[higgins-dev] [IdAS] authN/authZ issues

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[higgins-dev] [IdAS] authN/authZ issues

From: Greg Byrd <gbyrd@xxxxxxxx>
Date: Wed, 09 Aug 2006 15:57:01 -0400
Delivered-to: higgins-dev@xxxxxxxxxxx
List-archive: <http://eclipse.org/pipermail/higgins-dev>
List-help: <mailto:higgins-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>, <mailto:higgins-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>, <mailto:higgins-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Thunderbird 1.5.0.4 (Windows/20060516)

[If you don't want to read the following long message, here's thespoiler: I think that Object is the correct type for the identityparameter in Context.open.]

My action item from the last phone meeting was to investigate theauthentication and authorization mechanisms for providing Context datato a consuming service (which we will call the "client"). Note thatthis client is likely to be an ISS or an STS, rather than a human user.The main subject of debate is the "identity" parameter for theContext.open call -- is there a better type than "Object", or can we atleast provide guidance to the client about what types are likely to besupported?

First, let me emphasize that any code dealing with this issue will bewritten by the Context Provider (CP), who installs code that implementsIContextFactory and IContext interfaces. This means that the IdAS APIshould be neutral in terms of the authN/authZ mechanisms for gainingaccess to the Context.

Second, I want to identify the four entities involved in deliveringattribute data to the client -- the IdASRegistry service, theContextFactory, the Context, and the DataSource. My expectation is thatclients will access the IdASRegistry first, in order to locate a Factorythat can service a particular Context. Let's use the term "DataSource"to denote the actual source of attribute information. The job of theContext is to mediate between one or more DataSources and the client.(A DataSource could, in fact, be another Context or another IdASservice, etc., but we'll simply the discussion by assuming that theDataSource is an LDAP directory, file, or database.)

As Raj pointed out, there are two scenarios (passthrough and delegate)that describe the authN/authZ relationship between the client and theDataSource.


PASSTHROUGH SCENARIO

In the "passthrough" scenario, the client is directly authorized to theDataSource. In other words, the client must provide identitycredentials to satisfy the policy of the DataSource, and IdAS stays outof the way. The CP's job is to collect this policy information andconvey it to the client via Context.getPolicy.Note that different Contexts created by a single Factory may havedifferent policies and different types of credentials required. In thefully dynamic case, the CP will not know ahead of time what type ofidentity will be required. In other cases, the policy and identity typewill be hard-wired into the code.



DELEGATE SCENARIO

In the "delegate" scenario, the client will be authorized by the IdASservice itself, which will then take responsibility for anyauthorization needed to access the DataSource. This could be donethrough a "connector" that knows how to map client credentials to thoseneeded by the DataSource, or it could enlist the aid of an STS totransform client credentials into DataSource credentials.

In this case, the policy is provided by the Factory, as it will be thesame for every Context. (Should the client use ContextFactory.getPolicyfor this? I propose that we instead have Context.getPolicy return theright thing, whether it is imposed by the Factory or the DataSource.The client has one place to go, and it doesn't really care where thepolicy comes from.)



CLIENT-SIDE CODE

So what is client code supposed to do, given such flexibility?

In current practice, the mechanisms are hard-wired (or configurable), sothe client already knows what authN/authZ mechanisms aresupported/required. We can presume that this will be the cases in manyinstances in the near future. In this case it's the client'sresponsibility to create the right type of object to pass intoContext.open. If it passes something that can't be handled, the Contextwill throw an exception.

In a more dynamic case, the client would getPolicy, parse the supportedtoken types, and then create one (probably with the help of an STS).I don't think we want to pass in a javax.security.auth.Subject, becauseit's JAAS-specific and doesn't always translate to J2EE. I don't thinkwe want to create an interface or abstract class of our own, because alldifferent kinds of tokens could implement this, so there's no realinformation provided to the client that would help it decide which ofthese types to instantiate. We could have a Context.getIdentityClassmethod, but how is that different than getPolicy? The client stillneeds to know how to instantiate the class properly, and there might bemultiple acceptable token types.This leads me to conclude that Object is the best we can do, in order toremain neutral about the underlying mechanisms.

Follow-Ups:
- Re: [higgins-dev] [IdAS] authN/authZ issues
  - From: Jim Sermersheim

Prev by Date: Re: [higgins-dev] Nomination of Maxim Kopeyka as Higgins committer
Next by Date: [higgins-dev] [IdAS] Context open/close semantics
Previous by thread: [higgins-dev] Higgins project tracking
Next by thread: Re: [higgins-dev] [IdAS] authN/authZ issues
Index(es):
- Date
- Thread

Breadcrumbs