[security-dev] Entitlement versus Enforcement Model

Anil Saldhana Anil.Saldhana at redhat.com
Wed Nov 7 16:34:19 EST 2012


On 11/07/2012 03:26 PM, Bill Burke wrote:
>
> On 11/7/2012 4:09 PM, Anil Saldhana wrote:
>> On 11/07/2012 03:05 PM, Bill Burke wrote:
>>> I committed some preliminary work a few months ago to prototype
>>> Openstack's Keystone service and protocol.  I want to ditch this work
>>> though in favor of developing my own protocol as it seems Keystone is
>>> very much in flux and they aren't sure of their own direction.  It was a
>>> good exercise though as I learned how AS7 and login-modules can fit
>>> together and how you can dynamically set roles/identity *per-request*.
>>> I also wrote a little utility that allows you to delegate authentication
>>> to your security domain. (login-module-authenticator)
>>>
>>> https://github.com/resteasy/Resteasy/tree/master/jaxrs/security/skeleton-key-idm
>>>
>>> I just started on my new (well really long time brewing) ideas this week
>>> as Resteasy 3.0 beta 1 is now out.  I plan on using JSON Web Token and
>>> JSON Web Signatures.  After evaluating these specs, they look very tight
>>> and simple enough to build upon.
>> Bill, last time I mentioned JWT and JWE, you chewed me. Yeah, pretty
>> lightweight stuff and applicable to REST style services.
>> It is possible that JWT lacks the richness that may be desired in a
>> token, for certain use cases. I have not come across those use cases yet
>> apart from serving SAML users over a REST style interface with JSON binding.
>>
> Yup, I was wrong about JWS and JWE.  When I chewed you, I was thinking
> more about HTTP message bodies, and not thinking about URLs and header
> strings.  Keystone uses application/pkcs7-signature, which is a
> possibility too, but I don't know how viable it is within javascript.
> JWS/JWE already has code here.
>
> Bill
>
Bill, don't write any JWS/JWE implementation because this Deutsche 
Telekom researcher has done an implementation of the latest drafts of these 
specs. https://code.google.com/p/jsoncrypto/
The challenge I have with this project is that the code is not indented 
properly and not readable. The build is not mavenized. It is BSD licensed. I 
was supposed to help him with the project code organization, maven etc.

I only implemented the bare minimum JWE/JWS algorithms we require with 
the intent of integrating jsoncrypto.
https://docs.jboss.org/author/display/SECURITY/JSON+Security
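As an added example (not code from this thread, from jsoncrypto, or from either project), here is a minimal JWS compact serialization sign/verify in Python with HS256, showing why the format fits inside URLs and header strings; the key and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import re

# JWS compact serialization (RFC 7515, a draft at the time of this thread):
#   base64url(header) "." base64url(payload) "." base64url(signature)
# base64url strips padding and uses "-" / "_", so the token is URL- and header-safe.

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign(claims: dict, key: bytes) -> str:
    """Produce an HS256 compact JWS over the given claims (JWT payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def jws_verify(token: str, key: bytes) -> dict:
    """Verify an HS256 compact JWS and return its claims, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: never let the token choose (e.g. "none" or a key-type confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so a forger gets no timing oracle on the MAC.
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(p_b64))

def is_url_safe(token: str) -> bool:
    """True if the token needs no percent-encoding in a URL or HTTP header."""
    return re.fullmatch(r"[A-Za-z0-9._-]+", token) is not None

if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed; use a real random key in practice
    tok = jws_sign({"sub": "alice", "roles": ["admin"]}, key)
    print(tok, is_url_safe(tok), jws_verify(tok, key))
```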