>>> Greg Byrd <gbyrd@xxxxxxxx> 8/11/06 1:07 PM >>>
>
> Yes, I (mostly) agree. (It's possible in some cases to detect this hijacking -- e.g., using the JAAS getSubject call -- but in general it's not possible. So passing IContext instances around should be avoided.)
>
> I looked through the API to see if there were places where we return an IContext:
>
> IContextFactory.createContext -- of course
> IDigitalSubject.getContext -- this is supposed to "return the Context that contains this DigSub"
>
> Should this second one return:
> (a) the actual Context instance that created this DigitalSubject object?
> (b) a new (unopened) Context instance?
> (c) a ContextRef?
Safest (and probably easiest to implement) would be (c). (a) exposes the security risk, and (b) causes IDigitalSubject to act a bit like a context factory. I think (c) is manageable from a consumer's POV.
> We do have methods that return IDigitalSubjects, via SubjectRelationships. These DigitalSubjects may be from different contexts. Should the relationship instead return a reference to a DigitalSubject, as in ContextRef+CUID?
I mentioned (or meant to mention) this once before as something that seemed like it needed to change. IContext has relationships with other IContexts via their contextRef (extends hasRelationships<URI>), whereas IDigitalSubject extends hasRelationships<IDigitalSubject>. I prefer what you said above (IDigitalSubject having relationships to ContextRef+CUID pairs).
> In other words, if I follow a relationship from a Subject in my opened Context to a Subject that belongs to a different (unopened) Context, and then do getContext on that Subject, what should I get?
Right, and do you even get the DS back? I mean, without an open context, how is it obtained (using what identity for authN/authZ?)
> My opinion is that getSubject should return a ContextRef,
Typo? Do you mean "getContext should return a ContextRef"?
> and that SubjectRelationship should return Iterable<IDigitalSubjectRef>.
I still prefer the ContextRef+CUID pair.
Jim