Return-Path: 
 <dev-return-6452-apmail-shiro-dev-archive=shiro.apache.org@shiro.apache.org>
X-Original-To: apmail-shiro-dev-archive@www.apache.org
Delivered-To: apmail-shiro-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 61A9418AAC
	for <apmail-shiro-dev-archive@www.apache.org>;
 Fri,  7 Aug 2015 19:47:14 +0000 (UTC)
Received: (qmail 37711 invoked by uid 500); 7 Aug 2015 19:47:14 -0000
Delivered-To: apmail-shiro-dev-archive@shiro.apache.org
Received: (qmail 37676 invoked by uid 500); 7 Aug 2015 19:47:14 -0000
Mailing-List: contact dev-help@shiro.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@shiro.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@shiro.apache.org>
List-Post: <mailto:dev@shiro.apache.org>
List-Id: <dev.shiro.apache.org>
Reply-To: dev@shiro.apache.org
Delivered-To: mailing list dev@shiro.apache.org
Received: (qmail 37664 invoked by uid 99); 7 Aug 2015 19:47:13 -0000
Received: from Unknown (HELO spamd2-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 07 Aug 2015 19:47:13 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org)
 with ESMTP id 7F7F41A9964
	for <dev@shiro.apache.org>; Fri,  7 Aug 2015 19:47:13 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: 2.879
X-Spam-Level: **
X-Spam-Status: No, score=2.879 tagged_above=-999 required=6.31
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
	HTML_MESSAGE=3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
	SPF_PASS=-0.001] autolearn=disabled
Authentication-Results: spamd2-us-west.apache.org (amavisd-new);
	dkim=pass (2048-bit key) header.d=gmail.com
Received: from mx1-us-west.apache.org ([10.40.0.8])
	by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new,
 port 10024)
	with ESMTP id rKhoEbrwbo43 for <dev@shiro.apache.org>;
	Fri,  7 Aug 2015 19:47:11 +0000 (UTC)
Received: from mail-ig0-f177.google.com (mail-ig0-f177.google.com
 [209.85.213.177])
	by mx1-us-west.apache.org (ASF Mail Server at mx1-us-west.apache.org) with
 ESMTPS id 8C1EB20F60
	for <dev@shiro.apache.org>; Fri,  7 Aug 2015 19:47:11 +0000 (UTC)
Received: by igbij6 with SMTP id ij6so37555810igb.1
        for <dev@shiro.apache.org>; Fri, 07 Aug 2015 12:47:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:from:date:message-id:subject:to:content-type;
        bh=pj/+OEqZco4NtXAzJEQB6j9BYwM1reW+vlCjOGGbSLY=;
        b=EgJIhOcNi/Lky9wmmvM0Z3SiFKvfZPndg1mJ7/Szzxq66MNhOETEhjZRtpsp9JsF7A
         T/I/440TeUc9soZ8kZTHyEn5IisMibyvSLEDPS9nau8sMNBFYITdEFbnwS79zpmGxNJ3
         5kfz1kdJ4MucOVTR8sJnEIC8hjV99kTrdr8cCwhXs04dBPotJpZiXk6JxLY78uEE16qb
         VdEJZg0vexirBwnMfztRghy3rImCTk5AGyQsCLERcdo4JRQi1nskc6m4dIQXfrGHrtaO
         1DS72G9jMtYtnDNY7rR6rcWzZduUvViwoRbmVNO8udOCIg1PbHQDAwX6pm2f132De42o
         yf1Q==
X-Received: by 10.50.43.167 with SMTP id x7mr5670251igl.95.1438976824716; Fri,
 07 Aug 2015 12:47:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.38.139 with HTTP; Fri, 7 Aug 2015 12:46:25 -0700 (PDT)
From: Darin Gordon <darinc@gmail.com>
Date: Fri, 7 Aug 2015 15:46:25 -0400
Message-ID: 
 <CAJTjJvU2y3t022vzxbEiwDVG9hn68e7rRO0xgr6dttvSRqpgsg@mail.gmail.com>
Subject: shiro v2 proposal for realm-level authorization support
To: dev@shiro.apache.org
Content-Type: multipart/alternative; boundary=089e011602b27a4b12051cbde65b

--089e011602b27a4b12051cbde65b
Content-Type: text/plain; charset=UTF-8

All

For your consideration.. I tried my best to edit this draft but didn't want
to delay it further.  I will clarify any points as needed:

There remains a general lack of support for realm-level authorization in
the new
shiro v2 and there is no specification for how Shiro will provide it.  So,
to facilitate
discussion, and for your consideration, is a proposal for doing so.

In Summary:
1) Expand use of the Account object to include information used for authz
2) deprecate the AuthorizationInfo object model as it is replaced by the
   revised Account object
3) Define 2 new interfaces for the AccountStore to facilitate requests for
   credentials or privileges
4) Define 2 new interfaces for the AccountStoreRealm to facilitate
authentication
   and authorization
5) consolidate the A.S.R.'s cache handling to a single method-- account
cache handling


Details:

Account
====================
Generally speaking, a user account entity includes identifiers
(principals), credentials.
Further, an account has access privileges.  The latest Shiro v2
implementation
is as if one side of a coin has been addressed to support use of an Account
object
yet the other side hasn't yet been touched: the AuthenticationInfo object
is deprecated,
yet the AuthorizationInfo object isn't.

In v2, the legacy "information object", AuthenticationInfo, is replaced
by a more intuitive Account object.  This Account object currently contains
an
accountID, credentials, and identifiers (attributes).  With this object
specification,
an Account object can satisfy authentication attempts.

Unfortunately, with this design another legacy "information object" --
the AuthorizationInfo object -- must still be created and used to
facilitate authorization.

What I mean with the coin metaphor is that who a user is, how a user's
identity
is confirmed, and what that user can do in a system are all considered
within
the context of an Account:
I) Who a user is = Identifiers (formerly Principals)
II) Confirming identity = Credentials
III) What a user can do  = Privileges


AccountStore
====================
An AccountStore is the intermediary between a realm and a data store.
An AccountStore obtains Account information -- who a user is, how a user is
identified, and/or what that user can do in an application --  from a data
store
 and returns it in the form of an Account object to the realm that is
requesting
this information.

An AccountStore MAY OR MAY NOT interact with an all-inclusive,
comprehensive
data source containing all application security related information.  In an
enterprise, there may be multiple data stores used for application security.
For instance, an enterprise may use one data store to obtain authentication
credentials (LDAP).  Another data store may be consulted to obtain access
control
privileges (RDBMS).

Therefore, an AccountStore MAY OR MAY NOT return a comprehensive Account
object that
contains all security-related information (credentials and privileges).

With this given, I propose that two AccountStore interfaces be created:
    1) CredentialsAccountStore
    2) PrivilegesAccountStore

Doing so allows gives a developer the flexibility to implement in an
AccountStore
support for one or both information gathering responsibilities with any
given data store.


AccountStoreRealm
====================
The AccountStoreRealm (A.S.R.) is the AccountStore (A.S.) liaisan.  Contrary
to what has been stated in v2 code comments, there need not be a 1:1
relationship
between an A.S.R. and an A.S.
    - An A.S. may realistically only communicate with no more than one
A.S.R.,
      but it has an interface that would allow any other to issue requests
with
      it
    - An A.S.R , if it handles authentication AND authorization requests,
      will likely communicate with more than one AccountStore (such as when
      LDAP is used for authc and an RDBMS is used for authz info)

--089e011602b27a4b12051cbde65b--