Re: groups method for Principal class needed

David Brownell (David.Brownell@Eng)
Tue, 19 Aug 1997 19:56:29 -0700

Date: Tue, 19 Aug 1997 19:56:29 -0700
From: David.Brownell@Eng (David Brownell)
Message-Id: <199708200256.TAA22544@argon.eng.sun.com>
To: java-security@web2.javasoft.com, proberts@abaton.com
Subject: Re: groups method for Principal class needed

> Date: Mon, 18 Aug 1997 11:12:34 -0500
> From: proberts@abaton.com (Paul Roberts)
> To: java-security@web2.javasoft.com
> Subject: groups method for Principal class needed
>
> One of the security white papers covers the rules for how permissions
> are calculated. It essentially is a union of the permissions for the
> individual principal and any group to which they belong.

... modulo blacklisting, which complicates things quite a lot. You can
also need to establish that the principal is NOT a member of a group,
to establish that a permission's not been denied to that principal.

> The only way I
> see to determine if a principal is a member of the group is the isMember
> method in the Group class. That does not seem like an efficient way to
> determine a principal's group memberships.
>
> Given how the net permissions are calculated, it makes sense to me that
> a method to get all the groups of which a principal is a member should
> be added to the interface for java.security.Principal.
>
> ...or have I missed something?

Perhaps that the java.security.Acl.checkPermission() is expected to be
called more often than Acl.getPermissions(); it can be faster since it
only needs to be concerned with ACL entries relating to a single
Permission, rather than all the Permissions mentioned in the ACL.

Some common implementations of group membership wouldn't make a
"getGroups" method be an efficient operation whatsoever. Also, what
about groups that include other groups? In any case, if you happen
to have an efficient implementation of that, you could use it to
implement isMember.

On a related point, you'll notice there's currently no "java.*" API to
enumerate the groups (or principals) in any scope (domain, realm,
whatever you prefer to call it). The JavaServer (tm) Toolkit includes
"realm" APIs that allow this, though it doesn't currently include an
API that'd let you enumerate the groups associated with a user.

- Dave

> -Paul
>
>
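A small model of the permission rule Paul cites and the negative-entry and nested-group wrinkles Dave raises, added here as an illustration; it is not code from the thread or from the JDK's java.security.acl package, assumes Java 8 or later, and the Name, Group and Entry classes are invented for the example.

```java
import java.security.Principal;
import java.util.*;

// Hypothetical model of "net permissions = union over the principal and its groups,
// minus anything a negative (blacklist) entry denies"; not the JDK's Acl implementation.
public class AclModel {
    // A named principal; groups are principals that may contain other groups.
    static class Name implements Principal {
        final String n; Name(String n) { this.n = n; }
        public String getName() { return n; }
        public boolean equals(Object o) { return o instanceof Name && ((Name) o).n.equals(n); }
        public int hashCode() { return n.hashCode(); }
    }
    static class Group extends Name {
        final Set<Principal> members = new HashSet<Principal>();
        Group(String n) { super(n); }
        // Recursive check: with nested groups, isMember must walk the tree,
        // which is why a flat "getGroups" is not a cheap operation in general.
        boolean isMember(Principal p) {
            for (Principal m : members)
                if (m.equals(p) || (m instanceof Group && ((Group) m).isMember(p))) return true;
            return false;
        }
    }
    // One ACL entry: a principal or group, its permissions, and whether it grants or denies.
    static class Entry {
        final Principal who; final boolean negative; final Set<String> perms;
        Entry(Principal who, boolean negative, String... perms) {
            this.who = who; this.negative = negative;
            this.perms = new HashSet<String>(Arrays.asList(perms));
        }
        boolean applies(Principal p) {
            return who.equals(p) || (who instanceof Group && ((Group) who).isMember(p));
        }
    }
    // Like Acl.getPermissions(): must consider every entry in the ACL.
    static Set<String> getPermissions(List<Entry> acl, Principal p) {
        Set<String> granted = new HashSet<String>(), denied = new HashSet<String>();
        for (Entry e : acl) if (e.applies(p)) (e.negative ? denied : granted).addAll(e.perms);
        granted.removeAll(denied);   // a denial anywhere overrides a grant anywhere
        return granted;
    }
    // Like Acl.checkPermission(): only entries naming this one permission matter,
    // and the scan can stop as soon as a matching negative entry is found.
    static boolean checkPermission(List<Entry> acl, Principal p, String perm) {
        boolean granted = false;
        for (Entry e : acl) {
            if (!e.perms.contains(perm) || !e.applies(p)) continue;
            if (e.negative) return false;
            granted = true;
        }
        return granted;
    }
    public static void main(String[] args) {   // constructed sample: alice in staff, staff in everyone
        Name alice = new Name("alice"); Group staff = new Group("staff"), everyone = new Group("everyone");
        staff.members.add(alice); everyone.members.add(staff);
        List<Entry> acl = Arrays.asList(new Entry(everyone, false, "read"),
            new Entry(staff, false, "write"), new Entry(alice, true, "write")); // alice denied write
        System.out.println(getPermissions(acl, alice));
        System.out.println(checkPermission(acl, alice, "write"));
    }
}
```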