi,

The authorization framework as released with GT 4.2.x and described here http://www.globus.org/toolkit/docs/latest-stable/security/wsaajava/gtJavaAuthzEngine.pdf, is a pure Java framework without any dependencies on the web services layer in Globus. It contains interfaces for PDPs, PIPs and an authorization engine that can be configured with a combining algorithm (the logic that determines how policies are combined to get a single decision).

A PEP will be specific to the application that uses the authorization engine. For example, in the GT web services world, we have an Authorization Handler in the web services stack that uses the Java authorization framework to process the policies and get a decision from the authorization engine (permit, deny, not applicable or indeterminate). The handler then enforces that decision, that is, decides whether the call to the web service can be allowed or not. http://www.globus.org/toolkit/docs/latest-stable/security/wsaajava/developer/#id2483303 describes this in some more detail.

Your approach looks correct to me - PIPs for attributes and PDPs for policies. You can also plug in your own combining algorithm (GT ships with deny override, first applicable and permit override), that determines how to invoke these PIPs and PDPs and how to combine the decision. But the PEP will be in the application that uses your callouts and the engine.

Hope this helps,
Rachana
_____

From: [email protected] [mailto:[email protected]] On Behalf Of Jan Muhammad
Sent: Thursday, April 23, 2009 6:27 AM
To: [email protected]
Subject: [gt-user] Query on PEP in Globus Toolkit Java AuthorizationFramework!

Hi,

I have read a technical report by the Globus Team titled "Globus Toolkit Java Authorization Framework (2007)". I have a query regarding Policy Enforcement Points (PEPs), as mentioned in the earlier document "Authorization processing for Globus Toolkit Java Web Services (2005)". In the later document the 'Authorization Engine' had included PEP along with the Master PDP; but in the current document (2007) I don't see any mention of PEP.

Can you please refer me to any document or example code (paper etc.) and/or explain whether the policy enforcement task (PEP) is done (inbuilt) in the PIPs or somewhere else?

For example, I have several entities having multiple policies involved in the decision making process; there is a chain of PDPs for authorization and there are several PIPs (Policy Information Points) containing attributes for resources, subject etc. For example, those PDPs are implemented by calling out to PDPs in XACML, PERMIS, VOMS.

Regards
________________________
Jan Muhammad
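The decision flow described in the reply above (a chain of PDPs, a combining algorithm, then enforcement by a PEP in the application), as an added example that is not part of the original thread and is not Globus Toolkit code. The `Pdp` interface, the attribute names, the treatment of indeterminate results and the fail-closed PEP are assumptions of this sketch, not GT's API or its exact semantics.

```java
import java.util.*;
import java.util.function.Function;
// Added illustration; none of these types are Globus Toolkit classes.
public class CombiningDemo {
    enum Decision { PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE }
    // Hypothetical PDP shape: attributes (as PIPs would gather them) in, decision out.
    interface Pdp extends Function<Map<String, String>, Decision> {}
    // Run every PDP; a PDP that throws counts as INDETERMINATE (assumption).
    static List<Decision> evaluate(List<Pdp> pdps, Map<String, String> attrs) {
        List<Decision> out = new ArrayList<>();
        for (Pdp p : pdps) {
            try { out.add(p.apply(attrs)); }
            catch (RuntimeException e) { out.add(Decision.INDETERMINATE); }
        }
        return out;
    }

    // Any DENY wins; an error outranks PERMIT so a failed PDP cannot be bypassed.
    static Decision denyOverride(List<Decision> ds) {
        if (ds.contains(Decision.DENY)) return Decision.DENY;
        if (ds.contains(Decision.INDETERMINATE)) return Decision.INDETERMINATE;
        return ds.contains(Decision.PERMIT) ? Decision.PERMIT : Decision.NOT_APPLICABLE;
    }

    // Any PERMIT wins, even if another PDP denied.
    static Decision permitOverride(List<Decision> ds) {
        if (ds.contains(Decision.PERMIT)) return Decision.PERMIT;
        if (ds.contains(Decision.INDETERMINATE)) return Decision.INDETERMINATE;
        return ds.contains(Decision.DENY) ? Decision.DENY : Decision.NOT_APPLICABLE;
    }

    // The first PDP with an opinion decides; order of the chain matters.
    static Decision firstApplicable(List<Decision> ds) {
        for (Decision d : ds) if (d != Decision.NOT_APPLICABLE) return d;
        return Decision.NOT_APPLICABLE;
    }

    // PEP: lives in the application; only an explicit PERMIT lets the call through.
    static boolean pepAllows(Decision d) { return d == Decision.PERMIT; }

    public static void main(String[] args) {
        // Constructed attributes, standing in for what PIPs would collect.
        Map<String, String> attrs = Map.of("subject", "/O=Grid/CN=alice", "vo", "physics", "action", "submit");
        List<Pdp> chain = List.of(
            a -> "physics".equals(a.get("vo")) ? Decision.PERMIT : Decision.NOT_APPLICABLE,   // VO membership policy
            a -> "delete".equals(a.get("action")) ? Decision.DENY : Decision.NOT_APPLICABLE,   // action policy
            a -> a.get("subject").endsWith("CN=alice") ? Decision.DENY : Decision.PERMIT);     // subject blocklist
        List<Decision> ds = evaluate(chain, attrs);
        for (Decision d : List.of(denyOverride(ds), permitOverride(ds), firstApplicable(ds)))
            System.out.println(d + " -> call allowed: " + pepAllows(d));
    }
}
```

The same three PDP results lead to different outcomes depending on which combining algorithm is configured, so the choice of algorithm is itself part of the policy and belongs in review alongside the PDPs.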
