Author: sohil.shah(a)jboss.com
Date: 2009-10-06 17:03:10 -0400 (Tue, 06 Oct 2009)
New Revision: 819
Modified:
authz/trunk/documentation/reference-guide/en/modules/introduction.xml
Log:
introduction chapter
Modified: authz/trunk/documentation/reference-guide/en/modules/introduction.xml
===================================================================
--- authz/trunk/documentation/reference-guide/en/modules/introduction.xml 2009-10-06
19:18:36 UTC (rev 818)
+++ authz/trunk/documentation/reference-guide/en/modules/introduction.xml 2009-10-06
21:03:10 UTC (rev 819)
@@ -26,25 +26,32 @@
<sect2>
<title>Clean Separation between Security Logic and Application
Logic</title>
<para>
-
+ <emphasis>Security Enforcement</emphasis> should be considered a cross
cutting concern just like container managed Transactions. This allows easy customization
+ of an application's security policy without having to modify the core
application codebase. This framework allows decoupling of both <emphasis>security
logic</emphasis>
+ and <emphasis>security data/metadata</emphasis> from the core
application.
</para>
</sect2>
<sect2>
<title>Flexibility to apply Security Logic to arbitrary Runtime
information</title>
<para>
-
+ A good security framework takes into account arbitrary runtime state of an
application while trying to make an access control decision. Most frameworks are
satisfied
+ with merely associating roles/group/membership to protected resources. A security
framework allows decision making based on other runtime state of the system like,
"current time of the day",
+ "allowed range of ip addresses", "the user's age", etc.
This framework uses a <ulink
url="http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacm...
specification</ulink> based rule engine to enable <emphasis>Rule based Access
Control</emphasis>.
</para>
</sect2>
<sect2>
<title>Runtime Management of Security Policy</title>
<para>
-
+ Besides access control, policy provisioning is the other aspect of a security
framework. Security policies should be provisioned dynamically without requiring system
+ restarts. It should also provide a consistent API to build provisioning tools to
manage these policies. Depending upon the requirements of the application the tools can
be
+ xml configuration based, GUI based, and/or integrated into central monitoring
tools like JOPR and JON.
</para>
</sect2>
<sect2>
<title>A user friendly Developer API</title>
<para>
-
+ The framework exposes an easy to use component oriented developer API for
portability of the security layer across multiple applications and/or multiple
infrastructure layers of
+ the same application.
</para>
</sect2>
</sect1>
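Review bot: The "Runtime Management of Security Policy" paragraph promises that policies can be provisioned dynamically without restarts through "a consistent API to build provisioning tools", but says nothing about who may call that API or how changes are recorded; an interface that rewrites access-control policy at runtime is itself a high-value protected resource, so add a sentence stating that policy changes are authorized and audited (and, if the framework does this, that access to the policy store is governed by the same rule engine). Smaller wording points in the same hunk: "cross cutting concern just like container managed Transactions" should read "cross-cutting concern, just like container-managed transactions"; "Most frameworks are satisfied with merely associating roles/group/membership to protected resources. A security framework allows decision making" reads as a contradiction and should be "...associating roles or group membership with protected resources. A good security framework should also allow decisions"; "ip addresses" should be "IP addresses", "xml configuration based" should be "XML-configuration based", and JOPR and JON deserve their full names on first use; "easy to use component oriented" should be "easy-to-use, component-oriented". Finally, the `<ulink url="http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacm...` line looks cut off as shown here, so confirm that the committed file has the complete URL, the closing `">` and anchor text that names XACML, otherwise the DocBook build will fail on the unterminated attribute.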