Re: [security-dev] Entitlement versus Enforcement Model

On 11/07/2012 05:37 PM, Bill Burke wrote: > > On 11/7/2012 4:34 PM, Anil Saldhana wrote: >> On 11/07/2012 03:26 PM, Bill Burke wrote: >>> On 11/7/2012 4:09 PM, Anil Saldhana wrote: >>>> On 11/07/2012 03:05 PM, Bill Burke wrote: >>>>> I committed some preliminary work a few months ago to prototype >>>>> Openstack's Keystone service and protocol. I want to ditch this work >>>>> though in favor of developing my own protocol as it seems Keystone is >>>>> very much in flux and they aren't sure of their own direction. It as a >>>>> good exercise though as I learned how AS7 and login-modules can fit >>>>> together and how you can dynamically set roles/identity *per-request*. >>>>> I also wrote a little utility that allows you to delegate authentication >>>>> to your security domain. (login-module-authenticator) >>>>> >>>>> https://github.com/resteasy/Resteasy/tree/master/jaxrs/security/skeleton-... >>>>> >>>>> I just started on my new (well really long time brewing) ideas this week >>>>> as Resteasy 3.0 beta 1 is now out. I plan on using JSON Web Token and >>>>> JSON Web Signatures. After evaluating these specs, they look very tight >>>>> and simple enough to build upon. >>>> Bill, last time I mentioned JWT and JWE, you chewed me. Yeah, pretty >>>> lightweight stuff and applicable to REST style services. >>>> It is possible that JWT lacks the richness that may be desired in a >>>> token, for certain usecases. I have not come across those use cases yet >>>> apart from serving SAML users over a REST style interface with JSON binding. >>>> >>> Yup, I was wrong about JWS and JWE. When I chewed you, i was thinking >>> more about HTTP message bodies, and not thinking about URLs and header >>> strings. Keystone uses application/pks7-signature, which is a >>> possibility too, but I don't know how viable it is within javascript. >>> JWS/JWE already has code here. >>> >>> Bill >>> >> Bill, dont write any JWS/JWE implementation because this Duetsche >> Telecom researcher has done implementation of the latest drafts of these >> specs. https://code.google.com/p/jsoncrypto/ >> The challenge I have with this project is that the code is not indented >> properly and not readable. Build is not mavenized. It is BSD licensed. I >> was supposed to help him with the project code organization, maven etc. >> >> I only implemented the bare minimum JWE/JWS algorithms we require with >> the intent of integrating jsoncrypto. >> https://docs.jboss.org/author/display/SECURITY/JSON+Security >> > There's this too: > > https://bitbucket.org/nimbusds/nimbus-jose-jwt/wiki/Home Bill, the positive about jsoncrypto is all the advanced JWS/JWE algorithms are implemented as per draft. This Nimbus and my implementation just does the common/minimum ones.