[jboss-dev-forums] [JBoss AS 7 Development] - Access control notes

Heiko Braun do-not-reply at jboss.com
Thu Apr 25 04:01:11 EDT 2013


Heiko Braun [https://community.jboss.org/people/heiko.braun] commented on the document

"Access control notes"

To view all comments on this document, visit: https://community.jboss.org/docs/DOC-48596#comment-11953

--------------------------------------------------
> I'm not so sure that even rights to a referent are black-and-white when it comes to rights to a referrer. Just because I can read a security domain config doesn't mean I can read the config of every resource that references it. Perhaps I should be able to see all references so I know what's affected by the resource.

I can understand your point of view. IMO it depends on the question which use cases have precedence. I.e. think about a blank server configuration. Taking your example of a security domain and a remoting connector, you would need to configure both ends. In this scenario I think we would agree that same rights on both ends (write access) are probably required.

The example that you used builds on the assumption that one end is already configured. Precedence of use cases would mean that the foremost example will be used to guide the design, not the latter. The question is not what are the minimum security requirements, but what permissions are required at maximum.

With regard to this I still believe that whenever a reference is used as part of the configuration you'd require the same permissions on both ends to enable the full set of use cases that we can think of. IMO for references this includes creation and removal of the referent in all cases.

Does that make sense?
--------------------------------------------------
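The "same permissions on both ends of a reference" rule argued above, as an added illustration that is not code from the thread or from JBoss AS 7: resource addresses, the reference graph and the users' permission sets are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    address: str
    references: set = field(default_factory=set)  # addresses this resource refers to

# Constructed example configuration (addresses are illustrative, not a real model):
# a remoting connector that references a security domain.
SD = "subsystem=security/security-domain=other"
CONN = "subsystem=remoting/connector=remoting"
CONFIG = {
    SD: Resource(SD),
    CONN: Resource(CONN, {SD}),
}

def required_addresses(address, config):
    """The resource itself plus every referent reachable through its references."""
    seen, stack = set(), [address]
    while stack:
        addr = stack.pop()
        if addr in seen:
            continue
        seen.add(addr)
        stack.extend(config[addr].references if addr in config else ())
    return seen

def missing_permissions(user_perms, action, address, config=CONFIG):
    """Addresses on which the user lacks `action`; an empty set means the action is allowed.

    The referrer-side action is only granted when the user holds the same action
    on the referrer and on every referent it points to (Heiko's proposed rule)."""
    return {a for a in required_addresses(address, config)
            if action not in user_perms.get(a, set())}

# Constructed users: one may write both ends, one may only write the connector.
FULL_ADMIN = {CONN: {"read", "write"}, SD: {"read", "write"}}
CONNECTOR_ONLY = {CONN: {"read", "write"}}

if __name__ == "__main__":
    print(missing_permissions(FULL_ADMIN, "write", CONN))      # set()
    print(missing_permissions(CONNECTOR_ONLY, "write", CONN))  # {SD}
```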
