Re: Blended Authentication (AKA "Granular Access Control")
Thanks John.

I am actually very familiar with the WS-Trust specification [1] (only mentioning my article so you can understand my background). WS-Trust involves parties exchanging security credentials that are based on existing mechanisms (X.509 cert, SAML assertion, Kerberos ticket, XrML license, etc.). All of these mechanisms are based on "single-component" claims - that is, a single user, a single resource, etc.

The concepts I am presenting are based on "multiple-component" claims - that is, involving a user *and* a resource (such as a Web service), or even more finely grained such as a user and a resource and an Operation (in WSDL sense) on that resource.

Kind Regards,
Joe Chiusano
Booz | Allen | Hamilton

[1] http://www.developer.com/services/article.php/2171031

"Cavnar-Johnson, John" wrote:
>
> > -----Original Message-----
> > From: Chiusano Joseph [mailto:chiusano_joseph@b...]
> > Sent: Wednesday, May 07, 2003 10:06 AM
> > To: Rich Salz
> > Cc: xml-dev@l...
> >
> > <Quote>
> > User1 authenticates to A and "delegates" its rights so that A
> > can present its rights, and the delegated User1 rights to B.
> > </Quote>
> >
> > That works well from the perspective of A (the sender side)
> > because it asserts that A has the proper claims to access B
> > (this appears to me to be more of a "push" method). But what
> > if B does not consider A to be a valid user? How can B enforce this?
> >
> > Also, what about a more granular level, such as at a WSDL
> > Operation or Message level?
>
> Take a look at the WS-Security specs from IBM, Microsoft, et al. I believe
> they cover your scenario fairly well. In particular, look at the WS-Trust
> spec:
> http://msdn.microsoft.com/webservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-trust.asp
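
The receiver-side check the thread asks about, sketched as an added example that is not part of the original messages or of WS-Trust: service B decides on a multiple-component claim (caller, delegated user, resource, operation) rather than on any single identity. The class, the policy tables and the names ServiceA, ServiceB, User1, User2, getQuote and placeOrder are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BlendedClaim:
    caller: str     # service presenting the request ("A" in the thread)
    user: str       # user whose rights were delegated to the caller
    resource: str   # target Web service ("B" in the thread)
    operation: str  # WSDL operation requested on that resource


# Constructed sample policy held by the resource owner (B), not by the sender.
TRUSTED_CALLERS = {"ServiceB": {"ServiceA"}}
USER_GRANTS = {
    ("User1", "ServiceB", "getQuote"),
    ("User2", "ServiceB", "getQuote"),
    ("User2", "ServiceB", "placeOrder"),
}


def authorize(claim):
    """Return (allowed, reason); deny unless every component passes."""
    # B's own view of A: a delegation presented by a caller B does not
    # accept is rejected regardless of what the user is entitled to.
    if claim.caller not in TRUSTED_CALLERS.get(claim.resource, set()):
        return False, "caller not accepted by resource"
    # Operation-level grant for the delegated user on this resource.
    if (claim.user, claim.resource, claim.operation) not in USER_GRANTS:
        return False, "user not granted this operation"
    return True, "ok"


if __name__ == "__main__":
    for c in (
        BlendedClaim("ServiceA", "User1", "ServiceB", "getQuote"),
        BlendedClaim("ServiceA", "User1", "ServiceB", "placeOrder"),
        BlendedClaim("ServiceX", "User2", "ServiceB", "placeOrder"),
    ):
        print(c, authorize(c))
```
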