[Registry-dev] Moving authorization functionality to the JDBC registry
Chathura C. Ekanayake
chathura at wso2.com
Thu Mar 13 22:00:32 PDT 2008
Glen proposed earlier that we can remove the SecureRegistry and
perform the authorizations inside the jdbc registry.
Now I also feel that it is better to do authorization operations in the
jdbc registry itself, for the following reasons:
1) Handlers may want to perform their own authorizations for resources
they handle. But handlers are executed inside the jdbc registry.
2) Resource and Collection implementations need to authorize
dependencies, child resource paths, etc. These authorizations do not go
through the secure registry.
3) In some situations it is more efficient to perform authorization as
soon as the record is retrieved from the database (i.e. after
resultSet.next()). This especially helps in pagination.
4) If we keep the secure registry and perform authorizations in places 1,
2 and 3 above as well, it is confusing to the API users, who may
think that authorizations only occur in the secure registry.
So I think we can remove the secure registry and perform authorizations
in the relevant places. Still, we can support a "non-secure" registry where all
the actions are performed using the "anonymous" user. So there won't be
any added complexity to the simplest usage.
Thoughts...
Thanks,
Chathura
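
Point 3 of the message, sketched as an added example (not part of the original message and not WSO2 Registry code): it compares filtering a page after the storage layer has already cut it with authorizing each record as it comes off the cursor. Python's sqlite3 cursor stands in for the JDBC `resultSet.next()` loop; the schema, the user `alice` and all function names are assumptions.

```python
import sqlite3

def build_db():
    """Constructed sample data: 12 resources; 'alice' may read the even ones."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE resources (path TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE read_grants (username TEXT, path TEXT)")
    db.executemany("INSERT INTO resources VALUES (?)",
                   [(f"/r{i:02d}",) for i in range(1, 13)])
    db.executemany("INSERT INTO read_grants VALUES ('alice', ?)",
                   [(f"/r{i:02d}",) for i in range(2, 13, 2)])
    return db

def is_authorized(db, user, path):
    """Hypothetical permission check: a read grant row must exist."""
    row = db.execute(
        "SELECT 1 FROM read_grants WHERE username = ? AND path = ?",
        (user, path)).fetchone()
    return row is not None

def page_then_filter(db, user, page, size):
    """Wrapper-style authorization: storage pages first, wrapper filters after.
    Pages come back short because denied rows were already counted."""
    rows = db.execute(
        "SELECT path FROM resources ORDER BY path LIMIT ? OFFSET ?",
        (size, page * size)).fetchall()
    return [p for (p,) in rows if is_authorized(db, user, p)]

def filter_while_fetching(db, user, page, size):
    """Authorization at retrieval: check each record as it is read, count only
    authorized rows toward offset and page size, stop when the page is full."""
    out, skipped = [], 0
    cur = db.execute("SELECT path FROM resources ORDER BY path")
    for (path,) in cur:          # analogous to while (resultSet.next())
        if not is_authorized(db, user, path):
            continue             # denied rows never leave the storage layer
        if skipped < page * size:
            skipped += 1
            continue
        out.append(path)
        if len(out) == size:
            break                # no need to read the rest of the result set
    return out

if __name__ == "__main__":
    db = build_db()
    print(page_then_filter(db, "alice", 0, 4))
    print(filter_while_fetching(db, "alice", 0, 4))
```
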