[security-dev] IDM Realms and Applications - The Nitty Gritty

Boleslaw Dawidowicz bdawidow at redhat.com
Fri Nov 16 05:07:52 EST 2012


On Nov 16, 2012, at 1:33 AM, Bill Burke <bburke at redhat.com> wrote:

> 
> 
> On 11/15/2012 4:55 PM, Shane Bryzak wrote:
>> On 11/16/2012 06:25 AM, Bill Burke wrote:
>>> I don't think your design incorporates the idea of a distributed
>>> application:  a set of services and websites that makes up one
>>> application.  In other words the fun SOA buzzword.
>> 
>> Even the latest design?
>> 
>>> 
>>> In my mind, you have a bunch of distributed services.  Each service may
>>> or may not have its own roles and role mappings.  A user is allowed to
>>> execute on a set of services and those services may call other services.
>>> For example: a user may interact solely with Website A, but Website A
>>> may need to interact with other services.
>>> 
>>> So, the actors would be Realm, Applications, Services, Users.
>> 
>> I'd like to see a specific example demonstrating this use case. Would it
>> be possible for the services that make up a single application to simply
>> share the roles defined by that application? Adding yet another layer to
>> the current design is going to really complicate things further.
>> 
> 
> A user might be "admin" for one service, but not "admin" for a different 
> service.  Service "A" might want to invoke on Service "B" on behalf of 
> the user.  Doesn't that have to be conveyed in the model somehow?

And where is the realm in this scenario? Because if you map Services A and B as Applications from Shane's model, it would match quite well. Then the Realm provides additional scoping.
 
> 
> Bill
> 
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev



