Posted to dev@tuscany.apache.org by Luciano Resende <lu...@gmail.com> on 2008/10/14 10:31:21 UTC

Re: Adding support for Security Policies to Tuscany Web 2.0 extensions

On Wed, Sep 17, 2008 at 1:26 AM, Simon Laws <si...@googlemail.com> wrote:
> Hi Luciano
>
> Good to hear you thinking along these lines. Taking the scenario motivated
> approach will help improve policy support generally I think. I've put
> comments that come immediately to mind in line.
>
> Once you think we have a good handle on the initial scenarios we could start
> making some itests to explore them.
>
> Simon
>
> On Wed, Sep 17, 2008 at 12:27 AM, Luciano Resende <lu...@gmail.com>
> wrote:
>>
>> I have started some research around using Policy to enable some
>> security capabilities to Tuscany Web 2.0 extensions, and have
>> identified some initial scenarios as listed below:
>>
>> Scenarios:
>>
>> Web 2.0 application requires that a user get authenticated before it
>> can access the application.
>
> Intent: authentication
>
> This is the reference side right?
>
> What sort of technologies are you thinking about here.
> authentication.message, authentication.transport? We should look at the
> various strategies we would expect to experience talking to real world
> services. This may include things like cookie handling.
>
> These Web2.0 applications use a number of different protocols, e.g. Atom,
> Jsonrpc, RSS, but are mostly based on HTTP so I'd be interested in how we
> provide some commonality across these bindings. I am, for example, keen to
> work with you to extend org.apache.tuscany.sca.policy.authentication.basic
> to these bindings.

We can evaluate this once I have implemented it further. One
difference I noticed is that you were doing a lot of work on the
Binding Servlet Listener, and after starting to use this approach, I'm
investigating the possibility of moving the code from the binding
servlet to an interceptor and sharing this with all the web 2.0 bindings.

>
> (I guess more generally it would be interesting to see if there is common
> HTTP binding function across these Web2.0 bindings but that's a different
> subject)

After starting some changes on the Binding Servlet Listener, I
realized there is indeed a lot of commonality between all these, and
I'm now investigating using an interceptor to handle this in a common
way across all web 2.0 bindings.

>>
>>
>> Web 2.0 application requires that all communication between
>> client/server be done using SSL.
>
> Intent: authentication.transport?
>           confidentiality?
>           integrity?

Good question, confidentiality sounds good, compared to what I had in
my local changes (Intent: ssl)

>>
>>
>> A given service, exposed using a web 2.0 binding requires user
>> authentication.
>>
>> A given operation, exposed using a web 2.0 binding requires user
>> authentication.
>
> The other thing that comes to mind is looking at the difference between
> container based security configuration and the way that this interacts with
> the binding and policy configuration. So two scenarios
>
> A given service, exposed using a web 2.0 binding requires user
> authentication and is deployed into a container where security is configured
> A given service, exposed using a web 2.0 binding requires user
> authentication and is deployed into a container where security is not
> configured
>

I'm focusing on the second scenario, as this seems to be the way our
web 2.0 applications are mostly used. But the design, which is
described in more detail in [1], should cover both scenarios.

[1] http://tuscany.apache.org/sca-java-bindinghttp.html

> Are there any Web2.0 protocol specific security semantics that we need to be
> aware of?
>

The different Web 2.0 protocols rely on HTTP for security, except
maybe for the Google GData Binding, which would have some specific APIs
to handle Google authentication and SSO.

>>
>>
>>
>> Please let me know if you have other scenarios in mind.
>>
>> --
>> Luciano Resende
>> Apache Tuscany Committer
>> http://people.apache.org/~lresende
>> http://lresende.blogspot.com/
>
>

-- 
Luciano Resende
Apache Tuscany, Apache PhotArk
http://people.apache.org/~lresende
http://lresende.blogspot.com/

Re: Adding support for Security Policies to Tuscany Web 2.0 extensions

Posted by Luciano Resende <lu...@gmail.com>.
I have started working on this again, and have made some progress on
enabling SSL using policies and also adding the capability to
configure authentication in embedded servers using policy. This new
stuff is demonstrated in the new store-secure sample.

- Enabling SSL is done via confidentiality intent, and the

composite snippet:

   <t:binding.http uri="/store" requires="confidentiality"/>

definitions.xml snippet:

   <sca:policySet name="widgetConfidentialityConfigurationPolicySet"
                  provides="sca:confidentiality"
                  appliesTo="tuscany:binding.http">
      <tuscany:confidentiality>
         <tuscany:keyStore type="JKS" file="target/classes/tuscany.keyStore" password="apache"/>
         <tuscany:trustStore type="" file="" password=""/>
      </tuscany:confidentiality>
   </sca:policySet>


- Enabling authentication is done via the authentication intent. There
is also the possibility to configure the embedded HTTP server by
providing a list of users with their credentials and roles.

composite snippet:

   <t:binding.http uri="/store" requires="authentication"/>

definitions.xml snippet:

   <sca:policySet name="widgetBindingAuthenticationPolicySet"
                  provides="sca:authentication"
                  appliesTo="tuscany:binding.http">
      <tuscany:authenticationConfiguration>
         <tuscany:user username="admin" password="tuscany" roles="admin"/>
         <tuscany:user username="user1" password="tuscany" roles="user"/>
         <tuscany:user username="user2" password="tuscany" roles="user"/>
      </tuscany:authenticationConfiguration>
   </sca:policySet>


One thing I wanted to check with others is around some internal
differences between Tomcat and Jetty: while Jetty allows me to pass the
user/credential/role configurations, Tomcat has native support to
point to a file with this information. Should we have two different
ways to configure the embedded HTTP server, or should we use a single
way to define the policySet configuring the embedded server and deal
with more complex code to make Tomcat understand the set of
user/credential/roles?

As for next steps, I still need to tidy up some impl in the embedded
servers and figure out our story when deploying to a Java EE
Application Server.


-- 
Luciano Resende
Apache Tuscany, Apache PhotArk
http://people.apache.org/~lresende
http://lresende.blogspot.com/
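
Added example (not part of the original messages and not Tuscany code): a small Python check that pairs each intent a binding requires with a policySet that provides it for that binding type, and flags passwords written inline in definitions.xml, run over the snippets from the message above. The namespace URIs, the /admin binding with its integrity intent, and matching appliesTo by element name are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URIs: the post shows only the prefixes sca:, tuscany: and t:.
NS = ('xmlns:sca="http://www.osoa.org/xmlns/sca/1.0" '
      'xmlns:tuscany="http://tuscany.apache.org/xmlns/sca/1.0"')

# Constructed sample: the two policySets from the message, user list shortened.
DEFINITIONS = f"""<sca:definitions {NS}>
 <sca:policySet name="widgetConfidentialityConfigurationPolicySet"
     provides="sca:confidentiality" appliesTo="tuscany:binding.http">
  <tuscany:confidentiality>
   <tuscany:keyStore type="JKS" file="target/classes/tuscany.keyStore" password="apache"/>
   <tuscany:trustStore type="" file="" password=""/>
  </tuscany:confidentiality>
 </sca:policySet>
 <sca:policySet name="widgetBindingAuthenticationPolicySet"
     provides="sca:authentication" appliesTo="tuscany:binding.http">
  <tuscany:authenticationConfiguration>
   <tuscany:user username="admin" password="tuscany" roles="admin"/>
  </tuscany:authenticationConfiguration>
 </sca:policySet>
</sca:definitions>"""

# Constructed composite: /store is from the message, /admin is hypothetical.
COMPOSITE = f"""<sca:composite {NS}>
 <tuscany:binding.http uri="/store" requires="confidentiality authentication"/>
 <tuscany:binding.http uri="/admin" requires="integrity"/>
</sca:composite>"""

def local(name):
    """Strip an ElementTree '{uri}' prefix or an XML 'prefix:' from a name."""
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1]

def lint(definitions_xml, composite_xml):
    findings, provided = [], set()
    for ps in ET.fromstring(definitions_xml).iter():
        if local(ps.tag) != "policySet":
            continue
        # Record (intent, binding type) pairs this policySet can satisfy.
        for intent in ps.get("provides", "").split():
            provided.add((local(intent), local(ps.get("appliesTo", ""))))
        for el in ps.iter():
            if el.get("password"):  # non-empty literal secret in the policy file
                findings.append(f"{ps.get('name')}: inline password on {local(el.tag)}")
    for b in ET.fromstring(composite_xml).iter():
        for intent in b.get("requires", "").split():
            if (local(intent), local(b.tag)) not in provided:
                findings.append(f"{b.get('uri')}: no policySet provides '{intent}'")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(DEFINITIONS, COMPOSITE)))
```
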