[
Lists Home |
Date Index |
Thread Index
]
>
> -----Original Message-----
> From: Chiusano Joseph [mailto:chiusano_joseph@bah.com]
> Sent: Wednesday, May 07, 2003 2:52 PM
> To: Cavnar-Johnson, John
> Cc: xml-dev@lists.xml.org
>
> <Quote1>
> According to the WS-Trust spec, "a web service can require
> that an incoming message prove a set of claims." These claims
> are not limited merely to identity, but can include the
> user's principal (or security
> context)
> </Quote1>
>
> Can you take this one step further and explain how this would
> apply to the presented scenario? In other words, how would
> the identity of SYSTEM A be brought into the picture
> (allowing SYSTEM A to really be considered a "user")? And how
> does it relate to the possibility of more granular security
> at (for example) the WSDL Operation level?
>
Do you want SYSTEM A to authenticate the user, or do you want the request to
actually come from SYSTEM A? If the former, then this is exactly the
brokered trust scenario. If the latter, then you add a requirement to your
policy that states the request must include a certificate from SYSTEM A as
well as credentials for the user.
|