We are developing an Event Notification Service. The application at a high level looks like below:
Our development scope involves the widget and the ENS.
"ENS" acts as a central point of collection for certain types of events that are of interest to users. Any user who wants to know when these types of events occur registers with ENS, which identifies events in order and matches notifications with subscriptions.
The user who wants to subscribe should be a valid user of the integrated application (db, SAP system, etc.).
The sequence of events:
ENS are the web-services.
ENS polls the SAP (and other applications), and this is where the problem is becoming more complex. In SAP there is data-level authorization, so not all users are allowed to see all the events/data.
If the SAP has PUSHed the data, along with the info of the users who are authorized to see it, then there are no issues at all.
Case 1: Scheduler is initiated by the ENS
1. User subscribes to a subscription. At the time of subscription, the user is checked for his authorization in the SAP system. If OK, then he will be allowed to subscribe.
2. The scheduler runs at the scheduled time.
3. The scheduler identifies the users who are subscribed.
4. The scheduler uses the stored credentials of the users (stored in ENS) to POLL if the event occurred.
5. Notify users if there are changes.
Disadvantages here:
* User credentials are stored somewhere external - Security team might not accept it
* Redundant hits if more than one user is subscribed for the same piece of information
Case 2: Scheduler is initiated by the WIDGET. User creds will be stored on the user's local machine only. Disadvantages:
* If the subscription is daily and the user's system/widget is not up, the user might miss the notifications that happened on, say, weekends.
* Redundant hits to the server if more than one user is subscribed for the same piece of information.
My questions/doubts:
What are the best practices for storing the users' db, SAP, etc. credentials?
How often should the user be authenticated? Should it be every time the messages are delivered? (If I use this strategy, it will affect the source system.)