
Authentication Requirements

  1. Cannot just get a String; the caller must be able to interrogate the type of token.
    1. User user = securityMgr.getCurrentUser();
    2. user.getType(); (e.g. Kerberos, MIT ID, email address, Alumni ID, etc.)
    3. user.convertTo(type); allows the programmer to convert between supported types
  2. Service-layer access to the authenticated user without having it explicitly passed in each call
    1. i.e. User user = securityMgr.getCurrentUser(); works on the service layer just as it does on the web tier
    2. A way to do machine-to-machine authentication (or app-to-app authentication)
    3. An ability to invoke a service method on behalf of a named business user
  3. Ability to impersonate another user, for testing, only within a particular application
    1. Grant Impersonate to X for application Y
    2. UI to let X type in user Z and impersonate them within the rest of the application
    3. User user = securityMgr.getCurrentUser(); // must return Z
    4. User user = securityMgr.getTrueUser(); // optional, returns X
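As an added illustration of requirement 3 (not code from the page or from GASP/ISDA), the sketch below shows a security manager in which getCurrentUser() returns the impersonated user Z, getTrueUser() still returns the authenticated user X, and impersonation is refused unless X holds an Impersonate grant for the specific application. The User, SecurityManager, impersonate() and endImpersonation() names, and the sample users, are assumptions.

```java
import java.util.Set;

// Added example; class/method names other than getCurrentUser()/getTrueUser() are assumptions.
public final class ImpersonationExample {

    static final class User {
        final String id;
        final String type; // e.g. "Kerberos", "MIT ID", "email address"
        User(String id, String type) { this.id = id; this.type = type; }
        @Override public String toString() { return id + " (" + type + ")"; }
    }

    static final class SecurityManager {
        private final User trueUser;                 // X: the principal who actually authenticated
        private User currentUser;                    // Z while impersonating, otherwise X
        private final Set<String> impersonateGrants; // applications X holds "Impersonate" for
        private final String application;            // application this manager instance serves

        SecurityManager(User authenticated, Set<String> impersonateGrants, String application) {
            this.trueUser = authenticated;
            this.currentUser = authenticated;
            this.impersonateGrants = impersonateGrants;
            this.application = application;
        }

        /** Requirement 3.3: returns Z while impersonating, X otherwise. */
        User getCurrentUser() { return currentUser; }

        /** Requirement 3.4: always X, so audit records attribute actions to the real person. */
        User getTrueUser() { return trueUser; }

        /** Requirements 3.1/3.2: only allowed when X's grant covers this application. */
        void impersonate(User target) {
            if (!impersonateGrants.contains(application)) {
                throw new SecurityException(trueUser + " lacks Impersonate grant for " + application);
            }
            currentUser = target;
            System.out.println("AUDIT: " + trueUser + " now acting as " + target + " in " + application);
        }

        void endImpersonation() { currentUser = trueUser; }
    }

    public static void main(String[] args) {
        User x = new User("xuser", "Kerberos");                       // constructed sample user X
        SecurityManager mgr = new SecurityManager(x, Set.of("payroll"), "payroll");
        mgr.impersonate(new User("zuser", "MIT ID"));                 // constructed sample user Z
        System.out.println("current=" + mgr.getCurrentUser() + " true=" + mgr.getTrueUser());
        SecurityManager other = new SecurityManager(x, Set.of("payroll"), "library"); // no grant here
        try { other.impersonate(new User("zuser", "MIT ID")); }
        catch (SecurityException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```

The point a reviewer would check is that every audit line carries both identities, so actions taken as Z remain traceable to X.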

Authorization Requirements

Below are the documents that came out of the GASP/ISDA meetings:

AuthorizationModelForCombiningExplicitAndImplicitAuthorizations.vsd

GASP Authentication Issues.doc

GASP Authorization Issues.doc
