On Wed, Sep 17, 2008 at 1:26 AM, Simon Laws <[EMAIL PROTECTED]> wrote:
> Hi Luciano
>
> Good to hear you thinking along these lines. Taking the scenario motivated
> approach will help improve policy support generally I think. I've put
> comments that come immediately to mind in line.
>
> Once you think we have a good handle on the initial scenarios we could start
> making some itests to explore them.
>
> Simon
>
> On Wed, Sep 17, 2008 at 12:27 AM, Luciano Resende <[EMAIL PROTECTED]>
> wrote:
>>
>> I have started some research around using Policy to enable some
>> security capabilities to Tuscany Web 2.0 extensions, and have
>> identified some initial scenarios as listed below:
>>
>> Scenarios:
>>
>> Web 2.0 application requires that a user get authenticated before it
>> can access the application.
>
> Intent: authentication
>
> This is the reference side right?
>
> What sort of technologies are you thinking about here.
> authentication.message, authentication.transport? We should look at the
> various strategies we would expect to experience talking to real world
> services. This may include things like cookie handling.
>
> These Web2.0 applications use a number of different protocols, e.g. Atom,
> Jsonrpc, RSS, but are mostly based on HTTP so I'd be interested in how we
> provide some commonality across these bindings. I am, for example, keen to
> work with you to extend org.apache.tuscany.sca.policy.authentication.basic
> to these bindings.

We can evaluate this once I have implemented it further. One difference I
noticed is that you were doing a lot of work on the Binding Servlet Listener,
and after starting to use this approach, I'm investigating the possibility of
moving the code from the binding servlet to an interceptor and sharing this
with all the web 2.0 bindings.

> (I guess more generally it would be interesting to see if there is common
> HTTP binding function across these Web2.0 bindings but that's a different
> subject)

After starting some changes on the Binding Servlet Listener, I realized there
is indeed a lot of commonality between all these, and I'm now investigating
using an interceptor to handle this in a common way across all web 2.0
bindings.

>>
>>
>> Web 2.0 application requires that all communication between
>> client/server be done using SSL.
>
> Intent: authentication.transport?
> confidentiality?
> integrity?

Good question, confidentiality sounds good, compared to what I had in my
local changes (Intent: ssl)

>>
>>
>> A given service, exposed using a web 2.0 binding requires user
>> authentication.
>>
>> A given operation, exposed using a web 2.0 binding requires user
>> authentication.
>
> The other thing that comes to mind is looking at the difference between
> container based security configuration and the way that this interacts with
> the binding and policy configuration. So two scenarios
>
> A given service, exposed using a web 2.0 binding requires user
> authentication and is deployed into a container where security is configured
> A given service, exposed using a web 2.0 binding requires user
> authentication and is deployed into a container where security is not
> configured
>

I'm focusing on the second scenario, as this seems to be the way our web 2.0
applications are mostly used. But the design, which is described in more
detail in [1], should cover both scenarios.

[1] http://tuscany.apache.org/sca-java-bindinghttp.html

> Are there any Web2.0 protocol specific security semantics that we need to be
> aware of?
>

The different Web 2.0 protocols rely on HTTP for security, except maybe for
the Google GData binding, which would have some specific APIs to handle Google
authentication and SSO.

>>
>>
>>
>> Please let me know if you have other scenarios in mind.
>>
>> --
>> Luciano Resende
>> Apache Tuscany Committer
>> http://people.apache.org/~lresende
>> http://lresende.blogspot.com/
>
>

--
Luciano Resende
Apache Tuscany, Apache PhotArk
http://people.apache.org/~lresende
http://lresende.blogspot.com/
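An added illustration, not from this thread or the Tuscany code base, of how the scenarios discussed above (a whole service requiring authentication and SSL, and a single operation requiring authentication) could be declared as SCA policy intents on a Web 2.0 binding. The composite, component, class and URI values are made up, and the use of an `<operation>` child under `tuscany:binding.atom` to scope an intent to one operation is an assumption about the SCA 1.0 policy syntax rather than something the thread confirms.

```xml
<!-- Added example (not from the thread): SCA 1.0 composite using the
     "authentication" and "confidentiality" intents Simon proposed.
     All names and URIs are constructed for illustration. -->
<composite xmlns="http://www.osoa.org/xmlns/sca/1.0"
           xmlns:tuscany="http://tuscany.apache.org/xmlns/sca/1.0"
           targetNamespace="http://example.org/feeds"
           name="SecureFeeds">

  <!-- Scenario: every access to this service must be authenticated and
       the exchange must be carried over SSL (confidentiality). -->
  <component name="PrivateFeed">
    <implementation.java class="org.example.feeds.PrivateFeedImpl"/>
    <service name="Feed">
      <tuscany:binding.atom uri="http://localhost:8080/private"
                            requires="authentication confidentiality"/>
    </service>
  </component>

  <!-- Scenario: the service is readable anonymously, but one operation
       (posting entries) requires authentication on its own. -->
  <component name="PublicFeed">
    <implementation.java class="org.example.feeds.PublicFeedImpl"/>
    <service name="Feed">
      <tuscany:binding.atom uri="http://localhost:8080/public">
        <operation name="post" requires="authentication"/>
      </tuscany:binding.atom>
    </service>
  </component>
</composite>
```

In the "container security not configured" scenario the thread focuses on, these intents only have effect if the binding (or the shared interceptor discussed above) actually enforces them at request time; a declared intent with no policy implementation behind it silently protects nothing.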