OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

 


 

   RE: [xml-dev] Blended Authentication (AKA "Granular Access Control")

[ Lists Home | Date Index | Thread Index ]

 

> 
> -----Original Message-----
> From: Chiusano Joseph [mailto:chiusano_joseph@bah.com] 
> Sent: Wednesday, May 07, 2003 2:52 PM
> To: Cavnar-Johnson, John
> Cc: xml-dev@lists.xml.org
> 
> <Quote1>
> According to the WS-Trust spec, "a web service can require 
> that an incoming message prove a set of claims." These claims 
> are not limited merely to identity, but can include the 
> user's principal (or security
> context)
> </Quote1>
> 
> Can you take this one step further and explain how this would 
> apply to the presented scenario? In other words, how would 
> the identity of SYSTEM A be brought into the picture 
> (allowing SYSTEM A to really be considered a "user")? And how 
> does it relate to the possibility of more granular security 
> at (for example) the WSDL Operation level?
> 

Do you want SYSTEM A to authenticate the user, or do you want the request to
actually come from SYSTEM A? If the former, then this is exactly the
brokered trust scenario.  If the latter, then you add a requirement to your
policy that states the request must include a certificate from SYSTEM A as
well as credentials for the user.






 

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS