I've just added resource authorization, including support for access levels, to a custom security manager. The manager previously granted full access to any and all resources it was asked to authorize. Creating dynamic services to test the plugin revealed some difficulties applying security.
- Does it make sense to enable user authentication in the absence of statically configured location resources? Most of my tests involve feature authorization, and feature resources do not need to be statically configured. Feature authorization doesn't work unless preceded by location authorization.
- If at least one statically configured resource must be configured to trigger user authentication, does it make sense to trigger authentication based on the presence of a resource in any of the three auth maps? I already have to have a statically defined DESDL binding, and I would much rather create a feature or setting resource placeholder and allow each dynamic binding to define its own authorization requirements.
- Should the security manager be given access to the dynamic binding definition? It currently has access to the static configuration, primarily to construct the auth maps. If it could see even part of a dynamic configuration, the dynamic definition could define the entire security configuration for the binding. Without this, each of my five location authorization test bindings required a statically configured binding assigned to a specific, unique port. This is not dynamic.
- Should the dynamic binding be able to manage its own security manager? I believe that dynamic services will eventually need to create their own security managers based on dynamic configuration. Otherwise, services are only as dynamic as the static configuration allows them to be.