OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

wsrp-wsia message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: RE: [wsrp-wsia] [I#175] Roles should be per-Entity and not per-Producer


Hi Alan.

I am a little confused. Surely the WSRP roles cannot be used as a fully
fledged access control mechanism as it does not involve any credentials. I
think that a vendor would not want to expose any security relevant data
based on some role information that have not been verified by the producer
itself. The latter will be solved by WS-security. The WSRP roles were only
intended for portlet internal use, not for use within the app server
environment (like granting access to secured resource, etc)

Best regards
Carsten Leue

-------
Dr. Carsten Leue
Dept.8288, IBM Laboratory B÷blingen , Germany
Tel.: +49-7031-16-4603, Fax: +49-7031-16-4401



                                                                           
             "Kropp, Alan"                                                 
             <Alan.Kropp@vigne                                             
             tte.com>                                                   To 
                                       "'Rex Brooks'"                      
             12/10/2002 07:37          <rexb@starbourne.com>, Carsten      
             PM                        Leue/Germany/IBM@IBMDE,             
                                       wsrp-wsia@lists.oasis-open.org      
                                                                        cc 
                                                                           
                                                                   Subject 
                                       RE: [wsrp-wsia] [I#175] Roles       
                                       should be per-Entity and not per-Pr 
                                       oducer                              
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




I strongly second Rex here...

I do not agree with the arguments in favor of removing roles from the
protocol.  WSRP is by nature a remote protocol, and as such we must rely on
the protocol carrying enough, detailed information about a given
interaction
to permit the Producer to properly service the call, and that *has* to
include the proper access control context.

If 1.0 ships with no role support, I _guarantee_ that vendors (well, this
vendor anyway) will each immediately shift their implementations to carry
roles/access control information via extensions.  To force implementers
into
using extensions for basic interoperability is, IMNSHO, a non-starter for
1.0.




-----Original Message-----
From: Rex Brooks [mailto:rexb@starbourne.com]
Sent: Tuesday, December 10, 2002 9:42 AM
To: Carsten Leue; wsrp-wsia@lists.oasis-open.org
Subject: Re: [wsrp-wsia] [I#175] Roles should be per-Entity and not
per-Producer


I'm concerned that if we dropped roles altogether, no matter how
dicey or messy it is to keep them, we would see dozens of different
extensions added into the mix by producers and consumers, but if we
can make a clear but very simple way to include them, we stand a
better chance of having fewer wildly different kinds of role
verification put in use willy nilly. I agree it should be per entity
(or portlet if we settle on that as the name of the great thingie).

Ciao,
Rex

At 5:03 PM +0100 12/10/02, Carsten Leue wrote:
>Just to reopen the role discussion: instead of thinking of refining the
>role support we should think of dropping it altogether. I summarized the
>reasons for this already in another email.
>One example reoccurs in Eilon's example - the producer that spans multiple
>web-apps in J2EE. For me this seems to apply that the producer would use
>the app's J2EE roles as WSRP roles. In this case I would also assume that
>after a WSRP call containing such role information a call like
isUserInRole
>would work on the producer. However as no credentials are sent around this
>is impossible to implement.
>
>>From my point of view it would be best to rely on WS-Security.
>
>Best regards
>Carsten Leue
>
>-------
>Dr. Carsten Leue
>Dept.8288, IBM Laboratory B÷blingen , Germany
>Tel.: +49-7031-16-4603, Fax: +49-7031-16-4401
>
>
>
>
>              Gil Tayar
>              <Gil.Tayar@webcol
>              lage.com>
To
>                                        wsrp-wsia@lists.oasis-open.org
>              12/10/2002 09:18
cc
>              AM
>
Subject
>                                        [wsrp-wsia] [I#175] Roles should
be
>                                        per-Entity and not per-Producer
>
>
>
>
>
>
>
>
>
>
>Issue: 175
>Status: Active
>Topic: interface
>Class: Technical
>Raised by: Eilon Reshef
>Title: Roles should be per-Entity and not per-Producer
>Date Added: 10-Dec-2002
>Document Section:   v0.85/4.1.7
>Description:
>RoleDescription[] - should it be per each Entity and not per Producer? The
>current model only supports roles per Producer which works when the
>Producer is a centralized portal environment, but makes it much harder to
>manage and deploy changes in less controlled environment. For example,
this
>means that if a development environment allows portlet developers to
define
>custom roles per portlet (e.g., if one Producer may span multiple web-apps
>in J2EE), then the Producer must continuously accumulate all roles from
all
>its portlets to present a coherent role list. And, the Consumer needs to
>sample that list more often to ensure that there are no changes. Another
>example is how would an application-level-WSRP-proxy support multiple
>services with different roles?
>
>
>
>----------------------------------------------------------------
>To subscribe or unsubscribe from this elist use the subscription
>manager: <http://lists.oasis-open.org/ob/adm.pl>


--
Rex Brooks
Starbourne Communications Design
1361-A Addison, Berkeley, CA 94702 *510-849-2309
http://www.starbourne.com * rexb@starbourne.com


----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>





[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC