On Monday, January 5, 2004, at 12:17 PM, Cabrera, Alan wrote:
-----Original Message----- From: David Jencks [mailto:[EMAIL PROTECTED]
On Monday, January 5, 2004, at 04:20 AM, Alan D. Cabrera wrote:
<snip> OK, this makes sense. However, there are a lot of levels of indirection (let's assume there is only one realm):
user --nXm-- principal --nxm-- role --nxm-- method
If there is only one realm and it is easy to specify the principals each user gets in the login system, it might be worthwhile to provide a shortcut security mapping that equated roles and principals. Does this make any sense?
I'm not clear on what this shortcut security mapping is and why it's needed. It kind of sounds like the principal/role mapping that is in the deployment descriptor.
My suggestion is a way to set up a simple principal/role mapping easily: principal == role.
I'm worried that your scheme may be hard to set up for simple scenarios.
The entire declarative security scheme is logically equivalent, IIUC, to a single map user --nxm-- method.
Everything else is introduced to make administration and modification easier. Since users come and go frequently, the ejb model suggests at least
user --nxm-- roles --nxm-- methods
Your model further decomposes user --nxm-- roles to user --nxm-- principals --nxm-- roles.
I do this because LoginModules return principals and my implementation of
JACC works w/ principals. Let me also state that the following is what is
stored in the security mapping:
principals --nxm-- roles --nxm-- methods
The mapping of user --nxm-- principals is virtually done by the LoginModule.
I'm just suggesting that we provide a way to set up a trivial principal -- role mapping without explicitly listing all the mapping elements. This would purely be for convenience in case someone wanted to, logically, directly assign roles to users.
I think I understand now and agree that this is a useful case to support.
Let me state how I understand this. We're looking to support
trivial principals --1x1-- roles --nxm-- methods
where we have LoginModules that stuff trivial principals into subjects, i.e.
do the user --nxm-- trivial principals mapping. Off the top of my head, I
think that the simplification should take place in the tool that creates the
security descriptor so that it looks like
roles --nxm-- methods
to the deployer.
What do you think? Did I make sense?
I think we agree. One thing I'm not sure of is what and where the deployment tool is. If the geronimo xml is input to it, a shorter notation for the trivial 1x1 mapping would be desirable. If geronimo xml is output from the tool, a shorter notation would be unnecessary.
Thanks david
Regards, Alan
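The chain discussed in this thread (principals to roles to methods, with the optional trivial mapping principal == role), as an added Java example that is not Geronimo code or code from either poster. The class `RoleMappingExample`, its methods and the sample names are hypothetical; only `Principal` and `Subject` are real JDK types, and records need Java 16 or later.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

// Added illustration; class and method names are hypothetical, not Geronimo's.
public class RoleMappingExample {
    // Minimal Principal, standing in for what a LoginModule puts into a Subject.
    record NamedPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    private final Map<String, Set<String>> principalToRoles = new HashMap<>(); // explicit n x m
    private final Map<String, Set<String>> roleToMethods = new HashMap<>();    // n x m
    private final boolean trivialMapping; // shortcut: principal name == role name

    RoleMappingExample(boolean trivialMapping) { this.trivialMapping = trivialMapping; }

    void mapPrincipal(String principal, String... roles) {
        principalToRoles.computeIfAbsent(principal, k -> new HashSet<>()).addAll(List.of(roles));
    }
    void permit(String role, String... methods) {
        roleToMethods.computeIfAbsent(role, k -> new HashSet<>()).addAll(List.of(methods));
    }

    Set<String> rolesOf(Subject subject) {
        Set<String> roles = new TreeSet<>();
        for (Principal p : subject.getPrincipals()) {
            roles.addAll(principalToRoles.getOrDefault(p.getName(), Set.of()));
            // The shortcut only applies to names declared as roles, so an
            // unrelated principal never turns into a role by accident.
            if (trivialMapping && roleToMethods.containsKey(p.getName())) roles.add(p.getName());
        }
        return roles;
    }

    boolean mayInvoke(Subject subject, String method) { // default deny
        return rolesOf(subject).stream()
                .anyMatch(r -> roleToMethods.getOrDefault(r, Set.of()).contains(method));
    }

    public static void main(String[] args) {
        Subject alice = new Subject();
        alice.getPrincipals().add(new NamedPrincipal("manager")); // constructed sample
        for (boolean trivial : new boolean[] {true, false}) {
            RoleMappingExample m = new RoleMappingExample(trivial);
            m.permit("manager", "approve"); // all the deployer writes: roles -> methods
            boolean before = m.mayInvoke(alice, "approve");
            m.mapPrincipal("manager", "manager"); // the explicit entry the shortcut saves
            System.out.println("trivial=" + trivial + " before=" + before
                    + " after=" + m.mayInvoke(alice, "approve"));
        }
    }
}
```

With the shortcut off, the call is denied until the explicit principal/role entry exists, which is the per-principal listing the trivial mapping is meant to spare the deployer.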