[security-dev] Entitlement versus Enforcement Model

Jason Porter lightguard.jp at gmail.com
Wed Nov 7 11:28:53 EST 2012

This is something I've been thinking about actually. A small side project
I'm working on during the late hours of the evening is going to be doing
something like this. My current line of thinking is to authenticate once
and pass back a token then double check the token and IP address with each
request and have a server side timeout for their authorized session. I know
it's not the same as what you're talking about, but I couldn't come up with
anything good to stop spoofing a valid token and also enforcing a time
limit to a secure session.

On Wed, Nov 7, 2012 at 8:53 AM, Anil Saldhana <Anil.Saldhana at redhat.com>wrote:

> Hi All,
>    this is an issue I see more at a client (in the classic client/server
> paradigm) that the computing industry is moving toward.
> With the increasing push towards mobility, cloud and REST
> architectures,  I think access control decisions may have to be made
> where a decision is needed.  So instead of making 100 authorization
> calls to the server, we need a model where one call is made to the
> server (given user, context etc) and we get back a set of entitlements
> (or permissions) that need to be applied at the client side.
> Examples include a mobile client (such as banking) that needs to figure
> out what aspects of the mobile screen the user is entitled to see and
> what operations he is capable of performing.
> The industry has put too much emphasis on the enforcement model
> (meaning, make 100 authorization calls to the glorified server). There
> has been almost no models for the entitlement approach.
> I have prototyped something here:
> https://docs.jboss.org/author/display/SECURITY/EntitlementsManager
> The entitlements should be sent in a JSON response.
> Also, trying to get this standardized in the industry via the OASIS
> Cloud Authorization TC.
> https://lists.oasis-open.org/archives/oasis-charter-discuss/201210/msg00003.html
> I have a hunch that projects such as Aerogear, Drools, Errai and
> Infinispan may need this model.
> Thoughts?
> Regards,
> Anil
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

Jason Porter

Software Engineer
Open Source Advocate

PGP key id: 926CCFF5
PGP key available at: keyserver.net, pgp.mit.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20121107/013c1448/attachment-0001.html 

More information about the security-dev mailing list