Security:Scattered Security Checks

1,035 bytes added, 22:10, 12 September 2006
= Pros and cons =
 
The main benefit of this model is that, at first glance, it promises more conservative behavior than the [Security:Security_Checks_In_Glue] model: its failure cases are mostly ones where permission is denied when it should have been granted, rather than granted when it should have been denied.
 
The obvious drawback is that you have to keep track of who "the caller" is (the subject principal) at all times. There are several parts to this. First, the subject principal needs to be propagated through various parts of the code. Second, the current subject principal needs to be switched as needed (e.g. when code is no longer acting on behalf of the current subject). Clearly defining when to switch principals is hard; it seems like it would be easy to have errors both of omission (not switching principal when one should, which breaks web compat) and commission (switching principal when one should not, which causes security bugs).
 
I question whether the perceived benefit of this model is in fact realized, given the complexity of changing the subject principal at just the right time.
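The following is an added illustration for this page, not Gecko's code and not its nsIPrincipal/security-manager API: a toy model of scattered checks in which every sensitive object consults an ambient subject principal itself, with the three outcomes the paragraphs above describe (forgetting to elevate, elevating for exactly the privileged step, and leaving the elevated principal in effect when control returns to content). The names Principal, SubjectScope, Document, Prefs and the sample origins are invented for the example.

```cpp
// Toy model of "scattered" security checks (added example, not Gecko code).
// Each sensitive object checks the ambient subject principal on its own.
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// On whose behalf is code running? The system principal subsumes all origins.
struct Principal {
    std::string origin;
    bool system = false;
};

// Ambient subject principal, kept as a stack so nested switches unwind.
static std::vector<Principal> gSubjectStack{Principal{"[system]", true}};
static const Principal& currentSubject() { return gSubjectStack.back(); }

// RAII switch: the subject changes only for the dynamic extent of the scope.
struct SubjectScope {
    explicit SubjectScope(Principal p) { gSubjectStack.push_back(std::move(p)); }
    ~SubjectScope() { gSubjectStack.pop_back(); }
    SubjectScope(const SubjectScope&) = delete;
    SubjectScope& operator=(const SubjectScope&) = delete;
};

// Same-origin style policy: system touches anything, else origins must match.
static bool subsumes(const Principal& subject, const Principal& object) {
    return subject.system || subject.origin == object.origin;
}

// A content document: its accessor performs its own scattered check.
struct Document {
    Principal owner;
    std::string cookie;
    bool readCookie(std::string& out) const {   // false when denied
        if (!subsumes(currentSubject(), owner)) return false;
        out = cookie;
        return true;
    }
};

// Preferences are chrome-only: any non-system subject is denied.
struct Prefs {
    bool read(const std::string& name, std::string& out) const {
        if (!currentSubject().system) return false;
        out = "value-of-" + name;
        return true;
    }
};

struct Outcome {
    bool prefRead;         // did the privileged step of the chrome API succeed?
    bool crossOriginLeak;  // did content read a cookie it must not see?
};

// Fixtures constructed for the example.
static const Principal kContentA{"https://a.example"};
static const Principal kSystem{"[system]", true};
static const Document kDocB{Principal{"https://b.example"}, "secret=b"};
static const Prefs kPrefs{};

// A content-supplied callback that tries to read b.example's cookie.
static bool contentCallback() {
    std::string c;
    return kDocB.readCookie(c);  // true only if the subject subsumes b.example
}

// Error of omission: chrome serves a request from a.example but never switches
// to the system principal, so its own privileged step is denied. Nothing
// leaks, but the feature breaks (the web-compat failure).
static Outcome chromeApiOmission() {
    SubjectScope asContent(kContentA);
    std::string v;
    bool pref = kPrefs.read("ui.foo", v);  // denied: subject is content
    bool leak = contentCallback();         // denied: a.example != b.example
    return {pref, leak};
}

// Correct: elevate only for the privileged step, drop back before re-entering
// content-controlled code.
static Outcome chromeApiCorrect() {
    SubjectScope asContent(kContentA);
    std::string v;
    bool pref;
    {
        SubjectScope asSystem(kSystem);
        pref = kPrefs.read("ui.foo", v);   // granted
    }                                      // subject restored here
    bool leak = contentCallback();         // denied
    return {pref, leak};
}

// Error of commission: the system principal is still in effect when control
// returns to the content callback, so Document::readCookie sees a system
// subject and grants cross-origin access (the security-bug failure).
static Outcome chromeApiCommission() {
    SubjectScope asContent(kContentA);
    SubjectScope asSystem(kSystem);        // never dropped before the callback
    std::string v;
    bool pref = kPrefs.read("ui.foo", v);  // granted
    bool leak = contentCallback();         // granted: bug
    return {pref, leak};
}

int main() {
    auto show = [](const char* name, Outcome o) {
        std::cout << name << ": prefRead=" << o.prefRead
                  << " crossOriginLeak=" << o.crossOriginLeak << "\n";
    };
    show("omission  ", chromeApiOmission());
    show("correct   ", chromeApiCorrect());
    show("commission", chromeApiCommission());
    return 0;
}
```

The point the model makes concrete is that the check inside Document::readCookie is identical in all three cases; only the bookkeeping of the ambient subject differs, and the difference between a broken feature and a cross-origin leak is where one scope ends.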
= Implementation notes =