
msloan (2)
I would like our application to have authorization performed at the framework level, in a manner that does not rely on the developer to have to code this kind of stuff for each service in the composite app.

Currently our group (not using SCA at the moment) is taking the approach that a developer will develop a service with the WSDL-first approach. Later we will run a tool to generate a "fronting" BPEL service proxy that will intercept the original service request and first authenticate, then call the target service, and finally ensure that the returned data object only has data attributes populated which the client is authorized to access.

Does Tuscany offer anything that might simplify this?
simon.laws (19)
Re: Best way to do authentication and authorization with SCA programming model

The approach in Tuscany would be to exploit the policy framework that SCA defines. The policy framework allows you to manage quality of service concerns like authentication and authorization independently of how a component has been implemented. You can associate policy with a component implementation, a component service or a component reference in the composite file, either directly or by specifying an intent which is then matched with a policy set at deployment time. The policy sets resolve to pluggable pieces of Java code that perform the actual quality of service processing at the appropriate point in the runtime. SCA defines some security intents such as authentication, authorization, confidentiality etc. We have some policy sets which support these intents in Tuscany; for example, we have some policy sets that work with the web services binding (actually the underlying Axis Rampart code) to support security. But it's relatively straightforward to add new policies. I have seen some work going on recently to add basic authentication support to some of our web2.0 bindings, for example.
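To make the intent-to-policy-set matching concrete, here is an added illustration (not from the thread or from Tuscany's own samples) of what the reply describes: a composite that declares security intents on a service and a reference via the `requires` attribute, and a separate `definitions.xml` whose policy set advertises which intents it `provides` and which binding it `appliesTo`, so the runtime can match them at deployment time. Component names, class names, URIs and the policy set name are constructed for the example; the body of the policy set is shown as a placeholder because its contents depend on the Tuscany policy implementation in use.

```xml
<!-- account.composite (constructed example) -->
<composite xmlns="http://www.osoa.org/xmlns/sca/1.0"
           targetNamespace="http://example.org/accounts"
           name="AccountComposite">

  <component name="AccountServiceComponent">
    <!-- Implementation-level intent: the developer writes plain business
         logic; authorization is enforced by the matched policy set. -->
    <implementation.java class="org.example.accounts.AccountServiceImpl"
                         requires="authorization"/>

    <!-- Interaction-level intents on the exposed web service: callers must
         authenticate and the exchange must be confidential. -->
    <service name="AccountService" requires="authentication confidentiality">
      <binding.ws uri="http://localhost:8080/AccountService"/>
    </service>

    <!-- The same mechanism applies to outbound calls: this reference will
         only be satisfied by a policy set that provides authentication. -->
    <reference name="ledgerService" requires="authentication">
      <binding.ws uri="http://ledger.example.org/LedgerService"/>
    </reference>
  </component>

</composite>
```

```xml
<!-- definitions.xml (constructed example): policy sets are matched to the
     intents above by their "provides" value and the "appliesTo" XPath. -->
<definitions xmlns="http://www.osoa.org/xmlns/sca/1.0"
             xmlns:sca="http://www.osoa.org/xmlns/sca/1.0"
             targetNamespace="http://example.org/accounts">

  <!-- Satisfies "authentication" for any service or reference that uses
       binding.ws. What goes inside is runtime-specific (e.g. the Axis
       Rampart configuration the reply mentions); placeholder only. -->
  <policySet name="WsAuthenticationPolicySet"
             provides="sca:authentication"
             appliesTo="sca:binding.ws">
    <!-- PLACEHOLDER: binding-specific security configuration goes here -->
  </policySet>

</definitions>
```

The point a reviewer would check: every `requires` intent in the composite must be covered by some policy set's `provides` whose `appliesTo` matches the element it is attached to, otherwise deployment fails rather than silently running without the security processing.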