Re: [higgins-dev] Bandit Realm Definition Samples

The test_realms1.xml realms definition file is probably the simplest of
the two samples I sent.  It specifies three realms:
1. An LDAP realm.
2. An XML file realm.
3. A "Join" realm.

Each realm identifies its type (i.e. LDAP, SQL, XML File, "Join,"
etc.)
The LDAP realm contains configuration information about how to connect
to the LDAP server, who to connect as, as well as XACML policy that does
a variety of (sometimes quite complex) mapping of attributes both in and
out of the bandit Identity Abstraction.
The XML file realm contains identity information right inline as part
of its configuration (though it could be in a separate file).  This is
its data source.
The "join" realm simply contains a list of realm identifiers through
which it will join all incoming requests.  The idea was to make this
more complex but, for now, all it did was simply try all operations to
the list of sub-realms and join the results back out.

The bandit Identity Abstraction is simply a Russian doll set of JNDI
context providers.  The topmost level that the user sees (like an
IdASEndpoint?) handles the joining logic.  This goes to another JNDI
level which handles policy modifications (massaging input and output) to
requests.  This layer then goes to the specific JNDI context providers
where the proverbial rubber meets the road where, in this example,
either the configured LDAP server is contacted or the XML data is
accessed according to the massaged request.

It's still not completely clear to me how these map to the proposed
Higgins Context Registry, Context Provider, and Context though.  So,
here are my questions:

1. Would each of the 3 realms be a Context Provider, with the "Join"
Context Provider encapsulating the other two?
2. Via realm configuration, I could easily have had two LDAP realms.
3. Would they both use the same "LDAP" Context Provider with different
URIs?
4. Then, what would the Context represent?  Or would there be a "Join"
Context Provider with two LDAP contexts and an XML context?

Sorry about the fogginess on the purpose of each of these interfaces
but I think more concrete examples such as these will clarify the intent
for me.

Thanks,
Tom

>>> "Tom Doman" <TDoman@xxxxxxxxxx> 7/20/2006 2:24 PM >>>
Attached are a couple of sample bandit realm definition files.
Though I've also attached the governing XML Schema, detailed realm
configuration documentation is available at
http://www.bandit-project.org/index.php/Realm_Configuration if you
want more detail on anything in particular.

Each Bandit realm may be represented by parts of both Higgins Context
Providers and Contexts.  At any rate, that's the mapping we're
currently trying to make so that we can implement all of what we've
done within the Higgins framework.

Thanks,
Tom


