Subject: RE: [ebxml-dev] Authentication/Authorization with MSH?


It isn't obvious that it is necessary to require authorization to the MSH itself. The MSH is not a message endpoint; it is the send/receive agent for the applications behind it. Someone who is authorized to communicate with one or more of the applications behind the MSH should be assumed to be authorized to send messages through the MSH to the applications. Someone who is not authorized to any of those applications is effectively not authorized to the MSH and those messages should be rejected.

Regards,
Marty

*************************************************************************************
Martin W. Sachs
IBM T. J. Watson Research Center
P. O. B. 704
Yorktown Hts, NY 10598
914-784-7287; IBM tie line 863-7287
Notes address: Martin W Sachs/Watson/IBM
Internet address: mwsachs @ us.ibm.com
*************************************************************************************
Ronald van Kuijk <rvkuijk@abz.nl>
07/19/2002 01:12 PM

To: ebxml-dev@lists.ebxml.org
cc:
Subject: RE: [ebxml-dev] Authentication/Authorization with MSH?

Yes, but if you know who somebody is by validating his credentials, wouldn't you want to know if he/she/it is allowed to send a message to the MSH at all? (just like you mention) That is in my opinion a first level of authorization. Additional levels of authorization can then take place in the MSH (e.g. checking whether a certain process may be used, or whether the xmldsig is valid or whatever)

Ronald

> -----Original Message-----
> From: Fraser Goffin [mailto:goffinf@hotmail.com]
> Sent: Friday, 19 July 2002 18:52
> To: ebxml-dev@lists.ebxml.org
> Subject: RE: [ebxml-dev] Authentication/Authorization with MSH?

>
>
> I agree. The authentication step should occur before anything else. In this
> regard we perform authentication before the message even reaches the ebXML
> MSH since we don't want to waste time unpacking any ebXML content before
> confirming that we should just reject this message out of hand.
>
> Fraser.

>
>
> >From: "Patil, Sanjaykumar" <sanjay.patil@iona.com>
> >To: andrzej@chaeron.com, Martin W Sachs <mwsachs@us.ibm.com>
> >CC: ebxml-dev@lists.ebxml.org
> >Subject: RE: [ebxml-dev] Authentication/Authorization with MSH?
> >Date: Thu, 18 Jul 2002 10:44:37 -0700
> >
> >

> >I can see good reasons why you would defer Authorization to the middleware
> >"BSI" layer. The authorization would refer to the particular business
> >activity to be invoked on behalf of the incoming message, the knowledge of
> >which I guess is held by the "BSI" and above layers. At times, the
> >authorization logic may even depend upon some business contextual
> >information, such as the previous activities performed on behalf of the
> >message sender, etc.
> >
> >Authentication on the other hand is generally an isolated step from the
> >rest of the message processing. It is also better to perform authentication
> >as soon as possible after the message enters the system. MSH therefore
> >sounds like the right place for authentication from this perspective.

> >
> >Just my 2 cents.
> >
> >thanks,
> >Sanjay Patil
> >---------------------------------------------------------------
> >IONA Phone: 408 350 9619
> >END 2 ANYWHERE http://www.iona.com
> >
> >

> >-----Original Message-----
> >From: Andrzej Jan Taramina [mailto:andrzej@chaeron.com]
> >Sent: Thursday, July 18, 2002 7:38 AM
> >To: Martin W Sachs
> >Cc: ebxml-dev@lists.ebxml.org
> >Subject: Re: [ebxml-dev] Authentication/Authorization with MSH?
> >
> >
> >Martin:
> >

> > > Do you really want to do authentication/authorization inside the MSH (as
> > > defined by the MSG spec)?. If you really mean that you want to do it in
> > > the middleware ("BSI"), then I suggest that you look at what is defined in
> > > the CPPA specification. The CPPA team has SAML support on its list for
> > > post version 2. If I remember correctly, we also have XACML on our
> > > futures list.

> >
> >Actually....I'm not sure how to do it.....hence my post to the list asking
> >for the collective wisdom of how to do auth/auth with ebXML. Pros/Cons of
> >doing before you hit the MSH....calling out from the MSH.....or in the
> >BSI.....
> >
> >Thanks!
> >
> >...Andrzej
> >
> >Chaeron Corporation
> >http://www.chaeron.com
> >
> >
> >

> >----------------------------------------------------------------
> >The ebxml-dev list is sponsored by OASIS.
> >To subscribe or unsubscribe from this elist use the subscription
> >manager: <http://lists.ebxml.org/ob/adm.pl>
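The layering the thread converges on (authenticate at the MSH before unpacking anything, reject outright a party that no application behind the MSH will accept, and decide the business-activity authorization at the BSI level) as an added example that is not code from the thread or from any ebXML implementation; the credential map, the CPA grant table and the `Service=...;Action=...` body format are constructed stand-ins for the real MessageHeader and CPA.

```python
"""Toy MSH front end showing authenticate-first, then authorize per business activity."""
from dataclasses import dataclass

# Constructed: which transport credential (here a client-cert fingerprint) proves which PartyId.
KNOWN_PARTIES = {"sha1:aa11": "urn:party:acme", "sha1:bb22": "urn:party:globex"}

# Constructed: the (Service, Action) pairs each party's agreement (CPA) lets it invoke.
CPA_GRANTS = {
    "urn:party:acme": {("PurchaseOrder", "Create"), ("PurchaseOrder", "Cancel")},
    "urn:party:globex": set(),  # known party, but no application behind the MSH accepts it
}


@dataclass
class Envelope:
    cert_fp: str    # credential presented with the message at the transport layer
    raw_body: bytes  # the ebXML envelope, deliberately not parsed until authenticated


def authenticate(env):
    """MSH step: bind the presented credential to a PartyId, or None if unknown."""
    return KNOWN_PARTIES.get(env.cert_fp)


def parse_service_action(raw):
    """Constructed mini format standing in for the MessageHeader's Service/Action."""
    fields = dict(part.split("=", 1) for part in raw.decode().split(";"))
    return fields["Service"], fields["Action"]


def bsi_authorize(party, service, action):
    """BSI step: authorization refers to the business activity, not to the MSH itself."""
    if (service, action) in CPA_GRANTS[party]:
        return f"deliver {service}/{action} for {party}"
    return f"reject: {party} not authorized for {service}/{action}"


def msh_accept(env):
    """Gate order: authenticate, reject parties with no grants at all, only then unpack."""
    party = authenticate(env)
    if party is None:
        return "reject: unauthenticated"
    if not CPA_GRANTS.get(party):
        return "reject: party authorized to no application"
    service, action = parse_service_action(env.raw_body)  # first time the body is opened
    return bsi_authorize(party, service, action)
```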
