开发者

What LDAP information could be persisted in my application?

开发者 https://www.devze.com 2023-01-22 23:30 出处:网络
Consider a classic LDAP usage for authentication and consequent calls to check if the user 开发者_JAVA技巧has rights to access an object accessible to groups \"foo\", \"bar\" and \"baz\".

Consider a classic LDAP usage for authentication and consequent calls to check if the user 开发者_JAVA技巧has rights to access an object accessible to groups "foo", "bar" and "baz".

I am wondering if I am allowed to persist exact role names, i.e. "foo", "bar" and "baz" and then make CurrentUser.IsInRole("Foo") || CurrentUser.IsInRole("Bar") || CurrentUser.IsInRole("Baz") ? My answer is no since the role (group) name could be changed by the directory administrator at any time. But what to persist, an identifier of a kind?

I have stumbled upon a WebSphere configuration section at http://publib.boulder.ibm.com/infocenter/wpdoc/v510/index.jsp?topic=/com.ibm.wp.ent.doc/wpf/wmm_map.html, the bottom line is that the identifier attribute is configured per provider type. Is this accurate and does it solve the above problem (renamed objects)?

Many thanks!


Any directory admin that goes around changing role names needs his head examined frankly. You have to 'persist' something, not that 'persist' is really the correct term, and the CN is as good as anything else, much better than most. All the examples and samples I've ever seen used hard coded role names.

0

精彩评论

暂无评论...
验证码 换一张
取 消