A common problem that I see in the field is how to enforce the security policy in the execution context of a service (are those enough SOA concepts in one sentence for you?). The market is full of Federated Identity Management tools. Once you have decided which identity management package you will use, you still have to integrate that solution with the rest of your infrastructure.
Let's suppose that you decide to go with a SAML token solution from a vendor that is big and blue, for example. The way this works is that the identity management server either intercepts or redirects the initial call going to your services and challenges the service consumer for credentials. If the identity server accepts the credentials, it considers the service consumer authenticated and places a SAML token in the header of the request that goes on to the service.
Now suppose the service the consumer is trying to access is a web service. The identity server places the SAML token in the SOAP header of the request going to the web service. All the web service container then needs to do is verify that the request carries a valid SAML token: one whose signature verifies against the identity server's certificate, whose validity window (NotBefore/NotOnOrAfter) includes the current time, and whose audience restriction names this service. That takes care of authentication: by accepting the token, the web service acknowledges that the consumer is who it claims to be. The SAML authentication process is actually more involved than that, but for this example it will do.
If you are using JBoss, this is what you need to do to make your web services accept the token:
a) Create a generic handler (per the JSR 109 specification) that is called before the request ever reaches the endpoint, and insert this handler into the chain. Make the handler reject the request if the SAML token in the SOAP header is missing or not valid.
b) Set the principal of the request (in the message's security context) to the principal you read from the token, i.e. the assertion's subject. This is what allows your JAAS login module to end up with a populated Subject.
c) Create a custom JAAS login module that takes the Subject and performs authorization. Just because the consumer is who it says it is does not mean that it has access to this particular service. A common solution is to keep the user/role information the login module needs in an LDAP server: the login module loads the roles assigned to the user, and the application server decides whether those roles may access the resource. Which roles may access which resource is defined in the application configuration files (for a JBoss web service endpoint, the security constraints in web.xml and the security domain in jboss-web.xml).
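Here is what steps (a) and (b) can look like as a JAX-WS SOAPHandler. This is an added example for this post, not code from the post or from JBoss. It assumes the identity server's signing certificate and this service's audience (entity ID) are known when the handler is built; the message-context key `com.example.saml.principal`, the class name and the plain DOM lookups are choices made for the example, not anything the container dictates.

```java
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.HashSet;
import java.util.Set;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.ProtocolException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/** Inbound handler: no valid SAML 2.0 assertion from the identity server, no service call. */
public class SamlTokenHandler implements SOAPHandler<SOAPMessageContext> {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    /** Message-context key for the validated subject (assumed name, not a JBoss constant). */
    public static final String PRINCIPAL_KEY = "com.example.saml.principal";

    private final PublicKey idpKey;        // identity server's signing key, from its certificate
    private final String expectedAudience; // this service's entity ID as the IdP names it (assumed)

    public SamlTokenHandler(X509Certificate idpCert, String expectedAudience) {
        this.idpKey = idpCert.getPublicKey();
        this.expectedAudience = expectedAudience;
    }

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) {
            return true; // only inbound requests are checked
        }
        try {
            SOAPHeader header = ctx.getMessage().getSOAPHeader();
            // The assertion may be a direct header child or sit inside wsse:Security; search both.
            NodeList found = header == null ? null : header.getElementsByTagNameNS(SAML_NS, "Assertion");
            if (found == null || found.getLength() != 1) {
                throw new ProtocolException("expected exactly one SAML assertion"); // fail closed
            }
            String subject = validate((Element) found.item(0));
            ctx.put(PRINCIPAL_KEY, subject);                              // step (b): hand the
            ctx.setScope(PRINCIPAL_KEY, MessageContext.Scope.APPLICATION); // principal to the endpoint
            return true;
        } catch (ProtocolException e) {
            throw e;
        } catch (Exception e) {
            throw new ProtocolException("SAML token rejected", e);
        }
    }

    /** Returns the NameID of a valid assertion; throws ProtocolException otherwise. */
    String validate(Element assertion) throws Exception {
        // 1. Enveloped signature must verify under the identity server's key ...
        Element sig = child(assertion, XMLSignature.XMLNS, "Signature");
        if (sig == null) throw new ProtocolException("assertion is not signed");
        DOMValidateContext vc = new DOMValidateContext(idpKey, sig);
        vc.setIdAttributeNS(assertion, null, "ID"); // lets Reference URI="#<ID>" resolve
        XMLSignature xmlSig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(vc);
        if (!xmlSig.validate(vc)) throw new ProtocolException("assertion signature invalid");
        // ... and must cover this assertion, not some other element (signature wrapping).
        String self = "#" + assertion.getAttribute("ID");
        for (Object r : xmlSig.getSignedInfo().getReferences()) {
            if (!self.equals(((Reference) r).getURI())) throw new ProtocolException("signature does not cover assertion");
        }
        // 2. Validity window and audience restriction from <Conditions>.
        Element cond = child(assertion, SAML_NS, "Conditions");
        if (cond == null) throw new ProtocolException("assertion has no Conditions");
        Instant now = Instant.now();
        if (cond.hasAttribute("NotBefore") && now.isBefore(Instant.parse(cond.getAttribute("NotBefore"))))
            throw new ProtocolException("assertion not yet valid");
        if (!cond.hasAttribute("NotOnOrAfter") || !now.isBefore(Instant.parse(cond.getAttribute("NotOnOrAfter"))))
            throw new ProtocolException("assertion expired or has no expiry");
        boolean audienceOk = false;
        NodeList auds = cond.getElementsByTagNameNS(SAML_NS, "Audience");
        for (int i = 0; i < auds.getLength(); i++)
            audienceOk |= expectedAudience.equals(auds.item(i).getTextContent().trim());
        if (!audienceOk) throw new ProtocolException("assertion was not issued for this service");
        // 3. The subject's NameID becomes the request principal.
        Element subj = child(assertion, SAML_NS, "Subject");
        Element nameId = subj == null ? null : child(subj, SAML_NS, "NameID");
        if (nameId == null) throw new ProtocolException("assertion has no NameID");
        return nameId.getTextContent().trim();
    }

    private static Element child(Element parent, String ns, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName()))
                return (Element) n;
        return null;
    }

    @Override
    public Set<QName> getHeaders() { // claim the headers so mustUnderstand="1" does not fault first
        Set<QName> h = new HashSet<>();
        h.add(new QName(WSSE_NS, "Security"));
        h.add(new QName(SAML_NS, "Assertion"));
        return h;
    }
    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
}
```

Two practical notes. The container instantiates JSR 109 handlers through a no-argument constructor, so in a real deployment the certificate and audience would be loaded from configuration there; the explicit constructor just keeps the example self-contained. And the reference check after `validate()` matters: the dsig API only tells you that whatever the signature points at is intact, so without comparing the Reference URI to the assertion's own ID an attacker can wrap a validly signed assertion around an unsigned one of their choosing.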
This architecture works with other types of tokens, and with non-token-based federated identity management as well. In this particular case authentication was separated from authorization because of limitations of the federated system. The SAML token can just as easily carry the user's role information (in an AttributeStatement), so the application server does not have to hit the LDAP server as well.
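And the login module of step (c), again added here as an example rather than code from the post or from JBoss. It takes the roles from the JAAS shared state when the token already carried them (the alternative the paragraph above describes), and otherwise looks them up in LDAP. The directory schema (a `uid` attribute and a multi-valued role attribute named by a module option), the module-option names and the shared-state key `com.example.saml.roles` are all assumptions made for the example.

```java
import java.security.Principal;
import java.util.*;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Authorization half only: the handler already accepted the SAML token, so this
 * module resolves the user's roles and puts them on the Subject for the container.
 */
public class SamlRoleLoginModule implements LoginModule {
    /** Shared-state key for roles already carried by the token (assumed name). */
    public static final String TOKEN_ROLES_KEY = "com.example.saml.roles";

    private Subject subject;
    private CallbackHandler callbackHandler;
    private Map<String, ?> sharedState;
    private Map<String, ?> options;
    private String user;
    private final Set<String> roles = new LinkedHashSet<>();
    private final List<Principal> committed = new ArrayList<>();

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.sharedState = sharedState;
        this.options = options;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("principal");
        try {
            callbackHandler.handle(new Callback[] { nc }); // supplies the NameID the handler validated
        } catch (Exception e) {
            throw new LoginException("cannot obtain principal: " + e.getMessage());
        }
        user = nc.getName();
        if (user == null || user.isEmpty()) throw new FailedLoginException("no authenticated principal");
        Object fromToken = sharedState.get(TOKEN_ROLES_KEY);
        if (fromToken instanceof Collection) {
            for (Object r : (Collection<?>) fromToken) roles.add(String.valueOf(r)); // roles came in the token
        } else {
            roles.addAll(rolesFromLdap(user)); // otherwise ask the directory
        }
        return true;
    }

    /** Schema (uid, role attribute) and option names are assumptions for the example. */
    Set<String> rolesFromLdap(String uid) throws LoginException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, String.valueOf(options.get("ldapUrl")));      // e.g. ldaps://ldap.example:636
        env.put(Context.SECURITY_PRINCIPAL, String.valueOf(options.get("bindDn")));
        env.put(Context.SECURITY_CREDENTIALS, String.valueOf(options.get("bindPassword")));
        String roleAttr = String.valueOf(options.get("roleAttribute"));             // e.g. memberOf
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { roleAttr });
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            // {0} is substituted with filter escaping by JNDI, so a hostile NameID cannot inject filter syntax.
            NamingEnumeration<SearchResult> hits =
                ctx.search(String.valueOf(options.get("usersBase")), "(uid={0})", new Object[] { uid }, sc);
            Set<String> found = new LinkedHashSet<>();
            if (hits.hasMore()) {
                Attribute a = hits.next().getAttributes().get(roleAttr);
                NamingEnumeration<?> vals = a == null ? null : a.getAll();
                while (vals != null && vals.hasMore()) found.add(String.valueOf(vals.next()));
            }
            return found; // empty set: authenticated user with no roles, so every constraint denies
        } catch (NamingException e) {
            throw new LoginException("role lookup failed: " + e.getMessage());
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
    }

    @Override
    public boolean commit() {
        committed.add(new SimplePrincipal(user));
        for (String r : roles) committed.add(new SimplePrincipal(r));
        subject.getPrincipals().addAll(committed);
        return true;
    }
    @Override public boolean abort() { roles.clear(); committed.clear(); return true; }
    @Override public boolean logout() { subject.getPrincipals().removeAll(committed); committed.clear(); return true; }

    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof SimplePrincipal && name.equals(((SimplePrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
    }
}
```

When you drop this into a JBoss security domain (declared in login-config.xml), keep in mind that JBoss's own login modules expose roles on the Subject as members of a Group principal named "Roles" (org.jboss.security.SimpleGroup); replace the plain role principals above with that group so the container's role checks see them, and express which role may call which endpoint in the security constraints of web.xml. Note also that an empty role set is not an error here: the consumer is authenticated but authorized for nothing, which is exactly the separation the post is after.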
Let me know if you need more details or have any questions, comments, etc.
You are giving the best information about SSO in SOA, but there is not enough.
Posted by: Article Submission Website | August 25, 2010 at 09:03 AM