users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Security Let's do something useful

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Mon, 13 Apr 2015 19:33:23 +0200

Hi,

On Monday, April 13, 2015, Adam Bien <abien_at_adam-bien.com> wrote:

> your roles are more like permissions, right?


I know what you mean, but technically it's a terminology thing again.
What's the exact definition of "permission" and "role"?

Intuitively we may say "permission is about a concrete action or
operation", and "role is a facet of a person's identity", but in practice
this is not well defined and different security systems (not just Java)
greatly blur the lines.

In Java EE, as mentioned, a role can have any semantic meaning the app
gives it.



> So what we effectively need is 1:n mapping between groups and permissions.
>
> Or more precise n:m mapping between roles and permissions with optional
> groups?


That mapping in fact is already there ;) roles already map to permissions.
See
http://arjan-tijms.omnifaces.org/2015/04/how-java-ee-translates-webxml.html

But permissions are currently not "named", which may be part of the
confusion.

There's a separate issue for standardising group to role mapping. IMHO the
sometimes mandatory but non-standard group to role mapping of a couple of
servers is one of the bigger obstacles in the current Java EE security
system.

See this example for IBM's WebSphere/Liberty:
http://stackoverflow.com/questions/29524920/group-to-role-mapping-in-ibm-liberty-wlp-when-using-war

Kind regards,
Arjan Tijms


>
> cheers,
>
> adam
>
>
>
> > On 02.04.2015, at 22:54, arjan tijms <arjan.tijms_at_gmail.com> wrote:
> >
> > Hi,
> >
> > On Thu, Apr 2, 2015 at 8:52 PM, David Blevins <dblevins_at_tomitribe.com> wrote:
> > > And I would certainly like to tell you how I think about that:)
> > >
> > > Well, the default examples that are presented in the specs and
> tutorials are most of the time roles like „monitor“, „administrator“ and
> „operator“ or sth like that.
> > > I find that it does not really match the reality that I work with
> everyday.
> >
> > First of all, thanks for the feedback.
> >
> > I have to say that though I typically use roles like "administrator" in
> my articles (because it's such an established practice), as an application
> developer I don't often use roles that way.
> >
> > At zeef.com for example we're using fine grained roles that control if
> the user is allowed to do a specific operation. Made up examples that could
> however be real role names in our software are: VIEW_OWN_ACCOUNT,
> CLOSE_OWN_ACCOUNT, VIEW_BALANCE, EDIT_BALANCE, VIEW_NEW_USERS, etc.
> >
> >
> > Jan (Cc'ed) had similar feedback. Basically saying "roles are not
> useful" and "permissions are king".
> >
> > It depends on which semantic you attach to it.
> >
> > If you think "roles" are only allowed to be high level things like
> "administrator", then I agree they are not useful. If you think that if you
> want something like "VIEW_OWN_ACCOUNT" you can only call that "permission",
> then I agree again that permissions are king.
> >
> > However, Java EE does not mandate that a role is only allowed to be
> something like "administrator". At the end of the day, it's just a
> collection of attributes attached to a user that you test for. The names of
> those attributes as well as the semantic value your application assigns to
> them is yours to decide.
> >
> > There is often a wish though to group the finer grained roles into a
> more coarse grained thing. At zeef.com we use the term "group" for this
> (as Java EE uses too, just not in a standardized way). A group in our
> system is something like "administrator", "manager", "customer", etc. Every
> such group maps to multiple roles. And multiple groups can map to the same
> role.
> >
> > E.g.
> >
> > group "customer" can map to roles: VIEW_OWN_ACCOUNT, CLOSE_OWN_ACCOUNT,
> VIEW_BALANCE
> > group "manager" can map to roles: VIEW_BALANCE, EDIT_BALANCE,
> VIEW_NEW_USERS
> >
> > I found that there's somewhat of the misconception that a "group" like
> "administrator" needs to have a 1:1 mapping to a name that's application
> specific, but has the exact same meaning. E.g. people think that
> "administrator" is only allowed to be mapped to "admin". But this is not
> the case in any of the proprietary group-to-role mapping systems in any
> server that I've used. It's always a many:many mapping and the semantics
> are again yours to decide.
> >
> > Kind regards,
> > Arjan Tijms
> >
> >
> >
> >
> >
>
>
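The many-to-many group-to-role mapping that the thread describes (coarse groups such as "customer" and "manager" mapping onto fine-grained roles such as VIEW_BALANCE, with one role reachable from several groups), written out as a small stand-alone Java program. This is an added example and is not code from the mailing list, from Java EE, or from any server's mapping implementation; the class name GroupRoleMapping, its methods, and the "administrator" and "guest" groups are assumptions made for the illustration. The "customer" and "manager" rows are the ones given in the quoted message.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Added example, not from the thread or from any Java EE server: a
 * many-to-many mapping from coarse groups ("customer", "manager") to
 * the fine-grained roles an application actually tests for.
 * Class and method names are assumptions for this illustration; a real
 * server keeps such a mapping in a proprietary deployment descriptor and
 * exposes the result through isUserInRole / isCallerInRole.
 */
public final class GroupRoleMapping {

    private final Map<String, Set<String>> groupToRoles = new HashMap<>();

    /** Grants the given roles to a group; the same role may appear under many groups. */
    public GroupRoleMapping map(String group, String... roles) {
        groupToRoles.computeIfAbsent(group, g -> new LinkedHashSet<>())
                    .addAll(Arrays.asList(roles));
        return this;
    }

    /** Effective roles of a caller: the union of the roles of every group the caller is in. */
    public Set<String> rolesFor(Collection<String> callerGroups) {
        Set<String> roles = new TreeSet<>();
        for (String group : callerGroups) {
            // Deny by default: a group nobody mapped grants no roles at all.
            roles.addAll(groupToRoles.getOrDefault(group, Collections.emptySet()));
        }
        return Collections.unmodifiableSet(roles);
    }

    /** The check an application performs, e.g. behind @RolesAllowed("EDIT_BALANCE"). */
    public boolean isCallerInRole(Collection<String> callerGroups, String role) {
        return rolesFor(callerGroups).contains(role);
    }

    public static void main(String[] args) {
        GroupRoleMapping mapping = new GroupRoleMapping()
            .map("customer", "VIEW_OWN_ACCOUNT", "CLOSE_OWN_ACCOUNT", "VIEW_BALANCE")
            .map("manager",  "VIEW_BALANCE", "EDIT_BALANCE", "VIEW_NEW_USERS")
            // "administrator" does not need a role literally called "admin";
            // it is just another group whose meaning the application decides.
            .map("administrator", "VIEW_NEW_USERS", "EDIT_BALANCE");

        Set<String> customer = Collections.singleton("customer");
        Set<String> manager  = Collections.singleton("manager");
        Set<String> both     = new LinkedHashSet<>(Arrays.asList("customer", "manager"));
        Set<String> guest    = Collections.singleton("guest"); // assumed group, never mapped

        System.out.println("customer roles: " + mapping.rolesFor(customer));
        System.out.println("manager roles:  " + mapping.rolesFor(manager));
        System.out.println("both roles:     " + mapping.rolesFor(both));

        // VIEW_BALANCE is reachable from two different groups (many-to-many).
        System.out.println("customer VIEW_BALANCE: " + mapping.isCallerInRole(customer, "VIEW_BALANCE"));
        System.out.println("manager  VIEW_BALANCE: " + mapping.isCallerInRole(manager, "VIEW_BALANCE"));

        // EDIT_BALANCE is only granted through "manager" (or "administrator").
        System.out.println("customer EDIT_BALANCE: " + mapping.isCallerInRole(customer, "EDIT_BALANCE"));
        System.out.println("both     EDIT_BALANCE: " + mapping.isCallerInRole(both, "EDIT_BALANCE"));

        // Neither an unmapped group nor an unmapped role grants anything.
        System.out.println("guest    VIEW_BALANCE: " + mapping.isCallerInRole(guest, "VIEW_BALANCE"));
        System.out.println("manager  DELETE_USER:  " + mapping.isCallerInRole(manager, "DELETE_USER"));
    }
}
```

Compile and run with `javac GroupRoleMapping.java && java GroupRoleMapping`. The point the thread makes, and that the example makes visible, is that the set of roles a caller ends up with is decided entirely by this mapping, which in a real deployment lives in a server-specific descriptor (for example GlassFish's `security-role-mapping` in glassfish-web.xml, or the bindings file Liberty uses) rather than in the portable web.xml. Because the mapping is many-to-many and deny-by-default, a forgotten row silently locks users out while an over-broad row silently grants a role to a group that should not have it, so the mapping file deserves the same review as the `@RolesAllowed` annotations and security constraints it feeds.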