Re: Blended Authentication (AKA "Granular Access Control")
Sorry to combine both concepts. I intended to focus strictly on the authentication aspect, not on access control. Here is an updated scenario:

I have a question regarding security, particularly authentication. My objective is to present a concept, and find out if this concept is currently being implemented in any XML-based open standards. The standards that I am familiar with (without listing them) do not, according to my understanding, take into account this concept.

The concept is this: authentication of not only a user for access control to a system, but a combination of the user *and* the system from which they came - i.e. "blended authentication".

For example, suppose that we have the following very simple scenario of 2 users (USER1 and USER2) accessing a system (SYSTEM A) that further accesses another system (SYSTEM B). It is assumed that all access would be through Web services:

            -----------          -----------
            |         |          |         |
USER1------>|         |--------->|         |
            | SYSTEM  |          | SYSTEM  |
            |    A    |          |    B    |
USER2------>|         |          |         |
            |         |          |         |
            -----------          -----------

The above scenario indicates that both USER1 and USER2 are successfully authenticated by SYSTEM A. However, when it is required that SYSTEM A accesses SYSTEM B (perhaps for a database lookup), only USER1 is authenticated to SYSTEM B. This is because the authentication by SYSTEM B took into account not only USER1's credentials (X.509 cert, Kerberos ticket, SAML assertion, etc.), but the fact that USER1 was accessing SYSTEM B from SYSTEM A. So, USER2 may very well be authenticated to access SYSTEM B from some other system - just not from SYSTEM A.

It can be assumed that once a user is authenticated to a system, any access control to resources within that system (ex: file systems, files, etc.) is outside the scope of this scenario and is controlled by whatever access control means that system uses.
[Getting into implementation for a second] It appears that this type of authentication could be enforced through some sort of security-related extensions to WSDL, so that it can be controlled at a Service level. Taking that one step further, such authentication could even be enforced at the Operation level, Message level, etc.

Any thoughts/comments on this would be greatly welcome and appreciated.

Kind Regards,
Joe Chiusano
Booz | Allen | Hamilton

"Cavnar-Johnson, John" wrote:
>
> > -----Original Message-----
> > From: Chiusano Joseph [mailto:chiusano_joseph@b...]
> > Sent: Wednesday, May 07, 2003 8:05 AM
> > To: xml-dev@l...
> >
> > I have a question regarding security, particularly
> > authentication and access control. My objective is to present
> > a concept, and find out if this concept is currently being
> > implemented in any XML-based open standards. The standards
> > that I am familiar with (without listing them) do not,
> > according to my understanding, take into account this concept.
>
> Can you restate this example, clearly delineating when you mean
> authentication (the process of identifying the user) and when you mean
> authorization (determining the user's rights and privileges)? You appear to
> be using authentication to cover both concepts and that makes it impossible
> to answer your question.
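The scenario above, worked through as an added example (this is not code from the original post or from any standard the thread mentions). It models SYSTEM B's side of "blended authentication": the intermediary (SYSTEM A or SYSTEM C) authenticates the user itself, then issues an assertion naming both the user and the issuing system, signed with that system's key. SYSTEM B first proves the origin claim by checking the signature against the key it holds for the claimed issuer, and only then applies a policy over (user, originating system) pairs. The system names, the HMAC keys and the allowed pairs are all constructed for the example; a real deployment would use X.509 or SAML trust rather than shared HMAC keys.

```python
import hashlib
import hmac
import json

# Constructed shared keys, one per calling system, held by SYSTEM B.
# These stand in for whatever trust (X.509, Kerberos, SAML) a real SYSTEM B
# would have with each system that may call it.
SYSTEM_KEYS = {
    "SYSTEM_A": b"constructed-key-for-system-a",
    "SYSTEM_C": b"constructed-key-for-system-c",
}

# Blended authentication policy at SYSTEM B: the (user, originating system)
# pairs it accepts. USER1 is accepted from SYSTEM A; USER2 only from SYSTEM C,
# matching the scenario in the post (constructed policy).
ALLOWED_PAIRS = {
    ("USER1", "SYSTEM_A"),
    ("USER2", "SYSTEM_C"),
}


def issue_assertion(user, system, key):
    """Intermediary side (e.g. SYSTEM A), run after it has authenticated the
    user by its own means. Returns an assertion that names both the user and
    the issuing system and is bound to that system's key."""
    body = json.dumps({"subject": user, "issuer": system}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_assertion(assertion):
    """SYSTEM B side. Returns (accepted, reason).

    Order matters: the origin claim is only trusted once the signature has
    been checked against the key of the *claimed* issuer, so a system cannot
    borrow another system's identity by simply naming it in the assertion.
    """
    try:
        claims = json.loads(assertion["body"])
        user, system = claims["subject"], claims["issuer"]
        tag = assertion["tag"]
    except (KeyError, TypeError, ValueError):
        return False, "malformed assertion"

    key = SYSTEM_KEYS.get(system)
    if key is None:
        return False, "unknown originating system %s" % system

    expected = hmac.new(key, assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature: origin claim %s not proven" % system

    # Both the user and the system they arrived from must match the policy.
    if (user, system) not in ALLOWED_PAIRS:
        return False, "%s is not authenticated to SYSTEM B from %s" % (user, system)
    return True, "%s accepted from %s" % (user, system)


def request_via(user, system, signing_key=None):
    """Convenience wrapper: user reaches SYSTEM B through `system`. Passing a
    different signing_key simulates a system claiming an origin it does not hold."""
    key = signing_key if signing_key is not None else SYSTEM_KEYS[system]
    return verify_assertion(issue_assertion(user, system, key))


if __name__ == "__main__":
    print(request_via("USER1", "SYSTEM_A"))   # accepted
    print(request_via("USER2", "SYSTEM_A"))   # rejected: wrong origin for USER2
    print(request_via("USER2", "SYSTEM_C"))   # accepted
    # SYSTEM A claiming to be SYSTEM C: signature check fails before policy.
    print(request_via("USER2", "SYSTEM_C", signing_key=SYSTEM_KEYS["SYSTEM_A"]))
```

The point the four calls illustrate is the one the post makes: USER2's credentials are perfectly valid, and USER2 is accepted from SYSTEM C, yet the same user arriving via SYSTEM A is refused, because the decision is made on the pair rather than on the user alone. The signature step is what makes the originating-system half of that pair worth anything; without it the intermediary could name any origin it liked.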