Monday, February 25, 2008

Contextual Security - a need or a luxury?

Reading Mary Ann Davidson's article in the latest issue of Oracle Magazine (yes, the free one they send home), titled "Context Is Everything", I have to wonder whether everyone is aware of the need to attach context to the security decisions in their enterprise.

Contextual security is what got me a little too excited about XACML: it let me attach context to my authorization decisions easily. Of course, this was well before I read Mary's article. Remember, we did a successful interop at the Burton Catalyst Conference in June 2007 under the auspices of OASIS.

As Mary says, "all or nothing" security only takes you so far.

In JBoss Application Server 4 and earlier, we had the concept of Security Proxies, which were introduced mainly to provide context-based security: rules like "junior traders can make trades only if the trade is under $1 million" or "block any four-letter words in the arguments".

So, to answer the question of whether contextual security is a need or a luxury: I am sure you will agree that it is a critical need of the hour.

I would like to make authorization decisions such as:
"This web page is accessible by users who are 18 years or older"
"This web resource is accessible by employees whose status is active, who are accessing from a given subnet, and only during regular business hours".

Externalized security policies allow you to change the requirements without changing the middleware. This is where specifications like XACML hold a lot of strength. Yes, I hear you: lots of XML, lots of XML. Well, this is where tooling will (hopefully) arrive to mitigate that.
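As an added illustration of the two points above (the Security Proxy rules such as the junior-trader limit, and the externalized web-resource decisions), here is a small attribute-based policy decision point in Python. It is written in the spirit of XACML but is neither XACML nor JBoss code, and it is not from the original post. The rule shape, attribute paths, resource names, subnet, hours and sample requests are all assumptions constructed for the example; the point is that the policy is plain data, so the requirements can change without touching the code that enforces them.

```python
"""Tiny attribute-based policy decision point (PDP) in the spirit of XACML.
Added example, not XACML or JBoss code: the policy is data (a list of rules), so
requirements change without touching the middleware. Every name below is constructed."""
import ipaddress
from datetime import datetime, time

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

def lookup(request, path):
    """Resolve a dotted attribute path such as 'subject.age' in the request."""
    value = request
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None  # a missing attribute never satisfies a condition
        value = value[part]
    return value

def condition_holds(request, cond):
    """Evaluate one (operator, attribute_path, *operands) condition."""
    op, attr, *args = cond
    value = lookup(request, attr)
    if value is None:
        return False
    if op == "eq":
        return value == args[0]
    if op == "gte":
        return value >= args[0]
    if op == "in_subnet":
        return ipaddress.ip_address(value) in ipaddress.ip_network(args[0])
    if op == "time_between":  # value is a datetime, operands are "HH:MM" strings
        lo, hi = (time.fromisoformat(a) for a in args)
        return lo <= value.time() <= hi
    raise ValueError(f"unknown operator {op!r}")

def evaluate(policy, request):
    """Deny-overrides combining: a matching Deny wins; otherwise any matching Permit."""
    decision = NOT_APPLICABLE
    for rule in policy:
        if not all(condition_holds(request, c) for c in rule["target"] + rule["condition"]):
            continue  # rule does not apply to this request
        if rule["effect"] == DENY:
            return DENY
        decision = PERMIT
    return decision

def pep_allows(policy, request):
    """Enforcement point view: anything other than an explicit Permit is refused."""
    return evaluate(policy, request) == PERMIT

# Constructed policy: the two web decisions from the post plus the trading-desk rule.
POLICY = [
    {"effect": PERMIT,  # "accessible by users who are 18 years or older"
     "target": [("eq", "resource.id", "/members/lounge")],
     "condition": [("gte", "subject.age", 18)]},
    {"effect": PERMIT,  # active employees, on the office subnet, in business hours
     "target": [("eq", "resource.id", "/intranet/payroll")],
     "condition": [("eq", "subject.status", "active"),
                   ("in_subnet", "environment.client_ip", "10.1.0.0/16"),
                   ("time_between", "environment.time", "09:00", "17:00")]},
    {"effect": DENY,    # junior traders may trade only under $1 million
     "target": [("eq", "action.id", "trade"), ("eq", "subject.role", "junior-trader")],
     "condition": [("gte", "action.amount", 1_000_000)]},
    {"effect": PERMIT,
     "target": [("eq", "action.id", "trade")],
     "condition": [("eq", "subject.status", "active")]},
]

def web_request(resource, subject, client_ip, at):
    return {"subject": subject, "resource": {"id": resource}, "action": {"id": "read"},
            "environment": {"client_ip": client_ip, "time": at}}

def trade_request(role, amount):
    return {"subject": {"id": "carol", "role": role, "status": "active"},
            "resource": {"id": "/trading-desk"},
            "action": {"id": "trade", "amount": amount}, "environment": {}}

def demo():
    """Run constructed requests through the PDP; returns a name -> decision map."""
    in_hours, after_hours = datetime(2008, 2, 25, 10, 30), datetime(2008, 2, 25, 22, 15)
    alice = {"id": "alice", "status": "active", "age": 34}
    bob = {"id": "bob", "status": "active", "age": 16}
    return {
        "payroll_in_hours": evaluate(POLICY, web_request("/intranet/payroll", alice, "10.1.7.42", in_hours)),
        "payroll_after_hours": evaluate(POLICY, web_request("/intranet/payroll", alice, "10.1.7.42", after_hours)),
        "payroll_off_subnet": evaluate(POLICY, web_request("/intranet/payroll", alice, "203.0.113.9", in_hours)),
        "minor_on_age_gated_page": evaluate(POLICY, web_request("/members/lounge", bob, "10.1.7.42", in_hours)),
        "big_junior_trade": evaluate(POLICY, trade_request("junior-trader", 2_000_000)),
        "small_junior_trade": evaluate(POLICY, trade_request("junior-trader", 250_000)),
    }
```

Two things worth noticing. A rule whose condition fails does not yield Deny but NotApplicable, so the enforcement point (`pep_allows` here) must treat anything other than an explicit Permit as a refusal, or a request no rule covers fails open. And the condition operators form a small closed set rather than arbitrary expressions, which is what keeps an externalized, editable policy from turning into a code-injection surface.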

2 comments:

ALR said...

Forgive my oversimplified view of security, but isn't adding context a programmatic problem that may be addressed through the addition of a custom LoginModule?

Anil Saldhana said...

A custom login module would be more of an implementation detail about enforcing the "contextual" security.

Remember, the JAAS login module does not have a whole lot of contextual information available unless you provide hooks to it via options or some other injection mechanism.