Tuesday, February 03, 2009

We are truly living in interesting times, and while I sometimes prefer to be boring, I think that the increasing interest in authorization is definitely a good sign. Recent discussions on the OAuth Charter for the IETF WG, and Martin Kuppinger's article on Authorization Management are good indicators that the community is moving towards new approaches for distributed authorization.

While XACML has solved many of the problems that may arise from a technical perspective, it is fairly heavy-weight and in its current form not particularly appealing to the large number of RESTafarians. Also, as Martin is pointing out in his articles, what seems to be missing is a framework comprising business rules and policy management for "multi-layer authorization" models. Nevertheless, the recent addition of XACML to the HITSP IS01[1] and the XSPA XACML 2.0 profile for healthcare will likely raise the visibility of XACML beyond its core community.

At this point, privacy protection concerns (as also voiced in XACML core) will play a major role, especially when considering the sensitivity of HC related information. As such, any authentication management framework must either address these privacy protection issues, or be open enough to interface with emerging technologies such as CARML et al. from the IGF.

[1] Along with SAML 2.0, WS-Federation, and WS-Trust...

Tuesday, February 03, 2009 10:13:48 AM (Eastern Standard Time, UTC-05:00)
Monday, February 02, 2009

Oh well, I finally sat down and took the time to convert my aging main web site into something more dynamic. Since my - overall - quite reliable hoster gives me free PHP5 and MySQL databases, I took a closer look at Drupal, given its overall support, ease of use and add-on module availability. My first impressions are quite good: it was easy to get up and does not seem to be too hard to administer. Converting my existing HTML went well, although the default editor (or more specifically: the Drupal filters) has a tendency to get in the way at the beginning.

Now, one thing I will probably spend a little time on over the next few weeks (time permitting - haha), is to develop a somewhat more reasonable authentication scheme for my various web properties. I have a happy collection of PHP apps, this .NET based blog, and also some custom Java apps. So far there is really no identity management in place; a fact that has been a sore for a while. A simple SSO authentication scheme across these different platforms is a panacea, but it should not be too difficult to achieve. I am looking actively into using OAuth or SAML as the token format, and a simple RESTful transport.

Monday, February 02, 2009 10:54:08 AM (Eastern Standard Time, UTC-05:00)
Tuesday, January 27, 2009

Times are changing, and people have to change with them. Doh - another pearl of obvious wisdom, but there is an interesting application to the work life: while regular employment might change rather abruptly, business and community relationships usually do not. So while you might no longer be working for a particular company (say, Sun, for example), you would still be interested in continuing your work in a particular area of interest (say, identity, for example).

In this spirit, I decided to join the Liberty Alliance as an individual member. The new structure of the organization, combined with a reasonable fee schedule, allows me to continue my formal relationship with one of the more comprehensive identity consortia currently in existence. While I have not yet quite made up my mind on how this engagement will be, I know that there are a number of current projects in TEG and IAEG that stir my interest.

One of the most interesting developments in Liberty right now is the realization that a RESTful approach is quite necessary to extend from an enterprise-centric identity management system to one that can scale up to the needs of health care providers and governments. The need for a lightweight IdM and federation framework is indisputable, and the GSA and Internet2 have already demonstrated that the existing feature set in SAML2 is sufficient to build a meaningful federation. However, it will take the legal and business rules framework of the IAF and related efforts to extend these technologies into the realm of social networking and eGovernment where you cannot rely on having a mutual trusted partner in identity.

So, going forward, it will be a lot of fun to dabble with the same technology, only now from a slightly (or not so slightly) different angle. 

Tuesday, January 27, 2009 2:30:45 PM (Eastern Standard Time, UTC-05:00)
Friday, January 23, 2009

Wow - what a week this was... I have been through quite some ups and downs, and that is not even mentioning the fact that the U.S. got a new administration.

Bad news first: not only did I have a mild form of food poisoning (not that there was anything 'mild' about it, but I heard it can be much worse), but I am also affected by the workforce reduction at Sun. Yes, that's right... after a meager 11+ years I am on to new adventures elsewhere. To all those that I have been working with: it was a very interesting and mostly fun ride. I really had a sense of being able to work on something big and accomplish a lot, but the energy and the creativity at Sun was very inspiring. I met a lot of smart people there, and I hope that I will have the chance to continue working with them, one way or another.

Going forward, I see myself continuing on the themes that I have been dealing with for a while now: interoperability, web-centric (now cloud) computing, and the related identity and security aspects. There is a lot of work ahead, and I am quite determined to continue contributing. 

Since my age-old email at Sun will cease to work soon, you will now be able to reach me through an interim alias: work-at-removethispart.beuchelt.com[1]. I am also on Facebook and LinkedIn, so please feel free to connect with me:

http://www.facebook.com/people/Gerald-Beuchelt/615829807

http://www.linkedin.com/in/beuchelt

With more time on my hands for now, I will also start spamming your RSS readers... just kidding - but I will write more here now, so stay tuned.

But now for the good news: yesterday my application to become a U.S. citizen was approved and - assuming all goes well - I will take my Oath in early March. Contrary to its horrible reputation, my experience with USCIS (formerly INS) was actually quite good: yes, they are bureaucratic (you should have seen the piles of files they had on me), but overall the process was quite efficient and fast: it will have taken less than 6 months from sending in the application to my Oath ceremony.

Interestingly enough, my becoming a U.S. citizen will also open new doors on the job market: as of March I will be able to get a security clearance, work on certain government contracts, etc. The timing could not have been better.

[1] Sorry for putting the "removethispart" subdomain in - obviously it is only beuchelt.com after the @ sign.


UPDATE: Many thanks to Tim Bray for highlighting this note in his (most unfortunately rapidly growing) Stray Sunbeams series!

Friday, January 23, 2009 1:29:54 PM (Eastern Standard Time, UTC-05:00)
Friday, January 16, 2009
There has already been quite some discussion on how to get Windows 7 to run under VirtualBox (bottom line: it works - just install it). Here is a little add-on to this discussion: Running Windows 7 Beta 1 under VirtualBox on Solaris 10 U5 over a SunRay terminal (exhale....).



Now, since I had tried Vista under VirtualBox, I was not expecting anything (except abysmal graphic performance), but - lo and behold - I was quite positively surprised: the install was completely smooth, and the VirtualBox Vista drivers worked like a charm, once I was using the compatibility mode with Vista (right-click the executable on the mounted ISO image, select Properties and the Compatibility tab, select Vista, close everything and then simply double click to install). Without this trick, the VirtualBox installer would complain about not supporting Windows 7 yet.

Overall performance was pretty much as expected: a lot better than Windows Vista, and about the same as Windows XP. Now bear in mind that the SunRay system is not exactly targeted at power users for CAD applications, and you will arrive at the conclusion that Windows 7 Beta 1 under VirtualBox is a logical step from running Windows XP in the same scenarios to deal with those 7 applications that you just cannot find in open source. If Windows 7 actually came in a freeware version, it could actually be worthwhile upgrading those legacy HDD images. But then, Microsoft has shown over the last few years that they are capable of learning, so I will not lose my hope ... ;-)

Seriously: if Windows 7 has a similar performance and resource demand profile as the beta versions, it has a good chance of convincing me to attempt another upgrade. Just one thing will be crucial: application backward compatibility.

Friday, January 16, 2009 11:46:09 PM (Eastern Standard Time, UTC-05:00)
Thursday, January 15, 2009
The workshop on Open eGovernment is starting right now. Here is my slide deck, for all that might be interested:

MIT MediaLabs - Open Identity Archtecture.pdf (1.01 MB)

Soon after this is complete, the entire workshop will be posted on the MediaLab webpage - please stay tuned for the link.

Thursday, January 15, 2009 1:09:06 PM (Eastern Standard Time, UTC-05:00)
Thursday, January 08, 2009

As part of the new U.S. administration's BigDialog and Open Government technology agenda, the CommunityCount web forum is polling for issues that are relevant to the identity management community. If you want to make your voice heard with the transition team and the next CTO and science office staff, go here, put in your questions and issues, and vote on the others.

Here is my contribution - please vote.

Thursday, January 08, 2009 6:08:54 PM (Eastern Standard Time, UTC-05:00)
Tuesday, November 18, 2008

For our current internal project, I needed a way to display images within a Java Swing application. There are probably as many solutions to this out there as there are Swing programmers, but here is a quick way to get this done that solves my two major issues:

Resizable, i.e. when the panel changes in size, the image changes along.

Integratable with NetBeans, especially with the Matisse component designer.

This worked for me:

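import java.awt.Dimension;
import java.awt.Graphics;
import java.awt.Image;
import javax.swing.JPanel;

public class ImagePanel extends JPanel {

    // Original image as supplied by the caller
    private Image image;
    // Copy of the image scaled to the current panel size
    private Image displayImage;

    public ImagePanel() {
        super();
    }

    public ImagePanel(Image image) {
        super();
        this.image = image;
        this.displayImage = image;
    }

    @Override
    public void paintComponent(Graphics g) {
        // Clear the background so a smaller image leaves no stale pixels
        super.paintComponent(g);
        fitImage();

        // Retry until drawImage() reports that the image was drawn completely
        while (!g.drawImage(displayImage, 0, 0, null)) {
        }
    }

    @Override
    public void setSize(Dimension d) {
        super.setSize(d);
    }

    // Scale the image to the panel while keeping its aspect ratio
    private synchronized void fitImage() {

        if (image != null) {
            int imageHeight = image.getHeight(null);
            int imageWidth = image.getWidth(null);

            double ratio = ((double) imageHeight) / ((double) imageWidth);

            Dimension d = this.getSize();

            double height = d.getHeight();
            double width = d.getWidth();

            if (height == 0 || width == 0) {
                // Panel has no size yet: fall back to the image's own size
                height = this.image.getHeight(null);
                width = this.image.getWidth(null);

            } else {
                double tempH = Math.floor(ratio * width);
                double tempW = Math.floor(height / ratio);

                // Shrink whichever dimension would otherwise overflow the panel
                if (tempH + 1 > height) {
                    width = tempW;
                } else {
                    height = tempH;
                }
            }
            displayImage = image.getScaledInstance((int) Math.floor(width), (int) Math.floor(height), Image.SCALE_DEFAULT);
        }
    }

    public Image getImage() {
        return image;
    }

    public void setImage(Image image) {
        this.image = image;
        fitImage();
        // Show the new image without waiting for the next resize
        repaint();
    }
}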

Note the while-loop in the paintComponent() method. Without this, you will only get partial image updates, since the drawImage() method on Graphics runs in the background. For very large images or latency sensitive applications this might be an issue, but for my application this is quite acceptable.

In order to integrate this class with NetBeans, you create a Swing JPanel with the graphical designer, and set the "Custom Creation Code" for that panel to be your ImagePanel. Within the code, you can now easily cast to ImagePanel, thus giving you the full image functionality, while not sacrificing visual design.
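An alternative to the while-loop in paintComponent(), as an added example that is not part of the original post: the panel passes itself as the ImageObserver, so Swing repaints it when image data becomes available instead of spinning on the event dispatch thread. The class name ObservedImagePanel and the fit() helper are hypothetical.

```java
import java.awt.Dimension;
import java.awt.Graphics;
import java.awt.Image;
import javax.swing.JPanel;

// Added example (hypothetical class name): same aspect-ratio fit as ImagePanel,
// but scaling happens at draw time and nothing blocks while the image loads.
public class ObservedImagePanel extends JPanel {

    private Image image;

    public Image getImage() {
        return image;
    }

    public void setImage(Image image) {
        this.image = image;
        repaint();
    }

    /** Largest size with the image's aspect ratio that fits inside the panel. */
    static Dimension fit(int imgW, int imgH, int panelW, int panelH) {
        if (imgW <= 0 || imgH <= 0 || panelW <= 0 || panelH <= 0) {
            return new Dimension(0, 0); // size unknown or nothing to draw into
        }
        double scale = Math.min((double) panelW / imgW, (double) panelH / imgH);
        return new Dimension((int) Math.floor(imgW * scale),
                             (int) Math.floor(imgH * scale));
    }

    @Override
    protected void paintComponent(Graphics g) {
        super.paintComponent(g); // clear the background first
        if (image == null) {
            return;
        }
        // getWidth/getHeight return -1 until the dimensions are known;
        // passing 'this' registers the panel to be notified when they are.
        Dimension d = fit(image.getWidth(this), image.getHeight(this),
                          getWidth(), getHeight());
        if (d.width > 0 && d.height > 0) {
            // Returns immediately. Component.imageUpdate() schedules a repaint
            // once the remaining image data has arrived.
            g.drawImage(image, 0, 0, d.width, d.height, this);
        }
    }
}
```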



Tuesday, November 18, 2008 4:21:14 PM (Eastern Standard Time, UTC-05:00)

Copyright by Gerald Beuchelt.