ebxml-msg message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: Pull, MPC, authorization
- From: "Pim van der Eijk" <pvde@sonnenglanz.net>
- To: <ebxml-msg@lists.oasis-open.org>
- Date: Tue, 30 Jul 2013 14:12:45 +0200
Some comments on
Pull, MPC, authorization
In ebMS 3.0 there
are two situations where messages can be pulled:
1) As
defined in the ebMS 3.0 Core specification from a sending MSH, for
messages where the PMode specifies a "Pull" transport channel
binding. The sending MSH is configured using deployed
processing modes.
2) As
defined in the ebMS 3.0 Part 2 advanced features, for intermediaries
acting in forwarding roles that can (and are configured to) store
messages, leaving the initiative for a next hop transmission to the next
MSH. Configuration of these intermediaries does not require a full
PMode set.
In a general Web
server context, some Web servers use HTTP authentication to map an HTTP
get request to a dynamically selected resource. E.g. a GET request
to http://example.com/users could map
Alice to her home directory on that server and Bob to his.
Section 3.4.1 of the Core Spec
defines the MPC concept as a way of partitioning message sets in specific sets
with named identifiers. It does not mention the concept of associating messages
within an MPC with a particular user. In fact, it specifically
suggests any filtering of messaging on criteria other than MPC identifier is out
of scope for the Core Specification (we slightly enhanced this in Part 2).
An ebMS 3.0 Pull request is posted to a
particular URI_1 and contains a reference to an MPC
URI_2. Here, URI_1 is like http://example.com/users and the
request specifies a particular MPC URI_2 to access. If there were a
dynamic resource selection based on requesting user, then it would not be
necessary to specify a particular MPC in the request. The server could assign
messages to users and map pull requests to user-based partitions.
There is no
mentioning of mapping any additional mapping to a subset of messages in MPC
URI_2 in this section.
Chapter 7.10 of the
Core Specification states:
"Since any
resource a message may claim access to is identified by the P-Mode associated
with the message, this is equivalent to authorizing the association of the
message with the P-Mode"
But if two PModes use the same MPC value and both have
a Pull transport channel binding, then a Pull request can be ambiguous between
two PModes.
It also states:
"This Pull
signal can effect message delivery from MPC "http://msh.example.com/mpc123"
only if its credentials match the authorization parameters of at least one
P-Mode associated with pulling messages on this MPC"
One approach
apparently taken in one implementation is to classify messages within an MPC
with the authorization username/password (or other token) specified in the PMode
they were submitted with, and map requests to subsets based on username.
This solution is
problematic in the multi-hop situation, intermediaries may not know which
PMode a message was assigned to (the pmode message attribute is optional) by the
original sender and there is no association of a message with any "user"
specified in the original PMode. If messages are forwarded from MSH1
to intermediary MSH2, then the further partitioning in user subsets is
lost. Only
the MPC identifier is part of the message and as such carried along with the
message in the I-Cloud.
It would much simpler for a
product to have support two separate configurations: PModes (which
may specify "pull" and name a particular MPC) and pull MPCs for
a particular URI (which specify MPC identifier and authorization
information). Since the Core Spec defines the authorization information as
PMode parameters, the authorization parameters for distinct PModes with the same
MPC and a "pull" channel binding should then be the same.
Pim
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]