Hi,
I would like to propose the following re-factorisation of the current
Realm interface. Right now, Realm contains 3 methods related to
authorization:

    hasRole
    hasUserDataPermission
    hasResourcePermission

I would like to create a new interface called Authorizator (and a default
AuthorizatorBase) that will take care of those methods. I just think
those methods should be grouped together, and I think they are not
directly related to the Realm "concepts" (better separation of
concepts). It will allow people to change the current resource
authorization mechanism without having to modify the Realm interface.

Precisely, the methods will have the following signatures:

    public boolean hasResourcePermission(HttpRequest request,
                                         HttpResponse response,
                                         SecurityConstraint constraint,
                                         Context context);

    public boolean hasRolePermission(HttpRequest request,
                                     HttpResponse response,
                                     String role);

    public boolean hasUserDataPermission(HttpRequest request,
                                         HttpResponse response,
                                         SecurityConstraint constraint,
                                         Context context);

In the current implementation, those methods will get invoked by the
AuthenticatorBase and when the user calls isUserInRole().

This factorisation will provide the ability to replace/extend the
default AuthorizatorBase (that implements the Servlet
<security-constraint> stuff... section SRV 12.7) by another mechanism:
LDAP, NFS, database, file-based, JSR 115, etc. This way people will be
able to grant/deny permissions not only based on the web.xml content,
but also using other technologies. Although it is possible to do that
with the current Tomcat 5 codebase, I recommend we create this extra
interface. For J2EE 1.4, I was able to implement JSR 115 without having
too many problems, but I'm sure having a specialized interface will make
implementation easier.

The Realm.hasRole will be deprecated in order to achieve that
re-factorisation.

What do you think?
Thanks,
-- Jeanfrancois
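
An added sketch (not part of the original message and not Tomcat code) of the separation proposed above: the same calling code gets a different resource decision when the default implementation is swapped for another one. The record types are simplified stand-ins for the Catalina classes, PolicyStoreAuthorizator and its grants map are hypothetical, and records need Java 16 or later.

```java
import java.util.Map;
import java.util.Set;

public class AuthorizatorSketch {
    // Simplified stand-ins (assumptions) for the Catalina types named in the proposal.
    record HttpRequest(String user, Set<String> roles, String uri, boolean secure) {}
    record HttpResponse() {}
    record SecurityConstraint(Set<String> authRoles, boolean confidential) {}
    record Context(String path) {}

    // The three authorization methods the proposal moves out of Realm.
    interface Authorizator {
        boolean hasResourcePermission(HttpRequest req, HttpResponse res, SecurityConstraint c, Context ctx);
        boolean hasRolePermission(HttpRequest req, HttpResponse res, String role);
        boolean hasUserDataPermission(HttpRequest req, HttpResponse res, SecurityConstraint c, Context ctx);
    }

    // Default: decide from the <security-constraint> data (reduced here to roles + transport).
    static class AuthorizatorBase implements Authorizator {
        public boolean hasResourcePermission(HttpRequest req, HttpResponse res, SecurityConstraint c, Context ctx) {
            return c.authRoles().stream().anyMatch(role -> hasRolePermission(req, res, role));
        }
        public boolean hasRolePermission(HttpRequest req, HttpResponse res, String role) {
            return req.user() != null && req.roles().contains(role);
        }
        public boolean hasUserDataPermission(HttpRequest req, HttpResponse res, SecurityConstraint c, Context ctx) {
            return !c.confidential() || req.secure();
        }
    }

    // Hypothetical replacement: grants come from an external store (a constructed map
    // standing in for LDAP or a database); role and transport checks are inherited.
    static class PolicyStoreAuthorizator extends AuthorizatorBase {
        private final Map<String, Set<String>> grants; // user -> permitted URI prefixes
        PolicyStoreAuthorizator(Map<String, Set<String>> grants) { this.grants = grants; }
        @Override
        public boolean hasResourcePermission(HttpRequest req, HttpResponse res, SecurityConstraint c, Context ctx) {
            if (req.user() == null) return false; // unauthenticated: deny
            return grants.getOrDefault(req.user(), Set.of()).stream().anyMatch(p -> req.uri().startsWith(p));
        }
    }

    public static void main(String[] args) {
        HttpRequest req = new HttpRequest("alice", Set.of("staff"), "/admin/users", true); // constructed sample
        SecurityConstraint constraint = new SecurityConstraint(Set.of("admin"), true);
        Authorizator byWebXml = new AuthorizatorBase();
        Authorizator byStore = new PolicyStoreAuthorizator(Map.of("alice", Set.of("/admin/")));
        for (Authorizator a : new Authorizator[] { byWebXml, byStore }) {
            System.out.println(a.getClass().getSimpleName() + " -> "
                    + a.hasResourcePermission(req, new HttpResponse(), constraint, new Context("/app")));
        }
    }
}
```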