On Mon, Feb 16, 2009 at 6:26 AM, Ashish <[email protected]> wrote:
> My concern here is, there is too much to be interpreted by a User/Implementor.
> From a security implementation perspective, I understand these two
> things, Identity and Authority (Role). Now if we had imposed something like
> getAuthorities() in the Authority interface, it would have made life easy.
> With a marker interface, not sure what we achieve.
While, again, I agree that the API might have turned out to be over-generic (given the history), there are some requirements that do force it to be slightly different from most role-based authentication schemes. For example, we want to be able to set write permissions on a per-user level. Also, I'm not sure that a marker interface is really the best description of these interfaces; it is more of a generic supertype that we can pass around with type safety.

>>> 2. Authority interface has functions that pertain to Authorization.
>>> The interface should have the Role given to the User?
>>
>> Not sure I understand the question. Authority populates an
>> AuthorizationRequest which can give a user a role (or write
>> permission, or whatever is needed) if that's what we want (we do not
>> currently have roles, but the interfaces would certainly allow for
>> such an implementation).
>
> Ok, the idea is, each user has some authority or Role, based on which
> Authorization happens.
> Something like, you pass Authority and Identity to the Authorization
> Manager and it shall decide whether to grant access or not.
> These interfaces allow for such an implementation, but it's not so intuitive.

I guess intuition differs from person to person :-) I do find the API over-generic, but not complex or hard to understand (and I'm usually pretty thick when it comes to understanding APIs).

> I am keeping a close eye on JSecurity (in Incubation). Once it's out,
> maybe we can use it within FtpServer.

Yes, if you look through the archives of this and the JSecurity list, you will find that there have already been several discussions on this topic.

> Will recommend having a look at the Spring Security implementation. Maybe
> it shall bring us on the same page.

Spring (or at the time Acegi) Security served as the model on which the FtpServer AaA model was designed, so you will find many similarities.

/niklas
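The pattern Niklas describes (a generic AuthorizationRequest supertype, an Authority that populates or rejects it, and per-user write permissions) as an added illustrative sketch; this is not FtpServer's own code, and the WriteRequest, WritePermission and User types, the allowed-prefix restriction and the sample users are assumptions made for the example.

```java
import java.nio.file.Paths;
import java.util.List;

// Generic supertype passed around with type safety (sketch, not FtpServer's API).
interface AuthorizationRequest {}

// Hypothetical request type: "may this user write to this path?"
final class WriteRequest implements AuthorizationRequest {
    final String path;
    WriteRequest(String path) { this.path = path; }
}

interface Authority {
    boolean canAuthorize(AuthorizationRequest request);        // does this authority handle this request type?
    AuthorizationRequest authorize(AuthorizationRequest request); // the granted request, or null when denied
}

// Per-user write permission limited to a directory prefix (hypothetical restriction).
final class WritePermission implements Authority {
    private final String allowedPrefix;
    WritePermission(String allowedPrefix) { this.allowedPrefix = allowedPrefix; }
    public boolean canAuthorize(AuthorizationRequest r) { return r instanceof WriteRequest; }
    public AuthorizationRequest authorize(AuthorizationRequest r) {
        WriteRequest w = (WriteRequest) r;
        // Normalize first so "..": segments cannot escape the allowed prefix.
        String normalized = Paths.get(w.path).normalize().toString();
        return normalized.startsWith(allowedPrefix) ? w : null;
    }
}

// Each user carries its own authorities; this is what per-user write permission needs.
final class User {
    private final List<Authority> authorities;
    User(List<Authority> authorities) { this.authorities = authorities; }
    // Default-deny: granted only if some authority understands the request and grants it.
    AuthorizationRequest authorize(AuthorizationRequest request) {
        for (Authority a : authorities) {
            if (a.canAuthorize(request)) {
                AuthorizationRequest granted = a.authorize(request);
                if (granted != null) return granted;
            }
        }
        return null;
    }
}

public class AaaDemo {
    public static void main(String[] args) {
        User alice = new User(List.of(new WritePermission("/home/alice/")));
        User bob = new User(List.of()); // no write authority at all, so every write is denied
        System.out.println("alice own dir: " + (alice.authorize(new WriteRequest("/home/alice/a.txt")) != null));
        System.out.println("alice escape:  " + (alice.authorize(new WriteRequest("/home/alice/../../etc/x")) != null));
        System.out.println("bob:           " + (bob.authorize(new WriteRequest("/home/alice/a.txt")) != null));
    }
}
```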
