Subject: RE: [ebxml-dev] Authentication/Authorization with MSH?
Yes, but if you know who somebody is by validating his credentials, wouldn't you want to know if he/she/it is allowed to send a message to the MSH at all (just like you mention)? That is, in my opinion, a first level of authorization. Additional levels of authorization can then take place in the MSH (e.g. checking whether a certain process may be used, or whether the xmldsig is valid or whatever).
Ronald
> -----Original Message-----
> From: Fraser Goffin [mailto:goffinf@hotmail.com]
> Sent: Friday, 19 July 2002 18:52
> To: ebxml-dev@lists.ebxml.org
> Subject: RE: [ebxml-dev] Authentication/Authorization with MSH?
>
>
> I agree. The authentication step should occur before anything else. In this
> regard we perform authentication before the message even reaches the ebXML
> MSH since we don't want to waste time unpacking any ebXML content before
> confirming that we should just reject this message out of hand.
>
> Fraser.
>
>
> >From: "Patil, Sanjaykumar" <sanjay.patil@iona.com>
> >To: andrzej@chaeron.com, Martin W Sachs <mwsachs@us.ibm.com>
> >CC: ebxml-dev@lists.ebxml.org
> >Subject: RE: [ebxml-dev] Authentication/Authorization with MSH?
> >Date: Thu, 18 Jul 2002 10:44:37 -0700
> >
> >
> >I can see good reasons why you would defer Authorization to the middleware
> >"BSI" layer. The authorization would refer to the particular business
> >activity to be invoked on behalf of the incoming message, the knowledge of
> >which I guess is held by the "BSI" and above layers. At times, the
> >authorization logic may even depend upon some business contextual
> >information, such as the previous activities performed on behalf of the
> >message sender, etc.
> >
> >Authentication on the other hand is generally an isolated step from the
> >rest of the message processing. It is also better to perform authentication
> >as soon as possible after the message enters the system. MSH therefore
> >sounds like the right place for authentication from this perspective.
> >
> >Just my 2 cents.
> >
> >thanks,
> >Sanjay Patil
> >---------------------------------------------------------------
> >IONA Phone: 408 350 9619
> >END 2 ANYWHERE http://www.iona.com
> >
> >
> >-----Original Message-----
> >From: Andrzej Jan Taramina [mailto:andrzej@chaeron.com]
> >Sent: Thursday, July 18, 2002 7:38 AM
> >To: Martin W Sachs
> >Cc: ebxml-dev@lists.ebxml.org
> >Subject: Re: [ebxml-dev] Authentication/Authorization with MSH?
> >
> >
> >Martin:
> >
> > > Do you really want to do authentication/authorization inside the MSH (as
> > > defined by the MSG spec)? If you really mean that you want to do it in the
> > > middleware ("BSI"), then I suggest that you look at what is defined in the CPPA
> > > specification. The CPPA team has SAML support on its list for post version 2.
> > > If I remember correctly, we also have XACML on our futures list.
> >
> >Actually....I'm not sure how to do it.....hence my post to the list asking for the
> >collective wisdom of how to do auth/auth with ebXML. Pros/Cons of doing before
> >you hit the MSH....calling out from the MSH.....or in the BSI.....
> >
> >Thanks!
> >
> >...Andrzej
> >
> >Chaeron Corporation
> >http://www.chaeron.com
> >
> >
> >
> >----------------------------------------------------------------
> >The ebxml-dev list is sponsored by OASIS.
> >To subscribe or unsubscribe from this elist use the subscription
> >manager: <http://lists.ebxml.org/ob/adm.pl>
> >
>
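The ordering discussed in this thread, as an added sketch that is not from any poster or from an ebXML implementation: authenticate on the raw bytes before anything is unpacked, apply the first-level "may this sender reach the MSH at all" check, and only then parse the envelope for process-level authorization. The HMAC credential, the partner identifiers, the allow-lists and the simplified XML envelope are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample data (assumptions, not from the thread or any ebXML spec).
PARTNER_KEYS = {"urn:acme": b"key-a", "urn:globex": b"key-g", "urn:initech": b"key-i"}
MAY_SEND_TO_MSH = {"urn:acme", "urn:globex"}       # first-level authorization
ALLOWED_PROCESS = {"urn:acme": {"OrderProcess"}}   # MSH-level authorization
STATS = {"parsed": 0}                              # how often a body was unpacked


def tag_for(partner: str, body: bytes) -> bytes:
    """Credential a legitimate partner would attach (HMAC is an assumed stand-in)."""
    return hmac.new(PARTNER_KEYS[partner], body, hashlib.sha256).digest()


def authenticate(partner: str, tag: bytes, body: bytes) -> bool:
    """Runs on raw bytes only: nothing is parsed before the sender is known."""
    key = PARTNER_KEYS.get(partner)
    if key is None:
        return False
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def msh_authorize(partner: str, body: bytes) -> bool:
    """Inside the MSH: unpack the (simplified) envelope, check the process."""
    STATS["parsed"] += 1
    process = ET.fromstring(body).findtext("Process")
    return process in ALLOWED_PROCESS.get(partner, set())


def receive(partner: str, tag: bytes, body: bytes) -> str:
    if not authenticate(partner, tag, body):
        return "rejected: authentication"
    if partner not in MAY_SEND_TO_MSH:
        return "rejected: may not send to MSH"
    if not msh_authorize(partner, body):
        return "rejected: process not authorized"
    return "accepted"


if __name__ == "__main__":
    body = b"<Message><Process>OrderProcess</Process></Message>"
    print(receive("urn:acme", b"forged", body), STATS)
    print(receive("urn:initech", tag_for("urn:initech", body), body), STATS)
    print(receive("urn:globex", tag_for("urn:globex", body), body), STATS)
    print(receive("urn:acme", tag_for("urn:acme", body), body), STATS)
```

The `STATS["parsed"]` counter stays at zero for the first two calls, which is the saving Fraser describes: messages rejected at the edge never cost an envelope parse.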