From pskopek at redhat.com  Wed Feb  5 08:04:07 2014
From: pskopek at redhat.com (Peter Skopek)
Date: Wed, 05 Feb 2014 14:04:07 +0100
Subject: [security-dev] Entitlements Concept
In-Reply-To: <52EBC48D.8000706@redhat.com>
References: <52EBC3E6.9040508@redhat.com> <52EBC48D.8000706@redhat.com>
Message-ID: <52F236C7.9090706@redhat.com>

Am I right assuming that mobile application will pick one entitlement from collection of entitlements in hand and use it in request
getting a resource/data from service provider?
In case mobile app already has the data and using entitlements locally, what prevent anybody of modifying the mobile app and render
whatever he wants from the local data?
Or I am wrong and mobile app will download entitlements and then based on them will ask for data which are covered by entitlements
in hand.

Peter

On 01/31/2014 04:43 PM, Anil Saldhana wrote:
> The idea is if rather than make 100 enforcement (Access Checks), you 
> make one call and download
> the entitlements and then do local authorization checks.
> 
> As an example, there is a mobile phone that has a rich native app. It 
> connects to a server and downloads
> the entitlements on the fly. That way it can make local decisions as to 
> what the permissions are, rather than
> make individual server access checks.  Useful in environments such as 
> financial apps.
> 
> On 01/31/2014 09:40 AM, Anil Saldhana wrote:
>> Hi All,
>>      any objections to getting the Entitlements Manager concept into
>> PicketLink Authorization?  That way we cover all based with both Fine
>> Grained Authorization (Permissions API/Implementation) as well as
>> download of entitlements.
>> My previous prototype:
>> https://docs.jboss.org/author/display/SECURITY/EntitlementsManager
>> (there are bugs in the test case which I will fix)
>>
>> While the FGA is what I call the Enforcement Model, the
>> EntitlementsManager concept is what I call the Entitlement Model.
>>
>> I am currently writing a specification at OASIS for this:
>> https://www.oasis-open.org/committees/document.php?document_id=52098&wg_abbrev=cloudauthz
>>
>> Regards,
>> Anil
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
> 

From psilva at redhat.com  Wed Feb  5 08:50:59 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 5 Feb 2014 08:50:59 -0500 (EST)
Subject: [security-dev] Entitlements Concept
In-Reply-To: <52F236C7.9090706@redhat.com>
References: <52EBC3E6.9040508@redhat.com> <52EBC48D.8000706@redhat.com>
	<52F236C7.9090706@redhat.com>
Message-ID: <820652710.16972989.1391608259546.JavaMail.root@redhat.com>

>From a server perspective, you can perform additional checks in order to make sure the client is able to perform a specific operation or retrieve data.

>From a mobile perspective, I think depends how the mobile app is storing sensitive data by using secure/encrypted storage. I think Aerogear is addressing this ...

----- Original Message -----
From: "Peter Skopek" <pskopek at redhat.com>
To: "Anil Saldhana" <Anil.Saldhana at redhat.com>, security-dev at lists.jboss.org
Sent: Wednesday, February 5, 2014 11:04:07 AM
Subject: Re: [security-dev] Entitlements Concept

Am I right assuming that mobile application will pick one entitlement from collection of entitlements in hand and use it in request
getting a resource/data from service provider?
In case mobile app already has the data and using entitlements locally, what prevent anybody of modifying the mobile app and render
whatever he wants from the local data?
Or I am wrong and mobile app will download entitlements and then based on them will ask for data which are covered by entitlements
in hand.

Peter

On 01/31/2014 04:43 PM, Anil Saldhana wrote:
> The idea is if rather than make 100 enforcement (Access Checks), you 
> make one call and download
> the entitlements and then do local authorization checks.
> 
> As an example, there is a mobile phone that has a rich native app. It 
> connects to a server and downloads
> the entitlements on the fly. That way it can make local decisions as to 
> what the permissions are, rather than
> make individual server access checks.  Useful in environments such as 
> financial apps.
> 
> On 01/31/2014 09:40 AM, Anil Saldhana wrote:
>> Hi All,
>>      any objections to getting the Entitlements Manager concept into
>> PicketLink Authorization?  That way we cover all based with both Fine
>> Grained Authorization (Permissions API/Implementation) as well as
>> download of entitlements.
>> My previous prototype:
>> https://docs.jboss.org/author/display/SECURITY/EntitlementsManager
>> (there are bugs in the test case which I will fix)
>>
>> While the FGA is what I call the Enforcement Model, the
>> EntitlementsManager concept is what I call the Entitlement Model.
>>
>> I am currently writing a specification at OASIS for this:
>> https://www.oasis-open.org/committees/document.php?document_id=52098&wg_abbrev=cloudauthz
>>
>> Regards,
>> Anil
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
> 
_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev

From Anil.Saldhana at redhat.com  Thu Feb  6 12:56:57 2014
From: Anil.Saldhana at redhat.com (Anil Saldhana)
Date: Thu, 06 Feb 2014 11:56:57 -0600
Subject: [security-dev] Entitlements Concept
In-Reply-To: <52F236C7.9090706@redhat.com>
References: <52EBC3E6.9040508@redhat.com> <52EBC48D.8000706@redhat.com>
	<52F236C7.9090706@redhat.com>
Message-ID: <52F3CCE9.2030400@redhat.com>


Imagine a mobile app with many potential functions:
a) Withdraw money
b) Transfer money
c) Trade stocks
d) Deposit money

At a particular instant of time, you can turn on/off these features at 
the app level based on the downloaded permission set, rather than check 
whether the user has permission for each.  The feature set can grow 
exponentially and may not be very cost effective from bandwidth/resource 
perspective.

Somebody at the server side would have configured the permissions.

On 02/05/2014 07:04 AM, Peter Skopek wrote:
> Am I right assuming that mobile application will pick one entitlement from collection of entitlements in hand and use it in request
> getting a resource/data from service provider?
> In case mobile app already has the data and using entitlements locally, what prevent anybody of modifying the mobile app and render
> whatever he wants from the local data?
> Or I am wrong and mobile app will download entitlements and then based on them will ask for data which are covered by entitlements
> in hand.
>
> Peter
>
> On 01/31/2014 04:43 PM, Anil Saldhana wrote:
>> The idea is if rather than make 100 enforcement (Access Checks), you
>> make one call and download
>> the entitlements and then do local authorization checks.
>>
>> As an example, there is a mobile phone that has a rich native app. It
>> connects to a server and downloads
>> the entitlements on the fly. That way it can make local decisions as to
>> what the permissions are, rather than
>> make individual server access checks.  Useful in environments such as
>> financial apps.
>>
>> On 01/31/2014 09:40 AM, Anil Saldhana wrote:
>>> Hi All,
>>>       any objections to getting the Entitlements Manager concept into
>>> PicketLink Authorization?  That way we cover all based with both Fine
>>> Grained Authorization (Permissions API/Implementation) as well as
>>> download of entitlements.
>>> My previous prototype:
>>> https://docs.jboss.org/author/display/SECURITY/EntitlementsManager
>>> (there are bugs in the test case which I will fix)
>>>
>>> While the FGA is what I call the Enforcement Model, the
>>> EntitlementsManager concept is what I call the Entitlement Model.
>>>
>>> I am currently writing a specification at OASIS for this:
>>> https://www.oasis-open.org/committees/document.php?document_id=52098&wg_abbrev=cloudauthz
>>>
>>> Regards,
>>> Anil
>>>   


From claudio at claudius.com.br  Thu Feb  6 13:07:35 2014
From: claudio at claudius.com.br (Claudio Miranda)
Date: Thu, 6 Feb 2014 16:07:35 -0200
Subject: [security-dev] PL console for HAL 2
Message-ID: <CALbD--qKCycxJ71P1f8u0-eCkC_0Dus03mnxhoKi29AOHDh5fA@mail.gmail.com>

Hi, I worked PL console [1] and make it work with HAL 2.0.6.

I talked with Pedro and he suggested to open a branch in PL console
related to HAL 2, then I can PR the changed there.

However, HAL 2 has RBAC support, therefore I think PL-console and PL
subsystem must have some work to support RBAC, what do you think ?

Also, what is the roadmap (short and long term) for PL console ?

1. https://github.com/picketlink2/picketlink-console

Regards
-- 
  Claudio Miranda

claudio at claudius.com.br
http://www.claudius.com.br

From Anil.Saldhana at redhat.com  Thu Feb  6 13:28:13 2014
From: Anil.Saldhana at redhat.com (Anil Saldhana)
Date: Thu, 06 Feb 2014 12:28:13 -0600
Subject: [security-dev] PL console for HAL 2
In-Reply-To: <CALbD--qKCycxJ71P1f8u0-eCkC_0Dus03mnxhoKi29AOHDh5fA@mail.gmail.com>
References: <CALbD--qKCycxJ71P1f8u0-eCkC_0Dus03mnxhoKi29AOHDh5fA@mail.gmail.com>
Message-ID: <52F3D43D.9020006@redhat.com>

On 02/06/2014 12:07 PM, Claudio Miranda wrote:
> Hi, I worked PL console [1] and make it work with HAL 2.0.6.
Fantastic.
> I talked with Pedro and he suggested to open a branch in PL console
> related to HAL 2, then I can PR the changed there.
Agreed.

> However, HAL 2 has RBAC support, therefore I think PL-console and PL
> subsystem must have some work to support RBAC, what do you think ?
Basically the console based on HAL needs to use whatever the WildFly/EAP
recommend. Since it is just a plugin into the App Server admin console.

> Also, what is the roadmap (short and long term) for PL console ?
>
> 1. https://github.com/picketlink2/picketlink-console
We try to keep the console in sync with the PL App Server subsystem as much
as possible. But with HAL2, we got delayed with the console changes.
Thankfully, you have come forward to help us close that gap. :)
>
> Regards


From psilva at redhat.com  Thu Feb  6 15:05:54 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 6 Feb 2014 15:05:54 -0500 (EST)
Subject: [security-dev] PL console for HAL 2
In-Reply-To: <CALbD--qKCycxJ71P1f8u0-eCkC_0Dus03mnxhoKi29AOHDh5fA@mail.gmail.com>
References: <CALbD--qKCycxJ71P1f8u0-eCkC_0Dus03mnxhoKi29AOHDh5fA@mail.gmail.com>
Message-ID: <1168805116.18374176.1391717154336.JavaMail.root@redhat.com>

Fantastic Claudio ! I've opened a JIRA to track this.

https://issues.jboss.org/browse/PLINK-358

Thanks.

----- Original Message -----
From: "Claudio Miranda" <claudio at claudius.com.br>
To: security-dev at lists.jboss.org
Sent: Thursday, February 6, 2014 4:07:35 PM
Subject: [security-dev] PL console for HAL 2

Hi, I worked PL console [1] and make it work with HAL 2.0.6.

I talked with Pedro and he suggested to open a branch in PL console
related to HAL 2, then I can PR the changed there.

However, HAL 2 has RBAC support, therefore I think PL-console and PL
subsystem must have some work to support RBAC, what do you think ?

Also, what is the roadmap (short and long term) for PL console ?

1. https://github.com/picketlink2/picketlink-console

Regards
-- 
  Claudio Miranda

claudio at claudius.com.br
http://www.claudius.com.br
_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev

From claudio at claudius.com.br  Thu Feb  6 16:31:28 2014
From: claudio at claudius.com.br (Claudio Miranda)
Date: Thu, 6 Feb 2014 19:31:28 -0200
Subject: [security-dev] PL console for HAL 2
In-Reply-To: <52F3D43D.9020006@redhat.com>
References: <CALbD--qKCycxJ71P1f8u0-eCkC_0Dus03mnxhoKi29AOHDh5fA@mail.gmail.com>
	<52F3D43D.9020006@redhat.com>
Message-ID: <CALbD--o1ApdkHKgoo8xxVNchqeAaR=r=L_O9C0EyjOfx2pZZCA@mail.gmail.com>

On Thu, Feb 6, 2014 at 3:28 PM, Anil Saldhana <Anil.Saldhana at redhat.com> wrote:
> On 02/06/2014 12:07 PM, Claudio Miranda wrote:
>> Hi, I worked PL console [1] and make it work with HAL 2.0.6.
> Fantastic.

I updated to 1.0.4-SNAPSHOT.
The current HAL version is 2.2.0-SNAPSHOT, PL console should depend on
HAL 2.0.6 or 2.2.0-SNAPSHOT ?

>> However, HAL 2 has RBAC support, therefore I think PL-console and PL
>> subsystem must have some work to support RBAC, what do you think ?
> Basically the console based on HAL needs to use whatever the WildFly/EAP
> recommend. Since it is just a plugin into the App Server admin console.

I will review the RBAC definitions and how it applies to PL
console/subsystem and propose the changes.

-- 
  Claudio Miranda

claudio at claudius.com.br
http://www.claudius.com.br

From psilva at redhat.com  Thu Feb  6 19:07:05 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 6 Feb 2014 19:07:05 -0500 (EST)
Subject: [security-dev] PL console for HAL 2
In-Reply-To: <CALbD--o1ApdkHKgoo8xxVNchqeAaR=r=L_O9C0EyjOfx2pZZCA@mail.gmail.com>
References: <CALbD--qKCycxJ71P1f8u0-eCkC_0Dus03mnxhoKi29AOHDh5fA@mail.gmail.com>
	<52F3D43D.9020006@redhat.com>
	<CALbD--o1ApdkHKgoo8xxVNchqeAaR=r=L_O9C0EyjOfx2pZZCA@mail.gmail.com>
Message-ID: <916569625.18593950.1391731625654.JavaMail.root@redhat.com>

----- Original Message -----
> From: "Claudio Miranda" <claudio at claudius.com.br>
> To: "Anil Saldhana" <Anil.Saldhana at redhat.com>
> Cc: security-dev at lists.jboss.org
> Sent: Thursday, February 6, 2014 7:31:28 PM
> Subject: Re: [security-dev] PL console for HAL 2
> 
> On Thu, Feb 6, 2014 at 3:28 PM, Anil Saldhana <Anil.Saldhana at redhat.com>
> wrote:
> > On 02/06/2014 12:07 PM, Claudio Miranda wrote:
> >> Hi, I worked PL console [1] and make it work with HAL 2.0.6.
> > Fantastic.
> 
> I updated to 1.0.4-SNAPSHOT.
> The current HAL version is 2.2.0-SNAPSHOT, PL console should depend on
> HAL 2.0.6 or 2.2.0-SNAPSHOT ?

Better rely on the latest released version. I think it is 2.1.1.Final. We can confirm with Harald if is safe to rely on the latest, targeting EAP 6.3.

> >> However, HAL 2 has RBAC support, therefore I think PL-console and PL
> >> subsystem must have some work to support RBAC, what do you think ?
> > Basically the console based on HAL needs to use whatever the WildFly/EAP
> > recommend. Since it is just a plugin into the App Server admin console.
> 
> I will review the RBAC definitions and how it applies to PL
> console/subsystem and propose the changes.
> 
> --
>   Claudio Miranda
> 
> claudio at claudius.com.br
> http://www.claudius.com.br
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
> 

From Anil.Saldhana at redhat.com  Fri Feb  7 10:39:31 2014
From: Anil.Saldhana at redhat.com (Anil Saldhana)
Date: Fri, 07 Feb 2014 09:39:31 -0600
Subject: [security-dev] Next beta release in 3-4 days
Message-ID: <52F4FE33.4080901@redhat.com>

Hi All,
   next beta release in 3-4 days.
Now is a good time to finish the docs for the features you want 
advertised in this beta release.

Regards,
Anil

From jcacek at redhat.com  Wed Feb 12 07:48:13 2014
From: jcacek at redhat.com (Josef Cacek)
Date: Wed, 12 Feb 2014 07:48:13 -0500 (EST)
Subject: [security-dev] PicketLink 2.1.10 and 2.5.3.Beta2 issues
In-Reply-To: <1023017947.3924527.1392191152254.JavaMail.zimbra@redhat.com>
Message-ID: <598878055.4188654.1392209293132.JavaMail.zimbra@redhat.com>

Message deleted as requested by ticket 278545

From psilva at redhat.com  Thu Feb 13 08:56:27 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 13 Feb 2014 08:56:27 -0500 (EST)
Subject: [security-dev] PicketLink 2.6.0.Beta3 Released
In-Reply-To: <1113106320.3864088.1392299023681.JavaMail.zimbra@redhat.com>
Message-ID: <1270314583.3874794.1392299787912.JavaMail.zimbra@redhat.com>

Hi All,

    Today we released PicketLink 2.6.0.Beta3.

    For more information, please visit our site: 

        http://www.picketlink.org
        https://community.jboss.org/message/857504

    Documentation can be obtained from:

        http://docs.jboss.org/picketlink/2/latest    

Regards.
Pedro Igor

From Anil.Saldhana at redhat.com  Thu Feb 13 09:12:53 2014
From: Anil.Saldhana at redhat.com (Anil Saldhana)
Date: Thu, 13 Feb 2014 08:12:53 -0600
Subject: [security-dev] PicketLink 2.6.0.Beta3 Released
In-Reply-To: <1270314583.3874794.1392299787912.JavaMail.zimbra@redhat.com>
References: <1270314583.3874794.1392299787912.JavaMail.zimbra@redhat.com>
Message-ID: <52FCD2E5.7030705@redhat.com>

Hi Pedro,
    important beta release.

Now onto CR1 and then Final. :)

Regards,
Anil

On 02/13/2014 07:56 AM, Pedro Igor Silva wrote:
> Hi All,
>
>      Today we released PicketLink 2.6.0.Beta3.
>
>      For more information, please visit our site:
>
>          http://www.picketlink.org
>          https://community.jboss.org/message/857504
>
>      Documentation can be obtained from:
>
>          http://docs.jboss.org/picketlink/2/latest
>
> Regards.
> Pedro Igor

From psilva at redhat.com  Thu Feb 13 10:46:58 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 13 Feb 2014 10:46:58 -0500 (EST)
Subject: [security-dev] PicketLink 2.6.0.Beta3 Released
In-Reply-To: <52FCD2E5.7030705@redhat.com>
References: <1270314583.3874794.1392299787912.JavaMail.zimbra@redhat.com>
	<52FCD2E5.7030705@redhat.com>
Message-ID: <981455445.3981871.1392306418588.JavaMail.zimbra@redhat.com>

Yeah, last beta for 2.6.0.

----- Original Message -----
From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
To: security-dev at lists.jboss.org
Sent: Thursday, February 13, 2014 12:12:53 PM
Subject: Re: [security-dev] PicketLink 2.6.0.Beta3 Released

Hi Pedro,
    important beta release.

Now onto CR1 and then Final. :)

Regards,
Anil

On 02/13/2014 07:56 AM, Pedro Igor Silva wrote:
> Hi All,
>
>      Today we released PicketLink 2.6.0.Beta3.
>
>      For more information, please visit our site:
>
>          http://www.picketlink.org
>          https://community.jboss.org/message/857504
>
>      Documentation can be obtained from:
>
>          http://docs.jboss.org/picketlink/2/latest
>
> Regards.
> Pedro Igor
_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev

From jcacek at redhat.com  Mon Feb 17 06:44:57 2014
From: jcacek at redhat.com (Josef Cacek)
Date: Mon, 17 Feb 2014 06:44:57 -0500 (EST)
Subject: [security-dev] PicketLink 2.1.10 and 2.5.3.Beta2 issues
In-Reply-To: <598878055.4188654.1392209293132.JavaMail.zimbra@redhat.com>
References: <598878055.4188654.1392209293132.JavaMail.zimbra@redhat.com>
Message-ID: <1397597122.7940063.1392637497978.JavaMail.zimbra@redhat.com>

Message deleted as requested by ticket 278545

From asaldhan at redhat.com  Mon Feb 17 11:00:40 2014
From: asaldhan at redhat.com (Anil Saldhana)
Date: Mon, 17 Feb 2014 11:00:40 -0500 (EST)
Subject: [security-dev] PicketLink 2.1.10 and 2.5.3.Beta2 issues
In-Reply-To: <1397597122.7940063.1392637497978.JavaMail.zimbra@redhat.com>
References: <598878055.4188654.1392209293132.JavaMail.zimbra@redhat.com>
	<1397597122.7940063.1392637497978.JavaMail.zimbra@redhat.com>
Message-ID: <FEC491FB-C195-4616-9918-17B33E2EC17A@redhat.com>

Message deleted as requested by ticket 278545


From asaldhan at redhat.com  Wed Feb 19 16:51:16 2014
From: asaldhan at redhat.com (Anil Saldhana)
Date: Wed, 19 Feb 2014 16:51:16 -0500 (EST)
Subject: [security-dev] Mozilla Persona project is done
Message-ID: <DCABD8ED-6956-4A03-AD04-583791B8CA18@redhat.com>

groups.google.com/forum/m#!topic/mozilla.dev.identity/Qnxt8lmOEeo 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20140219/48a4e929/attachment.html