[jboss-jira] [JBoss JIRA] (ELY-444) AuthorizationIdentity and PermissionMapper

Pedro Igor (JIRA) issues at jboss.org
Fri Apr 29 08:09:00 EDT 2016


    [ https://issues.jboss.org/browse/ELY-444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13199018#comment-13199018 ] 

Pedro Igor edited comment on ELY-444 at 4/29/16 8:08 AM:
---------------------------------------------------------

Recently, I've been working on an Authorization API. I think we could review what I did and see if we can reuse something or how to adapt it to Elytron. If you find it useful.

I think authorization can be completely decoupled from the authentication subsystem, where the concept of an Identity is abstract and simple enough to just provide the necessary information (basically, the claims/attributes) to evaluate authorization policies and grant/deny permissions. Besides the identity, we should also consider environment/execution information to base authorization decisions. In this case, it will allow us to support different access control mechanisms and combinations of them.

An SPI should also be interesting in order to plug different Policy Providers, where we could define policies using different strategies. From simple RBAC to more complex policies using a script language.


was (Author: pcraveiro):
Recently, I've been working on an Authorization API. I think we could review what I did and see if we can reuse something or how to adapt it to Elytron. If you find it useful.

I think authorization can be completely decoupled from the authentication subsystem, where the concept of an Identity is abstract and simple enough to just provide the necessary information to evaluate authorization policies and grant/deny permissions. Besides the identity, we should also consider environment/execution information to base authorization decisions. In this case, it will allow us to support different access control mechanisms and combinations of them.

An SPI should also be interesting in order to plug different Policy Providers, where we could define policies using different strategies. From simple RBAC to more complex policies using a script language.

> AuthorizationIdentity and PermissionMapper
> ------------------------------------------
>
>                 Key: ELY-444
>                 URL: https://issues.jboss.org/browse/ELY-444
>             Project: WildFly Elytron
>          Issue Type: Enhancement
>          Components: API / SPI, Realms
>            Reporter: David Lloyd
>             Fix For: 1.1.0.Beta6
>
>
> When we initially designed the PermissionMapper we went to certain lengths to avoid exposing details of the realm.  But now as the API has evolved it is clear that the permission mapper will need access to more information.  The AuthorizationIdentity (or perhaps another object which includes the AuthorizationIdentity) should be made available to the permission mapper.
> In addition, this object could be expanded to include more information about the authentication, for example mechanism-specific information, which can feed into the authorization decision and could be useful for other things.  Examples include: authentication timestamp, mechanism name/kind, forwarding credentials, and other attributes which derive from the mechanism as opposed to the identity.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
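
The design discussed in this thread (an identity reduced to attributes, authentication-derived context such as mechanism name and timestamp, and pluggable policy providers) can be sketched as follows. This is an added example, not code from the comment, the issue, or WildFly Elytron; every type and method name here is hypothetical, and the mechanism names, permission string and 15-minute limit are constructed sample values.

```java
import java.time.*;
import java.util.*;
// Hypothetical types for illustration only; none of these are WildFly Elytron APIs.
public class PolicyDemo {
    enum Decision { GRANT, DENY, ABSTAIN }
    // Identity is only claims/attributes, independent of how it was authenticated.
    interface Identity { Set<String> get(String attribute); }
    // Facts that derive from the mechanism and environment, not from the identity.
    static final class AuthContext {
        final String mechanism; final Instant authenticatedAt, now;
        AuthContext(String m, Instant at, Instant now) { mechanism = m; authenticatedAt = at; this.now = now; }
    }
    // Pluggable SPI: each provider votes on a single permission name.
    interface PolicyProvider { Decision evaluate(Identity id, AuthContext ctx, String permission); }
    // Simple RBAC: grant when any role attribute maps to the permission.
    static PolicyProvider rbac(Map<String, Set<String>> rolePerms) {
        return (id, ctx, p) -> id.get("roles").stream()
            .anyMatch(r -> rolePerms.getOrDefault(r, Collections.emptySet()).contains(p))
            ? Decision.GRANT : Decision.ABSTAIN;
    }
    // Context policy: sensitive permissions need a strong mechanism and a recent login.
    static PolicyProvider freshStrongAuth(Set<String> sensitive, Set<String> strong, Duration maxAge) {
        return (id, ctx, p) -> {
            if (!sensitive.contains(p)) return Decision.ABSTAIN;
            Duration age = Duration.between(ctx.authenticatedAt, ctx.now);
            boolean ok = strong.contains(ctx.mechanism) && !age.isNegative() && age.compareTo(maxAge) <= 0;
            return ok ? Decision.ABSTAIN : Decision.DENY;
        };
    }
    // Combine votes: any DENY wins, and no GRANT at all means deny by default.
    static boolean isPermitted(List<PolicyProvider> ps, Identity id, AuthContext ctx, String perm) {
        boolean granted = false;
        for (PolicyProvider pp : ps) {
            Decision d = pp.evaluate(id, ctx, perm);
            if (d == Decision.DENY) return false;
            granted |= d == Decision.GRANT;
        }
        return granted;
    }
    public static void main(String[] args) {
        Instant now = Instant.parse("2016-04-29T12:00:00Z"); // constructed sample data
        Map<String, Set<String>> claims = Collections.singletonMap("roles", Collections.singleton("admin"));
        Identity admin = n -> claims.getOrDefault(n, Collections.emptySet());
        Set<String> shutdown = Collections.singleton("server.shutdown");
        List<PolicyProvider> ps = Arrays.asList(rbac(Collections.singletonMap("admin", shutdown)),
            freshStrongAuth(shutdown, Collections.singleton("SCRAM-SHA-256"), Duration.ofMinutes(15)));
        for (String mech : Arrays.asList("SCRAM-SHA-256", "PLAIN"))
            System.out.println(mech + " -> " + isPermitted(ps, admin, new AuthContext(mech, now.minusSeconds(300), now), "server.shutdown"));
    }
}
```

The same identity and role set yields different outcomes depending only on the authentication context, which is the information the issue proposes exposing to the permission mapper.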

