[security-dev] Entitlement versus Enforcement Model
Anil.Saldhana at redhat.com
Wed Nov 7 15:47:04 EST 2012
On 11/07/2012 10:28 AM, Jason Porter wrote:
> This is something I've been thinking about actually. A small side
> project I'm working on during the late hours of the evening is going
> to be doing something like this. My current line of thinking is to
> authenticate once and pass back a token then double check the token
> and IP address with each request and have a server side timeout for
> their authorized session. I know it's not the same as what you're
> talking about, but I couldn't come up with anything good to stop
> spoofing a valid token and also enforcing a time limit to a secure
Jason - good thinking. What you are trying to do maps perfectly into a
SAML rich structure but exceeds the JSON Web Token work (JWT
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-05) that is
going on in IETF. Toward this, I have been thinking that we definitely
need a JSON Token representation of the SAML XML structure (that can
capture identity, authentication, attribute, authorization decisions
etc). Basically a literal translation of the SAML XML structures into JSON.
> On Wed, Nov 7, 2012 at 8:53 AM, Anil Saldhana
> <Anil.Saldhana at redhat.com <mailto:Anil.Saldhana at redhat.com>> wrote:
> Hi All,
> this is an issue I see more at a client (in the classic
> paradigm) that the computing industry is moving toward.
> With the increasing push towards mobility, cloud and REST
> architectures, I think access control decisions may have to be made
> where a decision is needed. So instead of making 100 authorization
> calls to the server, we need a model where one call is made to the
> server (given user, context etc) and we get back a set of entitlements
> (or permissions) that need to be applied at the client side.
> Examples include a mobile client (such as banking) that needs to find
> out what aspects of the mobile screen the user is entitled to see and
> what operations he is capable of performing.
> The industry has put too much emphasis on the enforcement model
> (meaning, make 100 authorization calls to the glorified server). There
> have been almost no models for the entitlement approach.
> I have prototyped something here:
> The entitlements should be sent in a JSON response.
> Also, trying to get this standardized in the industry via the OASIS
> Cloud Authorization TC.
> I have a hunch that projects such as Aerogear, Drools, Errai and
> Infinispan may need this model.
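The model discussed in this thread, as an added example that is not code from the thread, from PicketLink or from any of the projects named: the server makes one authorization decision per session and returns a signed JSON entitlement set (subject, authentication statement, attributes, permissions, roughly the SAML assertion shape Anil describes), and the client applies that set locally instead of calling back for every screen element. The same token is presented on later requests, where the server re-checks the signature, the expiry and the bound client address, which is the token-plus-IP-plus-timeout check Jason describes. Function names, the token layout (base64url JSON body, HMAC-SHA256 tag) and all sample values are assumptions for illustration.

```python
"""Added example: a minimal signed JSON entitlement token.

Not from the security-dev thread or any PicketLink code.  The layout
(base64url(JSON payload) + "." + base64url(HMAC-SHA256 tag)) and the
field names are assumptions chosen for this illustration.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_payload(payload: dict) -> str:
    # Canonical encoding so the tag covers exactly one byte sequence.
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return b64url_encode(raw)


def decode_payload(body: str) -> dict:
    return json.loads(b64url_decode(body))


def issue_entitlements(secret: bytes, subject: str, attributes: dict,
                       permissions, client_ip: str, ttl: int = 900,
                       now=None) -> str:
    """One server-side decision: compute the caller's entitlement set and
    sign it together with the subject, expiry and the client address the
    request came from."""
    now = int(time.time()) if now is None else int(now)
    payload = {
        "sub": subject,
        "iat": now,
        "exp": now + ttl,                 # server-chosen session limit
        "client_ip": client_ip,           # address the token is bound to
        "authn": {"method": "password", "instant": now},
        "attributes": attributes,
        "entitlements": sorted(permissions),
    }
    body = encode_payload(payload)
    tag = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + b64url_encode(tag)


def verify_entitlements(secret: bytes, token: str, client_ip: str, now=None):
    """Per-request check: signature first, then expiry, then address
    binding.  Returns the payload on success, None on any failure."""
    now = int(time.time()) if now is None else int(now)
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_encode(expected), tag):
        return None                       # forged or tampered token
    payload = decode_payload(body)
    if now >= payload["exp"]:
        return None                       # session timed out
    if payload["client_ip"] != client_ip:
        return None                       # token replayed from elsewhere
    return payload


def is_permitted(payload: dict, permission: str) -> bool:
    """Client-side evaluation against the entitlement set: no round trip."""
    return permission in payload["entitlements"]


if __name__ == "__main__":
    # Constructed sample values, not real credentials or addresses.
    secret = b"constructed-test-secret"
    token = issue_entitlements(secret, "alice", {"tier": "gold"},
                               {"account:view", "transfer:submit"},
                               "198.51.100.7")
    payload = verify_entitlements(secret, token, "198.51.100.7")
    for perm in ("account:view", "transfer:submit", "admin:users"):
        print(perm, "->", is_permitted(payload, perm))
```

Two caveats a practitioner will want alongside this: the entitlement set tells the client what to show, but the server must still enforce on the operation itself, since a token only proves what the server decided, not that the client honoured it; and binding to the source address is brittle for the mobile case the thread is about, where carriers and NAT change the client's address mid-session, so a bound nonce or a TLS-level binding is usually preferable.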