wsrp-wsia message



Subject: RE: [wsrp-wsia] [change request #7] User identity (authenticated) for personalization


How would this sophisticated producer get the authentication and role information?
Don't you actually mean a specific producer/consumer pair, that have (somehow) established a trusted way of passing user and roles?
It is dangerous to rely on this user ID for personalization rather than the userContextID, since we defined use cases where the consumer wants a group of people to share the same personalization (a team concept). The userContext allows for that, while using authenticated user ID instead would actually require impersonation of a non-existing user!!!

The equivalent problem also arises for userCategories: The userCategories are for this specific portlet so they may not match the general user's role in the producer, and there is also no support in WSRP for exposing these roles and creating a mapping (WS-Security may be the answer, but I don't think we will have portals from any two vendors that can do this correctly currently).
What you are really suggesting here is that it is allowed to use extensions to pass this information. I agree. But that is also true for other parts of the protocol, and we don't explicitly state that.

	Yossi.

-----Original Message-----
From: Rich Thompson [mailto:richt2@us.ibm.com]
Sent: Monday, January 20, 2003 6:03 PM
To: wsrp-wsia@lists.oasis-open.org
Subject: [wsrp-wsia] [change request #7] User identity (authenticated)
for personalization


Document: WSRP Spec v0.9
Section: 6.10
Page/Line: 48/36-42
Requested by: Subbu Allamaraju
Old text:
Proposed text:
[addition] Sophisticated producers may completely ignore user categories 
and instead rely on authenticated user and/or consumer identity for 
personalization of behavior and/or markup.

Reasoning:

Sophisticated producer-consumer implementations may choose to propagate 
authenticated end user security context using some (unspecified) 
security mechanism. With such a security mechanism in place, a producer 
may choose to use the authenticated principal and roles for 
personalization in place of userContextID and userCategories.

I suggest that this section mention this possibility. This would also 
address sophisticated implementations that rely only on authenticated 
user identity and roles for personalization.


