On a flight from Rome to Warsaw: apparently the droning noise of the plane (or what's left of it after this ) inspires me, and now I finally have the means of pulling out live writer from a pocket and start writing. This time I'd like to explore with you some further consequences of the shift toward claims, and specifically some novel ways of thinking about authorization. The seeds of this discussion are already in the Tao of Claims , but its sheer length makes them accessible only to the very patient reader :-) If you take the time to have a chat with somebody involved in writing software that deal with authorization, you'll likely discover they are driven by 2 main tropisms: 1) stopping unauthorized calls as early as possible in the invocation pipeline and 2) empowering as much as possible the infrastructure guys to specify authorization policies as deployment time options. Both are perfectly sound principles, rooted in the reality of enterprise life: you want to consume as little resources as possible, and you want to be able to translate the company caste system of roles & groups in actual privileges in resource handling. IMHO, however, the view of authorization that those heuristics imply is somewhat crippled and does not exploit the claims system to its full potential. My point is basically rooted on two basic consideration: a) the outcome of an authorization operation is not necessarily just a boolean "yes you can call"/"no you can't call this method";
Read More...