On 18 Jan 2013, at 09:21, Jan Bernhardt wrote:

> Hi Fabio,
> 
>>> 
>>> === Renaming Service ===
>>> Rename AuthenticationController to EntitlementService(Impl), since
>>> containing methods have little to nothing to do with authentication. It is 
>>> only about Entitlements...
>> 
>> Why not AuthorizationController or AccessController? I'd prefer the first 
>> one.
>> Maybe this controller will be improved to add access controller features in
>> the near future (please, take a look at the roadmap).
> 
> I just took a look at the roadmap, and as far as I understand, authorization 
> features mentioned there are all about handling ENTITLEMENTS for different 
> realms and avoiding duplicates. REST based services are focusing on resources 
> and not processes. Authorization or AccessControl describes a process, 
> whereas Entitlement is the actual resource needed for Authorization 
> decisions. Let me give you an example. Authorization Services usually provide 
> a method like "user.hasRole(admin)"; in RESTful design this would be mapped to 
> asking for an existing resource, like 
> http://localhost:9080/entitlements/users/4711/entitlements/admin. If user with 
> id 4711 has role admin, the response would be 200 OK (maybe with entitlement 
> object in response body). If user does not have the role admin, response code 
> would be 404 NOT FOUND, hence the caller would know that user 4711 is not 
> authorized.
> 
> From this perspective, do you agree with me?

Actually, no.
In an AM scenario, the caller shouldn't know that a certain profile is 
authorized if and only if it has a certain role. This should be handled by the 
Access Manager.
Usually the caller asks for authorization to access a certain resource; the 
access manager searches against entitlements/access policies and gives back an 
answer.

This is the reason why I'd suggest using the prefix Authorization.
Of course, I think that this controller could also expose methods for 
retrieving entitlements, to be used by an administration console.

Regards,
F.
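The two REST shapes argued over in this thread, side by side, as an added illustration (this is not Syncope code and not code from either correspondent). The user ids, entitlement names, policy table and the `/authorization/users/{id}/{resource}/{action}` URL shape are constructed for the example; only the `/entitlements/users/{id}/entitlements/{name}` shape comes from the thread. The resource style answers "does user 4711 hold entitlement admin?" and so requires the caller to already know which entitlement gates an operation; the access-manager style answers "may user 4711 create users?" and keeps the policy-to-entitlement mapping on the server, denying by default when no policy exists.

```python
"""Resource-style entitlement lookup vs. access-manager-style authorization
decision. All data below is constructed sample data for the example."""

from dataclasses import dataclass, field

# Constructed: which entitlements each user currently holds.
USER_ENTITLEMENTS = {
    4711: {"admin", "user.read"},
    4712: {"user.read"},
}

# Constructed: access policies, i.e. which entitlements (any one of them)
# allow a given action on a given resource. This table is internal to the
# access manager; callers never need to see it.
ACCESS_POLICIES = {
    ("users", "create"): {"admin"},
    ("users", "read"): {"user.read", "admin"},
}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def get_entitlement(user_id: int, entitlement: str) -> Response:
    """Resource style from the thread:
    GET /entitlements/users/{id}/entitlements/{name}
    200 if the user holds the entitlement, 404 otherwise. The caller decides
    for itself what 'admin' means for the operation it is about to perform."""
    if entitlement in USER_ENTITLEMENTS.get(user_id, set()):
        return Response(200, {"user": user_id, "entitlement": entitlement})
    return Response(404)


def authorize(user_id: int, resource: str, action: str) -> Response:
    """Access-manager style: the caller asks whether user may perform
    action on resource; the manager resolves the policy and checks it
    against the user's entitlements. Unknown (resource, action) pairs have
    no policy and are denied, so a typo in a URL never grants access."""
    required = ACCESS_POLICIES.get((resource, action))
    if required is None:
        return Response(403, {"decision": "deny", "reason": "no policy"})
    held = USER_ENTITLEMENTS.get(user_id, set())
    if required & held:
        return Response(200, {"decision": "allow"})
    # The reason string deliberately does not name the missing entitlement.
    return Response(403, {"decision": "deny", "reason": "not entitled"})


def route(method: str, path: str) -> Response:
    """Minimal dispatcher for the two URL shapes (assumed, not the project's
    own routing). Non-numeric user ids are rejected with 400."""
    parts = path.strip("/").split("/")
    if method != "GET" or len(parts) != 5 or parts[1] != "users":
        return Response(404)
    try:
        user_id = int(parts[2])
    except ValueError:
        return Response(400, {"error": "user id must be numeric"})
    if parts[0] == "entitlements" and parts[3] == "entitlements":
        return get_entitlement(user_id, parts[4])
    if parts[0] == "authorization":
        # /authorization/users/{id}/{resource}/{action}
        return authorize(user_id, parts[3], parts[4])
    return Response(404)


if __name__ == "__main__":
    for p in ("/entitlements/users/4711/entitlements/admin",
              "/entitlements/users/4712/entitlements/admin",
              "/authorization/users/4712/users/create",
              "/authorization/users/4712/users/read",
              "/authorization/users/4711/reports/read"):
        print(p, "->", route("GET", p))
```

In the resource style the 200/404 pair is itself the authorization answer, so every client must embed the role-to-operation mapping; in the decision style that mapping changes in one place (the policy table) and the response carries only allow/deny.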

