Re: [higgins-dev] whoami (was [IdAS] Context open/close semantics)
Yes, I (mostly) agree. (It's possible in some cases to detect this hijacking -- e.g., using the JAAS getSubject call -- but in general it's not possible. So passing IContext instances around should be avoided.)

I looked through the API to see if there were places where we return an IContext:

IContextFactory.createContext -- of course
IDigitalSubject.getContext -- this is supposed to "return the Context that contains this DigSub"

Should this second one return:
(a) the actual Context instance that created this DigitalSubject object?
(b) a new (unopened) Context instance?
(c) a ContextRef?

We do have methods that return IDigitalSubjects, via SubjectRelationships. These DigitalSubjects may be from different contexts. Should the relationship instead return a reference to a DigitalSubject, as in ContextRef+CUID?

In other words, if I follow a relationship from a Subject in my opened Context to a Subject that belongs to a different (unopened) Context, and then do getContext on that Subject, what should I get?

My opinion is that getSubject should return a ContextRef, and that SubjectRelationship should return Iterable<IDigitalSubjectRef>.
...Greg
Jim Sermersheim wrote:
>>> Greg Byrd <gbyrd@xxxxxxxx> 8/10/06 8:59 AM >>>
<snip>
>I'm not yet in favor of the whoami call. I guess I'm worried about
>someone random querying a Context and getting my identity object, which
>might contain private credentials.
<snip>
If there were a way for someone to randomly query a Context and gain access to your private credentials via a whoami method, then there is a serious security problem regardless of that method. If I (Jim) can somehow obtain a Context that you (Greg) originally opened with your credentials, then I am now essentially you. I can read and update anything you have privileges to. For some CP's this includes your credentials (even without a whoami method).

Applications need to be written in such a way as to not share authenticated Contexts among non-trusted parties.
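The design point argued in this thread, as an added illustration that is not Higgins/IdAS code (ContextRef, DigitalSubjectRef, Context and ContextFactory below are simplified stand-ins for the interfaces discussed, and the context ids, principals and passwords are constructed sample data): a relationship that hands out ContextRef + CUID instead of an opened IContext cannot act as a bearer capability, because whoever follows the reference has to open the target Context with their own credentials.

```java
import java.util.Map;

// A ContextRef only names a Context; holding one conveys no privilege.
record ContextRef(String id) {}

// Cross-context reference: ContextRef + CUID, never an opened Context.
record DigitalSubjectRef(ContextRef context, String cuid) {}

// An opened Context is bound to the principal whose credentials opened it.
final class Context {
    final ContextRef ref;
    final String openedBy;
    private final Map<String, String> subjects; // cuid -> display name (constructed)

    Context(ContextRef ref, String openedBy, Map<String, String> subjects) {
        this.ref = ref; this.openedBy = openedBy; this.subjects = subjects;
    }

    String getSubject(String cuid) { return subjects.get(cuid); }

    // Following a relationship yields only a reference, not an opened Context.
    DigitalSubjectRef relationshipTo(ContextRef other, String cuid) {
        return new DigitalSubjectRef(other, cuid);
    }
}

// Stand-in for IContextFactory: every open re-authenticates the caller.
final class ContextFactory {
    // Constructed sample: context id -> (principal -> password)
    private static final Map<String, Map<String, String>> ACL = Map.of(
        "ctx-engineering", Map.of("greg", "g-pw"),
        "ctx-payroll", Map.of("jim", "j-pw"));

    Context openContext(ContextRef ref, String principal, String password) {
        Map<String, String> allowed = ACL.get(ref.id());
        if (allowed == null || !password.equals(allowed.get(principal))) {
            throw new SecurityException(principal + " may not open " + ref.id());
        }
        return new Context(ref, principal, Map.of("cuid-1", "Alice", "cuid-2", "Bob"));
    }

    // Resolving a reference uses the caller's credentials, not the referrer's.
    String resolve(DigitalSubjectRef sref, String principal, String password) {
        return openContext(sref.context(), principal, password).getSubject(sref.cuid());
    }
}

public class RefDemo {
    public static void main(String[] args) {
        ContextFactory f = new ContextFactory();
        Context gregs = f.openContext(new ContextRef("ctx-engineering"), "greg", "g-pw");
        DigitalSubjectRef ref = gregs.relationshipTo(new ContextRef("ctx-payroll"), "cuid-2");
        System.out.println(f.resolve(ref, "jim", "j-pw")); // Jim opens payroll himself: Bob
        try { f.resolve(ref, "greg", "g-pw"); }            // Greg holds the ref but no payroll access
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Contrast this with handing Jim the `Context` object that Greg opened: nothing in that object re-checks who is calling, which is exactly the "I am now essentially you" problem described above.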
_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev