[JBoss JIRA] (ELY-444) AuthorizationIdentity and PermissionMapper
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-444?page=com.atlassian.jira.plugin.sy... ]
Darran Lofthouse updated ELY-444:
---------------------------------
Fix Version/s: 1.1.0.Beta7
(was: 1.1.0.Beta6)
> AuthorizationIdentity and PermissionMapper
> ------------------------------------------
>
> Key: ELY-444
> URL: https://issues.jboss.org/browse/ELY-444
> Project: WildFly Elytron
> Issue Type: Enhancement
> Components: API / SPI, Realms
> Reporter: David Lloyd
> Fix For: 1.1.0.Beta7
>
>
> When we initially designed the PermissionMapper we went to certain lengths to avoid exposing details of the realm. But now as the API has evolved it is clear that the permission mapper will need access to more information. The AuthorizationIdentity (or perhaps another object which includes the AuthorizationIdentity) should be made available to the permission mapper.
> In addition, this object could be expanded to include more information about the authentication, for example mechanism-specific information, which can feed into the authorization decision and could be useful for other things. Examples include: authentication timestamp, mechanism name/kind, forwarding credentials, and other attributes which derive from the mechanism as opposed to the identity.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
10 years
[JBoss JIRA] (ELY-524) Caching support in the LDAP realm
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-524?page=com.atlassian.jira.plugin.sy... ]
Darran Lofthouse updated ELY-524:
---------------------------------
Fix Version/s: 1.1.0.Beta7
(was: 1.1.0.Beta6)
> Caching support in the LDAP realm
> ---------------------------------
>
> Key: ELY-524
> URL: https://issues.jboss.org/browse/ELY-524
> Project: WildFly Elytron
> Issue Type: Feature Request
> Components: Realms
> Reporter: David Lloyd
> Priority: Critical
> Fix For: 1.1.0.Beta7
>
>
> The LDAP realm should use a caching strategy to avoid excessive database load in the presence of per-request authentication traffic.
> The realm implementation could maintain a synchronized LRU cache of one-time-initialize references to a cached DirContext or Attributes or binding or some combination of these. Because the cache is synchronized, the one-time-initialize object would be added under the lock and then the lock released before the object is populated and returned as a cached credential, allowing atomic action with a minimum of contention.
> For each cached entity, a NamingListener could be established which would invalidate (or possibly update) the cached value as the database changes.
> Alternatively, a NamingListener could be established for all identities, and each update would invalidate or update any cached values corresponding to the DN or resolved name.
> This is a complex design topic so discussion is welcome.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
10 years