directory-fortress mailing list archives

From Chris Pike <clp...@psu.edu>
Subject Re: All or Anonymous User Roles
Date Thu, 10 Dec 2015 21:12:48 GMT
Assuming I understand what you're saying, that sounds great.

So they would be similar to the current Temporal Constraints, but really just check boxes,
one for Anon and another for Auth. So when a session was activated for an authed user, any
roles (and therefore permissions) with the isAuthenticated=true flag would be active?



----- Original Message -----
From: "Shawn McKinney" <smckinney@apache.org>
To: fortress@directory.apache.org
Sent: Thursday, December 10, 2015 3:40:05 PM
Subject: Re: All or Anonymous User Roles

> On Dec 10, 2015, at 12:28 PM, Shawn McKinney <smckinney@apache.org> wrote:
> 
> 
> Of course this doesn’t solve the provisioning use case we discussed earlier, i.e. assigning
> one or the other role.  But wait, maybe it does… could we always assign both and then just
> activate one or the other?  Thinking….

Here’s an idea:

We create a new role validation constraint that activates/deactivates a role based on whether
the session is bound.  That way we assign both roles: AuthUser and AnonUser.  AuthUser activates
iff isAuthenticated=true.  AnonUser activates iff isAuthenticated=false.  

You can then have permissions granted to these roles as needed.

WDYT?

Shawn
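
The constraint proposed in this thread, sketched as an added Java example that is not part of the original messages and is not Fortress code. The `Activation` enum, `Role`, `Session`, `createSession` and the permission names are hypothetical, and the sample assignments are constructed.

```java
import java.util.*;

// Added illustration; these types are hypothetical and are not the Fortress API.
public class AuthStatusConstraintDemo {
    enum Activation { WHEN_AUTHENTICATED, WHEN_ANONYMOUS, ALWAYS }

    static final class Role {
        final String name; final Activation activation; final Set<String> permissions;
        Role(String name, Activation activation, String... permissions) {
            this.name = name; this.activation = activation;
            this.permissions = new LinkedHashSet<>(Arrays.asList(permissions));
        }
    }

    static final class Session {
        final boolean isAuthenticated; // set by the server from the bind result, never by the caller
        final List<Role> activeRoles = new ArrayList<>();
        Session(boolean isAuthenticated) { this.isAuthenticated = isAuthenticated; }
        boolean checkAccess(String permission) {
            // Deny by default: only permissions of activated roles count.
            for (Role r : activeRoles) if (r.permissions.contains(permission)) return true;
            return false;
        }
    }

    // The proposed constraint, evaluated per assigned role at session creation.
    static boolean passes(Role role, boolean isAuthenticated) {
        switch (role.activation) {
            case WHEN_AUTHENTICATED: return isAuthenticated;
            case WHEN_ANONYMOUS:     return !isAuthenticated;
            default:                 return true;
        }
    }

    static Session createSession(List<Role> assigned, boolean isAuthenticated) {
        Session s = new Session(isAuthenticated);
        for (Role r : assigned) if (passes(r, isAuthenticated)) s.activeRoles.add(r);
        return s;
    }

    public static void main(String[] args) {
        // Constructed sample data: both roles are assigned to every user.
        List<Role> assigned = Arrays.asList(
            new Role("AuthUser", Activation.WHEN_AUTHENTICATED, "profile:edit", "page:view"),
            new Role("AnonUser", Activation.WHEN_ANONYMOUS, "page:view"));
        for (boolean authed : new boolean[] { true, false }) {
            Session s = createSession(assigned, authed);
            System.out.println("isAuthenticated=" + authed
                + " profile:edit=" + s.checkAccess("profile:edit")
                + " page:view=" + s.checkAccess("page:view"));
        }
    }
}
```

With both roles assigned, the authenticated session activates only AuthUser and the anonymous session activates only AnonUser, so `profile:edit` is granted in the first case and denied in the second.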
