A Java EE Authorization Service Based on X.509 Attribute Certificates
Abstract
This paper presents the motivation for using X.509 attribute certificates to store the associations between subjects and roles in an RBAC environment, and describes the implementation of an authorization service that uses this approach. The implemented service supports both the "pull" and the "push" models of credential propagation and is integrated with a Java EE application server.