[higgins-dev] Re: IdAS user accounts management proposals

If this turns out to be a complaint at the way the JNDI CP is leaving the underlying connection in an incorrect authZ state when authenticating with AuthNSelfIssuedMaterials, I entered this defect: https://bugs.eclipse.org/bugs/show_bug.cgi?id=211945


I thought we had already entered it (we've talked about it a number of times), but it looks like we didn't get around to it.


Jim

>>> "Sergey Lyakhov" <slyakhov@xxxxxxxxxxxxxx> 12/04/07 11:50 AM >>>
Jim,

It seems the current implementation of authentication in IdAS (both the JNDI CP
and the Jena CP) using AuthNSelfIssuedMaterials credentials has a weakness. When
a user gets a managed card with the self-issued token credential type, we open
the IdAS context with the user's username/password credential, and store the PPID
value of the self-issued card as the "cardKeyHash" attribute value of the
DigitalSubject (where profile data is stored). So, we are storing "PPID"
credential data as user data. Then, when we perform PPID-based authentication,
we open the IdAS context using some credentials (not related to the owner of the
required profile), and select the DigitalSubject (profile) by the "cardKeyHash"
attribute. Really, it does not look like the right implementation of PPID-based
authentication. I suppose we need to add to the IdAS interfaces the ability to
manage IdAS user accounts and support for multi-credential authentication.


Maybe there is some sense in making the following changes:

1. Add a new interface IUserAccount with methods:
a) getCredentials() - return all credentials of the user which can be used
by this user for authentication in the Context;
b) getCredentialByType(credentialType);
c) addCredential() - add a new credential (like a username/password
credential);
d) removeCredential();

2. Add to IContext the following methods:
a) getSupportedCredentialTypes();

b) buildCredential(credentialType);
c) createUserAccount();
d) removeUserAccount();
e) getUserAccounts();
f) getUserAccount(credential);

3. Change IContext.open(Object credentials) to return an instance of
IUserAccount instead of  ID of "default" DigitalSubject.

4. Also we propose to add a role-based authorization mechanism in the following way:
a) extend IUserAccount with methods
    setRole() - assign the Role to the User
    getRoles() - get all the Roles which user has been assigned
b) extend IContext with methods
    createUserRole()
    deleteUserRole()
    getUserRoles()
    getUserAccountsByRole()
c) extend IDigitalSubject with methods
    setPermission(permissions, roles);
    clearPermission(permissions);
    or IContext with same methods
    setPermissions(subjectId, permissions, roles);
    clearPermissions(subjectId, permissions, roles);
    permissions - read/modify/delete etc.


Thanks,
Sergey Lyakhov
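The account and credential model sketched in the proposal above, as an added Java example that is not part of this thread or of the Higgins IdAS code base. It assumes hypothetical in-memory classes (Credential, UserAccount, InMemoryContext) and constructed sample values; it shows open(credential) authenticating the presented credential itself and returning the account that owns it, rather than opening the context with unrelated credentials and searching subjects by a "cardKeyHash" attribute, plus a role-based permission check in the style of setPermissions(subjectId, permissions, roles).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;

// A credential as presented to open(): a type plus its secret material.
// Type names "password" and "ppid" are constructed for this example.
final class Credential {
    final String type;
    final byte[] material;
    Credential(String type, String material) {
        this.type = type;
        this.material = material.getBytes(StandardCharsets.UTF_8);
    }
}

// Hypothetical stand-in for the proposed IUserAccount interface.
interface IUserAccount {
    String getId();
    Set<String> getCredentialTypes();       // stands in for getCredentials()
    void addCredential(Credential c);
    void removeCredential(String type);
    void setRole(String role);
    Set<String> getRoles();
}

final class UserAccount implements IUserAccount {
    private final String id;
    // type -> SHA-256(material). The account, not a profile attribute, owns the credential.
    // A real store would use a salted, slow password hash for the "password" type.
    private final Map<String, byte[]> hashes = new HashMap<>();
    private final Set<String> roles = new HashSet<>();

    UserAccount(String id) { this.id = id; }
    public String getId() { return id; }
    public Set<String> getCredentialTypes() { return Collections.unmodifiableSet(hashes.keySet()); }
    public void addCredential(Credential c) { hashes.put(c.type, InMemoryContext.sha256(c.material)); }
    public void removeCredential(String type) { hashes.remove(type); }
    public void setRole(String role) { roles.add(role); }
    public Set<String> getRoles() { return Collections.unmodifiableSet(roles); }

    // Constant-time comparison of the presented material against the stored hash for its type.
    boolean matches(Credential c) {
        byte[] stored = hashes.get(c.type);
        return stored != null && MessageDigest.isEqual(stored, InMemoryContext.sha256(c.material));
    }
}

// Hypothetical in-memory context carrying the proposed IContext additions.
final class InMemoryContext {
    private final Map<String, UserAccount> accounts = new HashMap<>();
    // subjectId -> permission -> roles allowed to exercise it
    private final Map<String, Map<String, Set<String>>> acl = new HashMap<>();

    static byte[] sha256(byte[] in) {
        try { return MessageDigest.getInstance("SHA-256").digest(in); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    IUserAccount createUserAccount(String id) {
        UserAccount a = new UserAccount(id);
        accounts.put(id, a);
        return a;
    }

    // open() returns the IUserAccount that owns the presented credential, or fails.
    // No caller-supplied "unrelated" credentials and no attribute search are involved.
    IUserAccount open(Credential presented) {
        for (UserAccount a : accounts.values()) {
            if (a.matches(presented)) return a;
        }
        throw new SecurityException("authentication failed for credential type " + presented.type);
    }

    void setPermissions(String subjectId, String permission, Set<String> roles) {
        acl.computeIfAbsent(subjectId, k -> new HashMap<>()).put(permission, new HashSet<>(roles));
    }

    boolean isPermitted(IUserAccount account, String subjectId, String permission) {
        Set<String> allowed = acl.getOrDefault(subjectId, Collections.emptyMap()).get(permission);
        if (allowed == null) return false;
        for (String r : account.getRoles()) if (allowed.contains(r)) return true;
        return false;
    }

    public static void main(String[] args) {
        InMemoryContext ctx = new InMemoryContext();
        IUserAccount alice = ctx.createUserAccount("alice");
        alice.addCredential(new Credential("password", "correct horse battery staple")); // constructed
        alice.addCredential(new Credential("ppid", "PPID-of-alices-self-issued-card"));  // constructed
        alice.setRole("owner");
        ctx.setPermissions("subject:alice-profile", "modify", Set.of("owner"));

        IUserAccount opened = ctx.open(new Credential("ppid", "PPID-of-alices-self-issued-card"));
        System.out.println("opened as " + opened.getId() + ", modify allowed: "
                + ctx.isPermitted(opened, "subject:alice-profile", "modify"));
        try {
            ctx.open(new Credential("ppid", "PPID-of-someone-else"));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile with javac and run `java InMemoryContext`; the first open() succeeds as "alice" with "modify" permitted through the "owner" role, and the second is rejected because no account owns that PPID. The point of the design is that the PPID is a credential bound to an account and verified by the context, so a context opened with one user's credentials can never be steered to another user's profile by a matching attribute value.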

