[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [wsrp-wsia] [change request #7] User identity (authenticated) forpersonalization
Please correct me if I am wrong, but I think it is perhaps somewhat helpful to think of user categories as general across individual users and user profiles as specific to individual users. Ciao, Rex At 10:25 AM +0100 1/21/03, Tamari, Yossi wrote: >User profiles are there exactly for personalization, so I don't >understand your statement "I also don't quite understand why the >option of user profiles for personalization was never considered.". > >The committee considered moving UserCategories into the user >profile, but there was a pretty wide agreement that UserCategory >mapping would still have to remain a feature, so UserCategories can >not be just a set of properties on the profile. The feeling was that >considering this, we are more >comfortable with the current location of the UserCategories. >What's more, on a technical level, the profile is (relatively) >static for the user and may be cached at the session level, while >UserCategories may be different per user per portlet. > > Yossi. > >-----Original Message----- >From: Subbu Allamaraju [mailto:subbu@bea.com] >Sent: Monday, January 20, 2003 9:56 PM >To: wsrp-wsia@lists.oasis-open.org >Subject: Re: [wsrp-wsia] [change request #7] User identity >(authenticated) for personalization > > >Referring to page 49, lines 36-37, which reads > >"A Portlet optionally declares the user categories it personalizes >markup for in the PortletDescription structure described in section >5.1.11. " > > From this statement, the fact that the producer MAY use user categories >for personalization is not very clear to me. Somehow, the wording seems >to combine user categories with personalization. From what I understand >from the various emails that were exchanged about this issue, I'm under >the impression that people wanted categories to be able to personalize. > >At a more fundamental level, the word "personalization" bothers me. But >I can live without a formal definition (from WSRP's perspective). > >I also don't quite understand why the option of user profiles for >personalization was never considered. That would actually make the spec >more abstract (and avoid all role-related debates). Moreover, unlike the >term "personalization", "user profile"s are extensible and have a formal >meaning in WSRP (as also in JSR168). > >What does the rest of the TC think about this? > >Subbu > >Tamari, Yossi wrote: >> I do not think the spec currently excludes any other >>implementation. It actually uses in this section only "MAY" and >>"optionally". >> The point is that any other implementation is NOT part of the WSRP >>spec, and must be separately agreed upon between the producer and >>the consumer, which is why I refer to it as an extension. >> >> Yossi. >> >> -----Original Message----- >> From: Subbu Allamaraju [mailto:subbu@bea.com] >> Sent: Monday, January 20, 2003 8:14 PM >> To: wsrp-wsia@lists.oasis-open.org >> Subject: Re: [wsrp-wsia] [change request #7] User identity >> (authenticated) for personalization >> >> >> Tamari, Yossi wrote: >> >> > How would this sophisticated producer get the authentication and role >> > information? Don't you actually mean a specific producer/consumer >> > pair, that have (somehow) established a trusted way of passing user >> > and roles? It is dangerous to rely on this user ID for >> >> Yes. But I don't understand why it is dangerous to rely on user identity >> for personalization. It depends on what is being personalized and how a >> producer chose to implement it. >> >> > personalization rather than the userContextID, since we defined use >> > cases where the consumer wants a group of people to share the same >> > personalization (a team concept). The userConetxt allows for that, >> >> Yes. But in some scenarios (e.g, corporate portals), user identity >> and/or identity-derived information is more useful for personalization. >> >> > while using authenticated user ID instead would actually require >> > impersonation of a non-existing user!!! > > > >> > The equivalent problem also arises for userCategories: The >> > userCategories are for this specific portlet so they may not match >> > the general user's role in the producer, and there is also no support >> > in WSRP for exposing these roles and creating mapping (WS-Security >> > may be the answer, but I don't think we will have portals from any >> > two vendors that will can do this correctly currently). What you are >> > really suggesting here is that it is allowed to use extensions to >> > pass this information. I agree. But that is also true for other parts >> >> I don't mean extensions. The consumer may use the same security >> infrastructure that was used for authentication to propagate/assert this >> information. >> >> My concern is that, the current wording of the spec conspicuously >> excludes other means of personalization (such as using eg., J2EE roles, >> or some other form of role mapping or something else). >> >> Subbu >> >> >> >> > of the protocol, and we don't explicitly state that. >> > >> > Yossi. >> > >> > -----Original Message----- From: Rich Thompson >> > [mailto:richt2@us.ibm.com] Sent: Monday, January 20, 2003 6:03 PM To: >> > wsrp-wsia@lists.oasis-open.org Subject: [wsrp-wsia] [change request >> > #7] User identity (authenticated) for personalization >> > >> > >> > Document: WSRP Spec v0.9 Section: 6.10 Page/Line: 48/36-42 Requested >> > by: Subbu Allamaraju Old text: Proposed text: [addition] >> > Sophisticated producers may completely ignore user categories and >> > instead rely on authenticated user and/or consumer identity for >> personalization of behavior and/or markup. >> > >> > Reasoning: >> > >> > Sophisticated producer-consumer implementations may choose to >> > propagate authenticated end user security context using some >> > (unspecified) security mechanism. With such a security mechanism in >> > place, a producer may choose to use the authenticated principal and >> > roles for personalization in place of userContextID and >> > userCategories. >> > >> > I suggest that this section mention this possibility. This would also >> > address sophisticated implementations that rely only on >> > authenticated user identity and roles for personalization. >> > >> > >> > >> > ---------------------------------------------------------------- To >> > subscribe or unsubscribe from this elist use the subscription >> manager: <http://lists.oasis-open.org/ob/adm.pl> >> > >> > ---------------------------------------------------------------- To >> > subscribe or unsubscribe from this elist use the subscription >> manager: <http://lists.oasis-open.org/ob/adm.pl> >> >> >> ---------------------------------------------------------------- >> To subscribe or unsubscribe from this elist use the subscription >> manager: <http://lists.oasis-open.org/ob/adm.pl> >> >> ---------------------------------------------------------------- >> To subscribe or unsubscribe from this elist use the subscription >> manager: <http://lists.oasis-open.org/ob/adm.pl> > > > >---------------------------------------------------------------- >To subscribe or unsubscribe from this elist use the subscription >manager: <http://lists.oasis-open.org/ob/adm.pl> > >---------------------------------------------------------------- >To subscribe or unsubscribe from this elist use the subscription >manager: <http://lists.oasis-open.org/ob/adm.pl> -- Rex Brooks Starbourne Communications Design 1361-A Addison, Berkeley, CA 94702 *510-849-2309 http://www.starbourne.com * rexb@starbourne.com
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC