avalon-dev mailing list archives

From Peter Donald <pe...@apache.org>
Subject Re: Security - AAA implementation [was RE: DefaultRoleManager in Cornerstone]
Date Fri, 18 Jan 2002 06:31:24 GMT
On Fri, 18 Jan 2002 12:13, MCCAY,LARRY (HP-NewJersey,ex2) wrote:
> > So Role would be another principal? In effect you would do a
> > mapping from
> > "identity" principal to "Role" principal and then just use
> > that?
>
> Actually, I was thinking that the concept of role could be implemented in
> policy by a collection of permissions.  Specifying the mapping between any
> given principal - say a group principal representing membership to a group
> called administrators - is mapped to a set of permissions within a given
> policy context (application) thereby granting these permissions to any
> Subject containing the AdministratorPrincipal - this collection of
> permissions can be identified by name - which is basically role-name in
> J2EE terms.

Not entirely sure where the difference between the two above explanations is ;) 
Is it just that in the way I described it you changed principals while the way 
you describe it you just add a new principal (the Group/Role principal) to 
the subject?

> The mapping of the principals to permissions would be done in terms of
> principal type and value to necessary permissions within a given policy
> context (application) and accomplished through the administrative interface
> exposed through JMX.
>
> This is very much in line with the JSR 115 effort - which is in community
> draft, currently.  Providing this JSR is successful, compliance would
> enable the ability to plug in arbitrary authorization providers.
>
> http://www.jcp.org/jsr/detail/115.jsp

sounds good.

> BTW - AAA is Authentication, Authorization and Administration - I usually
> add a fourth - Auditing.
>
> :-)

kool. Got the first two - no idea on third or fourth ;)

-- 
Cheers,

Pete

----------------------------------------
Why does everyone always overgeneralize?
----------------------------------------
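
The mapping discussed in this message (a principal type and value mapped, within one policy context, to a named collection of permissions that acts as the role), as an added example that is not part of the original thread or of Avalon's code. `GroupPrincipal`, `AppPermission`, `PolicyContext` and the permission names are hypothetical; only standard `java.security` and `javax.security.auth` classes are used, not the JSR 115 API, and the `record` syntax assumes Java 16 or later.

```java
import java.security.*;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;

public class RolePolicyExample {
    // Hypothetical principal type representing membership of a group.
    record GroupPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    // Hypothetical application permission; BasicPermission matches by name.
    static final class AppPermission extends BasicPermission {
        AppPermission(String name) { super(name); }
    }
    // One policy context (application): role name -> permissions, (type, value) -> role name.
    static final class PolicyContext {
        private final Map<String, Permissions> roles = new HashMap<>();
        private final Map<String, String> principalToRole = new HashMap<>();
        void defineRole(String roleName, Permission... perms) {
            Permissions set = new Permissions();
            for (Permission p : perms) set.add(p);
            roles.put(roleName, set);
        }
        void mapPrincipal(Class<? extends Principal> type, String value, String roleName) {
            principalToRole.put(type.getName() + ":" + value, roleName);
        }
        // A Subject is granted a permission if any of its principals maps to a role implying it.
        boolean implies(Subject subject, Permission requested) {
            for (Principal p : subject.getPrincipals()) {
                String role = principalToRole.get(p.getClass().getName() + ":" + p.getName());
                Permissions granted = (role == null) ? null : roles.get(role);
                if (granted != null && granted.implies(requested)) return true;
            }
            return false; // default deny: unmapped principals get nothing
        }
    }
    public static void main(String[] args) {
        PolicyContext ctx = new PolicyContext();
        ctx.defineRole("admin", new AppPermission("block.start"), new AppPermission("block.stop"));
        ctx.mapPrincipal(GroupPrincipal.class, "administrators", "admin");
        Subject admin = new Subject();
        admin.getPrincipals().add(new GroupPrincipal("administrators"));
        Subject user = new Subject();
        user.getPrincipals().add(new GroupPrincipal("users"));
        System.out.println("admin may stop: " + ctx.implies(admin, new AppPermission("block.stop")));
        System.out.println("user may stop:  " + ctx.implies(user, new AppPermission("block.stop")));
    }
}
```

Keying the mapping on both the principal's class and its value keeps a principal of a different type that happens to carry the name "administrators" from picking up the role.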
