[jacc-dev] State machine requirement in Authorization is mismatch between vendor and user code

Hi,

The PolicyConfiguration in Jakarta Authorization is required to be implemented by users providing their own authorization module.

There is however a mismatch between the requirements placed on the vendor (the Jakarta Authorization implementor), and the user providing the module. This is mostly because of the state machine requirement. It's something that has to be exactly implemented as the spec requires it, and has to be done again and again by every user.

We had earlier discussions that this makes little sense.

The state machine can be implemented by the vendor, and just call the user-provided PolicyConfiguration. E.g. Exousia implements this state machine as follows:

https://github.com/eclipse-ee4j/exousia/blob/1.0/impl/src/main/java/org/glassfish/exousia/modules/def/DefaultPolicyConfigurationStateMachine.java

A simplification we could introduce is perhaps to either standardize the state machine as shown above and add it to the API (its code is perhaps simple and straightforward enough) or add a new handler so that custom implementations of the PolicyConfigurationFactory can use this to wrap a PolicyConfiguration that then doesn't have to take care of the state machine requirements.

E.g.

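import java.util.function.Function;

import jakarta.security.jacc.PolicyConfiguration;
import jakarta.security.jacc.PolicyConfigurationFactory;
import jakarta.security.jacc.PolicyContext;
import jakarta.security.jacc.PolicyContextException;

public class DefaultPolicyConfigurationFactory
    extends PolicyConfigurationFactory {

    @Override
    public PolicyConfiguration getPolicyConfiguration(
        String contextID,
        boolean remove)
        throws PolicyContextException {

        // Vendor-supplied wrapper that adds the state machine
        // ("someKey" is a placeholder key)
        @SuppressWarnings("unchecked")
        Function<PolicyConfiguration, PolicyConfiguration> stmWrapper =
            (Function<PolicyConfiguration, PolicyConfiguration>)
                PolicyContext.getContext("someKey");

        // My only implements the policy logic, not the state machine
        PolicyConfiguration myWithStm =
            stmWrapper.apply(new My(contextID));

        ...
    }
}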

Thoughts?

Kind regards,
Arjan Tijms
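
Added example, not part of the original message and not Exousia's code: one way a vendor-side wrapper of the kind proposed above could enforce the open / inService / deleted lifecycle around a state-unaware PolicyConfiguration, so that permissions cannot be changed once a policy context is in service. The class name StateMachineWrapper and the mutator-name check are assumptions, and it assumes the factory creates a fresh wrapper whenever it (re)opens a context.

```java
import jakarta.security.jacc.PolicyConfiguration;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;

/** Hypothetical helper (name assumed): adds the open/inService/deleted state machine to a delegate. */
public final class StateMachineWrapper {
    enum State { OPEN, IN_SERVICE, DELETED }

    // Assumption: the state-restricted methods are addTo*, remove* and linkConfiguration.
    private static boolean isMutator(String name) {
        return name.startsWith("addTo") || name.startsWith("remove") || name.equals("linkConfiguration");
    }

    /** The returned proxy starts in OPEN; the delegate needs no state handling of its own. */
    public static PolicyConfiguration wrap(PolicyConfiguration delegate) {
        State[] state = { State.OPEN };          // single-element holder, guarded by its own monitor
        return (PolicyConfiguration) Proxy.newProxyInstance(
            PolicyConfiguration.class.getClassLoader(),
            new Class<?>[] { PolicyConfiguration.class },
            (proxy, method, args) -> {
                String name = method.getName();
                synchronized (state) {
                    if (name.equals("inService")) {
                        return state[0] == State.IN_SERVICE;   // answered by the wrapper
                    }
                    if (name.equals("commit")) {
                        if (state[0] == State.DELETED) {
                            throw new UnsupportedOperationException("commit on deleted policy context");
                        }
                        if (state[0] == State.IN_SERVICE) {
                            return null;                       // already committed: no-op
                        }
                    } else if (isMutator(name) && state[0] != State.OPEN) {
                        throw new UnsupportedOperationException(name + " not allowed in state " + state[0]);
                    }
                    try {
                        Object result = method.invoke(delegate, args);
                        if (name.equals("commit")) state[0] = State.IN_SERVICE;
                        if (name.equals("delete")) state[0] = State.DELETED;
                        return result;
                    } catch (InvocationTargetException e) {
                        throw e.getCause();                    // surface the delegate's own exception
                    }
                }
            });
    }
}
```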