Re: [security-dev] Entitlement versus Enforcement Model

On 11/7/2012 4:34 PM, Anil Saldhana wrote: > On 11/07/2012 03:26 PM, Bill Burke wrote: >> On 11/7/2012 4:09 PM, Anil Saldhana wrote: >>> On 11/07/2012 03:05 PM, Bill Burke wrote: >>>> I committed some preliminary work a few months ago to prototype >>>> Openstack's Keystone service and protocol. I want to ditch this work >>>> though in favor of developing my own protocol as it seems Keystone is >>>> very much in flux and they aren't sure of their own direction. It as a >>>> good exercise though as I learned how AS7 and login-modules can fit >>>> together and how you can dynamically set roles/identity *per-request*. >>>> I also wrote a little utility that allows you to delegate authentication >>>> to your security domain. (login-module-authenticator) >>>> >>>> https://github.com/resteasy/Resteasy/tree/master/jaxrs/security/skeleton-... >>>> >>>> I just started on my new (well really long time brewing) ideas this week >>>> as Resteasy 3.0 beta 1 is now out. I plan on using JSON Web Token and >>>> JSON Web Signatures. After evaluating these specs, they look very tight >>>> and simple enough to build upon. >>> Bill, last time I mentioned JWT and JWE, you chewed me. Yeah, pretty >>> lightweight stuff and applicable to REST style services. >>> It is possible that JWT lacks the richness that may be desired in a >>> token, for certain usecases. I have not come across those use cases yet >>> apart from serving SAML users over a REST style interface with JSON binding. >>> >> Yup, I was wrong about JWS and JWE. When I chewed you, i was thinking >> more about HTTP message bodies, and not thinking about URLs and header >> strings. Keystone uses application/pks7-signature, which is a >> possibility too, but I don't know how viable it is within javascript. >> JWS/JWE already has code here. >> >> Bill >> > Bill, dont write any JWS/JWE implementation because this Duetsche > Telecom researcher has done implementation of the latest drafts of these > specs. https://code.google.com/p/jsoncrypto/ > The challenge I have with this project is that the code is not indented > properly and not readable. Build is not mavenized. It is BSD licensed. I > was supposed to help him with the project code organization, maven etc. > > I only implemented the bare minimum JWE/JWS algorithms we require with > the intent of integrating jsoncrypto. > https://docs.jboss.org/author/display/SECURITY/JSON+Security > There's this too: https://bitbucket.org/nimbusds/nimbus-jose-jwt/wiki/Home