Today is an exciting day. Not only am I creating my first blog entry, but I'm
also sharing some interesting work I have been doing with respect to Mandatory
Access Control (MAC) and Java that I'll be presenting at JavaOne on Tuesday May
8, 2007 (TS-1427).
Over a year ago, I started thinking about the issues related to Multilevel Security (MLS) Systems (e.g., Solaris Trusted Extensions) and how one would exploit MLS features from web services. This would result in an environment that could provide dissemination control of sensitive/labeled information in the form of web services.
Knowing that I would be working in the application server space to develop web services, I looked for ways to expose multilevel capabilities like sensitivity labels through Java Native Interfaces (JNI). This allowed me to develop basic services that determine the label of the network connection over which a request is received and decide if the label of the requested data could be provided. In simple terms, if the network connection was labeled "RESTRICTED", then data dominated by "RESTRICTED" could be returned.
The first installment of my prototype (the JNI portion) is available on openolaris.org. I'm doing some cleanup on the servlet code and hope to have it posted by the end of June.
Never in my wildest dreams did I think that a weekend prototyping effort would land me at JavaOne. Too cool :-)
-John
Over a year ago, I started thinking about the issues related to Multilevel Security (MLS) Systems (e.g., Solaris Trusted Extensions) and how one would exploit MLS features from web services. This would result in an environment that could provide dissemination control of sensitive/labeled information in the form of web services.
Knowing that I would be working in the application server space to develop web services, I looked for ways to expose multilevel capabilities like sensitivity labels through Java Native Interfaces (JNI). This allowed me to develop basic services that determine the label of the network connection over which a request is received and decide if the label of the requested data could be provided. In simple terms, if the network connection was labeled "RESTRICTED", then data dominated by "RESTRICTED" could be returned.
The first installment of my prototype (the JNI portion) is available on openolaris.org. I'm doing some cleanup on the servlet code and hope to have it posted by the end of June.
Never in my wildest dreams did I think that a weekend prototyping effort would land me at JavaOne. Too cool :-)
-John
Posted by Michael Hale on May 29, 2007 at 02:44 PM PDT #