directory-commits mailing list archives

From directory-...@incubator.apache.org
Subject [Apache Directory Project Wiki] Updated: JanusHome
Date Tue, 22 Jun 2004 04:10:44 GMT
   Date: 2004-06-21T21:10:43
   Editor: 24.37.52.157 <>
   Wiki: Apache Directory Project Wiki
   Page: JanusHome
   URL: http://wiki.apache.org/directory/JanusHome

   no comment

Change Log:

------------------------------------------------------------------------------
@@ -7,15 +7,68 @@
 
 Following is a proposed direction to drive the development of Janus.
 
-==== Terminology ====
+==== Glossary ====
 
+||'''Credential'''||Unit of proof of identity||
+||'''Realm'''||A set of principals and associated credentials and an authentication method||
+||'''Subject'''||Result of a successful authentication||
+||'''Authenticator'''||Renders an authentication result - may act on several realms||
 ||'''Resource'''||Object of an authorization decision||
 ||'''Action'''||Operation to be performed on a resource||
 ||'''Permission'''||An action on a associated resource which is the subject of an authorization
decision||
 ||'''Condition'''||An expression of predicates on a subject (on its principals)||
 ||'''Rule'''||Definition of an effect of verifying a condition on a permission||
-||'''Effect'''||Consequence of verifying a rule: permit or deny||
+||'''Effect'''||Consequence of evaluating a rule: permit, deny, indeterminate||
 ||'''Policy'''||A set of rules and an algorithm for combining rules||
 ||'''Policy Set'''||A set of policies (or other policy sets) and an algorithm for combining
policies||
 ||'''Applicable Policy'''||A set of policies and policy sets that apply to a resource||
 ||'''Context'''||A set of environmental attributes that affects an authorization decision||
+||'''Information Provider'''||Provides information on subject attributes (e.g. groups, roles)||
+||'''Authorization decision'''||Result of evaluating policies: permit or deny access||
+||'''Authorizer'''||Renders authorization decision based on policies and or policy sets||
+
+==== Control Flow ====
+Based on the above definitions, the typical flow would be (notice the great ASCII art ;-)):
+
+
+'''Authentication'''
+{{{
+               credentials
+Client ---------------------------->                   credentials 
+          authentication request                   -------------------> 
+                                                                        Realm
+                                                   <-------------------              
     
+                                                        Principal
+
+                                   Authenticator    (...might repeat...)
+
+                                                         Subject                        
                     
+                                                    ------------------> 
+                                                                        Information Provider
+                                                    <------------------
+               Subject                                   Subject (e.g. with group or roles
attributes)
+       <----------------------------                    
+           authentication result  
+}}}
+
+'''Authorization'''
+{{{
+            Subject + Permission
+Client ---------------------------->                   
+          authorization request                    ------- 
+                                                         |  Identify applicable policies
+                                                   <------
+                                                        
+                                                      Subject + Permission              
                               
+                                                    -------------------------> 
+                                                                                Applicable
Policy (or policy set)                                                                   
                                                                                         
                                         
+                                      Authorizer    <------------------------- 
+                                                              Effect (combination of applicable
rules effects)
+                  
+                                                          (...migh repeat...)
+
+                                                   ------- 
+                                                         |  Combine policies
+                                                   <------ 
+       <-----------------------------
+            Authorization decision
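Review bot: the revised Effect row (`+||'''Effect'''||Consequence of evaluating a rule: permit, deny, indeterminate||`) introduces a third outcome that the new Authorization decision row (`+||'''Authorization decision'''||Result of evaluating policies: permit or deny access||`) does not account for, and nothing in the Authorization flow says how the "Combine policies" step maps an indeterminate rule effect, or the case where no applicable policy is found, onto the final permit/deny; the combining algorithm should state the fail-closed rule explicitly (indeterminate or empty result is denied). Related: the glossary defines Context as environmental attributes that affect an authorization decision, yet the authorization request in the diagram carries only "Subject + Permission", so either add Context to the request or note where the Authorizer obtains it. Minor: "(...migh repeat...)" should read "might repeat", and "based on policies and or policy sets" should be "and/or".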
