On 11/07/2012 10:28 AM, Jason Porter wrote:
This is something I've been thinking about actually. A small side
project I'm working on during the late hours of the evening is going
to be doing something like this. My current line of thinking is to
authenticate once and pass back a token then double check the token
and IP address with each request and have a server side timeout for
their authorized session. I know it's not the same as what you're
talking about, but I couldn't come up with anything good to stop
spoofing a valid token and also enforcing a time limit to a secure
session.
Jason - good thinking. What you are trying to do maps perfectly into a
SAML rich structure but exceeds the JSON Web Token work (JWT
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-05) that is
going on in IETF. Toward this, I have been thinking that we definitely
need a JSON Token representation of the SAML XML structure (that can
capture identity, authentication, attribute, authorization decisions
etc). Basically a literal translation of the SAML XML structures into JSON.
On Wed, Nov 7, 2012 at 8:53 AM, Anil Saldhana
<Anil.Saldhana(a)redhat.com> wrote:
Hi All,
this is an issue I see more at a client (in the classic client/server
paradigm) that the computing industry is moving toward.
With the increasing push towards mobility, cloud and REST
architectures, I think access control decisions may have to be made
where a decision is needed. So instead of making 100 authorization
calls to the server, we need a model where one call is made to the
server (given user, context etc) and we get back a set of entitlements
(or permissions) that need to be applied at the client side.
Examples include a mobile client (such as banking) that needs to figure
out what aspects of the mobile screen the user is entitled to see and
what operations he is capable of performing.
The industry has put too much emphasis on the enforcement model
(meaning, make 100 authorization calls to the glorified server). There
have been almost no models for the entitlement approach.
I have prototyped something here:
https://docs.jboss.org/author/display/SECURITY/EntitlementsManager
The entitlements should be sent in a JSON response.
Also, trying to get this standardized in the industry via the OASIS
Cloud Authorization TC.
https://lists.oasis-open.org/archives/oasis-charter-discuss/201210/msg000...
I have a hunch that projects such as Aerogear, Drools, Errai and
Infinispan may need this model.
Thoughts?
Regards,
Anil
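The two schemes in this thread, one authorization call that returns a set of entitlements as JSON (Anil) and a token that is bound to the client IP and expires server side (Jason), can be combined in one small protocol sketch. The following is an added example written for this page; it is not code from PicketLink, the EntitlementsManager prototype, or either poster. The secret, the user name, the IP addresses, the entitlement names and the screen-element map are all constructed for the demonstration, and the token format (base64url JSON payload plus HMAC-SHA256 tag) is an assumption, not the JWT draft format referenced above.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret; a real deployment would load this from a
# key store rather than hard-code it.
SERVER_SECRET = b"example-secret-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_entitlements(user, client_ip, entitlements, ttl=900, now=None):
    """Server side: evaluate policy once and hand back a signed JSON
    entitlement set bound to the caller's IP with an expiry time."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": user,
        "ip": client_ip,
        "iat": now,
        "exp": now + ttl,
        "entitlements": sorted(entitlements),
    }
    payload = _b64url(json.dumps(claims, separators=(",", ":"),
                                 sort_keys=True).encode())
    tag = _b64url(hmac.new(SERVER_SECRET, payload.encode(),
                           hashlib.sha256).digest())
    return f"{payload}.{tag}"


def verify_entitlements(token, request_ip, now=None):
    """Check the HMAC tag first (constant time), then expiry, then the
    IP binding. Returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    payload, tag = parts
    expected = _b64url(hmac.new(SERVER_SECRET, payload.encode(),
                                hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if claims["ip"] != request_ip:
        raise ValueError("token not valid from this address")
    return claims


# Client side: a constructed map from UI elements to the entitlement
# each one requires, in the spirit of the banking-screen example.
SCREEN_ELEMENTS = {
    "balance_panel": "account:view",
    "transfer_button": "transfer:execute",
    "statements_tab": "statements:view",
    "admin_menu": "admin:manage",
}


def visible_elements(claims):
    """Apply the returned entitlement set locally instead of asking the
    server once per element."""
    granted = set(claims["entitlements"])
    return [el for el, needed in SCREEN_ELEMENTS.items() if needed in granted]


def demo():
    t0 = 1_352_300_000  # fixed clock so the run is reproducible
    tok = issue_entitlements("alice", "10.0.0.5",
                             ["account:view", "transfer:execute"],
                             ttl=900, now=t0)
    claims = verify_entitlements(tok, "10.0.0.5", now=t0 + 10)
    return visible_elements(claims)


if __name__ == "__main__":
    print(demo())
```

The client can render from the entitlement set without further round trips, but the signed token is what lets the server (or a gateway) reject a forged or replayed set on any later state-changing request; the IP binding and expiry reproduce the checks Jason describes, and the list of entitlements is the JSON payload Anil asks for. Binding to a client IP is an assumption of the sketch and breaks behind NAT or on mobile networks that change addresses, so a real deployment would likely bind to something more stable.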