[security-dev] Entitlement versus Enforcement Model

Bill Burke bburke at redhat.com
Thu Nov 8 19:21:52 EST 2012



On 11/8/2012 4:27 PM, Anil Saldhana wrote:
> On 11/07/2012 05:37 PM, Bill Burke wrote:
>>
>> On 11/7/2012 4:34 PM, Anil Saldhana wrote:
>>> On 11/07/2012 03:26 PM, Bill Burke wrote:
>>>> On 11/7/2012 4:09 PM, Anil Saldhana wrote:
>>>>> On 11/07/2012 03:05 PM, Bill Burke wrote:
>>>>>> I committed some preliminary work a few months ago to prototype
>>>>>> Openstack's Keystone service and protocol.  I want to ditch this work
>>>>>> though in favor of developing my own protocol as it seems Keystone is
>>>>>> very much in flux and they aren't sure of their own direction.  It as a
>>>>>> good exercise though as I learned how AS7 and login-modules can fit
>>>>>> together and how you can dynamically set roles/identity *per-request*.
>>>>>> I also wrote a little utility that allows you to delegate authentication
>>>>>> to your security domain. (login-module-authenticator)
>>>>>>
>>>>>> https://github.com/resteasy/Resteasy/tree/master/jaxrs/security/skeleton-key-idm
>>>>>>
>>>>>> I just started on my new (well really long time brewing) ideas this week
>>>>>> as Resteasy 3.0 beta 1 is now out.  I plan on using JSON Web Token and
>>>>>> JSON Web Signatures.  After evaluating these specs, they look very tight
>>>>>> and simple enough to build upon.
>>>>> Bill, last time I mentioned JWT and JWE, you chewed me. Yeah, pretty
>>>>> lightweight stuff and applicable to REST style services.
>>>>> It is possible that JWT lacks the richness that may be desired in a
>>>>> token, for certain usecases. I have not come across those use cases yet
>>>>> apart from serving SAML users over a REST style interface with JSON binding.
>>>>>
>>>> Yup, I was wrong about JWS and JWE.  When I chewed you, i was thinking
>>>> more about HTTP message bodies, and not thinking about URLs and header
>>>> strings.  Keystone uses application/pks7-signature, which is a
>>>> possibility too, but I don't know how viable it is within javascript.
>>>> JWS/JWE already has code here.
>>>>
>>>> Bill
>>>>
>>> Bill, dont write any JWS/JWE implementation because this Duetsche
>>> Telecom researcher has done implementation of the latest drafts of these
>>> specs. https://code.google.com/p/jsoncrypto/
>>> The challenge I have with this project is that the code is not indented
>>> properly and not readable. Build is not mavenized. It is BSD licensed. I
>>> was supposed to help him with the project code organization, maven etc.
>>>
>>> I only implemented the bare minimum JWE/JWS algorithms we require with
>>> the intent of integrating jsoncrypto.
>>> https://docs.jboss.org/author/display/SECURITY/JSON+Security
>>>
>> There's this too:
>>
>> https://bitbucket.org/nimbusds/nimbus-jose-jwt/wiki/Home
> Bill, the positive about jsoncrypto is all the advanced JWS/JWE
> algorithms are implemented as per draft.  This Nimbus and my
> implementation just does the common/minimum ones.
>

Does all the signature ones mentioned here:

http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-07

Doesn't seem to implement JWE though.

FYI, I'm rewriting it based on Jackson and to make it JAX-RS friendly 
(Resteasy integration).  Already have JWS done with the 10 signature 
algorithsm.  JWE will be easy enough too, but I don't need it at the moment.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the security-dev mailing list