[security-dev] Entitlements Concept

Pedro Igor Silva psilva at redhat.com
Wed Feb 5 08:50:59 EST 2014

>From a server perspective, you can perform additional checks in order to make sure the client is able to perform a specific operation or retrieve data.

>From a mobile perspective, I think depends how the mobile app is storing sensitive data by using secure/encrypted storage. I think Aerogear is addressing this ...

----- Original Message -----
From: "Peter Skopek" <pskopek at redhat.com>
To: "Anil Saldhana" <Anil.Saldhana at redhat.com>, security-dev at lists.jboss.org
Sent: Wednesday, February 5, 2014 11:04:07 AM
Subject: Re: [security-dev] Entitlements Concept

Am I right assuming that mobile application will pick one entitlement from collection of entitlements in hand and use it in request
getting a resource/data from service provider?
In case mobile app already has the data and using entitlements locally, what prevent anybody of modifying the mobile app and render
whatever he wants from the local data?
Or I am wrong and mobile app will download entitlements and then based on them will ask for data which are covered by entitlements
in hand.


On 01/31/2014 04:43 PM, Anil Saldhana wrote:
> The idea is if rather than make 100 enforcement (Access Checks), you 
> make one call and download
> the entitlements and then do local authorization checks.
> As an example, there is a mobile phone that has a rich native app. It 
> connects to a server and downloads
> the entitlements on the fly. That way it can make local decisions as to 
> what the permissions are, rather than
> make individual server access checks.  Useful in environments such as 
> financial apps.
> On 01/31/2014 09:40 AM, Anil Saldhana wrote:
>> Hi All,
>>      any objections to getting the Entitlements Manager concept into
>> PicketLink Authorization?  That way we cover all based with both Fine
>> Grained Authorization (Permissions API/Implementation) as well as
>> download of entitlements.
>> My previous prototype:
>> https://docs.jboss.org/author/display/SECURITY/EntitlementsManager
>> (there are bugs in the test case which I will fix)
>> While the FGA is what I call the Enforcement Model, the
>> EntitlementsManager concept is what I call the Entitlement Model.
>> I am currently writing a specification at OASIS for this:
>> https://www.oasis-open.org/committees/document.php?document_id=52098&wg_abbrev=cloudauthz
>> Regards,
>> Anil
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
security-dev mailing list
security-dev at lists.jboss.org

More information about the security-dev mailing list