Re: Blended Authentication (AKA "Granular Access Control")
The latter. Your approach makes total sense to me - I just needed to stretch my thinking on this topic a bit further with respect to the capabilities of WS-Trust and the policy-related GXA specifications (you have helped me do that).

So it sounds like the requirements in the original scenario can be satisfied by WS-Trust and these policy-related GXA specifications, along with mechanisms such as X.509 certs, SAML, Kerberos tickets, etc.

Thanks for your insight.

Joe Chiusano
Booz | Allen | Hamilton

"Cavnar-Johnson, John" wrote:
>
> > -----Original Message-----
> > From: Chiusano Joseph [mailto:chiusano_joseph@b...]
> > Sent: Wednesday, May 07, 2003 2:52 PM
> > To: Cavnar-Johnson, John
> > Cc: xml-dev@l...
> >
> > <Quote1>
> > According to the WS-Trust spec, "a web service can require
> > that an incoming message prove a set of claims." These claims
> > are not limited merely to identity, but can include the
> > user's principal (or security context)
> > </Quote1>
> >
> > Can you take this one step further and explain how this would
> > apply to the presented scenario? In other words, how would
> > the identity of SYSTEM A be brought into the picture
> > (allowing SYSTEM A to really be considered a "user")? And how
> > does it relate to the possibility of more granular security
> > at (for example) the WSDL Operation level?
> >
>
> Do you want SYSTEM A to authenticate the user, or do you want the request to
> actually come from SYSTEM A? If the former, then this is exactly the
> brokered trust scenario. If the latter, then you add a requirement to your
> policy that states the request must include a certificate from SYSTEM A as
> well as credentials for the user.