You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geronimo.apache.org by Simon Godik <si...@godik.com> on 2006/02/07 04:42:37 UTC
principals and trust rules for csi-v2
Trust rules for csi-v2:
We derive B from Kb by authentication (Kb => B); B controls A means that B
is trusted on A;
B|A means B is quoting A; (or) B says A says s; B|A is a quoting principal;
(Abadi etal)
B is auth token identity;
A is identity token identity;
Backward trust:
Kb => B;
Local Trust Root controls: B controls A (B is trusted to assert A) (local
trust rules)
B|A says s; (s is request that is invoked as A)
Forward trust:
Kb => B;
Kz controls (B is a proxy for A); (this is authorization assertion signed by
Kz);
B|A says s; (s is request that is invoked as A)
Csi-v2 principals:
QuotingPrincipal class has getQuotedPrincipal() (A) and
getQuotingPrincipal() (B) methods;
QuotingPrincipal instance is added to the subject;
We can write authorization rules in terms of B|A, eg map B|A into roles.
Comments?
Simon