OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wsrp-wsia message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [wsrp-wsia] [I#175] Roles should be per-Entity and not per-Producer

Hi Alan.

I am a little confused. Surely the WSRP roles cannot be used as a fully
fledged access control mechanism as it does not involve any credentials. I
think that a vendor would not want to expose any security relevant data
based on some role information that have not been verified by the producer
itself. The latter will be solved by WS-security. The WSRP roles were only
intended for portlet internal use, not for use within the app server
environment (like granting access to secured resource, etc)

Best regards
Carsten Leue

Dr. Carsten Leue
Dept.8288, IBM Laboratory B÷blingen , Germany
Tel.: +49-7031-16-4603, Fax: +49-7031-16-4401

             "Kropp, Alan"                                                 
             tte.com>                                                   To 
                                       "'Rex Brooks'"                      
             12/10/2002 07:37          <rexb@starbourne.com>, Carsten      
             PM                        Leue/Germany/IBM@IBMDE,             
                                       RE: [wsrp-wsia] [I#175] Roles       
                                       should be per-Entity and not per-Pr 

I strongly second Rex here...

I do not agree with the arguments in favor of removing roles from the
protocol.  WSRP is by nature a remote protocol, and as such we must rely on
the protocol carrying enough, detailed information about a given
to permit the Producer to properly service the call, and that *has* to
include the proper access control context.

If 1.0 ships with no role support, I _guarantee_ that vendors (well, this
vendor anyway) will each immediately shift their implementations to carry
roles/access control information via extensions.  To force implementers
using extensions for basic interoperability is, IMNSHO, a non-starter for

-----Original Message-----
From: Rex Brooks [mailto:rexb@starbourne.com]
Sent: Tuesday, December 10, 2002 9:42 AM
To: Carsten Leue; wsrp-wsia@lists.oasis-open.org
Subject: Re: [wsrp-wsia] [I#175] Roles should be per-Entity and not

I'm concerned that if we dropped roles altogether, no matter how
dicey or messy it is to keep them, we would see dozens of different
extensions added into the mix by producers and consumers, but if we
can make a clear but very simple way to include them, we stand a
better chance of having fewer wildly different kinds of role
verification put in use willy nilly. I agree it should be per entity
(or portlet if we settle on that as the name of the great thingie).


At 5:03 PM +0100 12/10/02, Carsten Leue wrote:
>Just to reopen the role discussion: instead of thinking of refining the
>role support we should think of dropping it altogether. I summarized the
>reasons for this already in another email.
>One example reoccurs in Eilon's example - the producer that spans multiple
>web-apps in J2EE. For me this seems to apply that the producer would use
>the app's J2EE roles as WSRP roles. In this case I would also assume that
>after a WSRP call containing such role information a call like
>would work on the producer. However as no credentials are sent around this
>is impossible to implement.
>>From my point of view it would be best to rely on WS-Security.
>Best regards
>Carsten Leue
>Dr. Carsten Leue
>Dept.8288, IBM Laboratory B÷blingen , Germany
>Tel.: +49-7031-16-4603, Fax: +49-7031-16-4401
>              Gil Tayar
>              <Gil.Tayar@webcol
>              lage.com>
>                                        wsrp-wsia@lists.oasis-open.org
>              12/10/2002 09:18
>              AM
>                                        [wsrp-wsia] [I#175] Roles should
>                                        per-Entity and not per-Producer
>Issue: 175
>Status: Active
>Topic: interface
>Class: Technical
>Raised by: Eilon Reshef
>Title: Roles should be per-Entity and not per-Producer
>Date Added: 10-Dec-2002
>Document Section:   v0.85/4.1.7
>RoleDescription[] - should it be per each Entity and not per Producer? The
>current model only supports roles per Producer which works when the
>Producer is a centralized portal environment, but makes it much harder to
>manage and deploy changes in less controlled environment. For example,
>means that if a development environment allows portlet developers to
>custom roles per portlet (e.g., if one Producer may span multiple web-apps
>in J2EE), then the Producer must continuously accumulate all roles from
>its portlets to present a coherent role list. And, the Consumer needs to
>sample that list more often to ensure that there are no changes. Another
>example is how would an application-level-WSRP-proxy support multiple
>services with different roles?
>To subscribe or unsubscribe from this elist use the subscription
>manager: <http://lists.oasis-open.org/ob/adm.pl>

Rex Brooks
Starbourne Communications Design
1361-A Addison, Berkeley, CA 94702 *510-849-2309
http://www.starbourne.com * rexb@starbourne.com

To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC