Listing by keyword "Authorization"
1 - 5 of 5
- Text document: Authentication and Authorization in Microservice-Based Applications (INFORMATIK 2022, 2022). Sänger, Niklas; Abeck, Sebastian. The development of microservice-based applications adds challenges when using different cloud services. One such challenge is the integration of authentication and authorization among different systems. In this publication, we describe the development of a software as a service solution with the focus on the integration of authentication and authorization. For the development of the business logic, the integration platform as a service MuleSoft is used. The identity and access management as a service solution Okta is used to provide the necessary means for authentication. To perform authorization decisions, JSON Web Tokens and API proxies are used.
- Conference paper: FAPI 2.0: A High-Security Profile for OAuth and OpenID Connect (Open Identity Summit 2021, 2021). Fett, Daniel. A growing number of APIs, from the financial, health and other sectors, give access to highly sensitive data and resources. With the Financial-grade API (FAPI) Security Profile, the OpenID Foundation has created an interoperable and secure standard to protect such APIs. The first version of FAPI has recently become an official standard and has already been adopted by large ecosystems, such as OpenBanking UK. Meanwhile, the OpenID Foundation's FAPI Working Group has started the work on the second version of FAPI, putting a focus on robust interoperability, simplicity, a more structured approach to security, and improved non-repudiation. In this paper, we give an overview of the FAPI profiles, discuss the learnings from practice that influence the development of the latest version of FAPI, and show how formal security analysis helps to shape security decisions.
- Conference paper: Token Based Authorization (Open Identity Summit 2020, 2020). Baruzzi, Giovanni A. A secure, scalable, fine grained and flexible access control is extremely important for the digital society. The approaches used until now (RBAC, Groups in an LDAP Directory, XACML) alone may not be able to deliver to this challenge. Building from past experiences in the industry, we propose an Access Management Framework where the central role is played by a token containing all the information needed to implement fine grained access control. This Authorization Token should be signed by the approver and embedded into a "claim" to the application at session time. The application, after checking the validity of the token, will control access to the desired resource. In this way we can achieve fine granular access control, scalability and independence from network topologies.
- Journal article: Unternehmensweites Berechtigungsmanagement (Enterprise-wide Authorization Management) (Wirtschaftsinformatik: Vol. 46, No. 4, 2004). Herwig, Volker; Schlabitz, Lars. The central coordination of access control management is crucial especially for companies that are engaged in cooperative processes with other companies. Most critical is to respect the security needs that arise with the "opening" towards other partners. The central coordination of access control is indispensable in order to protect the company's resources. If access control management is to be oriented directly towards the corporate goals in contrast to a merely technical view, there is a need for extended concepts — like role based access control (RBAC). The first software products that make use of the RBAC concept for a centrally coordinated access control management are available and can be used in practice.
- Journal article: Vorgehensmodelle für die rollenbasierte Autorisierung in heterogenen Systemlandschaften (Procedure Models for Role-Based Authorization in Heterogeneous System Landscapes) (Wirtschaftsinformatik: Vol. 49, No. 6, 2007). Wortmann, Felix; Winter, Robert. Key points: The state of the art in research and practice on authorization in heterogeneous system landscapes is presented. The following results can be derived from the analysis: The existing research contributions contain only a few detailed procedure models for integrating role-based authorization. Practice offers more concrete approaches that can serve as a starting point for improved procedure models. By combining insights from theory and practice, the foundation for an improved procedure model can be established. Abstract: The authors examine how an authorization architecture can be defined which spans various information systems and organizational units. After introducing authorization and architecture fundamentals, related work on authorization, architecture management and role definition is discussed. In particular regarding procedure models for authorization architecture design, these approaches are not very detailed. Moreover, they are neither theoretically well-founded nor transparently derived from current industry practices. Therefore two actual industry practices are presented as case studies. By consolidating these practices with findings from current research, a starting point for an improved procedure model for authorization is proposed.