Authentication Requirements

Use Cases

  1. Standard Administrative Applications
    1. Client Side Certificate Required
    2. The non-SSL port displays a page that gives the SSL version of the URL and information about certificates
    3. If the user has a valid client certificate but does not have ANY authorizations for this application, then the application should display a page that tells the user whom to contact to get the required authorization.
    4. Ability to impersonate (see below for details)

Authentication List

  1. Cannot just get a String; need to be able to interrogate the type of the token.
    1. User user = securityMgr.getCurrentUser ();
    2. user.getType (); (i.e. Kerberos, MIT ID, email address, Alumni ID, etc.)
    3. user.convertTo (type); - allows the programmer to convert between supported types
  2. Service layer access to authenticated user without having it explicitly passed in each call
    1. i.e. User user = securityMgr.getCurrentUser (); works on the service layer just as it does on the web tier
    2. A way to do machine-to-machine authentication (or app-to-app authentication)
    3. An ability to invoke a service method on behalf of a named business user
  3. Ability to impersonate another user for testing, just within a particular application
    1. Grant Impersonate to X for application Y
    2. UI to let X type in user Z to impersonate them within the rest of the application
    3. User user = securityMgr.getCurrentUser (); // must return Z
    4. User user = securityMgr.getTrueUser (); // optional to return X
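
One way the impersonation requirement above could be implemented, as an added example in Java that is not code from the original page or its project: getCurrentUser returns Z while impersonating, getTrueUser always returns X, and impersonation is refused unless X holds a grant scoped to application Y. The class name SecurityMgr, the IdType values, the Grant record, the authenticate/grantImpersonate/impersonate methods and the sample user names are assumptions, and the code assumes Java 17 for records.

```java
import java.util.HashSet;
import java.util.Set;

public class SecurityMgr {
    public enum IdType { KERBEROS, MIT_ID, EMAIL }
    /** Typed principal: callers can interrogate the token type instead of getting a bare String. */
    public record User(IdType type, String id) {
        public IdType getType() { return type; }
    }
    private record Grant(String granteeId, String application) {}
    private final String application;                 // application Y this instance serves
    private final Set<Grant> impersonateGrants = new HashSet<>();
    // Per-thread true user and impersonated user, so the service layer reads the same
    // context as the web tier without the User being passed through every call.
    private final ThreadLocal<User> trueUser = new ThreadLocal<>();
    private final ThreadLocal<User> impersonated = new ThreadLocal<>();

    public SecurityMgr(String application) { this.application = application; }
    /** Called by the authentication filter once the client certificate has been validated. */
    public void authenticate(User user) { trueUser.set(user); impersonated.remove(); }

    /** "Grant Impersonate to X for application Y". */
    public void grantImpersonate(String granteeId, String app) { impersonateGrants.add(new Grant(granteeId, app)); }

    /** X asks to act as Z; refused unless X holds a grant scoped to this application. */
    public boolean impersonate(User target) {
        User actor = trueUser.get();
        if (actor == null || !impersonateGrants.contains(new Grant(actor.id(), application))) return false;
        impersonated.set(target);
        return true;
    }

    /** Effective user: Z while impersonating, otherwise the authenticated user X. */
    public User getCurrentUser() {
        User z = impersonated.get();
        return z != null ? z : trueUser.get();
    }

    /** Always the authenticated user X; audit records should name this one. */
    public User getTrueUser() { return trueUser.get(); }

    public static void main(String[] args) {
        SecurityMgr mgr = new SecurityMgr("payroll");             // constructed sample application Y
        mgr.authenticate(new User(IdType.KERBEROS, "xavier"));    // constructed user X
        User z = new User(IdType.MIT_ID, "900012345");            // constructed user Z
        if (mgr.impersonate(z)) throw new AssertionError("must be refused: no grant yet");
        mgr.grantImpersonate("xavier", "payroll");
        if (!mgr.impersonate(z)) throw new AssertionError("must be allowed after the grant");
        System.out.println(mgr.getCurrentUser().id() + " acting, " + mgr.getTrueUser().id() + " real");
    }
}
```

Because the grant is keyed on both the grantee and the application, a grant for one application does not let X impersonate anyone in another; the true user is kept so audit records name X, not Z.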

...