[security-dev] Entitlement versus Enforcement Model

Anil Saldhana Anil.Saldhana at redhat.com
Wed Nov 7 15:47:04 EST 2012

On 11/07/2012 10:28 AM, Jason Porter wrote:
> This is something I've been thinking about actually. A small side 
> project I'm working on during the late hours of the evening is going 
> to be doing something like this. My current line of thinking is to 
> authenticate once and pass back a token then double check the token 
> and IP address with each request and have a server side timeout for 
> their authorized session. I know it's not the same as what you're 
> talking about, but I couldn't come up with anything good to stop 
> spoofing a valid token and also enforcing a time limit to a secure 
> session.
Jason - good thinking.  What you are trying to do maps perfectly into a 
SAML rich structure but exceeds the JSON Web Token work (JWT 
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-05) that is 
going on in IETF.  Toward this, I have been thinking that we definitely 
need a JSON Token representation of the SAML XML structure (that can 
capture identity, authentication, attribute, authorization decisions 
etc). Basically a literal translation of the SAML XML structures into JSON.

> On Wed, Nov 7, 2012 at 8:53 AM, Anil Saldhana 
> <Anil.Saldhana at redhat.com> wrote:
>     Hi All,
>        this is an issue I see more at a client (in the classic
>     client/server paradigm) that the computing industry is moving toward.
>     With the increasing push towards mobility, cloud and REST
>     architectures,  I think access control decisions may have to be made
>     where a decision is needed.  So instead of making 100 authorization
>     calls to the server, we need a model where one call is made to the
>     server (given user, context etc) and we get back a set of entitlements
>     (or permissions) that need to be applied at the client side.
>     Examples include a mobile client (such as banking) that needs to
>     figure out what aspects of the mobile screen the user is entitled to
>     see and what operations he is capable of performing.
>     The industry has put too much emphasis on the enforcement model
>     (meaning, make 100 authorization calls to the glorified server). There
>     have been almost no models for the entitlement approach.
>     I have prototyped something here:
>     https://docs.jboss.org/author/display/SECURITY/EntitlementsManager
>     The entitlements should be sent in a JSON response.
>     Also, trying to get this standardized in the industry via the OASIS
>     Cloud Authorization TC.
>     https://lists.oasis-open.org/archives/oasis-charter-discuss/201210/msg00003.html
>     I have a hunch that projects such as Aerogear, Drools, Errai and
>     Infinispan may need this model.
>     Thoughts?
>     Regards,
>     Anil
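The entitlement model sketched above (one call to the server, a JSON set of permissions applied where the decision is needed), as an added Python example that is not part of this thread or of the EntitlementsManager prototype linked above. It uses a constructed role table and an HMAC-SHA256 signature with an expiry so the receiving side can reject tampered or stale entitlement sets; a real mobile deployment would sign with an asymmetric key so the client never holds the server secret, and the server still re-checks any sensitive operation itself.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo key; a deployment would load this from a managed secret.
SERVER_KEY = b"demo-key-not-for-production"

# Constructed policy table: role -> entitlements, as "resource:action" strings.
ROLE_ENTITLEMENTS = {
    "customer": {"account:view", "transfer:create"},
    "teller": {"account:view", "account:close"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_entitlements(subject, roles, context, ttl=300, now=None):
    """Server side: resolve the subject's entitlements once, given the user and
    context, and return a signed JSON document with an expiry."""
    now = int(time.time()) if now is None else now
    perms = set()
    for role in roles:
        perms |= ROLE_ENTITLEMENTS.get(role, set())
    # Context narrows the grant: no transfers from a device the server does not trust.
    if context.get("device") == "untrusted":
        perms.discard("transfer:create")
    doc = {"sub": subject, "ctx": context, "ent": sorted(perms), "iat": now, "exp": now + ttl}
    payload = json.dumps(doc, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_entitlements(token, now=None):
    """Receiving side: check signature, then expiry; return the set or None."""
    now = int(time.time()) if now is None else now
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged document
    doc = json.loads(payload)
    if now >= doc["exp"]:
        return None  # stale entitlements must be refreshed with a new call
    return set(doc["ent"])

def is_entitled(entitlements, permission):
    """The local decision point: one set lookup instead of a server round trip."""
    return entitlements is not None and permission in entitlements
```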