

Subject: RE: [wsrp-wsia] [I#175] Roles should be per-Entity and not per-Producer


Hi Alan.

I am a little confused. Surely the WSRP roles cannot be used as a fully
fledged access control mechanism as it does not involve any credentials. I
think that a vendor would not want to expose any security relevant data
based on some role information that has not been verified by the producer
itself. The latter will be solved by WS-Security. The WSRP roles were only
intended for portlet internal use, not for use within the app server
environment (like granting access to secured resources, etc.).

Best regards
Carsten Leue

-------
Dr. Carsten Leue
Dept.8288, IBM Laboratory Böblingen , Germany
Tel.: +49-7031-16-4603, Fax: +49-7031-16-4401


From: "Kropp, Alan" <Alan.Kropp@vignette.com>
Sent: 12/10/2002 07:37 PM
To: "'Rex Brooks'" <rexb@starbourne.com>, Carsten Leue/Germany/IBM@IBMDE, wsrp-wsia@lists.oasis-open.org
cc:
Subject: RE: [wsrp-wsia] [I#175] Roles should be per-Entity and not per-Producer




I strongly second Rex here...

I do not agree with the arguments in favor of removing roles from the
protocol.  WSRP is by nature a remote protocol, and as such we must rely on
the protocol carrying enough, detailed information about a given interaction
to permit the Producer to properly service the call, and that *has* to
include the proper access control context.

If 1.0 ships with no role support, I _guarantee_ that vendors (well, this
vendor anyway) will each immediately shift their implementations to carry
roles/access control information via extensions.  To force implementers into
using extensions for basic interoperability is, IMNSHO, a non-starter for
1.0.




-----Original Message-----
From: Rex Brooks [mailto:rexb@starbourne.com]
Sent: Tuesday, December 10, 2002 9:42 AM
To: Carsten Leue; wsrp-wsia@lists.oasis-open.org
Subject: Re: [wsrp-wsia] [I#175] Roles should be per-Entity and not
per-Producer


I'm concerned that if we dropped roles altogether, no matter how
dicey or messy it is to keep them, we would see dozens of different
extensions added into the mix by producers and consumers, but if we
can make a clear but very simple way to include them, we stand a
better chance of having fewer wildly different kinds of role
verification put in use willy nilly. I agree it should be per entity
(or portlet if we settle on that as the name of the great thingie).

Ciao,
Rex

At 5:03 PM +0100 12/10/02, Carsten Leue wrote:
>Just to reopen the role discussion: instead of thinking of refining the
>role support we should think of dropping it altogether. I summarized the
>reasons for this already in another email.
>One example reoccurs in Eilon's example - the producer that spans multiple
>web-apps in J2EE. For me this seems to apply that the producer would use
>the app's J2EE roles as WSRP roles. In this case I would also assume that
>after a WSRP call containing such role information a call like
>isUserInRole would work on the producer. However as no credentials are sent
>around this is impossible to implement.
>
>From my point of view it would be best to rely on WS-Security.
>
>Best regards
>Carsten Leue
>
>-------
>Dr. Carsten Leue
>Dept.8288, IBM Laboratory Böblingen , Germany
>Tel.: +49-7031-16-4603, Fax: +49-7031-16-4401
>
>From: Gil Tayar <Gil.Tayar@webcollage.com>
>Sent: 12/10/2002 09:18 AM
>To: wsrp-wsia@lists.oasis-open.org
>cc:
>Subject: [wsrp-wsia] [I#175] Roles should be per-Entity and not per-Producer
>
>Issue: 175
>Status: Active
>Topic: interface
>Class: Technical
>Raised by: Eilon Reshef
>Title: Roles should be per-Entity and not per-Producer
>Date Added: 10-Dec-2002
>Document Section:   v0.85/4.1.7
>Description:
>RoleDescription[] - should it be per each Entity and not per Producer? The
>current model only supports roles per Producer which works when the
>Producer is a centralized portal environment, but makes it much harder to
>manage and deploy changes in less controlled environment. For example,
>this means that if a development environment allows portlet developers to
>define custom roles per portlet (e.g., if one Producer may span multiple
>web-apps in J2EE), then the Producer must continuously accumulate all roles
>from all its portlets to present a coherent role list. And, the Consumer
>needs to sample that list more often to ensure that there are no changes.
>Another example is how would an application-level-WSRP-proxy support
>multiple services with different roles?
>
>
>
>----------------------------------------------------------------
>To subscribe or unsubscribe from this elist use the subscription
>manager: <http://lists.oasis-open.org/ob/adm.pl>


--
Rex Brooks
Starbourne Communications Design
1361-A Addison, Berkeley, CA 94702 *510-849-2309
http://www.starbourne.com * rexb@starbourne.com

