I just wanted to list some ideas that I have on how we can bridge this gap
between simple language agnostic permissions presently in Triplesec with

First, I want to stress why it is important to remain language and platform
neutral and I think you will agree with this line of thought. Even though the
server is written in Java on top of ApacheDS we want it to be applicable for
use on any platform with any language. This way .NET, PHP and many
other clients can leverage the same system.

However, as you noted, and I agree fully, in Java we need more than the
presence of a permission to determine if someone is authorized to access
a resource or perform some operation. This is due to the open-ended nature
of evaluating the implies() method of a Java permission.

We can easily accommodate both this simplified use of permissions while
allowing for the more complex cases where the implies() method is more
involved by extending the policyPermission objectClass. As you may already
know, we can create objectClass subtypes. I'm thinking we can create a
javaPermission subtype which inherits from policyPermission which contains
the fully qualified class name of the permission implementation along with
parameters used to initialize it. This can be used with the implies() method
of the permission to reach access control decisions.

This is something I would like to do along with reading and fully evaluating
that NIST paper so I can then look into the best way to model roles/groups
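
The javaPermission idea described above, sketched from the client side as an added example (not code from Triplesec or from this message): a permission is rebuilt from a stored class name plus its initialization parameters and then consulted through implies(). The parameter names, the sample paths, the two-String constructor convention and the allow-list of loadable classes are assumptions of this sketch; the allow-list is there because the class name comes from directory data and should not be instantiated blindly.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.util.Set;

public class JavaPermissionEntryDemo {
    // Assumption: the client only instantiates permission classes it has vetted,
    // since the class name is read from a directory entry.
    private static final Set<String> ALLOWED_CLASSES = Set.of(
            "java.io.FilePermission",
            "java.net.SocketPermission");

    /**
     * Rebuilds a Permission from the values a javaPermission entry would carry.
     * className, name and actions are hypothetical attribute values.
     */
    static Permission fromEntry(String className, String name, String actions)
            throws ReflectiveOperationException {
        if (!ALLOWED_CLASSES.contains(className)) {
            throw new SecurityException("permission class not allow-listed: " + className);
        }
        // initialize=false: no static initializer runs before the type check below.
        Class<?> raw = Class.forName(className, false,
                JavaPermissionEntryDemo.class.getClassLoader());
        // Fails with ClassCastException if the class is not a Permission subtype.
        Class<? extends Permission> type = raw.asSubclass(Permission.class);
        return type.getConstructor(String.class, String.class).newInstance(name, actions);
    }

    /** True if the permission stored in the entry implies the requested one. */
    static boolean isAuthorized(Permission granted, Permission requested) {
        return granted.implies(requested);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample entry: recursive read/write below /srv/app/data.
        Permission granted = fromEntry("java.io.FilePermission", "/srv/app/data/-", "read,write");

        Permission inside = new FilePermission("/srv/app/data/reports/q1.csv", "read");
        Permission outside = new FilePermission("/srv/app/config/app.properties", "read");
        System.out.println("inside tree:  " + isAuthorized(granted, inside));
        System.out.println("outside tree: " + isAuthorized(granted, outside));

        try {
            fromEntry("com.example.UnvettedPermission", "x", "y"); // constructed name
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```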