Hi David, I just wanted to list some ideas that I have on how we can bridge this gap between simple language agnostic permissions presently in Triplesec with Java permissions.
First, I want to stress why it is important to remain language and platform neutral, and I think you will agree with this line of thought. Even though the server is written in Java on top of ApacheDS, we want it to be applicable for use on any platform with any language. This way .NET, PHP and many other clients can leverage the same system.

However, as you noted, and I agree fully, in Java we need more than the presence of a permission to determine if someone is authorized to access a resource or perform some operation. This is due to the open ended nature of evaluating the implies() method of a Java permission. We can easily accommodate both this simplified use of permissions and the more complex cases where the implies() method is more involved by extending the policyPermission objectClass. As you may already know, we can create objectClass subtypes. I'm thinking we can create a javaPermission subtype which inherits from policyPermission and which contains the fully qualified class name of the permission implementation along with the parameters used to initialize it. This can be used with the implies() method of the permission to reach access control decisions.

This is something I would like to do along with reading and fully evaluating that NIST paper, so I can then look into the best way to model roles/groups in Triplesec.

Alex
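As an added example (not code from Triplesec or from the message above), here is how a javaPermission entry could be turned back into a live java.security.Permission and consulted through implies(); the attribute names javaPermissionClass, javaPermissionName and javaPermissionActions, and the assumption that the permission class takes a (String name, String actions) constructor, are mine, not part of any Triplesec schema.

```java
import java.lang.reflect.Constructor;
import java.security.Permission;
import java.util.Map;

public class JavaPermissionEntry {
    // Constructed sample entry, shaped like what a javaPermission object
    // (subtype of policyPermission) might hold once read from the directory.
    // All attribute names other than the permission name are assumed.
    static final Map<String, String> SAMPLE_ENTRY = Map.of(
        "permName", "readTmpFiles",                       // policyPermission name
        "javaPermissionClass", "java.io.FilePermission",  // fully qualified class name
        "javaPermissionName", "/tmp/-",                   // first constructor argument
        "javaPermissionActions", "read");                 // second constructor argument

    /** Rebuild the java.security.Permission described by a directory entry. */
    static Permission toPermission(Map<String, String> entry) throws Exception {
        Class<?> clazz = Class.forName(entry.get("javaPermissionClass"));
        // Reject anything that is not a Permission before touching a constructor,
        // so a mis-edited entry cannot instantiate an unrelated class.
        if (!Permission.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException("not a java.security.Permission: " + clazz);
        }
        Constructor<?> ctor = clazz.getConstructor(String.class, String.class);
        return (Permission) ctor.newInstance(
            entry.get("javaPermissionName"), entry.get("javaPermissionActions"));
    }

    /** The access decision: does the granted entry imply the requested permission? */
    static boolean authorized(Map<String, String> granted, Permission requested) throws Exception {
        return toPermission(granted).implies(requested);
    }

    public static void main(String[] args) throws Exception {
        // Three requests against the same granted entry: a read inside /tmp,
        // a write inside /tmp (action not granted), and a read outside /tmp.
        Permission readTmp = new java.io.FilePermission("/tmp/foo.txt", "read");
        Permission writeTmp = new java.io.FilePermission("/tmp/foo.txt", "write");
        Permission readEtc = new java.io.FilePermission("/etc/passwd", "read");
        System.out.println("read /tmp/foo.txt:   " + authorized(SAMPLE_ENTRY, readTmp));
        System.out.println("write /tmp/foo.txt:  " + authorized(SAMPLE_ENTRY, writeTmp));
        System.out.println("read /etc/passwd:    " + authorized(SAMPLE_ENTRY, readEtc));
    }
}
```

The point of the example is that the directory only stores the class name and its two initialization strings; the actual decision, including the wildcard handling of "/tmp/-", is delegated entirely to the permission class's own implies() logic.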
