Posted to dev@directory.apache.org by Vincent Tence <vt...@videotron.ca> on 2003/12/03 00:27:38 UTC

Introducing myself

Hi all,

Let me take a few moments of your time to introduce myself. 


Alex and I have been in communication for several weeks discussing
Authentication, Authorization, and Accounting (AAA) concerns. I have
been working on an AAA framework for containers at sf.net and we saw an
opportunity to consolidate our efforts, by both using the directory
server as a backend to the AAA framework and using the AAA framework as
the basis to the directory server's security subsystem.

I have been working recently on finding the best way to make the AAA
framework both Avalon and PicoContainer compatible (Alex says I'm a Pico
junky now) and I understood it's also a concern of Eve to run with as
many IoC containers as possible to broaden its acceptation.

I hope we can join forces in working towards building the security
infrastructure of Eve and making Eve compatible with other IoC
containers variations.

Cheers,
Vincent


[AAA] Was: Re: Introducing myself

Posted by Phil Steitz <ph...@steitz.com>.
Vincent Tence wrote:
>>Hi Vincent,
>>
>>Welcome aboard!  I am also interested in these things.  I lost
>>the earlier
>>sf thread on AAA and I would like to come up to speed on this framework.
>>Can you post some links describing both the technical structure and the
>>integration model / philosophy.
> 
> 
> This framework is based on the work done by the aaa4avalon project at sf.
> The guys at aaa4avalon are all a bit busy and they can't find the time
> to work on the project anymore. So after talking with them, we decided it
> would be better easier for me to start a new project and hopefully merge
> back at some point. I have attached a diagram from the original project
> that shows the general idea.
> 
> 
>>Is this framework compatible with XACML,
>>SAML and/or Liberty?
> 
> 
> Not XACML or SAML compatible at that point. The initial idea is to have a
> set of reusable components for AAA and then provide integration layers to
> existing standards. I'm not quite there yet ;-)

The architecture and separation of concerns looks similar to XACML.  Cf, 
for example, 
http://www.oasis-open.org/committees/download.php/2406/oasis-xacml-1.0.pdf 
(see the data flow diagram on p. 19) with the "container" playing the 
role of both the policy enforcement point and the policy decision point. 
  Having these things separated and defining a (ideally open) protocol 
to connect them provides deployment flexibility (PDPs can be remoted), 
container independence and scalability benefits (the PDPs can cache 
authorizations and provide HA services for multiple containers).   One 
thing to consider would be to at least use XACML policy language to 
represent authorization rules and policies.

Phil


> 
> <snip/>
> 
>>I think that it is important that
>>whatever we implement, we try to keep it standards-based and, as much as
>>possible, platform and language independent.  Could be we are talking
>>about different things here.  On the other hand, it could be that we can
>>find one solution that meets both needs (external, standards-based,
>>platform-independent identity/authentication/authorization service +
>>Avalon/J2EE container embedded provider).  Kind of like Eve is doing for
>>ldap ;-)
> 
> 
> That's the holy grail I'm looking for as well.
> 
> - Vincent
> 
> 
> ------------------------------------------------------------------------
> 
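
The separation described in Phil's message above (enforcement point in the container, decision point shared between containers and caching its answers), as an added Python sketch that is not part of the thread or of the aaaframework/aaa4avalon code. All class names, the deny-overrides combining choice, and the sample rules and DNs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"  # XACML decision names

@dataclass(frozen=True)
class Request:
    role: str
    resource: str   # LDAP-style DN (constructed sample values only)
    action: str

@dataclass(frozen=True)
class Rule:
    role: str
    subtree: str    # rule applies to this DN and everything below it
    action: str
    effect: str

def in_subtree(dn, subtree):
    # Match on an RDN boundary so "xou=users,..." does not match "ou=users,..."
    return dn == subtree or dn.endswith("," + subtree)

class PolicyDecisionPoint:
    """Evaluates policy only; shared by many containers and could be remoted."""
    def __init__(self, rules):
        self.rules, self.cache, self.evaluations = list(rules), {}, 0

    def decide(self, req):
        if req not in self.cache:
            self.evaluations += 1
            effects = {r.effect for r in self.rules
                       if r.role == req.role and r.action == req.action
                       and in_subtree(req.resource, r.subtree)}
            # deny-overrides: a single matching Deny wins over any Permit
            self.cache[req] = (DENY if DENY in effects
                               else PERMIT if PERMIT in effects else NOT_APPLICABLE)
        return self.cache[req]

class PolicyEnforcementPoint:
    """Lives in the container; asks the PDP and enforces the answer."""
    def __init__(self, decide):
        self._decide = decide   # any callable; stands in for the PEP-to-PDP protocol

    def is_allowed(self, req):
        try:
            return self._decide(req) == PERMIT   # NotApplicable is treated as a denial
        except Exception:
            return False                         # PDP unreachable: fail closed

RULES = [  # constructed sample policy
    Rule("user", "ou=users,dc=example,dc=com", "read", PERMIT),
    Rule("user", "ou=secrets,ou=users,dc=example,dc=com", "read", DENY),
    Rule("admin", "dc=example,dc=com", "write", PERMIT),
]
```

Two enforcement points built on the same `decide` callable share one cache, and an enforcement point whose decision point raises denies the request.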




RE: Introducing myself

Posted by Vincent Tence <vt...@videotron.ca>.
On Thu, 2003-12-04 at 05:58, Noel J. Bergman wrote:
> Vincent Tence wrote:
> 
> > This framework is based on the work done by the aaa4avalon project at sf.
> > The guys at aaa4avalon are all a bit busy and they can't find the time
> > to work on the project anymore. So after talking with them, we decided it
> > would be better easier for me to start a new project and hopefully merge
> > back at some point. I have attached a diagram from the original project
> > that shows the general idea.
> 
> Welcome.  :-)

Thanks :)

> It is my understanding from Alex that you are interested to bring your
> project here, perhaps initially as a part of the Directory project.  Is that
> correct?

Yes, we discussed bringing the AAA project to the Directory project.

> Does your AAA code (http://sourceforge.net/projects/aaaframework/) include
> any of their code (http://sourceforge.net/projects/aaa4avalon)?  

As I said, the aaaframework code is based on the aaa4avalon code. Some
of the original code will stay, some has still to be reworked, and other
bits will eventually disappear.

> I see that both projects are under the Apache Software License. Do we also need anything
> from the AAA4Avalon project?

Not anymore.

- Vincent


Re: Introducing myself

Posted by Nicola Ken Barozzi <ni...@apache.org>.
Noel J. Bergman wrote:
...
> [Nicola Ken: if an outside project is already under the Apache Software
> License, what does that imply in terms of our requirement to get a software
> grant?]

IANAL, so I'm asking licensing.

AFAIK a project should not use the original ASF license, as the code is 
not in Apache CVS and is not of Apache. Where did that code originate?

-- 
Nicola Ken Barozzi                   nicolaken@apache.org
             - verba volant, scripta manent -
    (discussions get forgotten, just code remains)
---------------------------------------------------------------------

RE: Introducing myself

Posted by "Noel J. Bergman" <no...@devtech.com>.
Vincent Tence wrote:

> This framework is based on the work done by the aaa4avalon project at sf.
> The guys at aaa4avalon are all a bit busy and they can't find the time
> to work on the project anymore. So after talking with them, we decided it
> would be better easier for me to start a new project and hopefully merge
> back at some point. I have attached a diagram from the original project
> that shows the general idea.

Welcome.  :-)

It is my understanding from Alex that you are interested to bring your
project here, perhaps initially as a part of the Directory project.  Is that
correct?

Does your AAA code (http://sourceforge.net/projects/aaaframework/) include
any of their code (http://sourceforge.net/projects/aaa4avalon)?  I see that
both projects are under the Apache Software License. Do we also need anything
from the AAA4Avalon project?

[Nicola Ken: if an outside project is already under the Apache Software
License, what does that imply in terms of our requirement to get a software
grant?]

	--- Noel


RE: Introducing myself

Posted by Vincent Tence <vt...@pyxis-tech.com>.
> Hi Vincent,
>
> Welcome aboard!  I am also interested in these things.  I lost
> the earlier
> sf thread on AAA and I would like to come up to speed on this framework.
> Can you post some links describing both the technical structure and the
> integration model / philosophy.

This framework is based on the work done by the aaa4avalon project at sf.
The guys at aaa4avalon are all a bit busy and they can't find the time
to work on the project anymore. So after talking with them, we decided it
would be better easier for me to start a new project and hopefully merge
back at some point. I have attached a diagram from the original project
that shows the general idea.

> Is this framework compatible with XACML,
> SAML and/or Liberty?

Not XACML or SAML compatible at that point. The initial idea is to have a
set of reusable components for AAA and then provide integration layers to
existing standards. I'm not quite there yet ;-)

<snip/>

> I think that it is important that
> whatever we implement, we try to keep it standards-based and, as much as
> possible, platform and language independent.  Could be we are talking
> about different things here.  On the other hand, it could be that we can
> find one solution that meets both needs (external, standards-based,
> platform-independent identity/authentication/authorization service +
> Avalon/J2EE container embedded provider).  Kind of like Eve is doing for
> ldap ;-)

That's the holy grail I'm looking for as well.

- Vincent

Re: Introducing myself

Posted by Phil Steitz <ph...@steitz.com>.
Vincent Tence wrote:
> Hi all,
> 
> Let me take a few moments of your time to introduce myself. 
> 
> 
> Alex and I have been in communication for several weeks discussing
> Authentication, Authorization, and Accounting (AAA) concerns. I have
> been working on an AAA framework for containers at sf.net and we saw an
> opportunity to consolidate our efforts, by both using the directory
> server as a backend to the AAA framework and using the AAA framework as
> the basis to the directory server's security subsystem.
> 
> I have been working recently on finding the best way to make the AAA
> framework both Avalon and PicoContainer compatible (Alex says I'm a Pico
> junky now) and I understood it's also a concern of Eve to run with as
> many IoC containers as possible to broaden its acceptation.
> 
> I hope we can join forces in working towards building the security
> infrastructure of Eve and making Eve compatible with other IoC
> containers variations.
> 
> Cheers,
> Vincent
> 

Hi Vincent,

Welcome aboard!  I am also interested in these things.  I lost the earlier 
sf thread on AAA and I would like to come up to speed on this framework. 
Can you post some links describing both the technical structure and the 
integration model / philosophy.  Is this framework compatible with XACML, 
SAML and/or Liberty? Sun has put an OSS XACML implementation on SF and I 
have been toying with the idea of integrating something like that into 
this project (using directory instances as both identity providers and 
policy stores, probably clean-rooming the XACML implementation, but taking 
some ideas from the Sun stuff).  I think that it is important that 
whatever we implement, we try to keep it standards-based and, as much as 
possible, platform and language independent.  Could be we are talking 
about different things here.  On the other hand, it could be that we can 
find one solution that meets both needs (external, standards-based, 
platform-independent identity/authentication/authorization service + 
Avalon/J2EE container embedded provider).  Kind of like Eve is doing for 
ldap ;-)

Phil


RE: Introducing myself

Posted by Vincent Tencé <vt...@pyxis-tech.com>.
<snip/>
> In the meantime - are you
> connected at all with the Turbine guys - they are currently working on
> an authentication framework in Fulcrum using Merlin.  Seems to me that
> there could be some synergy here.

I was not aware of that, I'll take a look. Thanks.

- Vincent

Re: Introducing myself

Posted by Stephen McConnell <mc...@apache.org>.
Hi Vincent:

Welcome aboard!  There are more than a couple of people over in Avalon
land that have been thinking about your AAA content.   There have been
some discussions as to how much of this belongs in the container and
what should be exposed to the client. I've a bunch of my own ideas on
this but would be keen to hear your own!  In the meantime - are you
connected at all with the Turbine guys - they are currently working on
an authentication framework in Fulcrum using Merlin.  Seems to me that
there could be some synergy here.

On the Merlin side of things ... looks like we should be able to cut
a new release before the end of the year.  The new release will
include a bunch of stuff that will make life easier for the Eve
product by generally improving/optimising the overall embedding
strategy. If you have any pressing requirements make sure you post
something to dev@avalon. 

Cheers, Steve.


Vincent Tence wrote:

>Hi all,
>
>Let me take a few moments of your time to introduce myself. 
>
>
>Alex and I have been in communication for several weeks discussing
>Authentication, Authorization, and Accounting (AAA) concerns. I have
>been working on an AAA framework for containers at sf.net and we saw an
>opportunity to consolidate our efforts, by both using the directory
>server as a backend to the AAA framework and using the AAA framework as
>the basis to the directory server's security subsystem.
>
>I have been working recently on finding the best way to make the AAA
>framework both Avalon and PicoContainer compatible (Alex says I'm a Pico
>junky now) and I understood it's also a concern of Eve to run with as
>many IoC containers as possible to broaden its acceptation.
>
>I hope we can join forces in working towards building the security
>infrastructure of Eve and making Eve compatible with other IoC
>containers variations.
>
>Cheers,
>Vincent
>
>
>  
>

-- 

Stephen J. McConnell
mailto:mcconnell@apache.org

|------------------------------------------------|
| Magic by Merlin                                |
| Production by Avalon                           |
|                                                |
| http://avalon.apache.org/merlin                |
| http://dpml.net/                               |
|------------------------------------------------|