   Re: [xml-dev] Blended Authentication (AKA "Granular Access Control")


>That works well from the perspective of A (the sender side) because it
>asserts that A has the proper claims to access B (this appears to me to
>be more of a "push" method). But what if B does not consider A to be a
>valid user? How can B enforce this?
In delegation, the invoker credentials become a *chain of delegation*, so that B sees A's rights and User1's rights. B gets enough information to know that A is operating on behalf of User1. (Again, the degenerate case is impersonation, where B only "sees" User1.)

B could enforce that A never appear in the delegation chain, although 
from a security perspective this probably doesn't make sense.

>Also, what about a more granular level, such as at a WSDL Operation or
>Message level?
I don't think XACML (e.g.) has defined WSDL extensions to allow you to 
specify "require rights" on an operation.  There's currently some 
tension between XACML and WS-something-or-other as to whether or not 
XACML should be "the" access control language. ...

    /r$
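The delegation chain described above, as an added illustration that is not part of this thread: B is given an ordered chain (originator first, each delegate after it) and decides per operation. The rule that the effective rights are the intersection of every principal's rights in the chain, and the `denied_delegates` policy knob, are assumptions made for this example; the page only says that B sees both A's and User1's rights.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Principal:
    """A party in the chain together with the rights its credential asserts."""
    name: str
    rights: FrozenSet[str]


def effective_rights(chain: List[Principal]) -> FrozenSet[str]:
    """Assumed rule: a delegate acting for User1 may do no more than both
    of them are individually allowed, so rights narrow along the chain."""
    rights: FrozenSet[str] = frozenset()
    for i, p in enumerate(chain):
        rights = p.rights if i == 0 else rights & p.rights
    return rights


def is_impersonation(chain: List[Principal]) -> bool:
    """Degenerate case: B only 'sees' the originator, no delegate at all."""
    return len(chain) == 1


def authorize(chain: List[Principal], operation: str,
              denied_delegates: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """B's decision for one operation, with the reason so it can be logged."""
    if not chain:
        return False, "empty delegation chain"
    # B may refuse to let a particular party appear as a delegate (chain[1:]).
    for delegate in chain[1:]:
        if delegate.name in denied_delegates:
            return False, f"delegate {delegate.name} is not accepted by B"
    if operation in effective_rights(chain):
        return True, "granted"
    return False, f"'{operation}' is outside the effective rights of the chain"


# Constructed sample: User1 may read and write, the intermediary A may only read.
USER1 = Principal("User1", frozenset({"read", "write"}))
A = Principal("A", frozenset({"read"}))
DELEGATED = [USER1, A]      # A operating on behalf of User1
IMPERSONATED = [USER1]      # B sees only User1

if __name__ == "__main__":
    for op in ("read", "write"):
        print(op, authorize(DELEGATED, op), authorize(IMPERSONATED, op))
    print(authorize(DELEGATED, "read", denied_delegates=frozenset({"A"})))
```

Run as is to see that "write" is refused through A but granted when User1 is impersonated, which is why the reply calls impersonation the degenerate case: B loses the ability to reason about A at all.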
Copyright 2001 XML.org. This site is hosted by OASIS