Monday, December 26, 2005
Secure J2EE, Federated Identity and XACML
Several weeks ago I had a conversation with one of my favorite industry CTOs around his company: Securent and usage of XACML 2.0 for policy enforcement. Figured out his company has a wonderful product offering that I hope several analysts will look into. The one thing though that I did conclude is that more vendors need to get behind the XACML specification and incorporate it into their product as security shouldn't be defined using proprietary expressions...
Maybe as a christmas gift I could ask my favorite open source projects: Liferay, ServiceMix and JBoss to integrate support for XACML into the next release. Essentially all of these platforms support the same "pattern" and will allow for adding additional security providers. Minimally, there should be two new providers. First, a authorization provider and most importantly a role mapping provider. The notion of roles shouldn't be embedded within each product but should be centrally defined.
One additional feature I would like to see in JBoss is the notion of Identity-Based connection pooling. We all understand the value of connection pooling and how it benefits scalability but we are now constrained within large enterprises on having to protect our databases and have a bucket of laws we have to comply with. The notion of individually identifying users is crucial to Sarbanes Oxley certification which if fully implemented would otherwise be diametrically opposed to connection pooling. The notion of identity-based connection pooling should either select an existing physical connection or create a new physical connection with the specified identity (analogous to Unix SU).
I wonder if the folks at Microsoft have considered putting XACML support into Active Directory? I am even more curious if the folks at IBM would consider extending RACF to support XACML?
Anyway, I haven't been able to find much analyst perspective on XACML, although I am of the belief that it will make a lot of sense for vendors to move towards this direction especially in federated scenarios.
Have to track down Pat Patterson of Sun and Kim Cameron of Microsoft to provide the answer to a question that has been bothering me. I know that SAML 2.0 can support the notion of role entitlement and this could be realized by both the new metadata constructs as well as embedding XACML, but what is the better way?
Likewise, a similar question to Microsoft in my wanting to know if WS-Federation can support the embedding of XACML?
I wonder if Jamie Lewis over at the Burton Group may know the answer to my question?
| | View blog reactionsMaybe as a christmas gift I could ask my favorite open source projects: Liferay, ServiceMix and JBoss to integrate support for XACML into the next release. Essentially all of these platforms support the same "pattern" and will allow for adding additional security providers. Minimally, there should be two new providers. First, a authorization provider and most importantly a role mapping provider. The notion of roles shouldn't be embedded within each product but should be centrally defined.
One additional feature I would like to see in JBoss is the notion of Identity-Based connection pooling. We all understand the value of connection pooling and how it benefits scalability but we are now constrained within large enterprises on having to protect our databases and have a bucket of laws we have to comply with. The notion of individually identifying users is crucial to Sarbanes Oxley certification which if fully implemented would otherwise be diametrically opposed to connection pooling. The notion of identity-based connection pooling should either select an existing physical connection or create a new physical connection with the specified identity (analogous to Unix SU).
I wonder if the folks at Microsoft have considered putting XACML support into Active Directory? I am even more curious if the folks at IBM would consider extending RACF to support XACML?
Anyway, I haven't been able to find much analyst perspective on XACML, although I am of the belief that it will make a lot of sense for vendors to move towards this direction especially in federated scenarios.
Have to track down Pat Patterson of Sun and Kim Cameron of Microsoft to provide the answer to a question that has been bothering me. I know that SAML 2.0 can support the notion of role entitlement and this could be realized by both the new metadata constructs as well as embedding XACML, but what is the better way?
Likewise, a similar question to Microsoft in my wanting to know if WS-Federation can support the embedding of XACML?
I wonder if Jamie Lewis over at the Burton Group may know the answer to my question?