OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wsrp-interfaces message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: [wsrp-wsia] RE: [wsrp-interfaces] [wsrp][intefaces] Use case foruserfiltere d getDescription()

But I thought we already do include remote access control in WSRP?  I thought we had discussed allowing portlets to define roles that
consumers map -- and that user identity/role information is passed via the protocol so that the producer can do remote access control.
Is this correct?  If so I am merely suggesting another place in the protocol where exposing such a capabilities is useful.

As for WS-Authorization and other standards I am not sure if they are the best fit here.  Can you brief me on the standard and why/how
its the solution?  I worry that it is a web service standard whereas we need to do authorization at the entity level [which aren't web
services].  I can intuit that is might impact how the user/roles are communicated and basic producer authorization works but worry that
we would still need to define entity level authorization more explicitly.

Carsten Leue wrote:

> In my opinion we should not include remote access control in the WSRP
> protocol.
> - it seems to be orthogonal to WSRP and we will likely be able to leverage
> upcoming standards as WS-Authorization. If we define this now it might be
> to early.
> - it adds too much complexity, especially if - as Yossi points out - the
> access control rules might change over time
> Best regards
> Carsten Leue
> -------
> Dr. Carsten Leue
> Dept.8288, IBM Laboratory Böblingen , Germany
> Tel.: +49-7031-16-4603, Fax: +49-7031-16-4401
> |---------+---------------------------->
> |         |           "Tamari, Yossi"  |
> |         |           <yossi.tamari@sap|
> |         |           .com>            |
> |         |                            |
> |         |           08/11/2002 11:42 |
> |         |           AM               |
> |---------+---------------------------->
>   >-------------------------------------------------------------------------------------------------------------------------------|
>   |                                                                                                                               |
>   |       To:       "'Michael Freedman'" <Michael.Freedman@oracle.com>, interfaces <wsrp-interfaces@lists.oasis-open.org>,        |
>   |        wsrp-wsia <wsrp-wsia@lists.oasis-open.org>                                                                             |
>   |       cc:                                                                                                                     |
>   |       Subject:  [wsrp-wsia] RE: [wsrp-interfaces] [wsrp][intefaces] Use case for user filtere       d getDescription()        |
>   |                                                                                                                               |
>   |                                                                                                                               |
>   >-------------------------------------------------------------------------------------------------------------------------------|
> This raises some problems:
> 1. Are the portlet permissions based on a user ID? I did not think in the
> general case user IDs were transparent to the producer. The permissions are
> role base as far as we talked in the security sub-committee.
> 2. Users permissions at the portlet can change at any time. Does the
> consumer call getDescription for all consumed portlets each time a user
> opens the toolbox? This could create quite a heavy load.
> 3. What does it mean "entities that this user has access to"? even assuming
> we pass all the roles of the user, the portlets have multiple modes. A user
> may be allowed to use one mode but not another. Does this mean he is not
> allowed to put the portlet on his page?
> Considering that the consumer already has its own set of permissions, and
> that I believe most producer will not have per-user /role permissions at
> least in the beginning, I would suggest we defer this.
>              Yossi.
> -----Original Message-----
> From: Michael Freedman [mailto:Michael.Freedman@oracle.com]
> Sent: Friday, August 09, 2002 2:00 AM
> To: interfaces; wsrp-wsia
> Subject: [wsrp-interfaces] [wsrp][intefaces] Use case for user filtered
> getDescription()
> During today's conference call I asked the question "Do we care about
> allowing the consumer to ask get me the description of all the entities
> that this user has access to?" I indicated our Portal has such a
> capability but wasn't sure if/how its used. After a little discussion we
> tabled the question pending having me report back with a use case (if
> any).  This is our use case:
>      In our portal when a user displays the portlet repository (toolbox)
> she is only shown those portlets she has access to.  Though the bulk of
> this authorization is controlled via the Portal's authorization
> mechanisms we do provide a hook to the portlets authorization mechanism
> so it has an opportunity to decide.  (i.e. only users in a given portlet
> role can add this to portlet to a page).
> Our requirement seems to be express in some way via the protocol a way
> to ask the question can this user access this portlet?  For efficiency
> reasons it makes sense to expand this to what portlets can this user
> access?  In our proprietary portlet protocol we chose to overload
> getDescription to accomplish this.  Our getDescription takes an optional
> user which when present means only return me the information about those
> portlets this user can see.
> What we now need to answer are:
>      a) is this a valid and useful usage scenario we should support in
> the protocol?
>      b) if so, how should we support it?  getDescription overload?  Or
> should we have an isRunnable() type call (expecting of course these and
> other calls will ultimately be expanded to be [bulk] array based for
> efficiency?
>        -Mike-
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC