Subject: RE: [wsrp-wsia] [change request #7] User identity (authenticated) for personalization
How would this sophisticated producer get the authentication and role information? Don't you actually mean a specific producer/consumer pair that have (somehow) established a trusted way of passing user and roles?

It is dangerous to rely on this user ID for personalization rather than the userContextID, since we defined use cases where the consumer wants a group of people to share the same personalization (a team concept). The userContext allows for that, while using authenticated user ID instead would actually require impersonation of a non-existing user!!!

The equivalent problem also arises for userCategories: The userCategories are for this specific portlet so they may not match the general user's role in the producer, and there is also no support in WSRP for exposing these roles and creating mapping (WS-Security may be the answer, but I don't think we will have portals from any two vendors that can do this correctly currently).

What you are really suggesting here is that it is allowed to use extensions to pass this information. I agree. But that is also true for other parts of the protocol, and we don't explicitly state that.

Yossi.

-----Original Message-----
From: Rich Thompson [mailto:richt2@us.ibm.com]
Sent: Monday, January 20, 2003 6:03 PM
To: wsrp-wsia@lists.oasis-open.org
Subject: [wsrp-wsia] [change request #7] User identity (authenticated) for personalization

Document: WSRP Spec v0.9
Section: 6.10
Page/Line: 48/36-42
Requested by: Subbu Allamaraju

Old text:

Proposed text: [addition] Sophisticated producers may completely ignore user categories and instead rely on authenticated user and/or consumer identity for personalization of behavior and/or markup.

Reasoning: Sophisticated producer-consumer implementations may choose to propagate authenticated end user security context using some (unspecified) security mechanism. With such a security mechanism in place, a producer may choose to use the authenticated principal and roles for personalization in place of userContextID and userCategories. I suggest that this section mention this possibility. This would also address sophisticated implementations that rely only on authenticated user identity and roles for personalization.