[Architecture] Supporting Always go through IS for Security Mode?

Srinath Perera srinath at wso2.com
Sun Mar 11 20:33:59 PDT 2012


Hi Thilina,

I think we did an arch review of server to server auth sometime back and had
a design ..

How far are we with the impl? Does it go out with the July release?

--Srinath

On Wed, Mar 7, 2012 at 11:26 PM, Thilina Buddhika <thilinab at wso2.com> wrote:

> Hi Paul,
>
> Yes, that was the idea.
>
> Thanks,
> Thilina
>
>
> On Wed, Mar 7, 2012 at 7:47 PM, Paul Fremantle <paul at wso2.com> wrote:
>
>> Thilina
>>
>> Should we be using OAuth for this?
>>
>> Paul
>>
>>
>> On 6 March 2012 16:34, Thilina Buddhika <thilinab at wso2.com> wrote:
>>
>>> Hi Samisa,
>>>
>>>
>>> On Tue, Mar 6, 2012 at 7:46 PM, Samisa Abeysinghe <samisa at wso2.com> wrote:
>>>
>>>>
>>>>
>>>> On Tue, Mar 6, 2012 at 7:39 PM, Thilina Buddhika <thilinab at wso2.com> wrote:
>>>>
>>>>> I think,  to get this model working perfectly, we need to get the new
>>>>> server-to-server authentication model working. The current approach we use
>>>>> to invoke the Identity Server APIs is not efficient.
>>>>>
>>>>
>>>> What would the S2S auth model use that is better than the API model?
>>>>
>>>
>>> At the moment, we are calling authentication admin and then using the
>>> authenticated cookie for the actual API invocation. It has some
>>> shortcomings like:
>>>
>>> 1. Additional service call for authentication.
>>>
>>> 2. Client side has to keep track of the authenticated sessions and
>>> re-authenticate when the sessions are obsolete. This becomes a bit complex
>>> inside something like a mediator.
>>>
>>> 3. Maintaining the credentials used for authentication. This becomes
>>> trickier when MT comes into play.
>>>
>>> So the plan is to use a preemptive authentication mechanism based on
>>> tokens.
>>>
>>> Thanks,
>>> Thilina
>>>
>>>
>>>
>>>>
>>>>
>>>>
>>>>>
>>>>> Thanks,
>>>>> Thilina
>>>>>
>>>>> On Tue, Mar 6, 2012 at 5:38 PM, Srinath Perera <srinath at wso2.com>wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> Following came out of a chat with Prabath, and this shows most of the
>>>>>> IS public APIs and deployment choices. (Prabath please comment)
>>>>>>
>>>>>> There are two main scenarios Authentication and Authorization.
>>>>>>
>>>>>> Authenticate
>>>>>> ============
>>>>>> User may authenticate through CarbonSession
>>>>>> (calling authentication admin Web service, HTTP basic auth, WSS user name
>>>>>> token, SSO token, SAML token? ) .. and that sets authenticated user in the
>>>>>> session, and it does not matter how it got there.
>>>>>>
>>>>>> Carbon server that receives the request by default goes to LDAP
>>>>>> directly (U1), and we do not have U2, U3 as of now. U2 is
>>>>>> under development.  We have U3 server side where external service can
>>>>>> directly call Authentication Admin Web service.
>>>>>>
>>>>>> Authorization
>>>>>> ===========
>>>>>> Our default permissions (e.g. any mediator) directly go to DB (P3),
>>>>>> skipping IS.
>>>>>> If going through IS, user can use XACML, KDC (?) or AuthDB
>>>>>> For XACML user can talk to IS via a WS or thrift service
>>>>>> [image: Inline image 1]
>>>>>>
>>>>>> Since our default model is to go to DB directly, all the caches etc.
>>>>>> are set up for that case. However, IMO we should also support a model that
>>>>>> goes through IS for all scenarios as well. The concern is that if the Carbon
>>>>>> Server (e.g. ESB) is in a DMZ, most ppl will not like it to connect to DB/LDAP
>>>>>> directly, as if that node in the DMZ is compromised, that will give the attacker
>>>>>> full access.
>>>>>>
>>>>>> The above LDAP interface for IS will solve the problem
>>>>>> for Authentication case, but we need to solve this for authorization case
>>>>>> as well. Server side is mostly done, but we need a client side as well so
>>>>>> that users can switch to go through IS via a configuration change.
>>>>>>
>>>>>> WDYT?
>>>>>>
>>>>>> --Srinath
>>>>>>
>>>>>> --
>>>>>> ============================
>>>>>> Srinath Perera, Ph.D.
>>>>>>   Senior Software Architect, WSO2 Inc.
>>>>>>   Visiting Faculty, University of Moratuwa
>>>>>>   Member, Apache Software Foundation
>>>>>>   Research Scientist, Lanka Software Foundation
>>>>>>   Blog: http://srinathsview.blogspot.com/
>>>>>>   Photos: http://www.flickr.com/photos/hemapani/
>>>>>>  Phone: 0772360902
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Architecture mailing list
>>>>>> Architecture at wso2.org
>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thilina Buddhika
>>>>> Associate Technical Lead
>>>>> WSO2 Inc. ; http://wso2.com
>>>>> lean . enterprise . middleware
>>>>>
>>>>> phone : +94 77 44 88 727
>>>>> blog : http://blog.thilinamb.com
>>>>>
>>>>>
>>>> Thanks,
>>>> Samisa...
>>>>
>>>> Samisa Abeysinghe
>>>> VP Engineering
>>>> WSO2 Inc.
>>>> http://wso2.com
>>>> http://wso2.org
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Paul Fremantle
>> CTO and Co-Founder, WSO2
>> OASIS WS-RX TC Co-chair, VP, Apache Synapse
>>
>> UK: +44 207 096 0336
>> US: +1 646 595 7614
>>
>> blog: http://pzf.fremantle.org
>> twitter.com/pzfreo
>> paul at wso2.com
>>
>> wso2.com Lean Enterprise Middleware
>>
>>
>>
>>
>>
>
>
>
>
>


-- 
============================
Srinath Perera, Ph.D.
  Senior Software Architect, WSO2 Inc.
  Visiting Faculty, University of Moratuwa
  Member, Apache Software Foundation
  Research Scientist, Lanka Software Foundation
  Blog: http://srinathsview.blogspot.com/
  Photos: http://www.flickr.com/photos/hemapani/
 Phone: 0772360902
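The preemptive, token-based server-to-server authentication Thilina describes in the quoted thread (no separate authentication call, no authenticated cookie for the client to track and refresh, stateless verification) as an added example; this is not code from the thread or from WSO2's implementation. The scheme is an assumption chosen to illustrate the idea: each calling server shares a per-service secret with the verifying side and attaches an HMAC-signed, time-bounded token carrying a nonce to every request. The service ids, secrets and timestamps are constructed sample values.

```python
"""Preemptive, token-based server-to-server authentication (added example).

Assumed scheme, not WSO2's design: each calling server shares a per-service
secret with the verifying Identity Server and attaches a self-describing,
time-bounded, HMAC-signed token to every request.  The caller needs no prior
authentication call, keeps no cookie, and never has to detect a stale session.
"""
import base64
import hashlib
import hmac
import os
import time

TOKEN_TTL_SECONDS = 300  # assumed validity window

# Constructed sample secrets for the verifying side.  In a deployment these
# would live in a secured keystore, never in source.
SERVICE_SECRETS = {
    "esb-node-1": b"constructed-secret-for-esb-node-1",
    "dss-node-1": b"constructed-secret-for-dss-node-1",
}


def _mac(secret, payload):
    return hmac.new(secret, payload, hashlib.sha256).digest()


def issue_token(service_id, secret, now=None, ttl=TOKEN_TTL_SECONDS, nonce=None):
    """Caller side: build the token sent preemptively with each request.

    Layout before base64: service_id|expiry|nonce|HMAC(secret, service_id|expiry|nonce)
    """
    if "|" in service_id:
        raise ValueError("service_id must not contain the field separator")
    now = time.time() if now is None else now
    nonce = os.urandom(12) if nonce is None else nonce
    payload = b"|".join([service_id.encode(), str(int(now + ttl)).encode(),
                         base64.urlsafe_b64encode(nonce)])
    return base64.urlsafe_b64encode(payload + b"|" + _mac(secret, payload)).decode()


def verify_token(token, secrets=SERVICE_SECRETS, now=None, seen_nonces=None):
    """Verifier side: return (service_id, "ok") or (None, reason).

    Stateless except for the optional replay cache, a dict nonce -> expiry.
    Rejects malformed, unknown-issuer, tampered, expired and replayed tokens.
    """
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        service_id, expiry, nonce, tag = raw.split(b"|", 3)
    except ValueError:  # bad base64 (binascii.Error is a ValueError) or too few fields
        return None, "malformed"
    secret = secrets.get(service_id.decode(errors="replace"))
    if secret is None:
        return None, "unknown service"
    # Authenticate the payload before acting on any field inside it.
    if not hmac.compare_digest(_mac(secret, b"|".join([service_id, expiry, nonce])), tag):
        return None, "bad signature"
    if not expiry.isdigit() or int(expiry) < now:
        return None, "expired"
    if seen_nonces is not None:
        # Nonces of expired tokens can no longer be replayed, so drop them;
        # this bounds the cache to one TTL window of traffic.
        for stale in [n for n, exp in seen_nonces.items() if exp < now]:
            del seen_nonces[stale]
        if nonce in seen_nonces:
            return None, "replayed"
        seen_nonces[nonce] = int(expiry)
    return service_id.decode(), "ok"


def demo():
    """Walk through the cases a verifier must handle; returns the outcomes."""
    secret = SERVICE_SECRETS["esb-node-1"]
    t0 = 1_000_000  # constructed fixed clock so the run is deterministic
    cache = {}
    good = issue_token("esb-node-1", secret, now=t0)
    forged = issue_token("esb-node-1", b"not-the-shared-secret", now=t0)
    return {
        "fresh": verify_token(good, now=t0 + 10, seen_nonces=cache),
        "replayed": verify_token(good, now=t0 + 20, seen_nonces=cache),
        "expired": verify_token(good, now=t0 + TOKEN_TTL_SECONDS + 1),
        "forged": verify_token(forged, now=t0 + 10),
        "malformed": verify_token(base64.urlsafe_b64encode(b"junk").decode(), now=t0),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} -> {outcome}")
```

The verifier checks the MAC before it reads the expiry, so nothing in an unauthenticated token is ever acted on, and the replay cache is pruned against the token TTL so it cannot grow without bound. The design also speaks to the DMZ concern Srinath raises: the node in the DMZ holds only a secret scoped to its own service identity, not the LDAP or DB credentials it would need for direct access.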
-------------- next part --------------
A non-text attachment was scrubbed...
Name: WSO2SecuirtyArch.png
Type: image/png
Size: 115074 bytes
Desc: not available
URL: <http://mail.wso2.org/pipermail/architecture/attachments/20120312/52a05d73/attachment-0001.png>