directory-dev mailing list archives

From Alex Karasulu <akaras...@apache.org>
Subject Re: TripleSec and jacc
Date Thu, 28 Dec 2006 12:53:04 GMT
David Jencks wrote:
> 
> On Dec 21, 2006, at 1:59 PM, Alex Karasulu wrote:
> 

...

>>> 2. The current Permission class is not a java.security.Permission.  I
>>> propose to rename it StringPermission (since it works on string
>>> equality), extend java.security.Permission, and introduce a
>>> StringPermissionCollection.  BTW I don't understand why triplesec
>>> Permission includes the applicationName.
>>
>> First off a tsec permission includes the app name because permissions
>> are specific to an application.  Perm xyz only makes sense wrt the app
>> that it was defined for.  Does this make sense?
> 
> No :-)
> I think you are duplicating information redundantly.  You'll never get
> to the point of checking a permission unless you navigated to it from
> the correct application.  The JACC ejb and web permissions also don't
> make sense outside a particular application, but they don't include the
> PolicyContextId in them for this reason.
> 
> Similarly I don't think it makes sense to have the application name in
> Role nor the permissions stored directly in ldap.

Ok let's make a JIRA note about removing this added information.  We can
still operate without the additional back referral to the application
from which the role and permission come.  You're right that it is
redundant.  I just have to see where it's depended upon and figure out a
means to not have to depend on it.

...


Alex
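
An added sketch of the design discussed in this thread, not code from the message or from TripleSec: a permission whose identity is its name alone, held in one collection per application, so the application scope comes from which collection is consulted. The class bodies, the `byApp` map and the application and permission names are assumptions constructed for illustration; only the names `StringPermission` and `StringPermissionCollection` come from the proposal.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.util.*;

public class StringPermissionDemo {
    // Hypothetical StringPermission: identity is the name alone, no applicationName field.
    static final class StringPermission extends Permission {
        StringPermission(String name) { super(name); }
        @Override public boolean implies(Permission p) { return equals(p); }
        @Override public boolean equals(Object o) {
            return o instanceof StringPermission
                && getName().equals(((StringPermission) o).getName());
        }
        @Override public int hashCode() { return getName().hashCode(); }
        @Override public String getActions() { return ""; }
        @Override public PermissionCollection newPermissionCollection() {
            return new StringPermissionCollection();
        }
    }

    // Hypothetical collection: membership test by string equality.
    static final class StringPermissionCollection extends PermissionCollection {
        private final Set<Permission> perms = new HashSet<>();
        @Override public synchronized void add(Permission p) {
            if (isReadOnly()) throw new SecurityException("read-only collection");
            if (!(p instanceof StringPermission))
                throw new IllegalArgumentException("not a StringPermission: " + p);
            perms.add(p);
        }
        @Override public synchronized boolean implies(Permission p) { return perms.contains(p); }
        @Override public synchronized Enumeration<Permission> elements() {
            return Collections.enumeration(new ArrayList<>(perms));
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: one collection per application, keyed the way
        // JACC keys policy by PolicyContextId.
        Map<String, PermissionCollection> byApp = new HashMap<>();
        byApp.put("payroll", new StringPermissionCollection());
        byApp.put("wiki", new StringPermissionCollection());
        byApp.get("payroll").add(new StringPermission("report.view"));

        Permission wanted = new StringPermission("report.view");
        for (String app : List.of("payroll", "wiki")) {
            System.out.println(app + " implies " + wanted.getName() + ": "
                + byApp.get(app).implies(wanted));
        }
    }
}
```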
