[security-dev] Entitlement versus Enforcement Model

Bill Burke bburke at redhat.com
Wed Nov 7 16:26:22 EST 2012

On 11/7/2012 4:09 PM, Anil Saldhana wrote:
> On 11/07/2012 03:05 PM, Bill Burke wrote:
>> I committed some preliminary work a few months ago to prototype
>> Openstack's Keystone service and protocol.  I want to ditch this work
>> though in favor of developing my own protocol as it seems Keystone is
>> very much in flux and they aren't sure of their own direction.  It as a
>> good exercise though as I learned how AS7 and login-modules can fit
>> together and how you can dynamically set roles/identity *per-request*.
>> I also wrote a little utility that allows you to delegate authentication
>> to your security domain. (login-module-authenticator)
>> https://github.com/resteasy/Resteasy/tree/master/jaxrs/security/skeleton-key-idm
>> I just started on my new (well really long time brewing) ideas this week
>> as Resteasy 3.0 beta 1 is now out.  I plan on using JSON Web Token and
>> JSON Web Signatures.  After evaluating these specs, they look very tight
>> and simple enough to build upon.
> Bill, last time I mentioned JWT and JWE, you chewed me. Yeah, pretty
> lightweight stuff and applicable to REST style services.
> It is possible that JWT lacks the richness that may be desired in a
> token, for certain usecases. I have not come across those use cases yet
> apart from serving SAML users over a REST style interface with JSON binding.

Yup, I was wrong about JWS and JWE.  When I chewed you, i was thinking 
more about HTTP message bodies, and not thinking about URLs and header 
strings.  Keystone uses application/pks7-signature, which is a 
possibility too, but I don't know how viable it is within javascript. 
JWS/JWE already has code here.


Bill Burke
JBoss, a division of Red Hat

More information about the security-dev mailing list