Re: [sunxacml-discuss] XACML: Access Control for Web Services
From: Seth P. <set...@su...> - 2003-10-06 14:56:43
Hi Joe.

> I have a need to list an example of XACML used with Web Services,
> particularly for access control (the most recent XACML Profile for Web
> Services does not have one for access control). Can someone please offer
> an example if they have one of:

I think what you're asking for is an example of how to use XACML as an access control system for arbitrary web services (i.e., an authorization system that the web services use internally to determine access). Is that about right?

> (1) XACML used in conjunction with an X.509 cert, or

When you say "used in conjunction with" do you mean that you want to use an X.509 PKC as input to a policy, or are you trying to do some initial authentication using certificates? Or are you trying to do something else? Just trying to figure out the scope of your question, since PKCs could be used in many ways that touch on XACML. For now I'll assume you're asking about using X.509 certs within a policy. Please correct me if I'm wrong :)

XACML doesn't define a standard way to handle X.509 certificates. It does have a standard way to use x500 names, but that's it. It would be fairly easy, however, to define a new datatype for X.509 certs, and then define some new functions to access particular fields. If you're interested in going into this example in detail, let me know and I'll walk you through it.

> (2) XACML used in conjunction with a SAML assertion

Again, I'm not entirely sure what scope you're asking about. SAML can be used to convey attribute data, it could be used to publish signed policies, or, as is being considered for version 2.0, SAML could be used to issue XACML Requests and handle XACML Responses. If you're asking about conveying attribute data or authentication credentials, then there's no standard way to provide the SAML info to XACML, but it's certainly doable, and it's fairly straightforward. I know several people have done this. Again, I'm happy to provide examples if this is what you're asking.

> preferably with the X.509 or SAML assertion specified in a WS-Security
> header.

This is just an extra layer of wrapping that needs to be handled by the XACML system. In this open source project it's not too hard, but I don't know of anyone who has done it.

Let me know if you want more info, or if I missed the point. :)

seth
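The two points Seth raises about SAML, that attribute data from an assertion can be fed into an XACML request even though there is no standard mapping, and that a WS-Security header is just one more layer of wrapping to unpack, can be illustrated in a few lines. The following is an added example written for this page; it is not code from Seth's reply, from sunxacml, or from any XACML profile. It assumes SAML 1.x and XACML 1.0 context namespaces, the OASIS WSS 1.0 `wsse` namespace, and a constructed SOAP message with a SAML AttributeStatement carried in the WS-Security header. The attribute identifiers it derives (`AttributeNamespace:AttributeName`), the resource identifier (the qualified name of the body's operation element) and the action string `invoke` are conventions chosen here, not anything the standards prescribe. The code pulls the subject and attributes out of the header, builds an XACML `<Request>` context, and rejects messages that carry no assertion rather than silently producing an empty subject.

```python
import xml.etree.ElementTree as ET

# Namespaces (real identifiers; the WSS one is the OASIS 1.0 secext schema).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
XACML_CTX = "urn:oasis:names:tc:xacml:1.0:context"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed sample request: a SAML assertion (already verified upstream, which
# this example does not do) sits inside the WS-Security header.
SAMPLE_SOAP = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}">
      <saml:Assertion xmlns:saml="{SAML}" AssertionID="example-1" Issuer="idp.example.org">
        <saml:AttributeStatement>
          <saml:Subject><saml:NameIdentifier>alice@example.org</saml:NameIdentifier></saml:Subject>
          <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
            <saml:AttributeValue>auditor</saml:AttributeValue>
            <saml:AttributeValue>employee</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute AttributeName="department" AttributeNamespace="urn:example:attrs">
            <saml:AttributeValue>finance</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body><getReport xmlns="urn:example:reports"><id>q3-2003</id></getReport></soap:Body>
</soap:Envelope>"""

# Constructed sample with no security header at all: the mapping must refuse it.
SAMPLE_SOAP_NO_SECURITY = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Body><getReport xmlns="urn:example:reports"><id>q3-2003</id></getReport></soap:Body>
</soap:Envelope>"""


def extract_saml_attributes(root):
    """Return (subject_name, {attribute_id: [values]}) from the first SAML
    assertion in the WS-Security header. Raises ValueError when the header,
    the assertion, its AttributeStatement or the subject name is missing."""
    assertion = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{SAML}}}Assertion")
    if assertion is None:
        raise ValueError("no SAML assertion in WS-Security header")
    stmt = assertion.find(f"{{{SAML}}}AttributeStatement")
    if stmt is None:
        raise ValueError("assertion carries no AttributeStatement")
    name_el = stmt.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if name_el is None or not (name_el.text or "").strip():
        raise ValueError("AttributeStatement has no subject NameIdentifier")
    attrs = {}
    for attr in stmt.findall(f"{{{SAML}}}Attribute"):
        # Constructed convention: XACML AttributeId = "<AttributeNamespace>:<AttributeName>".
        attr_id = f"{attr.get('AttributeNamespace', '')}:{attr.get('AttributeName', '')}"
        values = [v.text.strip() for v in attr.findall(f"{{{SAML}}}AttributeValue") if v.text]
        attrs.setdefault(attr_id, []).extend(values)
    return name_el.text.strip(), attrs


def _add_attribute(parent, attr_id, values, data_type=XS_STRING):
    """Append one XACML 1.0 <Attribute> with one <AttributeValue> per value."""
    el = ET.SubElement(parent, f"{{{XACML_CTX}}}Attribute", AttributeId=attr_id, DataType=data_type)
    for v in values:
        ET.SubElement(el, f"{{{XACML_CTX}}}AttributeValue").text = v
    return el


def build_xacml_request(subject_name, attrs, resource_id, action_id):
    """Build an XACML 1.0 <Request> context element from the extracted data."""
    req = ET.Element(f"{{{XACML_CTX}}}Request")
    subject = ET.SubElement(req, f"{{{XACML_CTX}}}Subject")
    _add_attribute(subject, SUBJECT_ID, [subject_name])
    for attr_id, values in sorted(attrs.items()):
        _add_attribute(subject, attr_id, values)
    _add_attribute(ET.SubElement(req, f"{{{XACML_CTX}}}Resource"), RESOURCE_ID, [resource_id])
    _add_attribute(ET.SubElement(req, f"{{{XACML_CTX}}}Action"), ACTION_ID, [action_id])
    return req


def request_from_soap(soap_xml):
    """Unwrap the SOAP/WS-Security layers and produce the XACML request.
    Resource = qualified name of the operation element in the body; action =
    the constructed constant "invoke"."""
    root = ET.fromstring(soap_xml)
    subject_name, attrs = extract_saml_attributes(root)
    body = root.find(f"{{{SOAP}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("SOAP body is empty")
    return build_xacml_request(subject_name, attrs, body[0].tag, "invoke")


def request_attribute_values(req, category, attr_id):
    """List the values of one attribute in a built request ([] if absent)."""
    attr = req.find(f"{{{XACML_CTX}}}{category}/{{{XACML_CTX}}}Attribute[@AttributeId='{attr_id}']")
    return [] if attr is None else [v.text for v in attr.findall(f"{{{XACML_CTX}}}AttributeValue")]


if __name__ == "__main__":
    print(ET.tostring(request_from_soap(SAMPLE_SOAP), encoding="unicode"))
```

The resulting `<Request>` is what a PEP would hand to the PDP; the assertion's signature and validity period would have to be checked before this mapping runs, since the mapping itself trusts whatever the header says.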