Authentication Requirements
Use Cases
- Standard Administrative Applications
- Valid MIT Issued Client Side Certificate is Required, if the user does not have a valid MIT issued certificate the user is routed to a non-ssl page that tells the user how to obtain an MIT issued certificate.
- Non-SSL port displays page that gives SSL version of url and info about how to obtain an MIT issued certificate
- If user has valid client certificate but does not have ANY authorizations for this application then the application should display a page that tells user who to contact to get the required authorization.
- Ability to impersonate (see below for details)
Authentication List
- Cannot just get a String, need to be able interrogate type of token.
- User user = securityMgr.getCurrentUser ();
- user.getType (); (i.e. Kerberos, MIT ID, email address, Alumni ID, etc)
- user.convertTo (type); - allows programmer to convert between supported types
- Service layer access to authenticated user without having it explicitly passed in each call
- i.e. User user = securityMgr.getCurrentUser (); works on service layer just as it does on the web tier
- A way to do machine to machine authentication (or app to app authentication)
- An ability to invoke service method on behalf of a named business user
- Ability to impersonate another for testing just within a particular application
- Grant Impersonate to X for application Y
- UI to let X type in user Z to impersonate them within the rest of the application
- User user = securityMgr.getCurrentUser (); // must return Z
- User user = securityMgr.getTrueUser (); // optional to return X
Authorization requirements
Below are the documents that came out of the GASP/ISDA meetings:
AuthorizationModelForCombiningExplicitAndImplicitAuthorizations.vsd