The SAML XML.org web site is no longer accepting new posts. Information on this page is preserved for legacy purposes only. For current information on SAML, please see the OASIS Security Services Technical Committee Wiki.

SAML, JAAS, & Role-Based Access Control

Web service clients can be implemented as JavaServer Pages, servlets, or Java applications, or as executables written in C++, Perl, Visual Basic, or JavaScript; the protocol is truly ubiquitous. In this article, I use a Java application as a Web service client and show how to secure that client from an authentication and authorization standpoint via Role-Based Access Control (RBAC). Basically, role-based authorization is achieved by using:

  • A SAML (Security Assertion Markup Language) token provisioned as a Group Principal used within the Web service client.
  • The JAAS (Java Authentication and Authorization Service) Framework to contain the Group Principal information in the JAAS Subject.
  • A custom API, specified in a fashion similar to standard privilege management systems, that provides the authorization behavior.

Read the complete article by Frank Teti at Dr Dobbs Portal.
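As an added illustration of the three pieces listed above (not code from Frank Teti's article), the Java sketch below maps the role attribute of a SAML 2.0 assertion into GroupPrincipal objects held in a JAAS Subject and exposes a small hasRole check as the custom authorization API. The attribute name "role", the class names and the sample assertion are assumptions; it assumes the assertion's XML signature has already been verified upstream, and it needs Java 16+ for the record type.

```java
import java.io.StringReader;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class SamlRoleMapper {
    static final String SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Group principal stored in the JAAS Subject; one per role value from the token.
    public record GroupPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    // Map the role attribute of an already signature-verified SAML assertion into a Subject.
    public static Subject subjectFromAssertion(String assertionXml, String roleAttr) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // block DTD/XXE
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(assertionXml)));
        Set<Principal> groups = new LinkedHashSet<>();
        NodeList attrs = doc.getElementsByTagNameNS(SAML2, "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            Element a = (Element) attrs.item(i);
            if (!roleAttr.equals(a.getAttribute("Name"))) continue;
            NodeList vals = a.getElementsByTagNameNS(SAML2, "AttributeValue");
            for (int j = 0; j < vals.getLength(); j++)
                groups.add(new GroupPrincipal(vals.item(j).getTextContent().trim()));
        }
        // Read-only Subject: application code cannot grant itself extra groups later.
        return new Subject(true, groups, new HashSet<>(), new HashSet<>());
    }
    // The custom authorization API: does the Subject carry the required group principal?
    public static boolean hasRole(Subject s, String role) {
        return s.getPrincipals(GroupPrincipal.class).contains(new GroupPrincipal(role));
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample assertion (unsigned); a real client verifies the signature first.
        String assertion = "<saml:Assertion xmlns:saml='" + SAML2 + "'><saml:AttributeStatement>"
            + "<saml:Attribute Name='role'><saml:AttributeValue>user</saml:AttributeValue>"
            + "<saml:AttributeValue>orderAdmin</saml:AttributeValue></saml:Attribute>"
            + "</saml:AttributeStatement></saml:Assertion>";
        Subject s = subjectFromAssertion(assertion, "role");
        System.out.println(hasRole(s, "orderAdmin") + " " + hasRole(s, "admin"));
    }
}
```

Because the Subject is created read-only, a caller holding a reference to it cannot add a GroupPrincipal after the token has been mapped, so authorization decisions stay bound to what the assertion actually carried.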