Re: [higgins-dev] Two proposed IdAS changes

I'll go ahead and add these for now -- we can always remove/change them if they turn out to be spurious/wrong.

Jim

Tom Doman wrote:
2) Will IdAS consumers need a method to open a context without a specific identity in mind?  Seems like they will need this ability and I can think of two possible additional "materials" they might want to pass in this case, AuthNAnonymousMaterials and AuthNLeastPrivilegedUserMaterials.  I'm assuming anonymous access is self-explanatory so I'll explain "Least Privileged User" (LPU) a bit more.  An application consuming IdAS may require specific rights to the underlying store to accomplish the tasks it has been designed to accomplish.  The configurer of the CPs in the system has the knowledge and ability to define an identity as which the IdAS consumer may perform its required tasks successfully.  We already need this concept anyway in cases where the supplied AuthN materials do not actually allow the underlying CP to truly "authenticate" the identity to the underlying back-end service (i.e., AuthNSelfIssuedMaterials allows the LDAP CP to identify an identity but not to authenticate as that identity, while AuthNNamePasswordMaterials does).  In other words, the CP may be required to run as the LPU on behalf of or in proxy of the identity we're really "opening" the context as.  The LPU is just another DS and should be able to be represented as such.  Defining these materials would also allow CP implementors to treat a "null" identity passed to open as unsupported rather than perhaps assigning "anonymous" or "LPU".

Tom

Jim Sermersheim <jimse@xxxxxxxxxx> 01/09/07 6:42 PM >>>
1) We have a need for an IdAS consumer to be able to open a context 
using some authN materials, and then read the attributes of the DS 
representing the identity in the authN materials used to open the 
context.  These authN materials don't contain the cuid of the DS.  They 
may or may not contain attributes which could be used to search for the 
DS but this can't be relied on.  Therefore, we propose that 
IContext.open return a String which is the cuid of the DS representing 
the identity in the authN materials used to open the context (if any). 
The string may be null when the identity is not represented by any 
specific DS in the context. 

Existing CPs and IdAS consumers would need to be updated for this change.

2) We realized the current AuthNNamePasswordMaterials can be seen as 
similar to other kinds of AuthNMaterials.  One thing many different 
kinds of AuthNMaterials seem to have in common is that they contain a 
set of properties that identify the identity.  The proposal is to do this:
public interface org.eclipse.higgins.idas.IAuthNPropertiesMaterials extends IHasProperties
public class org.eclipse.higgins.idas.impl.AuthNPropertiesMaterials extends BasicPropertySet implements IAuthNPropertiesMaterials
public class org.eclipse.higgins.idas.impl.AuthNNamePasswordMaterials extends AuthNPropertiesMaterials
public class org.eclipse.higgins.idas.impl.AuthNSelfIssuedMaterials extends AuthNPropertiesMaterials

Where AuthNNamePasswordMaterials and AuthNSelfIssuedMaterials have 
get/set methods for name/pw and ppid/publicKey respectively, and where 
the implementations store these values as properties.

This way a Context Provider can implement IContext.open by examining the 
class of the passed identity.  If it's something specific like 
AuthNNamePasswordMaterials, it might know exactly what can be done with 
it.  Failing that, it may discover that it implements 
IAuthNPropertiesMaterials and therefore, the property set may be 
interrogated in order to see if it constitutes a set of attributes which 
are suitable for describing an identity which can be used to open the 
context.

Existing CPs and IdAS consumers currently implementing or making use of 
org.eclipse.higgins.idas.AuthNNamePasswordMaterials would need to be 
updated for this change.

Jim
_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx 
https://dev.eclipse.org/mailman/listinfo/higgins-dev
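The two proposals above and Tom's follow-up describe an API shape in prose only. The following is an added worked example written for this archive page; it is not Higgins code and does not use the real org.eclipse.higgins packages. IHasProperties and BasicPropertySet are hypothetical stand-ins for the Higgins types the proposal builds on, DemoContext, LPU_CUID, the property names ("name", "password", "ppid", "publicKey") and the in-memory directory are all constructed for the illustration, and the real IContext.open signature is not assumed beyond what the thread states: it is handed some materials object and returns a cuid String or null. The example shows the property-backed materials hierarchy from proposal 2, a CP open() that dispatches on the concrete class first and falls back to interrogating IAuthNPropertiesMaterials, the cuid/null return from proposal 1, and Tom's point that null materials should be rejected rather than silently treated as anonymous or LPU.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not Higgins code. IHasProperties and BasicPropertySet are
// hypothetical stand-ins for the Higgins types the proposal builds on.
interface IHasProperties {
    Map<String, Object> getProperties();
}
class BasicPropertySet implements IHasProperties {
    private final Map<String, Object> props = new LinkedHashMap<>();
    public Map<String, Object> getProperties() { return props; }
    public void set(String name, Object value) { props.put(name, value); }
    public Object get(String name) { return props.get(name); }
}
// Proposal 2: the property-carrying kinds share IAuthNPropertiesMaterials so a CP
// that does not know the concrete class can still inspect the property set.
interface IAuthNPropertiesMaterials extends IHasProperties {}
class AuthNPropertiesMaterials extends BasicPropertySet implements IAuthNPropertiesMaterials {}
// Typed accessors that keep their values as properties, as the proposal describes.
class AuthNNamePasswordMaterials extends AuthNPropertiesMaterials {
    AuthNNamePasswordMaterials(String name, char[] password) { set("name", name); set("password", password); }
    public String getName() { return (String) get("name"); }
    public char[] getPassword() { return (char[]) get("password"); }
}
class AuthNSelfIssuedMaterials extends AuthNPropertiesMaterials {
    AuthNSelfIssuedMaterials(String ppid, byte[] publicKey) { set("ppid", ppid); set("publicKey", publicKey); }
    public String getPpid() { return (String) get("ppid"); }
    public byte[] getPublicKey() { return (byte[]) get("publicKey"); }
}
// Tom's two additions, as explicit types rather than a null argument.
final class AuthNAnonymousMaterials {}
final class AuthNLeastPrivilegedUserMaterials {}

// Toy context provider. Proposal 1: open() returns the cuid of the DS representing the
// identity in the materials, or null when no DS in the context represents it.
class DemoContext {
    static final String LPU_CUID = "cuid:svc-idas";                        // configured by whoever deploys the CP
    private final Map<String, String> nameByCuid = new LinkedHashMap<>();   // constructed sample directory
    private final Map<String, byte[]> pwHashByCuid = new LinkedHashMap<>(); // plain SHA-256 only to keep the sample free
    private final Map<String, String> cuidByPpid = new LinkedHashMap<>();   // of plaintext; a real store needs a salted, slow hash

    DemoContext() {
        nameByCuid.put("cuid:1001", "alice");
        pwHashByCuid.put("cuid:1001", sha256("correct horse".toCharArray()));
        cuidByPpid.put("ppid-alice", "cuid:1001");
    }

    String open(Object materials) {
        if (materials == null)  // Tom's point: refuse null rather than silently treating it as anonymous or LPU
            throw new UnsupportedOperationException("pass AuthNAnonymousMaterials or AuthNLeastPrivilegedUserMaterials explicitly");
        if (materials instanceof AuthNAnonymousMaterials) return null;           // no DS stands for anonymous
        if (materials instanceof AuthNLeastPrivilegedUserMaterials) return LPU_CUID;
        if (materials instanceof AuthNNamePasswordMaterials) {                    // concrete class known: authenticate
            AuthNNamePasswordMaterials np = (AuthNNamePasswordMaterials) materials;
            return bind(np.getName(), np.getPassword());
        }
        if (materials instanceof AuthNSelfIssuedMaterials) {
            // Identifies a DS by ppid but cannot authenticate to the backend as it: the CP
            // would do its work as the LPU while still reporting the identified DS's cuid.
            String cuid = cuidByPpid.get(((AuthNSelfIssuedMaterials) materials).getPpid());
            if (cuid == null) throw new SecurityException("unknown ppid");
            return cuid;
        }
        if (materials instanceof IAuthNPropertiesMaterials) {                     // generic fallback: interrogate the properties
            Map<String, Object> p = ((IAuthNPropertiesMaterials) materials).getProperties();
            Object name = p.get("name"), pw = p.get("password");
            if (name instanceof String && pw instanceof char[]) return bind((String) name, (char[]) pw);
        }
        throw new UnsupportedOperationException("unsupported materials: " + materials.getClass().getName());
    }

    private String bind(String name, char[] password) {
        for (Map.Entry<String, String> e : nameByCuid.entrySet()) {
            if (!e.getValue().equals(name)) continue;
            // MessageDigest.isEqual compares in constant time, so timing does not reveal a partial match
            if (MessageDigest.isEqual(pwHashByCuid.get(e.getKey()), sha256(password))) return e.getKey();
            break;
        }
        throw new SecurityException("authentication failed");
    }

    static byte[] sha256(char[] pw) {
        try { return MessageDigest.getInstance("SHA-256").digest(new String(pw).getBytes(StandardCharsets.UTF_8)); }
        catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        DemoContext ctx = new DemoContext();
        System.out.println(ctx.open(new AuthNNamePasswordMaterials("alice", "correct horse".toCharArray())));
        System.out.println(ctx.open(new AuthNSelfIssuedMaterials("ppid-alice", new byte[] {1, 2, 3})));
        System.out.println(ctx.open(new AuthNAnonymousMaterials()) + " / " + ctx.open(new AuthNLeastPrivilegedUserMaterials()));
        AuthNPropertiesMaterials generic = new AuthNPropertiesMaterials();   // the CP sees only the generic interface
        generic.set("name", "alice");
        generic.set("password", "correct horse".toCharArray());
        System.out.println(ctx.open(generic));
        try { ctx.open(null); } catch (UnsupportedOperationException e) { System.out.println("null rejected: " + e.getMessage()); }
    }
}
```

Save as DemoContext.java and run with `javac DemoContext.java && java DemoContext`. Two design points are worth noting. Returning the LPU's own cuid from open() keeps proposal 1 honest: a consumer that opened the context with self-issued materials learns which DS it was identified as, while a consumer that opened it as the LPU learns that the context is acting as the service identity, not as any end user. Treating a null materials argument as unsupported fails closed; if open() instead defaulted to anonymous or LPU, a caller that forgot to pass materials would silently get either less access than it expected or, worse, the configured service identity's rights.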