[Eric Dobbs Wrote]
> <AuthorizationPolicy>
>   <grant>
>     <principal class="o.a.t.security.turbine.Role">
>       Anonymous
>     </principal>
>     <scope name="PublishedArticles">
>       <permission>ReadArticle</permission>
>     </scope>
>   </grant>
>   ...
> </AuthorizationPolicy>

It's looking like a reasonable proposition, but...

An example that was quoted a while back in this thread was the way in which Scarab uses the concept of projects to provide permission macro sets within an application. How would this be accomplished with the proposed DTD? Would this require an extension to the DTD, or have I missed something?

I assume that each application will have its own <AuthorizationPolicy> entry? How would this affect the idea of single login for all applications? For that matter (a little off subject), how would single login be accomplished?

> The authentication code might look like this:
>
> SecurityManager sm = SecurityManager.getInstance();
> try
> {
>     TurbineSubject subject = sm.getSubject(userid,password);

I know this wasn't intended to explain authorisation, but I flinch every time I see a userid and password pair passed as parameters between top-level classes. This is one aspect of JAAS I would like to see adopted in Turbine. I would like to use certificate-based login to Turbine. The current Turbine implementation makes this a little difficult due to the explicit use of user and password in the SecurityService interface.

> The tool would load that XML security policy into
> memory when it is initialized.

So that the Policy can be edited online, wouldn't it be better to have the Policy in a DB, or similar? Or add the flexibility to configure it. This would also be a nice concept to utilise from JAAS.

Sorry that there are so many questions and no solutions. Believe it or not, I like the general direction you're taking this; it just needs more polish. :-)

Chris
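The quoted policy structure, evaluated as an added example: this is not code from Eric Dobbs's proposal or from Turbine. The `PolicyEvaluator` class, its `isGranted` method, and the extra `Editor` grant with a `Drafts` scope are constructed here for illustration; only the `AuthorizationPolicy`/`grant`/`principal`/`scope`/`permission` element names and the `Anonymous` grant come from the message above. It loads the XML into memory, as the tool in the thread is described as doing, and answers whether a principal holds a permission in a scope, denying anything the policy does not explicitly grant.

```java
import java.io.StringReader;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Evaluates a grant-based AuthorizationPolicy document with default-deny semantics. */
public class PolicyEvaluator {

    // Constructed sample policy. The Anonymous grant mirrors the one quoted in the thread;
    // the Editor grant and the Drafts scope are invented here to give a second principal
    // and a second scope to compare against.
    static final String SAMPLE_POLICY =
        "<AuthorizationPolicy>"
      + "  <grant>"
      + "    <principal class=\"o.a.t.security.turbine.Role\">Anonymous</principal>"
      + "    <scope name=\"PublishedArticles\">"
      + "      <permission>ReadArticle</permission>"
      + "    </scope>"
      + "  </grant>"
      + "  <grant>"
      + "    <principal class=\"o.a.t.security.turbine.Role\">Editor</principal>"
      + "    <scope name=\"PublishedArticles\">"
      + "      <permission>ReadArticle</permission>"
      + "      <permission>EditArticle</permission>"
      + "    </scope>"
      + "    <scope name=\"Drafts\">"
      + "      <permission>EditArticle</permission>"
      + "    </scope>"
      + "  </grant>"
      + "</AuthorizationPolicy>";

    /** principal key ("class|name") -> scope name -> set of permission names. */
    private final Map<String, Map<String, Set<String>>> grants = new HashMap<>();

    // A principal is identified by its class attribute and its name, so a Role named
    // "Anonymous" and some other principal type named "Anonymous" never collide.
    static String principalKey(String principalClass, String principalName) {
        return principalClass + "|" + principalName;
    }

    /** Parses the policy XML. DOCTYPE declarations are refused so that a policy which is
     *  edited online or loaded from a database cannot carry external entity references. */
    static PolicyEvaluator parse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));

        PolicyEvaluator policy = new PolicyEvaluator();
        NodeList grantNodes = doc.getDocumentElement().getElementsByTagName("grant");
        for (int i = 0; i < grantNodes.getLength(); i++) {
            Element grant = (Element) grantNodes.item(i);
            Element principal = (Element) grant.getElementsByTagName("principal").item(0);
            // The quoted policy is pretty-printed, so surrounding whitespace is not part of the name.
            String key = principalKey(principal.getAttribute("class"), principal.getTextContent().trim());
            Map<String, Set<String>> scopes = policy.grants.computeIfAbsent(key, p -> new HashMap<>());

            NodeList scopeNodes = grant.getElementsByTagName("scope");
            for (int j = 0; j < scopeNodes.getLength(); j++) {
                Element scope = (Element) scopeNodes.item(j);
                Set<String> perms = scopes.computeIfAbsent(scope.getAttribute("name"), s -> new HashSet<>());
                NodeList permNodes = scope.getElementsByTagName("permission");
                for (int k = 0; k < permNodes.getLength(); k++) {
                    perms.add(permNodes.item(k).getTextContent().trim());
                }
            }
        }
        return policy;
    }

    /** True only when an explicit grant exists for this principal, scope and permission. */
    boolean isGranted(String principalClass, String principalName, String scope, String permission) {
        Map<String, Set<String>> scopes = grants.get(principalKey(principalClass, principalName));
        if (scopes == null) {
            return false;
        }
        Set<String> perms = scopes.get(scope);
        return perms != null && perms.contains(permission);
    }

    public static void main(String[] args) throws Exception {
        PolicyEvaluator policy = parse(SAMPLE_POLICY);
        String role = "o.a.t.security.turbine.Role";
        System.out.println("Anonymous ReadArticle in PublishedArticles: "
            + policy.isGranted(role, "Anonymous", "PublishedArticles", "ReadArticle"));
        System.out.println("Anonymous EditArticle in PublishedArticles: "
            + policy.isGranted(role, "Anonymous", "PublishedArticles", "EditArticle"));
        System.out.println("Editor EditArticle in Drafts: "
            + policy.isGranted(role, "Editor", "Drafts", "EditArticle"));
        System.out.println("Editor ReadArticle in Drafts: "
            + policy.isGranted(role, "Editor", "Drafts", "ReadArticle"));
    }
}
```

The last check in `main` is the one worth noticing: `Editor` holds `ReadArticle` in `PublishedArticles` but not in `Drafts`, and the evaluator denies it rather than letting a permission leak across scopes. That default-deny behaviour is what makes a per-scope policy like the quoted one safe to extend with additional grants later.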