[higgins-dev] Authentication (was [IdAS] Context open/close semantics)

>>> Greg Byrd <gbyrd@xxxxxxxx> 8/10/06 8:59 AM >>>
>
>Considering your earlier point about multiple back-end data stores, what
>does "authenticate against IdAS" mean in general?   In delegate mode,
>this is pretty obvious.  But in passthrough mode (which your examples
>seem to imply), does this mean "force an authentication to all backing
>stores for a particular IContext"?
>
>I could see a testAccess method or something to force authentication
>using the identity passed in during the open call, if that seems
>useful.  (But I'd still want to know what "force authentication" means
>with respect to a particular Context that's fronting other Contexts or
>multiple data stores in different authentication domains.)

After more consideration, I think if we have a way of effectively saying "authenticate this user, and return the outcome (success or fail)", then any given CP can decide (or be configured to know) exactly what that means.
 
It would be nice to have only one method which takes a user's authN materials. So I'm in favor of open() allowing a bool (bEagerAuthN), or adding an authenticate and moving the identity argument to that method (this would force all consumers to obtain a context, call open() then authenticate() -- ugh).

<snip>
 
Jim
