[DISCUSS] DELTASPIKE-79 Authorization API - Identity Model


Shane Bryzak-2
One of the missing pieces from the current discussion on the
Authorization API is the identity model.  At present we have a very
simplistic User class, however we still need to add support for Group
and Role.  My recommendation for this is to base it roughly on the
design of the PicketLink API, which has a base interface called
IdentityType:


public interface IdentityType
{
      String getKey();
}

The getKey() method returns a unique identifier for the User, Group or
Role.  The User, Group and Role interfaces then extend IdentityType:

public interface User extends IdentityType
{
     String getId();
}

getId() returns the username, the same as it currently does.

public interface Group extends IdentityType
{
     String getName();
}

getName() returns the name of the group.

public interface Role extends IdentityType
{
     Group getGroup();
     String getRoleName();
}

getGroup() returns the role's group.
getRoleName() returns the name of the role.

So, to extend on my e-mail of yesterday about Permission Management, the
Permission class (which I did not describe at the time) would look like
this:

public class Permission
{
     private IdentityType recipient;
     private Object resource;
     public String operation;

     public IdentityType getRecipient() { return recipient; }
     public Object getResource() { return resource; }
}

The recipient, being of type IdentityType, would then allow permissions
to be granted to either a User, a Group or a Role.
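
An added example, not part of the original post or of DeltaSpike/PicketLink code: a default-deny check that matches a grant's recipient by getKey(), which only works safely if keys are unique across User, Group and Role. The implementation classes, the type-prefixed key format, the isAllowed helper, the caller-supplied list of held identities and the sample data are all assumptions; it needs Java 16 or later for records.

```java
import java.util.*;
public class IdentityModelExample {
    interface IdentityType { String getKey(); }
    interface User extends IdentityType { String getId(); }
    interface Group extends IdentityType { String getName(); }
    interface Role extends IdentityType { Group getGroup(); String getRoleName(); }
    // Hypothetical implementations. The type prefix in getKey() keeps a user
    // named "admins" and a group named "admins" from sharing one key.
    record SimpleUser(String id) implements User {
        public String getId() { return id; }
        public String getKey() { return "user:" + id; }
    }
    record SimpleGroup(String name) implements Group {
        public String getName() { return name; }
        public String getKey() { return "group:" + name; }
    }
    record SimpleRole(Group group, String roleName) implements Role {
        public Group getGroup() { return group; }
        public String getRoleName() { return roleName; }
        public String getKey() { return "role:" + group.getName() + "/" + roleName; }
    }
    // Permission as sketched in the post, modelled here as an immutable record (assumption).
    record Permission(IdentityType recipient, Object resource, String operation) {
        public IdentityType getRecipient() { return recipient; }
        public Object getResource() { return resource; }
    }
    // Default deny: true only if a grant names this resource and operation and its
    // recipient key is the user's own key or the key of an identity the user holds.
    static boolean isAllowed(User user, Collection<? extends IdentityType> held,
                             Collection<Permission> grants, Object resource, String operation) {
        Set<String> keys = new HashSet<>(Set.of(user.getKey()));
        for (IdentityType t : held) keys.add(t.getKey());
        for (Permission p : grants) {
            if (p.getResource().equals(resource) && p.operation().equals(operation)
                    && keys.contains(p.getRecipient().getKey())) return true;
        }
        return false;
    }
    public static void main(String[] args) {
        // Constructed sample data: one grant to a group, one grant to a role.
        User alice = new SimpleUser("alice");
        Role editor = new SimpleRole(new SimpleGroup("docs"), "editor");
        List<Permission> grants = List.of(
            new Permission(new SimpleGroup("admins"), "invoice:42", "delete"),
            new Permission(editor, "page:7", "update"));
        System.out.println(isAllowed(alice, List.of(editor), grants, "page:7", "update"));
        System.out.println(isAllowed(new SimpleUser("admins"), List.of(), grants, "invoice:42", "delete"));
    }
}
```

The second call is the collision case: a user whose id equals a group name gets nothing from the group's grant, because the two keys differ.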

Re: [DISCUSS] DELTASPIKE-79 Authorization API - Identity Model

Boleslaw Dawidowicz
I started a separate thread about the Identity Management API today. However, as Gerard pointed out on IRC, it may be wiser to not keep 4 different threads running in parallel around a similar domain.

I think pretty much everything that Shane suggested here around IdentityType, User, Group and Role is in line with what I described for the IDM API. Therefore we could move the discussion there. The only part left to discuss here is the Permission interface proposal then.

Bolek

On Apr 24, 2012, at 12:22 AM, Shane Bryzak wrote:

> One of the missing pieces from the current discussion on the Authorization API is the identity model.  At present we have a very simplistic User class, however we still need to add support for Group and Role.  My recommendation for this is to base it roughly on the design of the PicketLink API, which has a base interface called IdentityType:
>
>
> public interface IdentityType
> {
>     String getKey();
> }
>
> The getKey() method returns a unique identifier for the User, Group or Role.  The User, Group and Role interfaces then extend IdentityType:
>
> public interface User extends IdentityType
> {
>    String getId();
> }
>
> getId() returns the username, the same as it currently does.
>
> public interface Group extends IdentityType
> {
>    String getName();
> }
>
> getName() returns the name of the group.
>
> public interface Role extends IdentityType
> {
>    Group getGroup();
>    String getRoleName();
> }
>
> getGroup() returns the role's group.
> getRoleName() returns the name of the role.
>
> So, to extend on my e-mail of yesterday about Permission Management, the Permission class (which I did not describe at the time) would look like this:
>
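> public class Permission
> {
>    private IdentityType recipient;
>    private Object resource;
>    public String operation;
>
>    public IdentityType getRecipient() { return recipient; }
>    public Object getResource() { return resource; }
> }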
>
> The recipient, being of type IdentityType, would then allow permissions to be granted to either a User, a Group or a Role.
>