On Sunday, January 4, 2004, at 11:10 AM, Alan D. Cabrera wrote:
-----Original Message----- From: David Jencks [mailto:[EMAIL PROTECTED]
I think so.
However, I'm pretty confused at the moment by all the different concepts around security. If you could spend a few minutes and explain how contextID, realm, role, principal and permission relate, I'd really appreciate it. In particular I really don't understand how realms and contextIDs relate and may have put the wrong call in the EJBModuleDeploymentPlanner.
This can be split up into two parts, Authentication and Authorization.
On the authentication side, Security realms provide LoginModules that populate Subjects w/ their principals. Geronimo wraps these LoginModules with its own so that it can register the Subjects and perform various optimizations; I was thinking that it would be a good idea to allow non-Geronimo LoginModules.
Authorization is handled by PolicyConfigurations; these are indexed by context ids which uniquely identify a deployed application. Roles and their permissions are registered w/ the PolicyConfiguration. I have further extended this so that principals can be mapped to roles and then, as an optimization, principals are mapped to permissions.
OK, this makes sense. However, there are a lot of levels of indirection (let's assume there is only one realm):
user --nxm-- principal --nxm-- role --nxm-- method
If there is only one realm and it is easy to specify the principals each user gets in the login system, it might be worthwhile to provide a shortcut security mapping that equated roles and principals. Does this make any sense?
thanks david jencks
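The two halves of the thread, the PolicyConfiguration-per-contextID model Alan describes and the role-equals-principal shortcut David proposes, as an added, constructed Python model (not Geronimo's code): a toy realm stands in for a LoginModule, `commit()` performs the principal-to-permission flattening, and `equate_roles_and_principals` is the shortcut. All names, users and EJB methods are illustrative assumptions.

```python
from collections import defaultdict

# Constructed model of the indirection chain user -> principal -> role -> method.
# Authentication side: a realm's login module maps a user to its principals (toy realm).
REALM = {"alice": {"alice", "ops"}, "bob": {"bob"}}

def login(realm, user):
    """Return the Subject's principals, or an empty set if the realm rejects the user."""
    return set(realm.get(user, ()))

class PolicyConfiguration:
    """Authorization state for one deployed application, keyed by its context ID."""
    def __init__(self, context_id):
        self.context_id = context_id
        self.role_permissions = defaultdict(set)    # role -> {(ejb, method)}
        self.principal_roles = defaultdict(set)     # principal -> {role}
        self.principal_permissions = {}             # filled on commit (the optimization)

    def add_to_role(self, role, ejb, method):
        self.role_permissions[role].add((ejb, method))

    def map_principal_to_role(self, principal, role):
        self.principal_roles[principal].add(role)

    def commit(self):
        # Flatten principal -> role -> permission so a check is one lookup per principal.
        for principal, roles in self.principal_roles.items():
            perms = set()
            for role in roles:
                perms |= self.role_permissions[role]
            self.principal_permissions[principal] = perms

    def implies(self, principals, ejb, method):
        """True if any principal in the Subject holds the method permission; unknown ones deny."""
        return any((ejb, method) in self.principal_permissions.get(p, ()) for p in principals)

CONFIGS = {}  # context ID -> PolicyConfiguration, one per deployed application

def get_policy_configuration(context_id):
    return CONFIGS.setdefault(context_id, PolicyConfiguration(context_id))

def equate_roles_and_principals(pc):
    """The proposed shortcut: a principal named like a role simply holds that role."""
    for role in list(pc.role_permissions):
        pc.map_principal_to_role(role, role)

def check(context_id, user, ejb, method):
    """Authenticate against the realm, then ask the application's policy for the method."""
    pc = get_policy_configuration(context_id)
    return pc.implies(login(REALM, user), ejb, method)
```

The shortcut only stays safe while one realm is the sole source of principals: with several realms, a second realm could mint a principal named like a role and silently gain it, which is why the explicit principal-to-role mapping is kept as a separate step.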