Posted to dev@directory.apache.org by Vincent Tence <vt...@videotron.ca> on 2003/12/03 00:27:38 UTC
Introducing myself
Hi all,
Let me take a few moments of your time to introduce myself.
Alex and I have been in communication for several weeks discussing
Authentication, Authorization, and Accounting (AAA) concerns. I have
been working on an AAA framework for containers at sf.net and we saw an
opportunity to consolidate our efforts, by both using the directory
server as a backend to the AAA framework and using the AAA framework as
the basis to the directory server's security subsystem.
I have been working recently on finding the best way to make the AAA
framework both Avalon and PicoContainer compatible (Alex says I'm a Pico
junky now) and I understood it's also a concern of Eve to run with as
many IoC containers as possible to broaden its acceptation.
I hope we can join forces in working towards building the security
infrastructure of Eve and making Eve compatible with other IoC
containers variations.
Cheers,
Vincent
[AAA] Was: Re: Introducing myself
Posted by Phil Steitz <ph...@steitz.com>.
Vincent Tence wrote:
>>Hi Vincent,
>>
>>Welcome aboard! I am also interested in these things. I lost the earlier
>>sf thread on AAA and I would like to come up to speed on this framework.
>>Can you post some links describing both the technical structure and the
>>integration model / philosophy.
>
>
> This framework is based on the work done by the aaa4avalon project at sf.
> The guys at aaa4avalon are all a bit busy and they can't find the time
> to work on the project anymore. So after talking with them, we decided it
> would be better easier for me to start a new project and hopefully merge
> back at some point. I have attached a diagram from the original project
> that shows the general idea.
>
>
>>Is this framework compatible with XACML,
>>SAML and/or Liberty?
>
>
> Not XACML or SAML compatible at that point. The initial idea is to have a
> set of reusable components for AAA and then provide integration layers to
> existing standards. I'm not quite there yet ;-)
The architecture and separation of concerns looks similar to XACML. Cf,
for example,
http://www.oasis-open.org/committees/download.php/2406/oasis-xacml-1.0.pdf
(see the data flow diagram on p. 19) with the "container" playing the
role of both the policy enforcement point and the policy decision point.
Having these things separated and defining a (ideally open) protocol
to connect them provides deployment flexibility (PDPs can be remoted),
container independence and scalability benefits (the PDPs can cache
authorizations and provide HA services for multiple containers). One
thing to consider would be to at least use XACML policy language to
represent authorization rules and policies.
Phil
>
> <snip/>
>
>>I think that it is important that
>>whatever we implement, we try to keep it standards-based and, as much as
>>possible, platform and language independent. Could be we are talking
>>about different things here. On the other hand, it could be that we can
>>find one solution that meets both needs (external, standards-based,
>>platform-independent identity/authentication/authorization service +
>>Avalon/J2EE container embedded provider). Kind of like Eve is doing for
>>ldap ;-)
>
>
> That's the holy grail I'm looking for as well.
>
> - Vincent
>
>
> ------------------------------------------------------------------------
>
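The PEP/PDP separation Phil describes above, as an added Java example that is not part of the original thread or of the aaaframework, aaa4avalon or Eve code. All class, method and policy names are hypothetical, and the policy data is constructed for illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class PepPdpSketch {                       // all names here are hypothetical
    enum Decision { PERMIT, DENY }
    record Request(String subject, String action, String resource) {}

    // The PEP/PDP boundary: a remote PDP would implement this over a network protocol.
    interface PolicyDecisionPoint { Decision decide(Request request); }

    // PDP backed by a constructed in-memory policy store (subject -> role -> grants).
    static final class LocalPdp implements PolicyDecisionPoint {
        final Map<String, String> roleOf = Map.of("alice", "admin", "bob", "reader");
        final Map<String, Set<String>> grants = Map.of(
            "admin", Set.of("read:ou=users", "write:ou=users"),
            "reader", Set.of("read:ou=users"));
        int evaluations = 0;
        public Decision decide(Request r) {
            evaluations++;
            Set<String> allowed = grants.getOrDefault(roleOf.getOrDefault(r.subject(), ""), Set.of());
            // Anything not explicitly granted is denied, including unknown subjects.
            return allowed.contains(r.action() + ":" + r.resource()) ? Decision.PERMIT : Decision.DENY;
        }
    }

    // Caching layer that several containers can share. Cached decisions outlive
    // policy changes, so a real deployment needs expiry or invalidation.
    static final class CachingPdp implements PolicyDecisionPoint {
        private final PolicyDecisionPoint delegate;
        private final Map<Request, Decision> cache = new ConcurrentHashMap<>();
        CachingPdp(PolicyDecisionPoint delegate) { this.delegate = delegate; }
        public Decision decide(Request r) { return cache.computeIfAbsent(r, delegate::decide); }
    }

    // PEP: the only part that lives in the container; it never evaluates policy itself.
    static void enforce(PolicyDecisionPoint pdp, String subject, String action, String resource) {
        if (pdp.decide(new Request(subject, action, resource)) != Decision.PERMIT)
            throw new SecurityException(subject + " may not " + action + " " + resource);
    }

    public static void main(String[] args) {
        LocalPdp policy = new LocalPdp();
        PolicyDecisionPoint pdp = new CachingPdp(policy);
        enforce(pdp, "alice", "write", "ou=users");
        enforce(pdp, "alice", "write", "ou=users");   // served from the cache
        try { enforce(pdp, "bob", "write", "ou=users"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        System.out.println("policy evaluations: " + policy.evaluations);
    }
}
```

Swapping `LocalPdp` for an implementation that calls a remote service changes nothing in `enforce`, which is the container independence the separation buys.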
RE: Introducing myself
Posted by Vincent Tence <vt...@videotron.ca>.
On Thu, 2003-12-04 at 05:58, Noel J. Bergman wrote:
> Vincent Tence wrote:
>
> > This framework is based on the work done by the aaa4avalon project at sf.
> > The guys at aaa4avalon are all a bit busy and they can't find the time
> > to work on the project anymore. So after talking with them, we decided it
> > would be better easier for me to start a new project and hopefully merge
> > back at some point. I have attached a diagram from the original project
> > that shows the general idea.
>
> Welcome. :-)
Thanks :)
> It is my understanding from Alex that you are interested to bring your
> project here, perhaps initially as a part of the Directory project. Is that
> correct?
Yes, we discussed bringing the AAA project to the Directory project.
> Does your AAA code (http://sourceforge.net/projects/aaaframework/) include
> any of their code (http://sourceforge.net/projects/aaa4avalon)?
As I said, the aaaframework code is based on the aaa4avalon code. Some
of the original code will stay, some has still to be reworked, and other
bits will eventually disappear.
> I see that both projects are under the Apache Software License. Do we also need anything
> from the AAA4Avalon project?
Not anymore.
- Vincent
Re: Introducing myself
Posted by Nicola Ken Barozzi <ni...@apache.org>.
Noel J. Bergman wrote:
...
> [Nicola Ken: if an outside project is already under the Apache Software
> License, what does that imply in terms of our requirement to get a software
> grant?]
IANAL, so I'm asking licensing.
AFAIK a project should not use the original ASF license, as the code is
not in Apache CVS and is not of Apache. Where did that code originate?
--
Nicola Ken Barozzi nicolaken@apache.org
- verba volant, scripta manent -
(discussions get forgotten, just code remains)
---------------------------------------------------------------------
RE: Introducing myself
Posted by "Noel J. Bergman" <no...@devtech.com>.
Vincent Tence wrote:
> This framework is based on the work done by the aaa4avalon project at sf.
> The guys at aaa4avalon are all a bit busy and they can't find the time
> to work on the project anymore. So after talking with them, we decided it
> would be better easier for me to start a new project and hopefully merge
> back at some point. I have attached a diagram from the original project
> that shows the general idea.
Welcome. :-)
It is my understanding from Alex that you are interested to bring your
project here, perhaps initially as a part of the Directory project. Is that
correct?
Does your AAA code (http://sourceforge.net/projects/aaaframework/) include
any of their code (http://sourceforge.net/projects/aaa4avalon)? I see that
both projects are under the Apache Software License. Do we also need anything
from the AAA4Avalon project?
[Nicola Ken: if an outside project is already under the Apache Software
License, what does that imply in terms of our requirement to get a software
grant?]
--- Noel
RE: Introducing myself
Posted by Vincent Tence <vt...@pyxis-tech.com>.
> Hi Vincent,
>
> Welcome aboard! I am also interested in these things. I lost the earlier
> sf thread on AAA and I would like to come up to speed on this framework.
> Can you post some links describing both the technical structure and the
> integration model / philosophy.
This framework is based on the work done by the aaa4avalon project at sf.
The guys at aaa4avalon are all a bit busy and they can't find the time
to work on the project anymore. So after talking with them, we decided it
would be better easier for me to start a new project and hopefully merge
back at some point. I have attached a diagram from the original project
that shows the general idea.
> Is this framework compatible with XACML,
> SAML and/or Liberty?
Not XACML or SAML compatible at that point. The initial idea is to have a
set of reusable components for AAA and then provide integration layers to
existing standards. I'm not quite there yet ;-)
<snip/>
> I think that it is important that
> whatever we implement, we try to keep it standards-based and, as much as
> possible, platform and language independent. Could be we are talking
> about different things here. On the other hand, it could be that we can
> find one solution that meets both needs (external, standards-based,
> platform-independent identity/authentication/authorization service +
> Avalon/J2EE container embedded provider). Kind of like Eve is doing for
> ldap ;-)
That's the holy grail I'm looking for as well.
- Vincent
Re: Introducing myself
Posted by Phil Steitz <ph...@steitz.com>.
Vincent Tence wrote:
> Hi all,
>
> Let me take a few moments of your time to introduce myself.
>
>
> Alex and I have been in communication for several weeks discussing
> Authentication, Authorization, and Accounting (AAA) concerns. I have
> been working on an AAA framework for containers at sf.net and we saw an
> opportunity to consolidate our efforts, by both using the directory
> server as a backend to the AAA framework and using the AAA framework as
> the basis to the directory server's security subsystem.
>
> I have been working recently on finding the best way to make the AAA
> framework both Avalon and PicoContainer compatible (Alex says I'm a Pico
> junky now) and I understood it's also a concern of Eve to run with as
> many IoC containers as possible to broaden its acceptation.
>
> I hope we can join forces in working towards building the security
> infrastructure of Eve and making Eve compatible with other IoC
> containers variations.
>
> Cheers,
> Vincent
>
Hi Vincent,
Welcome aboard! I am also interested in these things. I lost the earlier
sf thread on AAA and I would like to come up to speed on this framework.
Can you post some links describing both the technical structure and the
integration model / philosophy. Is this framework compatible with XACML,
SAML and/or Liberty? Sun has put an OSS XACML implementation on SF and I
have been toying with the idea of integrating something like that into
this project (using directory instances as both identity providers and
policy stores, probably clean-rooming the XACML implementation, but taking
some ideas from the Sun stuff). I think that it is important that
whatever we implement, we try to keep it standards-based and, as much as
possible, platform and language independent. Could be we are talking
about different things here. On the other hand, it could be that we can
find one solution that meets both needs (external, standards-based,
platform-independent identity/authentication/authorization service +
Avalon/J2EE container embedded provider). Kind of like Eve is doing for
ldap ;-)
Phil
RE: Introducing myself
Posted by Vincent Tencé <vt...@pyxis-tech.com>.
<snip/>
> In the meantime - are you
> connected at all with the Turbine guys - they are currently working on
> an authentication framework in Fulcrum using Merlin. Seems to me that
> there could be some synergy here.
I was not aware of that, I'll take a look. Thanks.
- Vincent
Re: Introducing myself
Posted by Stephen McConnell <mc...@apache.org>.
Hi Vincent:
Welcome aboard! There are more than a couple of people over in Avalon
land that have been thinking about your AAA content. There have been
some discussions as to how much of this belongs in the container and
what should be exposed to the client. I've a bunch of my own ideas on
this but would be keen to hear your own! In the meantime - are you
connected at all with the Turbine guys - they are currently working on
an authentication framework in Fulcrum using Merlin. Seems to me that
there could be some synergy here.
On the Merlin side of things ... looks like we should be able to cut
a new release before the end of the year. The new release will
include a bunch of stuff that will make life easier for the Eve
product by generally improving/optimising the overall embedding
strategy. If you have any pressing requirements make sure you post
something to dev@avalon.
Cheers, Steve.
Vincent Tence wrote:
>Hi all,
>
>Let me take a few moments of your time to introduce myself.
>
>
>Alex and I have been in communication for several weeks discussing
>Authentication, Authorization, and Accounting (AAA) concerns. I have
>been working on an AAA framework for containers at sf.net and we saw an
>opportunity to consolidate our efforts, by both using the directory
>server as a backend to the AAA framework and using the AAA framework as
>the basis to the directory server's security subsystem.
>
>I have been working recently on finding the best way to make the AAA
>framework both Avalon and PicoContainer compatible (Alex says I'm a Pico
>junky now) and I understood it's also a concern of Eve to run with as
>many IoC containers as possible to broaden its acceptation.
>
>I hope we can join forces in working towards building the security
>infrastructure of Eve and making Eve compatible with other IoC
>containers variations.
>
>Cheers,
>Vincent
>
>
>
>
--
Stephen J. McConnell
mailto:mcconnell@apache.org
|------------------------------------------------|
| Magic by Merlin |
| Production by Avalon |
| |
| http://avalon.apache.org/merlin |
| http://dpml.net/ |
|------------------------------------------------|