A short summary of the Open Source Authentication and Authorization talk by Allan Foster.
First noteworthy things: the headset didn't work and had to be replaced, and people increasingly want single sign-on, where they can use any of their different credential methods to sign on to all the different things they need access to. The speaker turns his talk into an argument for also having a centralized authorization mechanism (XACML 3.0).
Applications then no longer need to know how authentication is done, how the user's profile is stored, and so on; they only need to ask an authorization question: “is this user allowed to perform this action on this data? YES|NO”. As we all know, these rules can become very complex, so they need to be managed centrally, just as identity already is (e.g. in a corporate LDAP or an SSO site).
The speaker makes a strong case for single sign-on: applications should only validate an identity, not do the login themselves. For most applications this is easy. Authorization is a different story: it is mostly coded into the application, because the rules are very domain specific. The usual options each have a downside: ad hoc checks (if-then-elses everywhere, far too error prone); JEE policy (difficult to change); URL-level policy (most frameworks put a lot behind a single URL, so the number of roles you can distinguish is limited); and a custom policy engine (writing your own is expensive, hard to maintain, etc.).
So what we need is an external policy provider, but it must be extensible, flexible, centrally administered, and able to handle domain-specific complexity. For this there is XACML 3.0, an XML-based, rule-based standard. A rule is built from resources, actions, subjects and conditions on the request side, and from a response (the decision), attributes and advice on the response side. The policy engine itself is generic: it does not need to understand what the rules in a policy set mean, that is the business of the application using the service. The service just answers the question asked with a YES|NO (a Permit or Deny in XACML terms), for example: user x wants to edit data y, may it? The questions, or resources in XACML 3.0 terms, can of course be very complex.
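To make the request/response model concrete, here is an added example that is not code from the talk, from the XACML standard or from OpenAM: a toy policy decision point in Python that mirrors the concepts above. The rule names, attribute names, users and documents are all constructed for the illustration, the request is a plain dict rather than an XACML `<Request>`, and the combining algorithm (deny-overrides) is one of several XACML offers. The point it shows is that the engine is generic, the policy set is domain specific, and the application only ever sees a YES|NO; the `adhoc_can_edit` function is the hard-coded alternative the talk warns against, included for contrast.

```python
"""Toy policy decision point modelled on the XACML 3.0 concepts above.

Added example: this is not XACML, not OpenAM and not the speaker's code.
Rules, attribute names, users and documents are constructed for illustration;
a real deployment would express the policies in XACML and send the request
as an XACML <Request> instead of a dict.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# A request mirrors XACML's categories: subject attributes, resource
# attributes and the requested action.
Request = dict


@dataclass
class Rule:
    name: str
    effect: str                                    # "Permit" or "Deny"
    subjects: dict = field(default_factory=dict)   # target: subject attrs that must match
    resources: dict = field(default_factory=dict)  # target: resource attrs that must match
    actions: frozenset = frozenset()               # target: actions covered (empty = any)
    condition: Optional[Callable[[Request], bool]] = None  # predicate over the whole request
    advice: Optional[str] = None                   # advice handed back with the decision

    def applies(self, req: Request) -> bool:
        """A rule applies when its target matches and its condition (if any) holds."""
        if self.actions and req["action"] not in self.actions:
            return False
        for category, wanted in (("subject", self.subjects), ("resource", self.resources)):
            if any(req[category].get(k) != v for k, v in wanted.items()):
                return False
        return self.condition(req) if self.condition else True


@dataclass
class Response:
    decision: str                                  # Permit | Deny | NotApplicable
    advice: list = field(default_factory=list)
    matched: list = field(default_factory=list)    # rules that produced the decision


class PolicyDecisionPoint:
    """Generic engine: it evaluates rules but knows nothing about what they mean."""

    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, req: Request) -> Response:
        # deny-overrides combining: one applicable Deny beats any number of Permits
        applicable = [r for r in self.rules if r.applies(req)]
        if not applicable:
            return Response("NotApplicable")
        decision = "Deny" if any(r.effect == "Deny" for r in applicable) else "Permit"
        winners = [r for r in applicable if r.effect == decision]
        return Response(decision,
                        advice=[r.advice for r in winners if r.advice],
                        matched=[r.name for r in winners])


def is_allowed(pdp: PolicyDecisionPoint, subject: dict, resource: dict, action: str) -> bool:
    """What the application sees: a YES|NO. Anything other than Permit is NO (fail closed)."""
    req = {"subject": subject, "resource": resource, "action": action}
    return pdp.evaluate(req).decision == "Permit"


def adhoc_can_edit(user: dict, doc: dict) -> bool:
    """The ad hoc alternative: the same policy hard-coded in the application,
    to be copied into every other application and re-edited on every change."""
    if doc["frozen"]:
        return False
    if user["role"] == "admin":
        return True
    return user["id"] == doc["owner"]


# Constructed policy set for a document service (domain specific; the PDP does not care).
POLICY = PolicyDecisionPoint([
    Rule("owner-edits", "Permit", actions=frozenset({"edit"}),
         condition=lambda r: r["subject"]["id"] == r["resource"]["owner"]),
    Rule("same-dept-reads", "Permit", actions=frozenset({"read"}),
         condition=lambda r: r["subject"]["dept"] == r["resource"]["dept"]),
    Rule("admins-do-anything", "Permit", subjects={"role": "admin"}),
    Rule("frozen-records-are-read-only", "Deny", resources={"frozen": True},
         actions=frozenset({"edit", "delete"}),
         advice="record is frozen; ask the records team to unfreeze it"),
])

# Constructed users and documents.
ALICE = {"id": "alice", "role": "user", "dept": "sales"}
BOB = {"id": "bob", "role": "user", "dept": "sales"}
CAROL = {"id": "carol", "role": "admin", "dept": "it"}
DOC1 = {"id": "doc1", "owner": "alice", "dept": "sales", "frozen": False}
DOC2 = {"id": "doc2", "owner": "alice", "dept": "sales", "frozen": True}

if __name__ == "__main__":
    for who, doc, action in [(ALICE, DOC1, "edit"), (BOB, DOC1, "edit"),
                             (BOB, DOC1, "read"), (CAROL, DOC2, "edit")]:
        resp = POLICY.evaluate({"subject": who, "resource": doc, "action": action})
        print(f"{who['id']} {action} {doc['id']}: {resp.decision} {resp.advice}")
```

Two design points worth noting: the application treats anything other than Permit (including NotApplicable, when no rule matches) as NO, so an incomplete policy set fails closed; and the advice comes back with the Deny so the application can tell the user what to do next without knowing why the rule exists.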
At the end, Allan Foster points us to OpenAM (from ForgeRock), which is derived from Sun Access Manager, open-sourced in 2007; so OpenAM is also open source and will stay that way.
I believe this is worth checking out!