[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [wsrp-wsia] [I#175] Roles should be per-Entity and not per-Producer
Hi Carsten, I think your approach is very specific to a J2EE environment, and some of the problems that arise when the portal is just a service inside this J2EE server. The idea that any producer/consumer pair will either use the same user/role source or there will be ONE user (with one set of roles) for ALL the users of a consumer, which basically means roles are meaningless, seems broken to me. I would agree with some of the other messages in this thread that if roles are not part of the protocol, they would immediately become a vendor extension for us. As for the concern that has been raised about defining a competing standard to WS-Security (which I don't think deals with this anyway), I claim that roles are an elemental portal concept, and used much more extensively inside the portal than inside the J2EE server (our whole content catalog is based on roles). I agree that implementing WSRP roles within the J2EE environment, and within a JSR 168 container is challenging, but we should not automatically see this as a WSRP error. Perhaps the J2EE standard needs to be expanded to support applications that manage their own user IDs and roles? I believe we have found a solution for this within our own J2EE server, is it not possible within the WebSphere server? Yossi. -----Original Message----- From: Carsten Leue [mailto:CLEUE@de.ibm.com] Sent: Tuesday, December 10, 2002 7:43 PM To: Andre Kramer Cc: wsrp-wsia@lists.oasis-open.org Subject: RE: [wsrp-wsia] [I#175] Roles should be per-Entity and not per-Pr oducer Hi Andre. I think that the general approach to pass the roles in the context of a trust relationship is already questionable. Normally - from my knowledge - it rather works the way that a server (our producer) verifies the user credentials on his own and assigns roles accordingly. The solution for WSRP would be as follows. 1. we do not pass roles at all 2. we use WS-Security to pass user credentials (optionally). WS-Security support is built-in in standard java stacks and the .NET stack. The credentials and the respective server side role assignments will be handled automatically by the stack. The question now is what user credentials to pass. I see two options: - during registration the producer tells the consumer a pair of credentials. In this case the consumer portal would be seen as a user that logs in to the producer portal with each WS request. The producer could then assign roles to this consumer-user in the "normal" app server specific way. The end-user would still be keyed via the user identifier we pass as part of the user profile (however the user would not be logged in) - if producer and consumer share the same user population the real end-user credentials could be exchanged. The information if the population would be shared would be part of the registration process also. Does that make sense? My strong feeling is that if we use roles we establish a parallel authentication concept to WS-security that will become obsolete and hurt us a lot in the future. Best regards Carsten Leue ------- Dr. Carsten Leue Dept.8288, IBM Laboratory Böblingen , Germany Tel.: +49-7031-16-4603, Fax: +49-7031-16-4401 Andre Kramer <andre.kramer@eu. citrix.com> To Carsten Leue/Germany/IBM@IBMDE, 12/10/2002 05:34 wsrp-wsia@lists.oasis-open.org PM cc Subject RE: [wsrp-wsia] [I#175] Roles should be per-Entity and not per-Pr oducer I must confess I am not able to keep up with the latest and greatest security specs developments, but is WS-Security not more a framework for developing security protocols rather than a protocol we could use as is? Could you describe how WS-Security (SAML seems a better framework for this) could be used to agree on the set of role definitions to be shared by the producer and consumer and how it would be used to pass roles information along with the rest of the UserContext we now have? I could then check if I'm able to do this using the .NET tool chain, for example. regards, Andre -----Original Message----- From: Carsten Leue [mailto:CLEUE@de.ibm.com] Sent: 10 December 2002 16:03 To: wsrp-wsia@lists.oasis-open.org Subject: Re: [wsrp-wsia] [I#175] Roles should be per-Entity and not per-Producer Just to reopen the role discussion: instead of thinking of refining the role support we should think of dropping it altogether. I summarized the reasons for this already in another email. One example reoccurs in Eilon's example - the producer that spans multiple web-apps in J2EE. For me this seems to apply that the producer would use the app's J2EE roles as WSRP roles. In this case I would also assume that after a WSRP call containing such role information a call like isUserInRole would work on the producer. However as no credentials are sent around this is impossible to implement. From my point of view it would be best to rely on WS-Security. Best regards Carsten Leue ------- Dr. Carsten Leue Dept.8288, IBM Laboratory Böblingen , Germany Tel.: +49-7031-16-4603, Fax: +49-7031-16-4401 Gil Tayar <Gil.Tayar@webcol lage.com> To wsrp-wsia@lists.oasis-open.org 12/10/2002 09:18 cc AM Subject [wsrp-wsia] [I#175] Roles should be per-Entity and not per-Producer Issue: 175 Status: Active Topic: interface Class: Technical Raised by: Eilon Reshef Title: Roles should be per-Entity and not per-Producer Date Added: 10-Dec-2002 Document Section: v0.85/4.1.7 Description: RoleDescription[] - should it be per each Entity and not per Producer? The current model only supports roles per Producer which works when the Producer is a centralized portal environment, but makes it much harder to manage and deploy changes in less controlled environment. For example, this means that if a development environment allows portlet developers to define custom roles per portlet (e.g., if one Producer may span multiple web-apps in J2EE), then the Producer must continuously accumulate all roles from all its portlets to present a coherent role list. And, the Consumer needs to sample that list more often to ensure that there are no changes. Another example is how would an application-level-WSRP-proxy support multiple services with different roles? ---------------------------------------------------------------- To subscribe or unsubscribe from this elist use the subscription manager: <http://lists.oasis-open.org/ob/adm.pl> ---------------------------------------------------------------- To subscribe or unsubscribe from this elist use the subscription manager: <http://lists.oasis-open.org/ob/adm.pl>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC