Cart
|
[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Blended Authentication (AKA "Granular Access Control")
I have a question regarding security, particularly authentication and
access control. My objective is to present a concept, and find out if
this concept is currently being implemented in any XML-based open
standards. The standards that I am familiar with (without listing them)
do not, according to my understanding, take into account this concept.
The concept is this: authentication of not only a user for access
control to a resource, but a combination of the user *and* a resource -
i.e. "blended authentication". For example, suppose that we have the
following very simple scenario of 2 users (USER1 and USER2) accessing a
system (SYSTEM A) that further accesses another system (SYSTEM B). It is
assumed that all access would be through Web services:
----------- -----------
| | | |
USER1---->| |-------->| |
| SYSTEM | | SYSTEM |
| A | | B |
USER2---->| | | |
| | | |
----------- -----------
The above scenario indicates that both USER1 and USER2 are successfully
authenticated by SYSTEM A. However, when it is required that SYSTEM A
accesses SYSTEM B (perhaps for a database lookup), only USER1 is
authenticated to SYSTEM B. This is because the authentication by SYSTEM
B took into account not only USER1's credentials (X.509 cert, Kerberos
ticket, SAML assertion, etc.), but the fact that USER1 was accessing
SYSTEM B from SYSTEM A. So, USER2 may very well be authenticated to
access SYSTEM B from some other system - just not from SYSTEM A.
[Getting into implementation for a second] It appears that this type of
authentication could be enforced through some sort of security-related
extensions to WSDL, so that it can be controlled at a Service level.
Taking that one step further, such authentication could even be enforced
at the Operation level, Message level, etc.
Any thoughts/comments on this would be greatly welcome and appreciated.
Kind Regards,
Joe Chiusano
Booz | Allen | Hamilton
begin:vcard n:Chiusano;Joseph tel;work:(703) 902-6923 x-mozilla-html:FALSE url:www.bah.com org:Booz | Allen | Hamilton;IT Digital Strategies Team adr:;;8283 Greensboro Drive;McLean;VA;22012; version:2.1 email;internet:chiusano_joseph@b... title:Senior Consultant fn:Joseph M. Chiusano end:vcard 
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! 
Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|
|||||||||
