Hi folks,

In my battle against 1z0-865 assignment, I've another question about assumptions.

My assignment explicitly says that security is a concern, in assignment's business model is not provided an user entity or anything about security. But my use cases mentions about login.

So, I've developed a simple authentication using an User entity, but I don't believe that rewrites the wheel and solely that would provide security for me.

I was thinking if can I assume that there's an enterprise authentication system, which I can connect and retrieve authentication and authorization, instead of stay with my current model (AuthenticationService, UserDAO, User).

Can I assume that there's an external authentication and authorization system? What's better to do?

Best,

Sergio.

If your assignment gives some indication the business is large enough to have one, that makes sense. (and most should be). If not, you can always do a basic LDAP one.

You wouldn't see anything in the provided entity list about security because it isn't a business entity. It is a technical feature that is important.

Jeanne Boyarsky wrote:If your assignment gives some indication the business is large enough to have one, that makes sense. (and most should be). If not, you can always do a basic LDAP one.

You wouldn't see anything in the provided entity list about security because it isn't a business entity. It is a technical feature that is important.

Thanks for your answer Jeanne!

I'll assume a CAS server to provide security.

Best,

Sergio.

Hi Sergio,

Does your assignment mention entites that can extend abstract User, like Employee or Customer ?
If so, then you can implement a common parent JPA entity User for db-based authentication.

Mike Degteariov wrote:Hi Sergio,

Does your assignment mention entites that can extend abstract User, like Employee or Customer ?
If so, then you can implement a common parent JPA entity User for db-based authentication.

Hi Mike,

Thanks for your reply! .

My assignment says "login of purchasing agents" and says that "security is a key requirement". As it is a company broker of gems, it doesn't seems to me there's a good security approach use a simple db login based, because there're other systems (recently, this company bought a inventory system made in Java).

Hi Sergio,

One of responsibilities of the architect is to gather all business requirements and translate them to the architecture.

The architecture created will then be given to development teams to implement.

I guess my question is: do you business requirements contain the information about external authentication mechanism that you should use ?

If the answer is yes, then yes, you are done.

But if the answer is no, how can you assume that the system is there when, in fact, it is not there ? Where those who will have to implement your solution will take the authentication system that does not exist ?