jsr375-experts@javaee-security-spec.java.net

[jsr375-experts] Re: Role Service

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Mon, 16 Mar 2015 15:50:19 +0100

Hi,

On Mon, Mar 16, 2015 at 3:53 AM, David Blevins <dblevins_at_tomitribe.com>
wrote:

> Would love to see even some spitballing on what the Role Service mentioned
> in the 375 proposal might look like.
>

I wondered about that too really.

There are essentially two interpretations in my mind:

1. It's the part of the "authentication store" (for which we still don't
have a name, hence it makes almost every discussion like this more
difficult), that retrieves the roles of the current user whenever that user
logs in.

2. It provides applications access to the role mapping such as asked for in
https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-8

I think having a separate entity to retrieve the roles of the current user
is not that convenient. I'd rather see 1 entity for that such as intended
by https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-1,
https://java.net/jira/browse/JAVAEE_SPEC-25 and
https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-9

To clarify the second interpretation, suppose we'd have a (vendor specific)
configuration file like glassfish-web.xml containing the following:

<glassfish-web-app>

    <security-role-mapping>
        <role-name>appArchitect</role-name>
        <group-name>systemArchitect</group-name>
    </security-role-mapping>

</glassfish-web-app>

Then the role service would allow me to query that the group
"systemArchitect" maps to the role "appArchitect" and the other way around.

I'd prefer to use the term role mapper for this though instead of role
service.

I recently published two articles that discuss role mapping, and which are
hopefully helpful here.

See

* http://arjan-tijms.omnifaces.org/2014/12/java-ee-authorization-jacc-revisited.html
  (general role mapping concepts)
* http://arjan-tijms.omnifaces.org/2015/01/java-ee-authorization-jacc-revisited.html
  (native role mappers of GlassFish, WebLogic and Geronimo)


Thoughts?

Kind regards,
Arjan Tijms






>
> Sometimes the bad idea is better than the good one -- we can all see what
> a bad version might look like and get our brains in gear.
>
>
> --
> David Blevins
> http://twitter.com/dblevins
> http://www.tomitribe.com
> 310-633-3852
>
>
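
Added example, not part of the original message and not a JSR 375 or GlassFish API: a sketch of the "role mapper" reading described above, answering group-to-role and role-to-group queries from the security-role-mapping entries of the descriptor shown in the message. The class name RoleMapper and its method names are hypothetical; only group-name entries are handled, and the descriptor is assumed to carry no DOCTYPE.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
// Hypothetical RoleMapper sketch; not a JSR 375 or GlassFish API.
public class RoleMapper {
    private final Map<String, Set<String>> groupToRoles = new HashMap<>();
    private final Map<String, Set<String>> roleToGroups = new HashMap<>();
    public RoleMapper(String descriptorXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Assumes a descriptor without DOCTYPE, like the snippet; refusing it rules out XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(descriptorXml.getBytes(StandardCharsets.UTF_8)));
        NodeList mappings = doc.getElementsByTagName("security-role-mapping");
        for (int i = 0; i < mappings.getLength(); i++) {
            Element m = (Element) mappings.item(i);
            NodeList roleNames = m.getElementsByTagName("role-name");
            if (roleNames.getLength() == 0) continue; // malformed entry maps nothing
            String role = roleNames.item(0).getTextContent().trim();
            NodeList groups = m.getElementsByTagName("group-name");
            for (int g = 0; g < groups.getLength(); g++) {
                String group = groups.item(g).getTextContent().trim();
                groupToRoles.computeIfAbsent(group, k -> new TreeSet<>()).add(role);
                roleToGroups.computeIfAbsent(role, k -> new TreeSet<>()).add(group);
            }
        }
    }

    // Unmapped names return an empty set: no implicit "group name equals role name" fallback.
    public Set<String> rolesForGroup(String group) {
        return Collections.unmodifiableSet(groupToRoles.getOrDefault(group, Collections.emptySet()));
    }

    public Set<String> groupsForRole(String role) {
        return Collections.unmodifiableSet(roleToGroups.getOrDefault(role, Collections.emptySet()));
    }

    public static void main(String[] args) throws Exception {
        String xml = "<glassfish-web-app><security-role-mapping>" // constructed from the snippet above
            + "<role-name>appArchitect</role-name><group-name>systemArchitect</group-name>"
            + "</security-role-mapping></glassfish-web-app>";
        RoleMapper mapper = new RoleMapper(xml);
        System.out.println(mapper.rolesForGroup("systemArchitect") + " " + mapper.groupsForRole("appArchitect"));
    }
}
```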