


Next: Concepts and Terminology Up: Secure Delegation for Distributed Previous: Abstract

Introduction

Open distributed computing environments must address four symmetrical security issues:

Services need not trust Users.
For example, a database service may require that only certain users be able to modify records.

Users need not trust Services.
For example, a person using an unknown word-processor application may not wish it to delete existing files.

Users need not trust Users.
For example, a system administrator may only transiently allow an ordinary user to access a resource such as a tape drive.

Services need not trust Services.
For example, a distributed database service may limit rights of different application programs that use it.

This paper describes the delegation-based mechanisms that underlie a proposed framework, the Secure Delegation Model (SDM). SDM integrates support for these different aspects of security in Java-based distributed systems.

SDM is an architectural framework for structuring remote method invocations (RMI) among distributed components. It does not involve new encryption techniques, authentication protocols, or language constructs. SDM instead builds upon existing mechanisms, mainly those already established in the Java JDK 1.2 security framework, to establish a practical basis for constructing flexible yet secure components and supporting infrastructure.

This paper focuses on the way in which delegation is structured and used in SDM to support secure operation when multiple components together provide a given service. Other aspects of the framework are described only briefly. Readers may find further details in [6].

The remainder of this paper is structured as follows. Section 2 defines Java-based security concepts and terminology surrounding Principals, Permissions, Privileges, Roles, and Security Domains. Section 3 introduces the SDM delegation framework. Section 4 describes the details of the resulting protocols, which are extended in Section 5 to handle dynamic revocation of delegated privileges. Section 6 briefly compares SDM to other approaches.



Nataraj Nagaratnam
Mon Mar 16 18:02:57 EST 1998