[security-dev] PicketLink IDM Relationships and SASL Authorizations
Pedro Igor Silva
psilva at redhat.com
Thu Jun 20 15:15:23 EDT 2013
I wrote a simple test case to try to satisfy your objectives.
We can also use custom attributes if you need some kind of metadata for each relationship instance.
----- Original Message -----
From: "Darran Lofthouse" <darran.lofthouse at jboss.com>
To: security-dev at lists.jboss.org
Sent: Thursday, June 20, 2013 12:27:08 PM
Subject: [security-dev] PicketLink IDM Relationships and SASL Authorizations
Within SASL there is a capability where during the authentication phase
the agent being authenticated can request that subsequently they want
the authorization privileged of another agent.
The loading the identity of the agent being requested is fine but at the
moment I am looking within PicketLink IDM at how this one agent being
able to run as another agent can be modeled.
I can see using a custom relationship how it should be fairly easy to
model a 1:1 mapping of users that an 'impersonate' each other but I have
a few additional scenarios that could also be needed so wanted to look
for ideas on how to support all of these simultaneously.
- A single agent can impersonate a single agent.
- A single agent can impersonate any user that is a member of a
- A member of a specific group can impersonate a single agent.
- A member of one group can impersonate an agent of another (or same)
As mentioned in IRC over the last couple of days having some form of
permissions check API in the IDM for the non AS processes feels like it
would fit this really well - however at the moment I can perform this
check outside of any permissions API so just looking for ideas how it
could be achieved.
security-dev mailing list
security-dev at lists.jboss.org
More information about the security-dev