Security requirements

WSRP Security Requirements

Trust relationship between portal and portlet:

It should be possible to use a secure transport for portal/portlet communication
There should be means for the portlet to authenticate the portal when a service request is made

There should be a means of describing in the portlet’s metadata whether a secure transport is required and what the authentication method is
There should be a key exchange mechanism for signed documents

Future consideration.

Should be a lighter weight mechanism, such as initial unauthenticated connection, obtain token for use in subsequent requests.

End user identity and personal data-related:

Portlet should be able to require that the portal authenticate the end user
It should be possible for the portlet to describe the level of end-user authentication required
It should be possible for the portal to communicate how it authenticated the end user to the portlet
It should be possible for the portal to pass end user profile data to the portlet in a secure manner.
It should be possible to pass instance parameter data between portal and portlet in a secure manner.
It should be possible for the portlet to describe in its metadata which parameters are to be passed in a secure manner
The portlet should have a means of describing in it’s metadata how it wants instance parameter data to be secured

Secure Transmission of data:

It should be possible to use a secure transport for portal/portlet communication
It should be possible to use document encryption to secure data exchange between portal and portlet
It should be possible for the portlet to require secure transport to be employed between portal and end-user browser.

Access Control:

It should be possible for a portlet to define roles that describe levels of service access associated with the role.
There should be a mechanism for the portal to assert a role with a service request