[wildfly-dev] Pattern defined RBAC scoped roles
Ladislav Thon
lthon at redhat.com
Sat Apr 23 02:38:13 EDT 2016
I only have a single comment: writing a regular expression can sometimes
be a bit tricky. Just see the example you used:
> (/profile=[^/]+)??/subsystem=logging(/.*)*
It's also fairly easy to write a regular expression that doesn't quite
do what you want it to do, in some corner cases. Finally, some
well-crafted regular expressions have running time in years or more (at
least in the java.util.regex implementation).
This all leads me to believe that maybe regular expressions are not the
best choice.
Instead, I'm thinking about address prefixes. So the role would be
specified by a set of valid addresses (including the "*" wildcard), and
only the specified resources and all their children would be accessible.
I'm specifically not thinking about _textual_ prefix, so e.g. prefix of
/subsystem=messaging would give you access to the old messaging
subsystem, but it _wouldn't_ give you access to the new
/subsystem=messaging-activemq, even if /subsystem=messaging is a textual
prefix.
Granted, that's way less powerful than regular expressions, but also
easier and safer to use.
WDYT? Am I being too paranoid here?
LT
More information about the wildfly-dev
mailing list