Ruchith Fernando wrote:
Hi Devs,
Nandana and I had a discussion about improving the security policy
configuration in WSAS and we came up with the following ideas. These are
based on Paul's suggestions posted earlier in the list.
First, we can ask the users to select one of the following high level
security features they need to apply on their service.
- Authentication Only
- Confidentiality Only
- Confidentiality & Integrity
- Confidentiality & Authentication
- Confidentiality & Integrity & Authentication
- Integrity Only
- Non-repudiation
Then based on the response we ask the user whether the clients use their
key pairs (or whether they use user name and password pairs in the auth
cases).
Finally we let the user decide whether the web service has a multiple
message exchange with the user, based on which we decide whether to use
WS-SecureConversation or not.
This proposal can be implemented in a couple of ways.
- We can reuse the existing WSAS admin service for security policy
configuration and come up with a static approach where we have one
wizard with the set of known fixed policies. (Simply ... hard code the
wizard). The users will simply follow the wizard to figure out what
policy they need to apply, at the end of the wizard that policy will be
selected and the user will provide other config properties (keystores,
users, roles) required later (the same way we do now).
- Update the backend configuration to capture the security requirements
and different options and then implement the wizard without using a
fixed set of policies. This way we can always simply add a new *policy*
that supports a particular set of security requirements into this wizard.
Sounds good.
Any thoughts on this proposal? How possible is it to get this into the
WSAS 2.2 release?
-1 for getting it into the next release. It's too late to get this into
WSAS 2.2.
Also we think this functionality can be made available as a separate
tool even if we cannot get this into 2.2.
+1 if we can find the time to do this after the WSAS 2.2 release. We may
have this as a hosted tool on OT.
Thanks,
Ruchith
------------------------------------------------------------------------
_______________________________________________
Wsas-java-dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/wsas-java-dev