Hi Devs,

Nandana and I had a discussion about improving the security policy configuration in WSAS and we came up with the following ideas. These are based on Paul's suggestions posted earlier in the list.

First, we can ask the users to select one of the following high level security features they need to apply on their service.

- Authentication Only
- Confidentiality Only
- Confidentiality & Integrity
- Confidentiality & Authentication
- Confidentiality & Integrity & Authentication
- Integrity only
- Non-repudiation

Then based on the response we ask the user whether the clients use their key pairs (or whether they use user name and password pairs in the auth cases).

Finally we let the user decide whether the web service has a multiple message exchange with the user, based on which we decide whether to use WS-SecureConversation or not.

This proposal can be implemented in a couple ways.

- We can reuse the existing WSAS admin service for security policy configuration and come up with a static approach where we have one wizard with the set of known fixed policies. (Simply ... hard code the wizard). The users will simply follow the wizard to figure out what policy they need to apply, at the end of the wizard that policy will be selected and the user will provide other config properties (keystores, users, roles) required later (the same way we do now).

- Update the backend configuration to capture the security requirements and different options and then implement the wizard without using a fixed set of policies. This way we can always simply add a new *policy* that supports a particular set of security requirements into this wizard.

Any thoughts on this proposal? How possible is it to get this into the WSAS 2.2 release?

Also we think this functionality can be made available as a separate tool even if we cannot get this into 2.2.

Thanks,
Ruchith
_______________________________________________
Wsas-java-dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/wsas-java-dev
