Monday, January 02, 2006

Letter to AuthX team

I came across the AuthX project some days back and read through some of the code and documentation. I will not claim that I have understood the whole project and would request you to feel free to correct my understanding.
Now, getting down to the whole idea of AAA, let me put down my understanding of this domain.
  • Frameworks do not work, Services Do: I have spoken to a few architects, and in addition to that, during the process of various implementations, I have realized that frameworks are really a tough sell. Instead, what people are looking for is loosely coupled services. So, there would be an authentication service, a fine-grained authorization service, and so on. By the concept of service, I do not mean a SOAP or a REST interface but just a Java interface that has methods that accept primitive variable types (I like to include strings in this, which you may not agree with), to ensure it can easily be exposed using REST, SOAP, RMI or a VM pipe call through MINA.
  • Authentication Service: The authentication service should be able to support identity and password, certificate (which is a single blob) and additional protocols which take multiple steps to complete (like some token based authentications). So, in such a scenario, the interface design should be able to handle all these scenarios. I would recommend that you look at WS-Trust specification as a good starting point for how you may want to design authentication service i.e. as a token issuance service.
  • Authorization Service: I think you have got the basic idea correctly, but there are a few important things that I think are missing from your design, like the idea of the context of an authorization, obligations, and additional APIs. Let's take the idea of context, which typically means additional information that is important for making the authorization decision. For example, how will I use the AuthX system to grant access to a person based on the client IP (i.e. intranet vs. extranet)? This context information typically includes additional information about the user, resource, action and environment (like IP, time of day). Even though you may not support these facilities in 1.0, I would suggest that you develop the interface to support this feature. I would also suggest looking at the XACML specifications. In addition to that, the authorization interface must support an additional set of APIs besides isAuthorized (or renderdecision in your case). It should be able to return an answer to a question of the type "give me all the resources that this subject can read". This is asked time and again by customers developing their applications (for example, for drawing menus).
  • Other services: I would recommend that you guys seriously think about developing an "Auditing Service" and an "Administration Service".
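The context-aware decision with obligations and the "which resources can this subject read" query described in the authorization bullet above, as an added Python sketch: this is not AuthX code and not the Java interface the letter proposes, and the rule set, the intranet range and the subject names are constructed for illustration.

```python
# Constructed example: an authorization service whose decisions take a context
# (subject, resource, action, environment) and return a decision plus obligations,
# and which can also enumerate the resources a subject may act on.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    subjects: set                 # subject ids, or {"*"} for everyone
    resource: str
    actions: set
    intranet_only: bool = False   # environment condition on the client IP
    obligations: list = field(default_factory=list)  # duties the enforcement point must perform

INTRANET = ip_network("10.0.0.0/8")   # constructed intranet range

# Constructed policy: reports are readable by anyone from the intranet; alice may
# read/write reports from anywhere but every such access must be audited; bob may
# read HR data only from the intranet, audited.
POLICY = [
    Rule({"*"}, "/reports", {"read"}, intranet_only=True),
    Rule({"alice"}, "/reports", {"read", "write"}, obligations=["audit:write"]),
    Rule({"bob"}, "/hr", {"read"}, intranet_only=True, obligations=["audit:read"]),
]

def _matches(rule, subject, resource, action, env):
    """True when the rule applies to this subject/resource/action in this environment."""
    if rule.resource != resource or action not in rule.actions:
        return False
    if "*" not in rule.subjects and subject not in rule.subjects:
        return False
    if rule.intranet_only and ip_address(env["client_ip"]) not in INTRANET:
        return False
    return True

def render_decision(subject, resource, action, env, policy=POLICY):
    """Return ("permit" | "deny", obligations) for the given context (permit-overrides)."""
    obligations, permitted = [], False
    for rule in policy:
        if _matches(rule, subject, resource, action, env):
            permitted = True
            obligations.extend(rule.obligations)
    return ("permit" if permitted else "deny", sorted(set(obligations)))

def resources_for(subject, action, env, policy=POLICY):
    """Answer 'which resources can this subject <action>?' (e.g. for drawing menus)."""
    return sorted({r.resource for r in policy
                   if _matches(r, subject, r.resource, action, env)})
```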

2 comments:

Trustin Lee said...

Why don't you send a message to the Apache Directory project team (dev@directory.apache.org) directly? I forwarded this link to the list. Thank you for your sound criticism anyway! :)

Anonymous said...

Interesting comments; you may also be interested in the security services developed for Jetspeed-2, which can be used as a standalone security framework:

http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/arch.html

Regards,

David Le Strat