1.4.2.3 Policy-Based Authorization
The policy-based authorization module in CROWN Security implements policy decision points in both the handler and the service. We adopt XACML (eXtensible Access Control Markup Language) [19] to express fine-grained access control policy in AuthzService. By using SAML assertions, the AuthzService can make authorization decisions based on user attributes rather than identity.
In Figure 1.11, the authorization module intercepts each request sent to the target service, and then collects attribute certificates signed by the attribute authority for both the user and the service to form a request context. A policy decision point evaluates this context to reach an authorization decision for the request. As mentioned previously, the authorization policy is written in XACML and managed by the domain administrator.
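The flow just described, as an added Python illustration (not CROWN's own code): an attribute authority signs attribute assertions, the attribute parser accepts only assertions from a known authority with a valid signature, the context constructor merges user and service attributes, and the policy decision point decides on attributes alone with Deny as the default. The authority key, the rule list that stands in for an XACML policy, and all names are constructed for this example, and an HMAC stands in for the SAML signature.

```python
import hashlib
import hmac
import json
# Constructed key of the one attribute authority trusted here; an HMAC stands
# in for the SAML signature a real attribute authority would apply.
AA_KEYS = {"aa.example": b"constructed-demo-key"}

def sign_assertion(issuer, subject, attrs):
    """Attribute authority issues an attribute assertion for a subject."""
    body = json.dumps({"issuer": issuer, "subject": subject, "attrs": attrs}, sort_keys=True)
    mac = hmac.new(AA_KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

def verify_assertion(assertion):
    """Attribute parser: return attrs, or None if issuer unknown or MAC bad."""
    data = json.loads(assertion["body"])
    key = AA_KEYS.get(data.get("issuer"))
    if key is None:
        return None
    expected = hmac.new(key, assertion["body"].encode(), hashlib.sha256).hexdigest()
    return data["attrs"] if hmac.compare_digest(expected, assertion["mac"]) else None

# Constructed rule list standing in for the XACML policy the domain admin
# manages: each rule names the subject and resource attribute values it needs.
POLICY = [
    {"effect": "Permit", "action": "invoke",
     "subject": {"role": "researcher"}, "resource": {"sensitivity": "public"}},
    {"effect": "Permit", "action": "invoke", "subject": {"role": "admin"}, "resource": {}},
]

def build_context(user_assertion, service_assertion, action):
    """Context constructor: merge verified user and service attributes."""
    subj = verify_assertion(user_assertion)
    res = verify_assertion(service_assertion)
    if subj is None or res is None:
        return None  # an untrusted assertion yields no usable context
    return {"subject": subj, "resource": res, "action": action}

def matches(required, actual):
    return all(actual.get(k) == v for k, v in required.items())

def pdp_decide(context):
    """Policy decision point: decide on attributes only, default Deny."""
    if context is None:
        return "Indeterminate"
    for rule in POLICY:
        if (rule["action"] == context["action"] and matches(rule["subject"], context["subject"])
                and matches(rule["resource"], context["resource"])):
            return rule["effect"]
    return "Deny"
```

A tampered or unknown-issuer assertion never reaches the rule evaluation, so a forged attribute cannot upgrade a decision; it only yields Indeterminate.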
1.4.2.4 Credential Management
Grid portals are increasingly used to provide user interfaces for grids. Through these interfaces, users can access a grid conveniently. When security is taken into account, a user requires access to his credentials in a secure and convenient way, anytime and anywhere. The credential management module in CROWN security, which consists of a CredManService and corresponding client tools, known as CredMan, is designed to meet this
[Figure 1.11 (image not reproduced) shows the following components: attribute authority, service admin, user's SAML attribute, service's SAML attribute, service's security config, configuration tools, attribute parser, request, policy decision point, context constructor, grid user, XACML policy parser, XACML policy, domain admin.]
FIGURE 1.11 Structure of authorization module.