Web Services: Services and Role-Based Security, Three Scenarios
Steve Mane has an excellent post comparing three strategies for user authentication and authorization. The three scenarios are:
- Client Managed
- Service Managed
- 3rd Party (Federated) Security
Each of these scenarios is compared against authentication and role-based authorization. His conclusion?
> WSE2 is a big step forward in terms of secure web services, but it's not the endgame just yet. There's a lot that can be done with WSE2 out of the box directly. Integrating with Windows domain authentication is a big step; it solves one part of the role-based security puzzle. If all your services can talk to the same NT credential store, you can auto-issue SCTs to your heart's content and at least have what I describe as "Option B" taken care of (with the added benefit of having a unified cross-service credential store). It's not the general-case, interoperable solution that pan-enterprise web services need to succeed, but it's a step in the right direction. The real solution lies in federating identities, and that's something for which we'll just have to wait.
He links to a post I found recently that I want to blog more on later: the timeline for SAML, Liberty Alliance, and WS-Federation. I just wish it were yesterday!