Kerberized authorization service
Russ Allbery
rra at stanford.edu
Mon Feb 11 13:27:22 EST 2008
John Hascall <john at iastate.edu> writes:
> Russ Allbery <rra at stanford.edu> writes:
>> Stanford currently very much loses on this, in a wide variety of ways.
>> We really only have one authorization system that copes correctly with
>> role status changes (provided that it's used properly), and it only
>> knows how to talk to the financial system and isn't (currently) usable
>> as a general authorization solution. There is some active work in the
>> Internet2 arena on this, but not to the point where I think people are
>> deploying it.
>
> The problem with the Internet2's work in this area
> (i.e., Signet and Grouper) is that
> they seem like they've never met a problem
> that they didn't think the answer to it was:
>
> while (problem) {
> Throw the most complicated XML and Java possible at it.
> }
>
> (And they forgot to catch deathByBloatAndComplexityException)
Yeah, I should probably not get started on that. (Signet is essentially
the next generation of Authority Manager, which is the above-mentioned
application that talks to the financial system.)
Our middleware group is very fond of Java and XML.
I'm, er, not so much. (Although XML does have its place.)
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list