Besides the information related to the request or response message,
some other information such as session keys, states of automated trust
negotiation, and properties of resources is also needed by the handlers
to finish their processing. In CROWN Security, this information is
termed “security contexts” and is classified and managed by a context
manager.
It should be noted that most handlers currently implemented in CROWN
Security follow the policy-based design. For some handlers, such as the
authentication handler and the authorization handler, there are two editions
available with different modes, namely, the callout mode and the standalone
mode. For instance, a standalone authentication handler will follow
the authentication policy specified in a node-local security descriptor with
all the policy decisions made locally, whereas a callout authentication
handler will merely read the locations of access points of a centralized
authentication service and consult the service for policy decisions.
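The handler-chain design described above, as an added illustration in Python that is not CROWN's own code: a context manager hands every handler in a chain the same security context, an authentication handler in standalone mode decides entirely from a node-local descriptor, and one in callout mode knows only the access points of a central service and fails closed when none of them answers. The descriptor format, the message dictionary and the central service stub are constructed assumptions, not CROWN formats.

```python
from dataclasses import dataclass
@dataclass
class SecurityContext:
    # What handlers need beyond the message itself (principal, session state, ...).
    principal: str = ""
    authenticated: bool = False

class ContextManager:
    # Classifies contexts by message id so every handler in a chain sees the same one.
    def __init__(self):
        self._contexts = {}
    def get(self, message_id):
        return self._contexts.setdefault(message_id, SecurityContext())

# Constructed node-local security descriptor (hypothetical format, not CROWN's).
LOCAL_DESCRIPTOR = {"authentication": {"require_token": True, "allowed_users": {"alice", "bob"}}}

class StandaloneAuthHandler:
    # Standalone mode: every policy decision is made locally from the descriptor.
    def __init__(self, descriptor):
        self.policy = descriptor["authentication"]
    def handle(self, message, ctx):
        user = message.get("username_token")
        if (self.policy["require_token"] and not user) or user not in self.policy["allowed_users"]:
            return False
        ctx.principal, ctx.authenticated = user, True
        return True

class CalloutAuthHandler:
    # Callout mode: knows only the access points of a central authentication service.
    def __init__(self, access_points, consult):
        self.access_points, self.consult = access_points, consult  # consult -> True/False/None
    def handle(self, message, ctx):
        for ap in self.access_points:
            decision = self.consult(ap, message)
            if decision is None:
                continue  # access point unreachable, try the next one
            if decision:
                ctx.principal, ctx.authenticated = message.get("username_token"), True
            return decision
        return False  # no access point answered: fail closed, never skip the check

def central_auth_service(access_point, message):
    # Constructed stand-in for the remote service: "ap-1" is offline, "ap-2" accepts only carol.
    return None if access_point == "ap-1" else message.get("username_token") == "carol"

def run_chain(handlers, message, manager):
    # Runs the security processing chain; the first rejecting handler stops it.
    ctx = manager.get(message["id"])
    return all(h.handle(message, ctx) for h in handlers), ctx
```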
As discussed above, to wrap, share, and protect the raw resources in
autonomous domains, CROWN nodes should be deployed into the hosts of
the domain. The software to be installed is called CROWN NodeServer,
which is the core component of the CROWN middleware system. The
NodeServer is implemented based on a GT WS-Core container with various
new features and extensions, such as remote and hot service deployment,
monitoring and management service, and so on.
The security structure for the CROWN node is tightly integrated with
the CROWN NodeServer. Some functions of CROWN-ST come together
with CROWN NodeServer as security handlers, which can be configured
and customized by administrators in security processing chains.
1.4.2.2 Communication Security
The communication security module consists of both security handlers and
security services, which can be used to secure corresponding messages
between nodes, including encryption, decryption, signatures, authentication
handlers, authentication services, and secure-conversation services.
All handlers provided by CROWN Security conform to the WS-Security
standard in terms of SOAP message encryption and signature. Moreover,
the WS-Policy [17] language is used to express different policies for message
processing, which makes CROWN Security highly flexible.
CROWN Security currently supports three modes of message-level
security: username token mode, secure-message mode, and secure-conversation
mode. The first two modes are similar to those implemented
in GT4, which complies with WS-Security. Furthermore, our secure-conversation
mode supports using both an X.509 certificate and a
KerberosV5 ticket as a user's credentials for authentication and encryption,
which conforms to WS-SecureConversation [11], WS-Trust [18], and
IETF GSS-API standards [12].