[cas-dev] AuthorizedDecider --> PrincipalDiscriminator ?
Velpi
velpi at industria.be
Mon Dec 4 02:26:36 EST 2006
> I wonder if the API should be about authorization at all. What we have here
> is a discriminator among Principals. It examines a Principal, and
> determines whether that Principal is of some subset of all possible
> Principals. So how about
>
> /**
>  * Discriminates among Principals, indicating whether a given Principal
>  * is a member of some subset of all possible Principals.
>  */
> public interface PrincipalDiscriminator {
>
>     /**
>      * Returns true if the given Principal is a member of
>      * the subset of all possible Principals that fulfills the
>      * requirements of this Discriminator. Returns false otherwise.
>      */
>     public boolean principalIsMemberOfSubset(Principal p);
>
> }
>
>
> While a compelling use for a PrincipalDiscriminator is as the rule behind an
> authorization gate (Filter, Aspect, etc.), there are other uses for
> discriminating among Principals. I could have a Controller that returns one
> or another View depending upon whether the Principal is selected by an
> injected Discriminator. I could write a PrincipalDiscriminator that checks
> a Principal against an accessibility preferences store and is suitable for
> determining whether an application should go into text-only highly
> accessible responses. There are any number of things one could do with an
> API for discriminating among Principals.
In our customized version we implemented a "reAuthenticationDecider". It
checks -among others- whether the user is part of a certain group using
LDAP (employees in our case). So I tend to agree with this.
Our decider also needs the request object though.
-- Velpi
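
An added example, not part of the original messages and not CAS code: a group-membership discriminator of the kind Velpi describes, written against the interface proposed in the quote. `GroupDirectory`, `GroupDiscriminator`, the in-memory sample data and the use of `java.security.Principal` are assumptions; the lookup stands in for LDAP, and membership is denied when the principal is missing or the directory lookup fails.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;

// Interface as proposed in the quoted message (Principal type assumed here).
interface PrincipalDiscriminator {
    boolean principalIsMemberOfSubset(Principal p);
}

// Hypothetical group lookup; an LDAP-backed implementation would go here.
interface GroupDirectory {
    Set<String> groupsOf(String principalName) throws Exception;
}

// Selects the principals that belong to one named group.
final class GroupDiscriminator implements PrincipalDiscriminator {
    private final GroupDirectory directory;
    private final String group;

    GroupDiscriminator(GroupDirectory directory, String group) {
        this.directory = directory;
        this.group = group;
    }

    @Override
    public boolean principalIsMemberOfSubset(Principal p) {
        if (p == null || p.getName() == null) {
            return false; // no identity: not a member
        }
        try {
            Set<String> groups = directory.groupsOf(p.getName());
            return groups != null && groups.contains(group);
        } catch (Exception lookupFailure) {
            return false; // directory unavailable: fail closed
        }
    }
}

public class DiscriminatorDemo {
    public static void main(String[] args) {
        // Constructed sample data, not taken from a real directory.
        Map<String, Set<String>> sample =
            Map.of("alice", Set.of("employees"), "bob", Set.of("students"));
        GroupDirectory dir = name -> {
            if (name.equals("carol")) throw new Exception("directory timeout");
            return sample.getOrDefault(name, Set.of());
        };
        PrincipalDiscriminator employees = new GroupDiscriminator(dir, "employees");
        for (String n : new String[] {"alice", "bob", "carol"}) {
            Principal p = () -> n; // minimal Principal carrying only a name
            System.out.println(n + " -> " + employees.principalIsMemberOfSubset(p));
        }
    }
}
```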