[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [no subject]
Open Question: How realistic is the authentication scenario? How/Does a
system like J2EE allow the application to authenticate a user when its the
application that provides the credentials vs. the user itself?
2. Consumer uses WS-Security to pass the Username to a Producer that
runs in a shared user domain. Note, we are merely passing the username. We
are neither passing the password or the authentication credentials. For
this scenario, though there is no standard indicating what a WebService
stack should do with this information its my understanding that many web
stack providers [BEA, IBM, Oracle] have/are planning implementations that
allows a [producer] service to be configured in a way that indicates its
running in a trusted environment and to accept WSS Username tokens as "user
credentials". I.e. the web stack, in such a configuration, will use the
username to establish the security context for the running environment.
Thus both the application [producer] and the system itself sees this user as
the current user with whatever roles are granted. Open question: what I
don't know is how far this reaches. As the Producer/system doesn't have a
copy of the authentication token that results from the authentication
process the producer/system may not be able to communicate with certain
external systems [that require some proof of authentication]. For example,
can I get profile data? Can I even get role information? Am I able to
login/runas this user when access a database?Depending on these answers,
this scenario may add little to the producer's capabilities over (1).
One difference between (1) and (2) is in the management of trust. This
scenario seemingly must run in a homogeneous environment where all consumers
in that environment are trusted to send correct identities and they all
share the user space with the producer. I.e. its an Admin choice to
configure the producer/service this way. In (1) because its done at the
application level the producer decides if/why it trusts the consumer to
assert the user context key. It can vary its behavior on a per consumer
basis.
3. Consumer uses WS-Security to pass the Username and password to a
Producer that runs in a shared user domain. In this scenario the web
service stack receives (presumably) enough information to authenticate the
user. Like (1) I assume there is a progammatic mechanism where this can be
done. So in the end the web service stack would (presumably) authenticate
the user, if successful set up the security context, and also attach the
authentication key/token (whatever?) in the response (as what, a cookie?) so
on subsequent requests from the consumer can use this key/token to bypass
the authentication step.
The basic difference between (2) and (3) is that producer environment has
the actual proof of authentication vs merely an identity. That is if/where
ever there were limitations in (2), this scenario presumably doesn't have
them. So the value of (3) depends on the limitations of (2). If there are
little to know limitations in (2) then (3) may not be useful.
Note: I haven't yet determined if web stack providers behave as described
in this scenario. Though I presume this is the standard WSS use
case/scenario.
Open Question: How do web stacks/application servers work from the client
side? Do they allow the client application (consumer) to programmtically
set how to pass identity information or is this a per client stub
configuration? I.e. do current implementations limit a consumer to interact
with all producers in the same way because its set up declaratively/though
configuration? I am assuming, of course, that there is no "policy"
mechanism that the client uses to determine the servers security needs but
rather this information is being set up/communicated out of band. [This is
my understanding of the curernt state of the standards/web stack
implementations].
4. Consumer uses WS-Security to pass the Username and Password to a
Producer that runs in a different user domain. In this scenario, the
consumer provides a credential storing/mapping service to the producer. The
consumer (utilizes a service to) stores producer username/passwords keyed by
consumer user identity. When the consumer calls the producer, the mapped
producer username and password are sent using the same WS-Security tokens as
(3). From this point on everything on the producer side is jsut like (3).
The key question here above those inherited from (3) is whether any
application servers/web stacks support this from the client side? I.e.
Though I can imagine a web service stack supporting a way to propagate the
current user identity do any support this mapping/credential store facility
directly or at a minimum expose APIs that allow the client to set the
username/password directly?
------_=_NextPart_001_01C48A7A.2079CEEA
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40";>
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags" =
name=3D"PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:sans-serif;
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:navy;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=3DEN-US link=3Dblue vlink=3Dnavy>
<div class=3DSection1>
<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>5 (using SAML assertions of =
identity) can
be viewed either as falling under (2) or (3) if single-sign-on is =
interpreted as
mediating a "credential" but opens up lots of specific questions of
its own so I would tend towards separating it out. 5 "Enabling simple =
identity
Federation"?<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>=
<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Regards,<o:p></o:p></span></font></=
p>
<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Andre<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>=
<div>
<div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><font =
size=3D3
face=3D"Times New Roman"><span style=3D'font-size:12.0pt'>
<hr size=3D2 width=3D"100%" align=3Dcenter tabindex=3D-1>
</span></font></div>
<p class=3DMsoNormal><b><font size=3D2 face=3DTahoma><span =
style=3D'font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font =
size=3D2
face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'> Rich =
Thompson
[mailto:richt2@us.ibm.com] <br>
<b><span style=3D'font-weight:bold'>Sent:</span></b> 24 August 2004 =
17:50<br>
<b><span style=3D'font-weight:bold'>To:</span></b> interfaces<br>
<b><span style=3D'font-weight:bold'>Subject:</span></b> RE: =
[wsrp-interfaces]
Security: mapping identity use cases to =
propogationtechniques</span></font><o:p></o:p></p>
</div>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal style=3D'margin-bottom:12.0pt'><font size=3D3
face=3D"Times New Roman"><span style=3D'font-size:12.0pt'><br>
</span></font><font size=3D2 face=3Dsans-serif><span =
style=3D'font-size:10.0pt;
font-family:sans-serif'>I would suggest these be organized first =
functionally
as that will drive much of the value/limitations discussion. I would =
group
these as:</span></font> <br>
<font size=3D2 face=3Dsans-serif><span =
style=3D'font-size:10.0pt;font-family:sans-serif'>1.
<u>Leverage v1 spec data</u>: Key point here is that v1 defines some =
data that
might have value to leverage.</span></font> <br>
<font size=3D2 face=3Dsans-serif><span =
style=3D'font-size:10.0pt;font-family:sans-serif'>2.
<u>Asserted user identity</u>: How the producer determines it is able =
to trust
this assertion and make any use of it are a couple of interesting =
questions.</span></font>
<br>
<font size=3D2 face=3Dsans-serif><span =
style=3D'font-size:10.0pt;font-family:sans-serif'>3.
<u>Base user credentials</u>: Consumer is passing credentials for use =
in
authenticating the user.</span></font> <br>
<font size=3D2 face=3Dsans-serif><span =
style=3D'font-size:10.0pt;font-family:sans-serif'>4.
This is a variant (i.e. subitem) of #3 that distinguishes where the =
Consumer
gets the credentials it passes. Not sure this is actually within our =
domain,
but am willing to discuss it.</span></font> <br>
<font size=3D2 face=3Dsans-serif><span =
style=3D'font-size:10.0pt;font-family:sans-serif'>5.
Andre, would you say this is also a subitem of #3 or does it offer =
enough
additional functionality that a separate category is =
appropriate?</span></font>
<br>
<font size=3D2 face=3Dsans-serif><span =
style=3D'font-size:10.0pt;font-family:sans-serif'><br>
Rich</span></font> <br>
<br>
<o:p></o:p></p>
<table class=3DMsoNormalTable border=3D0 cellpadding=3D0 width=3D"100%"
style=3D'width:100.0%'>
<tr>
<td width=3D"40%" valign=3Dtop style=3D'width:40.0%;padding:.75pt =
.75pt .75pt .75pt'>
<p class=3DMsoNormal><st1:PersonName w:st=3D"on"><b><font size=3D1 =
face=3Dsans-serif><span
=
style=3D'font-size:7.5pt;font-family:sans-serif;font-weight:bold'>Andre =
Kramer</span></font></b></st1:PersonName><b><font
size=3D1 face=3Dsans-serif><span =
style=3D'font-size:7.5pt;font-family:sans-serif;
font-weight:bold'> =
<andre.kramer@eu.citrix.com></span></font></b><font
size=3D1 face=3Dsans-serif><span =
style=3D'font-size:7.5pt;font-family:sans-serif'> =
</span></font><o:p></o:p></p>
<p><font size=3D1 face=3Dsans-serif><span =
style=3D'font-size:7.5pt;font-family:
sans-serif'>08/18/2004 03:42 AM</span></font> <o:p></o:p></p>
</td>
<td width=3D"59%" valign=3Dtop style=3D'width:59.0%;padding:.75pt =
.75pt .75pt .75pt'>
<table class=3DMsoNormalTable border=3D0 cellpadding=3D0 =
width=3D"100%"
style=3D'width:100.0%'>
<tr>
<td style=3D'padding:.75pt .75pt .75pt .75pt'>
<p class=3DMsoNormal align=3Dright style=3D'text-align:right'><font =
size=3D1
face=3Dsans-serif><span =
style=3D'font-size:7.5pt;font-family:sans-serif'>To</span></font><o:p></=
o:p></p>
</td>
<td valign=3Dtop style=3D'padding:.75pt .75pt .75pt .75pt'>
<p class=3DMsoNormal><font size=3D1 face=3Dsans-serif><span =
style=3D'font-size:
7.5pt;font-family:sans-serif'>"'Michael Freedman'"
<Michael.Freedman@oracle.com>, interfaces
<wsrp-interfaces@lists.oasis-open.org></span></font> =
<o:p></o:p></p>
</td>
</tr>
<tr>
<td style=3D'padding:.75pt .75pt .75pt .75pt'>
<p class=3DMsoNormal align=3Dright style=3D'text-align:right'><font =
size=3D1
face=3Dsans-serif><span =
style=3D'font-size:7.5pt;font-family:sans-serif'>cc</span></font><o:p></=
o:p></p>
</td>
<td valign=3Dtop style=3D'padding:.75pt .75pt .75pt .75pt'>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span
style=3D'font-size:12.0pt'><o:p> </o:p></span></font></p>
</td>
</tr>
<tr>
<td style=3D'padding:.75pt .75pt .75pt .75pt'>
<p class=3DMsoNormal align=3Dright style=3D'text-align:right'><font =
size=3D1
face=3Dsans-serif><span =
style=3D'font-size:7.5pt;font-family:sans-serif'>Subject</span></font><o=
:p></o:p></p>
</td>
<td valign=3Dtop style=3D'padding:.75pt .75pt .75pt .75pt'>
<p class=3DMsoNormal><font size=3D1 face=3Dsans-serif><span =
style=3D'font-size:
7.5pt;font-family:sans-serif'>RE: [wsrp-interfaces] Security: =
mapping
identity use cases to pr opogation =
techniques</span></font><o:p></o:p></p>
</td>
</tr>
</table>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span
style=3D'font-size:12.0pt'><o:p> </o:p></span></font></p>
<table class=3DMsoNormalTable border=3D0 cellpadding=3D0>
<tr>
<td valign=3Dtop style=3D'padding:.75pt .75pt .75pt .75pt'>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span
style=3D'font-size:12.0pt'><o:p> </o:p></span></font></p>
</td>
<td valign=3Dtop style=3D'padding:.75pt .75pt .75pt .75pt'>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span
style=3D'font-size:12.0pt'><o:p> </o:p></span></font></p>
</td>
</tr>
</table>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span
style=3D'font-size:12.0pt'><o:p></o:p></span></font></p>
</td>
</tr>
</table>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><br>
<br>
<br>
</span></font><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial;color:navy'>For 3 & 4, the password could be =
either a
clear text password or a hashed representation of the clear text =
password. Both
are valid proof of possession but can mean different levels of ability =
to use
back end systems.</span></font> <br>
<font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:
Arial;color:navy'> </span></font> <br>
<font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:
Arial;color:navy'>Also, we have a 5, where the consumer passes a =
SAML
assertion. Here we need to decide if the assertion is passed by =
reference (via
an artifact) or included in the protocol and (optionally) signed, or if =
we use
the (complicated) draft SAML profile of WS Security. The version of =
SAML
(1.0/1.1 or draft 2.0) used and the contents of the assertion need to =
be profiled.</span></font>
<br>
<font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:
Arial;color:navy'> </span></font> <br>
<font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:
Arial;color:navy'>In addition, we require a way to assert roles to =
allow a
consumer to specify a mapping for an asserted subject. As a fall back, =
we could
just manage user roles out of band, as seems to be suggested by 1-4, =
but if the
model is "trust the consumer" then the only scalable solution =
is to
have the consumer assert both the user identity and her =
roles.</span></font> <br>
<font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:
Arial;color:navy'> </span></font> <br>
<font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:
Arial;color:navy'>Regards,</span></font> <br>
<font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:
Arial;color:navy'>Andre</span></font> <br>
<font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:
Arial;color:navy'> </span></font> <o:p></o:p></p>
<p class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><font =
size=3D3
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'><o:p> </o:p></span></font></p>
<div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><font =
size=3D3
face=3D"Times New Roman"><span style=3D'font-size:12.0pt'>
<hr size=3D2 width=3D"100%" align=3Dcenter>
</span></font></div>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><br>
</span></font><b><font size=3D2 face=3DTahoma><span =
style=3D'font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font =
size=3D2
face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'> =
Michael Freedman
[mailto:Michael.Freedman@oracle.com] <b><span =
style=3D'font-weight:bold'><br>
Sent:</span></b> 18 August 2004 00:10<b><span =
style=3D'font-weight:bold'><br>
To:</span></b> interfaces<b><span style=3D'font-weight:bold'><br>
Subject:</span></b> [wsrp-interfaces] Security: mapping identity use =
cases to
propogation techniques</span></font> <br>
<br>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]