Eric Dobbs wrote:

(snip)

> On Tuesday, January 15, 2002, at 04:55 AM, Santiago Gala wrote:

In fact, the idea came to me from a co-worker (Juan Carlos Alvarez) 
lurking around here and quite a few other lists, but so shy as to hardly 
ever post! Due homage. ;)

>
>> Separating the service into these three components/subservices will help 
>> isolate clean interfaces between them (The work is partially done, as 
>> we have a UserManager in turbine, and also an AccessController). This 
>> will help clean any implementation we do, and will allow for easy 
>> interoperation of different implementations. It will also make audits 
>> simpler, since the code of each sub-component will be simpler and 
>> more focused.
>
>
> I'm not sure how it will look in code, but I like the idea of
> several specialized and loosely coupled security services.
> Here's Santiago's three (I'll elaborate on this a bit below):
>
>> 1- Authentication
>> 2- AccessControl
>
I used this term on purpose (as we have an AccessController in Turbine), 
but it is usually called Authorization, as you point out later.

>>
>> 3- User Management/Profiling
>
Things like home directory, the passwd command, .profile, are examples 
at the OS level.

>>
I think this idea is very sound. He came to it while finding a way to 
implement LDAP authentication while keeping DB Authorization (groups, 
roles, and permissions) and Profiling (perm storage) information.

After discussion, we agreed that these services can be largely isolated, 
so that they use different implementations, because they are 
functionally independent, related through the Principal/Subject 
abstraction (using JAAS jargon) that a user gets assigned after 
successful login.

Your (snipped) elaboration on the Authorization part is nice. I think 
you could write good documents on the security service ;)
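The three sub-services joined only through a Subject/Principal, as an added Python sketch that is not Turbine code and was not posted in this thread; the class names, the in-memory tables standing in for the LDAP bind and the DB tables, and the sample user are all constructed assumptions:

```python
import hashlib, hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
@dataclass(frozen=True)
class Subject:  # what a successful login established about the caller
    principals: frozenset

class TableAuthenticator:
    """1. Authentication: proves identity only. LDAP-bind stand-in over a constructed SHA-256 table."""
    def __init__(self, users):
        self.users = users  # {name: sha256 hex digest}; sample data, not a storage scheme
    def login(self, name, password):
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(self.users.get(name, ""), digest):
            return None
        return Subject(frozenset({Principal(name)}))

class DbAccessController:
    """2. Access control: (user, group) -> roles -> permissions; DB stand-in, ignores how login happened."""
    def __init__(self, user_roles, role_perms):
        self.user_roles = user_roles  # {(user, group): {role, ...}}
        self.role_perms = role_perms  # {role: {permission, ...}}
    def has_permission(self, subject, group, permission):
        return any(permission in self.role_perms.get(role, ())
                   for p in subject.principals
                   for role in self.user_roles.get((p.name, group), ()))

class MemoryUserManager:
    """3. Profiling: per-user 'perm' storage keyed by Principal name alone."""
    def __init__(self):
        self.store = {}
    def set_perm(self, subject, key, value):
        for p in subject.principals:
            self.store.setdefault(p.name, {})[key] = value
    def get_perm(self, subject, key):
        return next((self.store[p.name][key] for p in subject.principals
                     if key in self.store.get(p.name, {})), None)

def demo():
    auth = TableAuthenticator({"alice": hashlib.sha256(b"s3cret").hexdigest()})
    acl = DbAccessController({("alice", "wiki"): {"editor"}}, {"editor": {"page.edit"}})
    profiles = MemoryUserManager()
    alice = auth.login("alice", "s3cret")
    profiles.set_perm(alice, "theme", "dark")
    return (auth.login("alice", "wrong") is None,             # no Subject issued
            acl.has_permission(alice, "wiki", "page.edit"),   # True: editor role
            acl.has_permission(alice, "blog", "page.edit"),   # False: other group
            profiles.get_perm(alice, "theme"))                # "dark"
```

Swapping TableAuthenticator for an LDAP-backed one changes nothing in the other two classes, which is the isolation the thread argues for.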


