[jboss-as7-dev] Securing the Console

Darran Lofthouse darran.lofthouse at jboss.com
Tue Jan 25 10:00:52 EST 2011


Yes I agree it should all be role based.

What I was really getting at here, rather than the specifics of 'read 
only' or 'read write' attributes, is that the detyped model is 
self-describing - should that description actually take into account what 
the current user can actually do?  i.e. the user's view of the domain could 
filter out everything they don't have access to, so they would only see a 
subset.  Or would it still make sense to expose everything that they 
cannot do and maybe provide an alternative indicator that although an 
operation exists they cannot invoke it?

Regards,
Darran Lofthouse.



On 01/25/2011 02:25 PM, Heiko Braun wrote:
>
> On Jan 25, 2011, at 12:35 PM, Darran Lofthouse wrote:
>
>> Another aspect to consider is that values in the model can be described as "read only" and "read write"
>
>
> IMO this distinction doesn't make sense at all. All attributes are read-only by default and for operations you don't know
> if they change state (guess this would be called 'write'). IMO we should drop these weak classifications and simply use a role based approach, similar to the EE specs. Either you can execute the operation or you can't, depending on whether or not you inherit a particular role.
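The two presentation options raised above (filter the description down to what the user may do, or show everything and flag what they cannot invoke) can both be derived from one role-based decision, and the same decision has to be repeated when an operation is actually invoked, since the description a client was shown is only a convenience and not an authorization boundary. The following is an added example sketching that, not code from JBoss AS7 or from anyone in this thread; the resource address, attribute names, operation names, and the role names Monitor/Operator/Administrator are all invented for illustration.

```python
"""Role-based views of a self-describing management model.

Added example, not code from JBoss AS7 or the thread's authors. The
resource address, attribute and operation names, and the role names are
invented for illustration.
"""
import copy

# Constructed description of one resource: its attributes plus the
# operations that can be invoked on it, each operation tagged with the
# (hypothetical) roles allowed to invoke it.
RESOURCE_DESCRIPTION = {
    "address": "/subsystem=example/thing=demo",
    "attributes": {
        "enabled": {"type": "BOOLEAN"},
        "pool-size": {"type": "INT"},
        "active-count": {"type": "INT"},
    },
    "operations": {
        "read-attribute": {"roles": {"Monitor", "Operator", "Administrator"}},
        "write-attribute": {"roles": {"Administrator"}},
        "flush": {"roles": {"Operator", "Administrator"}},
        "remove": {"roles": {"Administrator"}},
    },
}


def can_invoke(description, operation, user_roles):
    """Authorization decision: the user may run the operation iff at least
    one of their roles is listed for it. Unknown operations are denied."""
    spec = description["operations"].get(operation)
    return spec is not None and bool(spec["roles"] & set(user_roles))


def filtered_view(description, user_roles):
    """Option 1: the user sees only the subset they can use. Operations they
    cannot invoke are dropped, and the attributes are dropped as well if the
    user cannot even read them."""
    view = copy.deepcopy(description)
    view["operations"] = {
        name: spec for name, spec in view["operations"].items()
        if can_invoke(description, name, user_roles)
    }
    if not can_invoke(description, "read-attribute", user_roles):
        view["attributes"] = {}
    return view


def annotated_view(description, user_roles):
    """Option 2: everything stays visible, but each operation carries an
    explicit indicator of whether this particular user may invoke it."""
    view = copy.deepcopy(description)
    for name, spec in view["operations"].items():
        spec["executable"] = can_invoke(description, name, user_roles)
    return view


def invoke(description, operation, user_roles):
    """Server-side enforcement. Whatever view the user was shown, the role
    check is repeated here, so a hand-crafted request that names an
    operation missing from (or flagged in) the view is still rejected."""
    if not can_invoke(description, operation, user_roles):
        raise PermissionError(
            f"{operation} not permitted for roles {sorted(user_roles)}")
    return {"outcome": "success", "operation": operation}


if __name__ == "__main__":
    monitor = {"Monitor"}
    print("filtered:", sorted(filtered_view(RESOURCE_DESCRIPTION, monitor)["operations"]))
    for name, spec in annotated_view(RESOURCE_DESCRIPTION, monitor)["operations"].items():
        print(f"annotated: {name} executable={spec['executable']}")
    try:
        invoke(RESOURCE_DESCRIPTION, "remove", monitor)
    except PermissionError as exc:
        print("denied:", exc)
```

Both views are built from copies of the description, so the shared model is never mutated per user; the annotated view does still reveal which roles each operation requires, which is a disclosure choice a real implementation would have to make deliberately.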




More information about the jboss-as7-dev mailing list