Respondent

Gary Schwartz

Goal/Problem Space

Bedework is an open-source, Java-based, standards-compliant, enterprise calendar system designed primarily to serve higher education. Bedework has a centralized server architecture and web-based clients, and can be accessed from CalDAV clients such as Apple's iCal and iPhone, Mozilla's Lightning, and the ZideOne plug-in for Outlook.

Features

The main Bedework components include public calendar suites & data feeds, web-based clients for administration, event submission, and personal calendaring, and servers for CalDAV, CardDAV, and Timezones.

Anthropomorphically speaking, Bedework strives to be the leading Java-based, interoperable calendaring system in higher ed, and looks to transform itself, hopefully without any human intervention whatsoever, into an events-driven, SOA/WS system, providing the infrastructure for "calendaring as a platform" - the "World Wide Calendar".

Technology Stack

Java, Struts, Hibernate, Ehcache, iCal4j, Lucene, jQuery, Xalan-Java, Apache Commons.

Bedework is implemented as a fully standard (JSR 154) collection of servlets, and as such relies on the container for authentication.

Identity Services

| Managed Information | Consume? | Produce? | Broker/Convey? |
|---|---|---|---|
| Privileges | | X | |
| Roles | | | |
| Groups | X | | |
| Attributes | X | | |
| Identification | X | | |

| Defined Interfaces | Consume? | Produce? | Broker/Convey? |
|---|---|---|---|
| Authentication | X | | |
| Attributes | X | | |
| Permissions | | X | |
| Provisioning | | | |
| Authorization | | X | |
| Subjects | | | |

| Other | Consume? | Produce? | Broker/Convey? |
|---|---|---|---|

Standards and Interfaces

Bedework implements interfaces which provide basic LDAP support to obtain principal group information and principal attributes.

Shibbolized instances of Bedework have been deployed, but there are compatibility issues with CalDAV and Shibboleth.

Issues and Challenges

Authorization within the Bedework services is based on DAV access control using ACLs. This is proving to be complex for users, and inadequate in that the assignment of roles to a principal needs to affect multiple services, e.g. CalDAV and CardDAV.

Shibboleth implements the Web Browser Single Sign-On profile of SAML, which requires a full web browser to run. Virtually no *-DAV clients are full web browsers. We need something else on which to base federated identity authorization for *-DAV (CalDAV, CardDAV, WebDAV, etc.).
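
The mismatch described above, as an added example (not Bedework or Shibboleth code): a Python classifier for a server's reply to an unauthenticated CalDAV request, reporting whether the reply can only be completed by a browser. The function names, the sample replies, the host `idp.example.edu` and the set of client-supported schemes are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption for this example: schemes a DAV client can answer without a browser.
CLIENT_SCHEMES = {"basic", "digest"}

def classify(status, headers, body=""):
    """Label a server's reply to an unauthenticated DAV request."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        parts = h.get("www-authenticate", "").split(None, 1)
        scheme = parts[0].lower() if parts else ""
        return "http-auth-challenge" if scheme in CLIENT_SCHEMES else "unusable-challenge"
    if status in (301, 302, 303, 307):
        # SAML HTTP-Redirect binding carries the request in the query string.
        query = parse_qs(urlsplit(h.get("location", "")).query)
        return "saml-redirect" if "SAMLRequest" in query else "plain-redirect"
    if status == 200 and "text/html" in h.get("content-type", "").lower():
        # SAML HTTP-POST binding: an HTML form with a hidden SAMLRequest field.
        if re.search(r"name=[\"']SAMLRequest[\"']", body):
            return "saml-post-form"
        return "html-page"
    if status == 207:
        return "dav-multistatus"
    return "other"

def needs_browser(kind):
    """True when the reply is a step of the SAML Web Browser SSO flow."""
    return kind in {"saml-redirect", "saml-post-form"}

# Constructed sample replies to PROPFIND (not captured from a real deployment).
SAMPLES = {
    "container auth": (401, {"WWW-Authenticate": 'Basic realm="bedework"'}, ""),
    "sso redirect": (302, {"Location": "https://idp.example.edu/sso?SAMLRequest=fZJ&RelayState=x"}, ""),
    "sso post form": (200, {"Content-Type": "text/html; charset=utf-8"},
                      '<form method="post"><input type="hidden" name="SAMLRequest" value="PHNh"/></form>'),
}

def report():
    """Map each constructed sample to whether it requires a browser."""
    return {name: needs_browser(classify(*reply)) for name, reply in SAMPLES.items()}

if __name__ == "__main__":
    for name, browser in report().items():
        print(f"{name}: {'needs a browser' if browser else 'no browser needed'}")
```

Only the first sample, the container's HTTP authentication challenge, is something a CalDAV or CardDAV client can answer on its own; the two SAML replies expect redirect following with session cookies or HTML form submission.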

More Information

http://bedework.org
