directory-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Directory Wiki] Update of "AuthXHome" by VincentTence
Date Wed, 14 Dec 2005 04:22:27 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Directory Wiki" for change notification.

The following page has been changed by VincentTence:
http://wiki.apache.org/directory/AuthXHome

------------------------------------------------------------------------------
  ## page was renamed from JanusHome
- === About Janus ===
+ === About AuthX ===
  
- Janus is an effort to develop an Authentication, Authorization and Accounting framework
for
+ AuthX is an effort to develop an Authentication, Authorization and Accounting framework
for
- building security infrastructures. Janus is the security sub-project for the Eve directory
server.
+ building security infrastructures. AuthX is the security sub-project for the Eve directory
server.
- 
- === Proposal ===
- 
- Following is a proposed direction to drive the development of Janus.
  
  ==== Glossary ====
  
  ||'''Credential'''||Unit of proof of identity||
- ||'''Realm'''||A set of principals and associated credentials and an authentication method||
+ ||'''Realm'''||A set of credentials with an associated authentication method||
  ||'''Subject'''||Result of a successful authentication||
- ||'''Authenticator'''||Renders an authentication result - may act on several realms||
+ ||'''Authenticator'''||Renders an authentication result||
  ||'''Resource'''||Object of an authorization decision||
  ||'''Action'''||Operation to be performed on a resource||
- ||'''Permission'''||An action on a associated resource which is the subject of an authorization
decision||
+ ||'''Permission'''||An action on a resource which is the subject of an authorization decision||
  ||'''Condition'''||An expression of predicates on a subject (on its principals)||
  ||'''Rule'''||Definition of an effect of verifying a condition on a permission||
- ||'''Effect'''||Consequence of evaluating a rule: permit, deny, indeterminate||
+ ||'''Effect'''||Consequence of evaluating a rule that participates in an authorization decision:
permit, deny, indeterminate||
  ||'''Policy'''||A set of rules and an algorithm for combining rules||
  ||'''Policy Set'''||A set of policies (or other policy sets) and an algorithm for combining
policies||
- ||'''Applicable Policy'''||A set of policies and policy sets that apply to a resource||
  ||'''Context'''||A set of environmental attributes that affects an authorization decision||
  ||'''Information Provider'''||Provides information on subject attributes (e.g. groups, roles)||
  ||'''Authorization decision'''||Result of evaluating policies: permit or deny access||
- ||'''Authorizer'''||Renders an authorization decision based on policies and or policy sets||
+ ||'''Authorizer'''||Renders an authorization decision based on policies/or policy sets||
  
  ==== Control Flow ====
+ Based on the above definitions, follows a representation of the security flow:
- Based on the above definitions, the typical flow would be:
- 
  
  '''Authentication'''
  {{{
                 credentials
  Client ---------------------------->                   credentials 
            authentication request                   -------------------> 
-                                                                         Realm
+                                                                         Realm (validates
credentials)
                                                     <-------------------             
      
                                                          Principal
  
-                                    Authenticator    (...might repeat...)
+                                    Authenticator
  
                                                           Subject                       
                      
                                                      ------------------> 
-                                                                         Information Provider
+                                                                         Information Provider
(describes Subject with additional attributes)
                                                      <------------------
-                Subject                                   Subject (e.g. with group or roles
attributes)
+                Subject                                   Subject (with attributes, e.g.
group or roles)
         <----------------------------                    
             authentication result  
  }}}
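Review bot: The revised Realm row ("A set of credentials with an associated authentication method") drops the principals, yet the Authentication diagram in this same hunk still has the Realm hand a Principal back to the Authenticator after validating credentials; either keep principals in the definition (e.g. "A set of principals, their credentials and an authentication method") or say where the Principal comes from once the credentials are validated. Smaller slip in the Authorizer row: "based on policies/or policy sets" reads like a typo for "based on policies and/or policy sets".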
@@ -58, +52 @@

  {{{
              Subject + Permission
  Client ---------------------------->                   
-           authorization request                    ------- 
-                                                          |  Identify applicable policies
-                                                    <------
-                                                         
-                                                       Subject + Permission             
                                
+           authorization request                        Subject + Permission            
                                 
                                                      -------------------------> 
-                                                                                 Applicable
Policy (or policy set)                                                                   
                                                                                         
                                         
+                                                                                 Policy (or
policy set)                                                                              
                                                                                         
                               evaluates contained rules
-                                       Authorizer    <------------------------- 
+                                                     <------------------------- 
-                                                               Effect (combination of applicable
rules effects)
+                                                        Effect (combination of applicable
rules effects)
                    
-                                                          (...might repeat...)
+                                       Authorizer    (repeat for all policies)
  
-                                                    ------- 
+                                                     ------- 
-                                                          |  Combine policies
+                                                           |  Renders authorization decision
-                                                    <------ 
+                                                     <------ 
         <-----------------------------
              Authorization decision
  
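Review bot: Removing the "Identify applicable policies" step (together with the Applicable Policy glossary entry in the previous hunk) leaves the Authorization flow with no point at which the Authorizer selects the policies that apply to the Subject + Permission; "Authorizer (repeat for all policies)" now reads as if every policy in the system is evaluated for every request, and the Context (environmental attributes affecting the decision, per the glossary) appears nowhere in the flow. Suggest restoring a selection step, e.g. "Identify policies that apply to Subject + Permission (+ Context)", or noting that the policy set's combining algorithm performs that selection. The Effect line still says "combination of applicable rules effects", so the notion of applicability has not really gone away.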
