Re: [higgins-dev] AuthN for an open context

The scenario I was describing matches your second guess. The solution from Raj (as I understood it) would mean the service would just call open() each time it wanted to re-auth as a different user. Your solution I think is similar... yet different :-)

>>> Greg Byrd <gbyrd@xxxxxxxx> 7/26/06 8:06 AM >>>
Jim,

If I understand the scenario below, your middle-tier service is the
Context Provider.  In that case, each user authenticates with the
Context Provider (via open), and the Provider then does whatever it
needs to get to the LDAP data (which might mean passing the user's
credentials to the LDAP directory).  If this is correct, then I agree
with Raj -- as far as the IdAS API is concerned, each user opens the
Context; the Context Provider implementation is free to use some sort of
long-lived connection with re-auth if it can, but it's under the covers
as far as the IdAS user is concerned.

But perhaps you mean that the middle-tier service is the one making
requests to IdAS?  In that case, the Context could be implemented so
that multiple Contexts could share an existing long-lived back-end
connection, and each could present its user's credentials (assuming one
Context object is created for each open) as needed.

...Greg




> To clarify the requirement, it's like this: A (middle-tier) service is
> being consumed by a number of users. As each user performs some
> action, the service must (ultimately) perform an LDAP bind operation
> as that user, then read that user's attributes (this should be done
> using a long-lived LDAP connection). That user's identity is the only
> one with permissions to read the required attributes. We want to do
> this with Higgins. You're right, this may not be the most common
> use-case, but it's one we have. Other use-cases requiring the
> functionality include things like switching between superuser and anon
> on the same connection.


_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev
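
The second design in Greg's message (one Context object per open, all sharing a long-lived back-end connection and each presenting its own user's credentials) can be modelled as below. This is an added example, not part of the thread and not Higgins or IdAS code: `BackendConnection`, `Context`, `open_context` and the in-memory `DIRECTORY` are hypothetical names and constructed data standing in for the LDAP directory.

```python
import hmac
import threading

# Constructed stand-in for the LDAP directory: DN -> (password, attributes).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": ("alice-pw", {"mail": "alice@example.org"}),
    "uid=bob,ou=people,dc=example,dc=org": ("bob-pw", {"mail": "bob@example.org"}),
}

class BackendConnection:
    """One long-lived connection; bound_dn models the bind state (hypothetical)."""
    def __init__(self):
        self.lock = threading.Lock()
        self.bound_dn = None  # None means anonymous

    def bind(self, dn, password):
        # Drop the old identity first: a failed re-bind must not leave
        # the connection bound as the previous user.
        self.bound_dn = None
        stored = DIRECTORY.get(dn)
        if stored is None or not hmac.compare_digest(stored[0].encode(), password.encode()):
            raise PermissionError("invalid credentials")
        self.bound_dn = dn

    def read(self, dn):
        # Models the thread's rule: only the user's own identity may read the entry.
        if self.bound_dn != dn:
            raise PermissionError("insufficient access")
        return dict(DIRECTORY[dn][1])

class Context:
    """Hypothetical per-user Context: one object per open, shared connection."""
    def __init__(self, conn, dn, password):
        self._conn, self._dn, self._password = conn, dn, password

    def get_attributes(self):
        # Re-bind and read under one lock so another Context cannot
        # switch the connection's identity between the two operations.
        with self._conn.lock:
            self._conn.bind(self._dn, self._password)
            return self._conn.read(self._dn)

def open_context(conn, dn, password):
    """Hypothetical open(): authenticate once, then hand back a Context."""
    with conn.lock:
        conn.bind(dn, password)
    return Context(conn, dn, password)
```
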