> -----Original Message-----
> From: David Jencks [mailto:[EMAIL PROTECTED]
>
> On Monday, January 5, 2004, at 04:20 AM, Alan D. Cabrera wrote:
> >> <snip>
> >> OK, this makes sense. However, there are a lot of levels of
> >> indirection (let's assume there is only one realm):
> >>
> >> user --nXm-- principal --nxm--role --nxm-- method
> >>
> >> If there is only one realm and it is easy to specify the principals
> >> each user gets in the login system, it might be worthwhile to
> >> provide a shortcut security mapping that equated roles and
> >> principals. Does this make any sense?
> >
> > I'm not clear on what this shortcut security mapping is and why it's
> > needed. It kind of sounds like the principal/role mapping that is in
> > the deployment descriptor.
>
> My suggestion is a way to set up a simple principal/role mapping
> easily: principal == role.
>
> I'm worried that your scheme may be hard to set up for simple
> scenarios.
>
> The entire declarative security scheme is logically equivalent, IIUC,
> to a single map
> user --nxm-- method.
>
> Everything else is introduced to make administration and modification
> easier.
> Since users come and go frequently, the ejb model suggests at least
>
> user --nxm-- roles --nxm-- methods
>
> Your model further decomposes user --nxm-- roles to user --nxm--
> principals --nxm-- roles.

I do this because LoginModules return principals and my implementation of
JACC works w/ principals. Let me also state that the following is what is
stored in the security mapping:

principals --nxm-- roles --nxm-- methods

The mapping of user --nxm-- principals is virtually done by the LoginModule.

> I'm just suggesting that we provide a way to
> set up a trivial principal -- role mapping without explicitly listing
> all the mapping elements. This would purely be for convenience in case
> someone wanted to, logically, directly assign roles to users.

I think I understand now and agree that this is a useful case to support.
Let me state how I understand this. We're looking to support

trivial principals --1x1-- roles --nxm-- methods

where we have LoginModules that stuff trivial principals into subjects, i.e.
do the user --nxm-- trivial principals mapping. Off the top of my head, I
think that the simplification should take place in the tool that creates the
security descriptor so that it looks like

roles --nxm-- methods

to the deployer.

What do you think? Did I make sense?

Regards,
Alan
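
The shortcut discussed in this thread, sketched in Java as an added example (it is not code from either poster or from the project): a tool takes the deployer's roles --nxm-- methods view and generates the 1x1 trivial principal-to-role map, and the check then composes principals --nxm-- roles --nxm-- methods. The class, role and method names are constructed for illustration, and records need Java 16 or later.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

// Added illustration; every name here is hypothetical, not a JACC or project API.
public class TrivialMappingDemo {

    // A "trivial principal": its name is the role name itself.
    record RolePrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    // Tool step: from the role names the deployer used, generate principal == role.
    static Map<String, Set<String>> identityPrincipalToRoles(Set<String> roles) {
        Map<String, Set<String>> principalToRoles = new HashMap<>();
        for (String role : roles) principalToRoles.put(role, Set.of(role));
        return principalToRoles;
    }

    // Runtime check: compose principals -> roles -> methods for one Subject.
    static boolean isPermitted(Subject subject, String method,
            Map<String, Set<String>> principalToRoles,
            Map<String, Set<String>> roleToMethods) {
        // Only RolePrincipal instances are equated with roles, so another principal
        // type whose name happens to equal a role name grants nothing.
        for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) {
            for (String role : principalToRoles.getOrDefault(p.getName(), Set.of())) {
                if (roleToMethods.getOrDefault(role, Set.of()).contains(method)) return true;
            }
        }
        return false; // default deny
    }

    public static void main(String[] args) {
        // Constructed sample: what the deployer sees, roles --nxm-- methods.
        Map<String, Set<String>> roleToMethods = Map.of(
                "teller", Set.of("Account.getBalance", "Account.deposit"),
                "auditor", Set.of("Account.getBalance"));
        Map<String, Set<String>> principalToRoles =
                identityPrincipalToRoles(roleToMethods.keySet());

        Subject subject = new Subject(); // stands in for what a LoginModule populates
        subject.getPrincipals().add(new RolePrincipal("auditor"));
        System.out.println(isPermitted(subject, "Account.getBalance", principalToRoles, roleToMethods));
        System.out.println(isPermitted(subject, "Account.deposit", principalToRoles, roleToMethods));
    }
}
```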