CSIv2 1.0 OMG Issue

CSIV2 — Inability to specify per method target security requirements

  • Key: CSIV2-18
  • Legacy Issue Number: 4282
  • Status: closed  
  • Source: Oracle ( Ron Monzillo)
  • Summary:

    The CSIv2 mechanism definition schema does not provide a way to
    associate mechanisms with subsets of the methods of an object.

    Discussion

    EJB method-permissions may be associated with subsets of methods, such
    that a class of EJB objects may have some protected and some unprotected
    methods. By protection I mean that the caller must be authenticated
    and be in an authorized role to access the method. Some methods of an
    EJB may be available to unauthenticated callers, while others may limit
    access to only specific authenticated callers.

    Given a mixed protection object, how would one define its IOR such that
    it could be effectively accessed by its clients without

    1. eliminating unauthenticated access to the object

    that is, mark the target as authentication required

    2. causing unnecessary authentications and usurping the
    client's prerogative to only authenticate when it is required to or
    chooses to.

    that is, mark the target as authentication supported and tell the
    client to authenticate if it can

    3. causing failed attempts because the client does not know that
    the target requires authentication

    that is, mark the target as authentication supported and let the
    client authenticate if it wants to

    Would it be appropriate to add information to the IOR that indicates
    whether the object will check permissions, such that a client
    normally operating in mode 3 would know when it would probably do
    better in mode 2?

    Should a CSIv2 IOR which principally defines (authentication and msg
    protection mechanisms) carry additional information about the
    authorization policy of the object? There is obviously some precedent
    for doing so in the privilege authorities field.

  • Reported: CSIv2 1.0b1 — Tue, 24 Apr 2001 04:00 GMT
  • Disposition: Resolved — CSIv2 1.0
  • Disposition Summary:

    Close issue with no change as this does not apply to CSIv2

  • Updated: Fri, 6 Mar 2015 20:58 GMT
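The three client modes in the issue summary can be modelled to show why one per-object AS_ContextSec setting cannot avoid all three listed outcomes for a mixed-protection object. The following is an added illustration, not part of the OMG issue record or the CSIv2 specification: the `ESTABLISH_TRUST_IN_CLIENT` value is assumed to match the CSIIOP `EstablishTrustInClient` association option, the two-method target and the client policies are constructed samples, and the `object_checks_permissions` field is a hypothetical IOR hint standing in for the extension the issue asks about.

```python
"""Model of CSIv2 client authentication modes against a mixed-protection target.

Added example; it is not code from the OMG issue or from any CSIv2 implementation.
"""
from dataclasses import dataclass

# AssociationOptions bit; value assumed to match CSIIOP::EstablishTrustInClient.
ESTABLISH_TRUST_IN_CLIENT = 64


@dataclass(frozen=True)
class ASContextSec:
    """The parts of an IOR's AS_ContextSec that matter for this model."""
    target_supports: int
    target_requires: int
    # Hypothetical hint (not in CSIv2): "this object checks method permissions".
    object_checks_permissions: bool = False


@dataclass(frozen=True)
class ClientPolicy:
    """can_authenticate: the client holds usable credentials.
    authenticate_when_supported: True models mode 2, False models mode 3."""
    can_authenticate: bool
    authenticate_when_supported: bool


# Constructed sample target: an EJB-like object with one open and one protected method.
METHODS = {"getPublicInfo": False, "transferFunds": True}


def client_authenticates(sec: ASContextSec, client: ClientPolicy) -> bool:
    """Does the client attach a client-authentication token to the request?"""
    if sec.target_requires & ESTABLISH_TRUST_IN_CLIENT:
        return client.can_authenticate            # mode 1: authenticate or fail
    if sec.target_supports & ESTABLISH_TRUST_IN_CLIENT:
        if sec.object_checks_permissions:         # hypothetical hint: prefer mode 2
            return client.can_authenticate
        return client.can_authenticate and client.authenticate_when_supported
    return False


def target_decides(sec: ASContextSec, authenticated: bool, method: str) -> str:
    """Target-side outcome of one invocation of `method`."""
    if sec.target_requires & ESTABLISH_TRUST_IN_CLIENT and not authenticated:
        return "rejected (no client auth, target requires it)"
    if METHODS[method] and not authenticated:
        return "rejected (method permission denied)"
    if not METHODS[method] and authenticated:
        return "ok (authentication was unnecessary)"
    return "ok"


def simulate(sec: ASContextSec, client: ClientPolicy) -> dict:
    """Outcome per method for one IOR setting and one client policy."""
    authed = client_authenticates(sec, client)
    return {m: target_decides(sec, authed, m) for m in METHODS}


REQUIRED = ASContextSec(ESTABLISH_TRUST_IN_CLIENT, ESTABLISH_TRUST_IN_CLIENT)
SUPPORTED = ASContextSec(ESTABLISH_TRUST_IN_CLIENT, 0)
SUPPORTED_WITH_HINT = ASContextSec(ESTABLISH_TRUST_IN_CLIENT, 0, object_checks_permissions=True)

ANONYMOUS = ClientPolicy(can_authenticate=False, authenticate_when_supported=False)
MODE2 = ClientPolicy(can_authenticate=True, authenticate_when_supported=True)
MODE3 = ClientPolicy(can_authenticate=True, authenticate_when_supported=False)


if __name__ == "__main__":
    for label, sec in (("required", REQUIRED), ("supported", SUPPORTED),
                       ("supported+hint", SUPPORTED_WITH_HINT)):
        for cname, client in (("anonymous", ANONYMOUS), ("mode 2", MODE2), ("mode 3", MODE3)):
            print(f"{label:15} {cname:10} {simulate(sec, client)}")
```

Running it prints the matrix: marking the target as required shuts out the anonymous caller from even the public method (outcome 1), marking it as supported makes a mode 2 client authenticate for the public method (outcome 2), and a mode 3 client fails on the protected method (outcome 3). Only the hypothetical hint lets a mode 3 client switch behaviour, and it still cannot spare the public method an unnecessary authentication, which is the per-method granularity the issue says the schema lacks.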