Hi,

Continuing with the secure-bigbank demo, I have got the checking account
web service to pass the authenticated principal to the Java implementation
that in turn authorizes the principal.  I have made changes to Message,
MessageImpl and the Axis2 binding for this (r607209).  We can evolve or
change this as we mull over the goods and bads of this ;-).

Here's the story I have assumed...
- the checking department has decided to put in authorization where it
would only allow the owners to access their accounts.  Accordingly it has
come up with an 'access control mechanism' for this authorization.

- to plug in this authorization, the PolicyAdministrator ....
       - defines a policy handler from which authorization calls can be made
out to this 'access control mechanism'
       - defines an intent and a matching policyset that would be able to
affect this particular mechanism for authorization, i.e. call out to this
defined handler.

- the composite assembler marks the CheckingAccountService component's
implementation as 'requires=ck:authorization'.

Issues / Points to ponder
------------------------------------
1) Here we expect applications to be defining their own policy handlers.
Since policy handlers are defined in a services configuration file, here the
checking application contributes to one such file. Though I have been able
to run the sample in Eclipse and mvn, the 'ant'-driven one does not work.  I
suspect this is due to some classloader issues related to the loading of the
services configuration file defined by the application.

2) Since applications define their policy handlers, I've had to include the
'core' as a dependency since these handlers have to work with the 'Message'
class.

Thoughts / suggestions :) ?

Thanks

- Venkat


On Dec 27, 2007 3:37 PM, Venkata Krishnan <[EMAIL PROTECTED]> wrote:

> Hi,
>
> Going further with the Bigbank scenario I have now split up the three
> different accounts - Savings, Stock and Checkings into individual
> composites.
>
> The checkingAccount service is exposed as a webservice and is enabled for
> authentication.  Now I am trying to incorporate authorization into the
> checkingsAccount implementation i.e. allow access of account information
> only to its owners.
>
> The authentication of users happens at the wsBinding and the authenticated
> principal must now be used for authorization by the checkingsAccount java
> implementation.
>
> I spent a bit of time exploring how I could fit JAAS into this
> scenario and just could not figure out a neat fit.  JAAS authorization seems
> to be good when we are treating things as just Java resources.  But over
> here it seems to me that we are doing things at the application layer.  So
> for now I plan to resort to a higher-level authorization where I plan
> to maintain an access control list that will provide a list of which user
> owns which account.
>
> With this, I am figuring out how the authenticated principal could be
> passed over from the wsBinding to the javaImplementation.  Obviously the
> Message object seems to be the only viable carrier and I am trying some things
> around that.  Will post next on what actually works at the end of all this.
> Meanwhile, thoughts / suggestions ?
>
> Thanks
>
> - Venkat
>
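Added example, not part of this thread and not Tuscany's code: a stand-alone Java sketch of the design discussed above, where the binding places the authenticated principal on the message and a policy handler consults an account-ownership ACL before the Java implementation runs. The Message, SimplePrincipal, AccountAcl and AuthorizationPolicyHandler classes, the "first argument is the account id" convention, and the user names and account ids are all constructed assumptions; they are not the Tuscany Message/MessageImpl, binding or policy-handler APIs.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

/*
 * Constructed illustration of owner-only authorization for a checking account
 * service. Every class here is an assumption for this example; none of them is
 * Tuscany's Message/MessageImpl, binding or policy-handler API.
 */
public class OwnerOnlyAuthorizationDemo {

    /** Stand-in for the message carrier: the binding sets the authenticated principal here. */
    static final class Message {
        final String operation;
        final Object[] args;
        final Principal principal; // null when the binding authenticated nobody

        Message(String operation, Principal principal, Object... args) {
            this.operation = operation;
            this.principal = principal;
            this.args = args;
        }
    }

    /** Minimal principal carrying just a user name (the binding would normally supply this). */
    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** The 'access control mechanism': which user owns which account (constructed sample data). */
    static final class AccountAcl {
        private final Map<String, String> ownerByAccount = new HashMap<>();

        void grant(String accountId, String owner) {
            ownerByAccount.put(accountId, owner);
        }

        /** Unknown accounts and null users are never owners, so the check fails closed. */
        boolean isOwner(String user, String accountId) {
            return user != null && user.equals(ownerByAccount.get(accountId));
        }
    }

    /** Hypothetical policy handler that the 'ck:authorization' intent would run before the implementation. */
    static final class AuthorizationPolicyHandler {
        private final AccountAcl acl;

        AuthorizationPolicyHandler(AccountAcl acl) { this.acl = acl; }

        /** Returns normally when the caller owns the account; otherwise throws and the call never reaches the implementation. */
        void beforeInvoke(Message msg) {
            if (msg.principal == null) {
                throw new SecurityException("no authenticated principal on message for " + msg.operation);
            }
            // Convention assumed for this example: the first argument of every account operation is the account id.
            if (msg.args.length == 0 || !(msg.args[0] instanceof String)) {
                throw new SecurityException(msg.operation + " carries no account id to authorize");
            }
            String accountId = (String) msg.args[0];
            String user = msg.principal.getName();
            if (!acl.isOwner(user, accountId)) {
                throw new SecurityException(user + " is not an owner of account " + accountId);
            }
        }
    }

    public static void main(String[] args) {
        AccountAcl acl = new AccountAcl();
        acl.grant("CHK-1001", "alice"); // constructed sample entries
        acl.grant("CHK-2002", "bob");
        AuthorizationPolicyHandler handler = new AuthorizationPolicyHandler(acl);

        Principal alice = new SimplePrincipal("alice");
        handler.beforeInvoke(new Message("getAccountReport", alice, "CHK-1001"));
        System.out.println("alice -> CHK-1001: allowed");

        // Another user's account, an unauthenticated call, and an account the ACL has never heard of.
        String[][] denied = { {"alice", "CHK-2002"}, {null, "CHK-1001"}, {"alice", "CHK-9999"} };
        for (String[] d : denied) {
            Principal p = d[0] == null ? null : new SimplePrincipal(d[0]);
            try {
                handler.beforeInvoke(new Message("getAccountReport", p, d[1]));
                System.out.println("unexpected: allowed");
            } catch (SecurityException e) {
                System.out.println("denied: " + e.getMessage());
            }
        }
    }
}
```

The point worth keeping when this moves into a real handler is that every path that cannot positively establish ownership (no principal, no account id in the call, account absent from the ACL) ends in a denial, rather than falling through to the implementation.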
