
   Re: [xml-dev] Blended Authentication (AKA "Granular Access Control")


Thanks John. I am actually very familiar with the WS-Trust specification
[1] (only mentioning my article so you can understand my background).
WS-Trust involves parties exchanging security credentials that are based
on existing mechanisms (X.509 cert, SAML assertion, Kerberos ticket,
XrML license, etc.). All of these mechanisms are based on
"single-component" claims - that is, a single user, a single resource,
etc. The concepts I am presenting are based on "multiple-component"
claims - that is, involving a user *and* a resource (such as a Web
service), or even more finely grained such as a user and a resource and
an Operation (in WSDL sense) on that resource.

Kind Regards,
Joe Chiusano
Booz | Allen | Hamilton

[1] http://www.developer.com/services/article.php/2171031

"Cavnar-Johnson, John" wrote:
> 
> 
> 
> >
> > -----Original Message-----
> > From: Chiusano Joseph [mailto:chiusano_joseph@bah.com]
> > Sent: Wednesday, May 07, 2003 10:06 AM
> > To: Rich Salz
> > Cc: xml-dev@lists.xml.org
> >
> > <Quote>
> > User1 authenticates to A and "delegates" its rights so that A
> > can present its rights, and the delegated User1 rights to B.
> > </Quote>
> >
> > That works well from the perspective of A (the sender side)
> > because it asserts that A has the proper claims to access B
> > (this appears to me to be more of a "push" method). But what
> > if B does not consider A to be a valid user? How can B enforce this?
> >
> > Also, what about a more granular level, such as at a WSDL
> > Operation or Message level?
> 
> Take a look at the WS-Security specs from IBM, Microsoft, et al. I believe
> they cover your scenario fairly well. In particular, look at the WS-Trust
> spec:
> http://msdn.microsoft.com/webservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-trust.asp
> 