Actually the way Scott Golightly and I were thinking of it originally when we came up with the scenario was that the web app was run at the bank and called the services at the brokerage.
To me, a sample app/demo is sort of like a movie - you have to ask people to suspend belief to an extent, but if you go too far they will roll their eyes and not follow along. So Scott and I were trying to come up with a believable scenario that showed the value of claims-based security (without causing an excessive refactoring of StockTrader).

Our idea was the Brokerage offers trading capabilities to banks and the banks incorporate that functionality into "branded" applications that customers of a particular bank could take advantage of. While we only have one front-end implemented, the idea is that multiple banks could implement their own front-end and use the same services provided by the brokerage, if they had the trust relationship set up.

So that was the original thinking, but if we have a strong case to change it, I'm open. :-)

-----Original Message-----
From: Pablo Cibraro [mailto:[email protected]]
Sent: Thursday, December 10, 2009 10:26 AM
To: [email protected]
Subject: RE: StockTrader Sample Documentation Updates

I agree with Nick on this. It makes much more sense to have the trader client application in the Broker security domain. The bank (The passive STS) is only authenticating the clients. We do not have a client application for the bank itself.

Regards,
Pablo.

-----Original Message-----
From: Ben Dewey [mailto:[email protected]]
Sent: Thursday, December 10, 2009 2:12 PM
To: [email protected]
Subject: RE: StockTrader Sample Documentation Updates

> Nick Wrote:
> Those statements were based off the diagram at the bottom of the second page
> of the spec attached to STONEHENGE-73 [1]. Am I misreading that?

I'd like to have Pablo's take on it. Is the scenario set up for a Brokerage Firms Web Site/Services and a Bank PassiveSTS? Seems to me that the diagram on p2 of [1] is incorrect, the website should be part of the brokerage firm.

-Ben Dewey

[1] http://issues.apache.org/jira/secure/attachment/12412416/Changes+to+Apache+Stonehenge+to+Support+Claims+Based+Security.pdf
