[security-dev] IDM Realms and Applications - The Nitty Gritty
bdawidow at redhat.com
Fri Nov 16 05:07:52 EST 2012
On Nov 16, 2012, at 1:33 AM, Bill Burke <bburke at redhat.com> wrote:
> On 11/15/2012 4:55 PM, Shane Bryzak wrote:
>> On 11/16/2012 06:25 AM, Bill Burke wrote:
>>> I don't think your design incorporates the idea of a distributed
>>> application: a set of services and websites that makes up one
>>> application. In other words the fun SOA buzzword.
>> Even the latest design?
>>> In my mind, you have a bunch of distributed services. Each service may
>>> or may not have its own roles and role mappings. A user is allowed to
>>> execute on a set of services and those services may call other services.
>>> For example: a user may interact solely with Website A, but Website A
>>> may need to interact with other services.
>>> So, the actors would be Realm, Applications, Services, Users.
>> I'd like to see a specific example demonstrating this use case. Would it
>> be possible for the services that make up a single application to simply
>> share the roles defined by that application? Adding yet another layer to
>> the current design is going to really complicate things further.
> A user might be "admin" for one service, but not "admin" for a different
> service. Service "A" might want to invoke on Service "B" on behalf of
> the user. Doesn't that have to be conveyed in the model somehow?
And where is the realm in this scenario? Because if you map Services A and B as Applications from Shane's model, it would match quite well. Then the Realm provides additional scoping.
> Bill Burke
> JBoss, a division of Red Hat
> security-dev mailing list
> security-dev at lists.jboss.org