[cas-dev] AuthorizedDecider --> PrincipalDiscriminator ?

Scott Battaglia scott.battaglia at gmail.com
Mon Dec 4 14:47:50 EST 2006 

It would seem to me that for someone looking at the class, it would be
easier to understand what an AuthorizedDecider is as opposed to
PrincipalDiscriminator, especially since Authorization is a common security
term.  The goal is to keep this library scoped towards security.

-Scott

On 12/4/06, Velpi <velpi at industria.be> wrote:
>
> > I wonder if the API should be about authorization at all.  What we have
> here
> > is a discriminator among Principals.  It examines a Principal, and
> > determines whether that Principal is of some subset of all possible
> > Principals.  So how about
> >
> > /**
> >  * Discriminates among Principals, indicating whether a given Principal
> >  * is a member of some subset of all possible Principals.
> >  */
> > public interface PrincipalDiscriminator {
> >
> >   /**
> >    * Returns true if the given Principal is a member of
> >    * the subset of all possible Principals that fulfills the
> >    * requirements of this Discriminator.  Returns false otherwise.
> >    */
> >   public boolean principalIsMemberOfSubset(Principal p);
> >
> > }
> >
> >
> > While a compelling use for a PrincipalDiscrimator is as the rule behind
> an
> > authorization gate (Filter, Aspect, etc.), there are other uses for
> > discriminating among Principals.  I could have a Controller that returns
> one
> > or another View depending upon whether the Principal is selected by an
> > injected Discriminator.  I could write a PrincipalDiscriminator that
> checks
> > a Principal against an accessibility preferences store and is suitable
> for
> > determining whether an application should go into text-only highly
> > accessible responses.  There are any number of things one could do with
> an
> > API for discriminating among Principals.
>
> In our customized version we implemented a "reAuthenticationDecider". It
> checks -among others- whether the user is part of a certain group using
> LDAP (employees in our case). So I tend to agree with this.
> Our decider also needs the request object though.
>
> -- Velpi
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas-dev/attachments/20061204/ab414bb1/attachment.html

More information about the cas-dev mailing list