geronimo-dev mailing list archives

From "Cabrera, Alan" <Alan.Cabr...@reuters.com>
Subject RE: o.a.g..security.*ModuleConfiguration broke Geronimo-Nova integration
Date Mon, 05 Jan 2004 20:17:05 GMT


> -----Original Message-----
> From: David Jencks [mailto:david@coredevelopers.net] 
> 
> On Monday, January 5, 2004, at 04:20 AM, Alan D. Cabrera wrote:
> >> <snip>
> >> OK, this makes sense.  However, there are a lot of levels of 
> >> indirection (let's assume there is only one realm):
> >>
> >> user  --nXm-- principal --nxm--role --nxm-- method
> >>
> >> If there is only one realm and it is easy to specify the 
> principals 
> >> each  user gets in the login system, it might be worthwhile to 
> >> provide a shortcut security mapping that equated roles and 
> >> principals.  Does this make any sense?
> >
> > I'm not clear on what this shortcut security mapping is and 
> why it's 
> > needed.  It kind of sounds like the principal/role mapping 
> that is in 
> > the deployment descriptor.
> 
> My suggestion is a way to set up a simple principal/role mapping 
> easily: principal == role.
> 
> I'm worried that your scheme may be hard to set up for simple 
> scenarios.
> 
> The entire declarative security scheme is logically equivalent, IIUC, 
> to a single map
> user --nxm-- method.
> 
> Everything else is introduced to make administration and modification 
> easier.
> Since users come and go frequently, the ejb model suggests at least
> 
> user --nxm-- roles --nxm-- methods
> 
> Your model further decomposes user --nxm-- roles to user --nxm-- 
> principals --nxm-- roles. 

I do this because LoginModules return principals and my implementation of
JACC works w/ principals.  Let me also state that the following is what is
stored in the security mapping:

principals --nxm-- roles --nxm-- methods

The mapping of user --nxm-- principals is virtually done by the LoginModule.

> I'm just suggesting that we 
> provide a way to 
> set up a trivial principal -- role mapping without explicitly listing 
> all the mapping elements.  This would purely be for 
> convenience in case 
> someone wanted to, logically, directly assign roles to users.

I think I understand now and agree that this is a useful case to support.
Let me state how I understand this. We're looking to support

trivial principals --1x1-- roles --nxm-- methods

where we have LoginModules that stuff trivial principals into subjects, i.e.
do the user --nxm-- trivial principals mapping.  Off the top of my head, I
think that the simplification should take place in the tool that creates the
security descriptor so that it looks like 

roles --nxm-- methods

to the deployer.  

What do you think?  Did I make sense?


Regards,
Alan
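The three-level mapping the thread is discussing, as an added example that is not part of the original message and not Geronimo or JACC code. It uses only the JDK's `javax.security.auth.Subject` and `java.security.Principal`; the `SecurityMapping` class, the `NamedPrincipal` class, the `login` helper and the principal, role and method names are all constructed for illustration. The LoginModule stand-in does the user --nxm-- principals step by filling a Subject; the mapping object holds principals --nxm-- roles --nxm-- methods; and `trivial()` is the shortcut under discussion, where each role accepts the principal of the same name (1x1) so that the deployer only has to write roles --nxm-- methods.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

// Added example, not Geronimo code. Models the mapping chain from the thread:
//   user --nxm-- principals   (done by the LoginModule: what it puts in the Subject)
//   principals --nxm-- roles  (security mapping; "trivial" shortcut: principal name == role name)
//   roles --nxm-- methods     (method permissions the deployer writes)
public class DeclarativeSecurityDemo {

    /** Minimal Principal; a real LoginModule would supply its own Principal classes. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "NamedPrincipal[" + name + "]"; }
    }

    /** Hypothetical security mapping: principals --nxm-- roles --nxm-- methods. */
    static final class SecurityMapping {
        private final Map<String, Set<String>> principalToRoles = new HashMap<>();
        private final Map<String, Set<String>> roleToMethods = new HashMap<>();

        SecurityMapping mapPrincipal(String principalName, String... roles) {
            principalToRoles.computeIfAbsent(principalName, k -> new HashSet<>())
                            .addAll(Arrays.asList(roles));
            return this;
        }

        SecurityMapping permitRole(String role, String... methods) {
            roleToMethods.computeIfAbsent(role, k -> new HashSet<>())
                         .addAll(Arrays.asList(methods));
            return this;
        }

        /** The shortcut from the thread: every role is also a principal of the same name (1x1). */
        static SecurityMapping trivial(String... roles) {
            SecurityMapping m = new SecurityMapping();
            for (String r : roles) m.mapPrincipal(r, r);
            return m;
        }

        /** Collect the roles granted by every principal the LoginModule placed in the Subject. */
        Set<String> rolesFor(Subject subject) {
            Set<String> roles = new HashSet<>();
            for (Principal p : subject.getPrincipals()) {
                roles.addAll(principalToRoles.getOrDefault(p.getName(), Collections.emptySet()));
            }
            return roles;
        }

        /** Deny by default: an unmapped principal or an unlisted method grants nothing. */
        boolean isCallerAllowed(Subject subject, String method) {
            for (String role : rolesFor(subject)) {
                if (roleToMethods.getOrDefault(role, Collections.emptySet()).contains(method)) {
                    return true;
                }
            }
            return false;
        }
    }

    /** Stand-in for a LoginModule's commit(): put the authenticated principals into the Subject. */
    static Subject login(String... principalNames) {
        Subject s = new Subject();
        for (String n : principalNames) s.getPrincipals().add(new NamedPrincipal(n));
        return s;
    }

    public static void main(String[] args) {
        // Explicit mapping: two LoginModule principals collapse onto one application role.
        SecurityMapping explicit = new SecurityMapping()
            .mapPrincipal("ldap:alan", "manager")
            .mapPrincipal("ldap:david", "manager")
            .mapPrincipal("ldap:guest", "reader")
            .permitRole("manager", "AccountBean.transfer", "AccountBean.getBalance")
            .permitRole("reader", "AccountBean.getBalance");

        System.out.println("alan transfer:  " + explicit.isCallerAllowed(login("ldap:alan"), "AccountBean.transfer"));
        System.out.println("guest transfer: " + explicit.isCallerAllowed(login("ldap:guest"), "AccountBean.transfer"));
        System.out.println("guest balance:  " + explicit.isCallerAllowed(login("ldap:guest"), "AccountBean.getBalance"));

        // Trivial shortcut: the LoginModule already emits principals named after the roles,
        // so the deployer only writes roles --nxm-- methods.
        SecurityMapping shortcut = SecurityMapping.trivial("manager", "reader")
            .permitRole("manager", "AccountBean.transfer");
        System.out.println("manager transfer: " + shortcut.isCallerAllowed(login("manager"), "AccountBean.transfer"));
        System.out.println("reader transfer:  " + shortcut.isCallerAllowed(login("reader"), "AccountBean.transfer"));
    }
}
```

The point the example makes for a deployer is that the shortcut does not remove the principals --nxm-- roles level; it only fills it with an identity mapping, so any principal the LoginModule emits whose name happens to match a role name is immediately granted that role. That is fine when the realm's principal names are under the deployer's control, and is the case to check before enabling such a shortcut.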



