Posted to dev@juddi.apache.org by Alex Ceponkus <al...@ceponkus.org> on 2002/01/14 09:37:07 UTC

[jUDDI-developers] AuthN vs AuthZ (was: First cut at jUDDI high-level diagrams)

Not sure if the authentication module encompasses authorization, if not,
then I think we need an AuthZ module also.  Some organizations might want to
provide further details about who can read/modify individual uddi entries
scoped within a business.  As a first pass, we can implement a simple authz
module that just gives access to all the entries for a given business to
anybody that gets authenticated by the authn module (which is what I think
would happen the way things are now.)  Please correct me if I am wrong.

Alex

> -----Original Message-----
> From: juddi-developers-admin@lists.sourceforge.net
> [mailto:juddi-developers-admin@lists.sourceforge.net]On Behalf Of
> William Z Pope
> Sent: Monday, January 14, 2002 9:34 AM
> To: Steve Viens; juddi-developers@lists.sourceforge.net
> Subject: RE: [jUDDI-developers] First cut at jUDDI high-level diagrams
>
>
>
> Steve already pointed out that in spite of the fact that I've done
> security work in the past authentication isn't important enough to
> be included in the diagrams twice.  :)
> Any other comments to the list please.
>
> =bill
>
> -----Original Message-----
> From: juddi-developers-admin@lists.sourceforge.net
> [mailto:juddi-developers-admin@lists.sourceforge.net]On Behalf Of Steve
> Viens
> Sent: Monday, January 14, 2002 8:28 AM
> To: juddi-developers@lists.sourceforge.net
> Subject: [jUDDI-developers] First cut at jUDDI high-level diagrams
>
>
> fyi,
>
> Bill Pope has started putting together architecture docs for jUDDI.
> These are just started mind you and there isn't any textual description
> to go along with them yet. They're located in a 'diagrams' folder of the
> jUDDI web site:
>
> http://juddi.org/diagrams
>
> Both Visio and JPEG versions are available.
>
> Thanks Bill!
>
> Steve
>
> PS: Alex, you can work this stuff into the *NEW* jUDDI web site any way
> you would like when you get to it.  I just wanted to get them out there.
>
> Steve Viens
> jUDDI Project Manager
> sviens@steveviens.com
> http://juddi.org/
>
>
>
> _______________________________________________
> juddi-developers mailing list
> juddi-developers@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/juddi-developers




RE: [jUDDI-developers] AuthN vs AuthZ (was: First cut at jUDDI high-level diagrams)

Posted by Steve Viens <sv...@steveviens.com>.
Alex, sounds good! :)

Care to take a shot at writing up a use case so we all understand the
issue?

(as time allows of course)

Steve

-----Original Message-----
From: juddi-developers-admin@lists.sourceforge.net
[mailto:juddi-developers-admin@lists.sourceforge.net] On Behalf Of Alex
Ceponkus
Sent: Monday, January 14, 2002 12:20 PM
To: Steve Viens; juddi-developers@lists.sourceforge.net
Subject: RE: [jUDDI-developers] AuthN vs AuthZ (was: First cut at jUDDI
high-level diagrams)


> Unfortunately the UDDI specification (version 2) does not really
> support a very complex authorization module.

It doesn't at this time, but it's such a big missing piece that authz
will either be addressed in a later spec or organizations using uddi
registries (especially internal registries) will use proprietary
mechanisms to get that functionality.  Either way, we should be building
the necessary plumbing at the early stages.

> You are correct - kind of. The AuthN (authentication) module only
> handles userid/credential authentication. The individual UDDI services
> will handle AuthZ (authorization - who can delete stuff). The userid
> of the owner of each individual UDDI object will be stored with the
> object.

So it looks like there is a need for a separate authz module that those
individual services can query.

> We had assumed that authentication could be implemented in many 
> different methods (via different authentication modules) such as 
> Windows userid, UNIX etc/passwd, LDAP etc. I don't think we want to 
> place too many requirements on this component of jUDDI.

I agree, a separate module sounds like a clean architectural split.

Alex







RE: [jUDDI-developers] AuthN vs AuthZ (was: First cut at jUDDI high-level diagrams)

Posted by Alex Ceponkus <al...@ceponkus.org>.
> Unfortunately the UDDI specification (version 2) does not really
> support a very complex authorization module.

It doesn't at this time, but it's such a big missing piece that authz will
either be addressed in a later spec or organizations using uddi registries
(especially internal registries) will use proprietary mechanisms to get that
functionality.  Either way, we should be building the necessary plumbing at
the early stages.

> You are correct - kind of. The AuthN (authentication) module only
> handles userid/credential authentication. The individual UDDI services
> will handle AuthZ (authorization - who can delete stuff). The userid of
> the owner of each individual UDDI object will be stored with the object.

So it looks like there is a need for a separate authz module that those
individual services can query.

> We had assumed that authentication could be implemented in many
> different methods (via different authentication modules) such as Windows
> userid, UNIX etc/passwd, LDAP etc. I don't think we want to place too
> many requirements on this component of jUDDI.

I agree, a separate module sounds like a clean architectural split.

Alex
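
The split discussed in this thread, sketched in Java as an added example (it is not jUDDI code and not written by any of the posters): the AuthN module only verifies a userid/credential, and each service queries a separate, pluggable AuthZ module that can use the owner userid stored with the object. Every type, method and sample value below is hypothetical.

```java
import java.util.Map;

// Added illustration; all names here are hypothetical, not jUDDI's API.
public class AuthzSketch {
    enum Action { READ, MODIFY, DELETE }

    /** A stored UDDI object carries the userid of its owner, as described in the thread. */
    record UddiEntry(String key, String businessKey, String ownerUserId) {}

    /** AuthN module: only verifies userid/credential (could be backed by LDAP, passwd, ...). */
    interface Authenticator {
        /** Returns the authenticated userid, or null when the credential is rejected. */
        String authenticate(String userId, String credential);
    }

    /** AuthZ module: the individual services query this instead of deciding themselves. */
    interface Authorizer {
        boolean isAllowed(String authenticatedUserId, Action action, UddiEntry entry);
    }

    /** First-pass policy from the thread: anyone the AuthN module accepts gets access. */
    static final Authorizer ANY_AUTHENTICATED = (user, action, entry) -> user != null;

    /** Stricter policy: anyone authenticated may read, only the owner may modify or delete. */
    static final Authorizer OWNER_ONLY = (user, action, entry) ->
        user != null && (action == Action.READ || user.equals(entry.ownerUserId()));

    /** A service call: authenticate first, then ask the pluggable Authorizer. */
    static String delete(Authenticator authn, Authorizer authz,
                         String userId, String credential, UddiEntry entry) {
        String user = authn.authenticate(userId, credential);
        if (user == null) return "rejected: authentication failed";
        if (!authz.isAllowed(user, Action.DELETE, entry)) return "rejected: not authorized";
        return "deleted " + entry.key();
    }

    public static void main(String[] args) {
        // Constructed sample data: an in-memory table stands in for a real AuthN backend.
        Map<String, String> creds = Map.of("alice", "pw-a", "bob", "pw-b");
        Authenticator authn = (u, c) -> c != null && c.equals(creds.get(u)) ? u : null;
        UddiEntry entry = new UddiEntry("svc-1", "biz-1", "alice");

        System.out.println(delete(authn, ANY_AUTHENTICATED, "bob", "pw-b", entry));
        System.out.println(delete(authn, OWNER_ONLY, "bob", "pw-b", entry));
        System.out.println(delete(authn, OWNER_ONLY, "alice", "pw-a", entry));
        System.out.println(delete(authn, OWNER_ONLY, "alice", "wrong", entry));
    }
}
```

Swapping `ANY_AUTHENTICATED` for `OWNER_ONLY` changes who may delete the entry without touching the authentication backend or the service code, which is the architectural split the thread argues for.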




RE: [jUDDI-developers] AuthN vs AuthZ (was: First cut at jUDDI high-level diagrams)

Posted by Steve Viens <sv...@steveviens.com>.
Unfortunately the UDDI specification (version 2) does not really
support a very complex authorization module.

You are correct - kind of. The AuthN (authentication) module only
handles userid/credential authentication. The individual UDDI services
will handle AuthZ (authorization - who can delete stuff). The userid of
the owner of each individual UDDI object will be stored with the object.

We had assumed that authentication could be implemented in many
different methods (via different authentication modules) such as Windows
userid, UNIX etc/passwd, LDAP etc. I don't think we want to place too
many requirements on this component of jUDDI.

Comments?

Steve


-----Original Message-----
From: juddi-developers-admin@lists.sourceforge.net
[mailto:juddi-developers-admin@lists.sourceforge.net] On Behalf Of Alex
Ceponkus
Sent: Monday, January 14, 2002 11:41 AM
To: zpope@pobox.com; Steve Viens; juddi-developers@lists.sourceforge.net
Subject: [jUDDI-developers] AuthN vs AuthZ (was: First cut at jUDDI
high-level diagrams)


Not sure if the authentication module encompasses authorization, if not,
then I think we need an AuthZ module also.  Some organizations might
want to provide further details about who can read/modify individual
uddi entries scoped within a business.  As a first pass, we can
implement a simple authz module that just gives access to all the
entries for a given business to anybody that gets authenticated by the
authn module (which is what I think would happen the way things are
now.)  Please correct me if I am wrong.

Alex

> -----Original Message-----
> From: juddi-developers-admin@lists.sourceforge.net
> [mailto:juddi-developers-admin@lists.sourceforge.net]On Behalf Of 
> William Z Pope
> Sent: Monday, January 14, 2002 9:34 AM
> To: Steve Viens; juddi-developers@lists.sourceforge.net
> Subject: RE: [jUDDI-developers] First cut at jUDDI high-level diagrams
>
>
>
> Steve already pointed out that in spite of the fact that I've done 
> security work in the past authentication isn't important enough to be 
> included in the diagrams twice.  :) Any other comments to the list 
> please.
>
> =bill
>
> -----Original Message-----
> From: juddi-developers-admin@lists.sourceforge.net
> [mailto:juddi-developers-admin@lists.sourceforge.net]On Behalf Of 
> Steve Viens
> Sent: Monday, January 14, 2002 8:28 AM
> To: juddi-developers@lists.sourceforge.net
> Subject: [jUDDI-developers] First cut at jUDDI high-level diagrams
>
>
> fyi,
>
> Bill Pope has started putting together architecture docs for jUDDI. 
> These are just started mind you and there isn't any textual 
> description to go along with them yet. They're located in a 'diagrams'
> folder of the jUDDI web site:
>
> http://juddi.org/diagrams
>
> Both Visio and JPEG versions are available.
>
> Thanks Bill!
>
> Steve
>
> PS: Alex, you can work this stuff into the *NEW* jUDDI web site any 
> way you would like when you get to it.  I just wanted to get them out 
> there.
>
> Steve Viens
> jUDDI Project Manager
> sviens@steveviens.com
> http://juddi.org/
>
>
>





[jUDDI-developers] RE: AuthN vs AuthZ (was: First cut at jUDDI high-level diagrams)

Posted by William Z Pope <zp...@pobox.com>.
I agree, this was my expectation all along.

=bill

-----Original Message-----
From: Alex Ceponkus [mailto:alex@ceponkus.org]
Sent: Monday, January 14, 2002 11:41 AM
To: zpope@pobox.com; Steve Viens; juddi-developers@lists.sourceforge.net
Subject: AuthN vs AuthZ (was: First cut at jUDDI high-level diagrams)


Not sure if the authentication module encompasses authorization, if not,
then I think we need an AuthZ module also.  Some organizations might want to
provide further details about who can read/modify individual uddi entries
scoped within a business.  As a first pass, we can implement a simple authz
module that just gives access to all the entries for a given business to
anybody that gets authenticated by the authn module (which is what I think
would happen the way things are now.)  Please correct me if I am wrong.

Alex

> -----Original Message-----
> From: juddi-developers-admin@lists.sourceforge.net
> [mailto:juddi-developers-admin@lists.sourceforge.net]On Behalf Of
> William Z Pope
> Sent: Monday, January 14, 2002 9:34 AM
> To: Steve Viens; juddi-developers@lists.sourceforge.net
> Subject: RE: [jUDDI-developers] First cut at jUDDI high-level diagrams
>
>
>
> Steve already pointed out that in spite of the fact that I've done
> security work in the past authentication isn't important enough to
> be included in the diagrams twice.  :)
> Any other comments to the list please.
>
> =bill
>
> -----Original Message-----
> From: juddi-developers-admin@lists.sourceforge.net
> [mailto:juddi-developers-admin@lists.sourceforge.net]On Behalf Of Steve
> Viens
> Sent: Monday, January 14, 2002 8:28 AM
> To: juddi-developers@lists.sourceforge.net
> Subject: [jUDDI-developers] First cut at jUDDI high-level diagrams
>
>
> fyi,
>
> Bill Pope has started putting together architecture docs for jUDDI.
> These are just started mind you and there isn't any textual description
> to go along with them yet. They're located in a 'diagrams' folder of the
> jUDDI web site:
>
> http://juddi.org/diagrams
>
> Both Visio and JPEG versions are available.
>
> Thanks Bill!
>
> Steve
>
> PS: Alex, you can work this stuff into the *NEW* jUDDI web site any way
> you would like when you get to it.  I just wanted to get them out there.
>
> Steve Viens
> jUDDI Project Manager
> sviens@steveviens.com
> http://juddi.org/
>
>
>