Let's talk policy
kcbabo May 24, 2012 12:32 PMDavid and I had a brief chat about the Security Policy JIRA and figured it would be good to discuss in the community. Here's the JIRA for reference:
https://issues.jboss.org/browse/SWITCHYARD-725
What we need to implement for 0.5 is the first "stage" of that JIRA, satisfying the following basic use case:
- Service provider declares that authentiation and/or confidentiality is required.
- Service binding is configured to be consistent with the above policy.
Most of the pluming is in place for this bit. We already have a generic policy handler which looks at the policy required by a service and the policy assertions that are present on an exchange. The piece that remains is adding logic to gateway bindings to detect that authentication has taken place and/or if the transport was encrypted (e.g. SSL would satisfy the requirement for confidentiality). As a first pass, I suggest we narrow our focus to SOAP gateway alone, so it's quite possible that the initial solution requires a change to SOAP gateway to check the transport type and authentication status. Whether authentication was based on basic, digest, SSL client auth, or whatever else is not really our concern. I'm guessing a simple query for the Principal or Subject might fit the bill.
Here's what transaction policy looks like:
<component name="WorkService"> <implementation.bean xmlns="urn:switchyard-component-bean:config:1.0" class="org.switchyard.quickstarts.demo.policy.transaction.WorkServiceBean"/> <service name="WorkService" requires="propagatesTransaction"> <interface.java interface="org.switchyard.quickstarts.demo.policy.transaction.WorkService"/> </service> </component>
Security policy would look something like this:
<component name="MyService"> <implementation.bean xmlns="urn:switchyard-component-bean:config:1.0" class="org.switchyard.quickstarts.demo.policy.security.MyServiceBean"/> <service name="MyService" requires="authentication, confidentiality"> <interface.java interface="org.switchyard.quickstarts.demo.policy.transaction.MyService"/> </service> </component>
Asserting that a policy is satisfied in the SOAP Gateway would look similar to this:
Finally, if you want to read the background on SCA policy, that can be found below. I wouldn't get lost in the spec though as what we are discussing here has a pretty narrow focus.
http://docs.oasis-open.org/opencsa/sca-policy/sca-policy-1.1-spec-csprd03.html#_Toc311121482