more description on security model
diff --git a/README-SECURITY-MODEL.md b/README-SECURITY-MODEL.md
index f398ced..aaa1618 100644
--- a/README-SECURITY-MODEL.md
+++ b/README-SECURITY-MODEL.md
@@ -39,8 +39,9 @@
 
 ### A Typical Deployment
 
-   (**Client**)<--https-->(**FortressRest**)<--in-process-->(**FortressCore**)<--ldaps-->(**DirectoryServer**)
+   (**Client**)<--https-->(**FortressRest**)<in-process>(**FortressCore**)<--ldaps-->(**DirectoryServer**)
 
+ * Consists of three tiers: 1. **Client**, 2. Servlet Container hosting **FortressRest**, and 3. **DirectoryServer** that stores the policy information.
  * The **Client** is any HTTP interface that supports the Apache Fortress message formats.
  * **FortressRest** is a web application archive (.war) that deploys into a Servlet Container, i.e. Apache Tomcat.
  * **FortressCore** is a set of APIs that get embedded inside of Java apps (like FortressRest).
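Review bot: The new connector `<in-process>` on the diagram line has the shape of an HTML tag, and the line is indented only three spaces, so it is not a code block; most Markdown renderers will treat it as inline HTML and drop the label from the rendered page. Keep the old `<--in-process-->` form or put the diagram in a code block. The added bullet also counts three tiers while the diagram shows four boxes, so say explicitly that FortressCore runs inside the FortressRest web application and is not a tier of its own. The inline "1. … 2. … 3." numbering would read better as a nested list.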
@@ -48,9 +49,9 @@
 
 ### High-level Security Flow
  * The user credentials are introduced into the call chain by the Client as a standard HTTP basic auth header.
- * Passed into the FortressRest for authentication and coarse-grained authorization before service dispatch.
- * Medium-grained authorization also performed inside Fortress Rest as the service dispatches.
- * Finally, the credentials are converted to an RBAC session and passed into the FortressCore for fine-grained checks (if enabled).
+ * Passed into the Servlet Container for authentication and coarse-grained authorization before dispatch to FortressRest.
+ * Medium-grained authorization performed inside FortressRest as the service dispatches.
+ * Finally, if ARBAC enabled (more later), the credentials are converted to an RBAC session and passed into the FortressCore for fine-grained checks.
 
 ### Apache Fortress Rest security model includes:
 
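Review bot: The third added bullet makes the fine-grained check conditional on "ARBAC enabled (more later)" without defining ARBAC or naming the setting that turns it on. Point to the `is.arbac02` property described further down, and state that when it is off only the Servlet Container and FortressRest checks apply, so readers know which layers are enforced in their deployment. Grammar: "if ARBAC is enabled". The second and third bullets also lack a subject; "The credentials are passed into the Servlet Container …" would match the first bullet.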
@@ -101,7 +102,7 @@
  is.arbac02=true
  ```
 
-a. When enabled, all service invocations perform an ADMIN permission check by invoking [DelAccessMgr.checkAccess](https://directory.apache.org/fortress/gen-docs/latest/apidocs/org/apache/directory/fortress/core/DelAccessMgr.html#checkAccess-org.apache.directory.fortress.core.model.Session-org.apache.directory.fortress.core.model.Permission-) down in the API layer.
+a. When enabled, all service invocations perform an ADMIN permission verification by invoking [DelAccessMgr.checkAccess](https://directory.apache.org/fortress/gen-docs/latest/apidocs/org/apache/directory/fortress/core/DelAccessMgr.html#checkAccess-org.apache.directory.fortress.core.model.Session-org.apache.directory.fortress.core.model.Permission-) down in the API layer.
  
  For example, the permission with an objectName: **org.apache.directory.fortress.core.impl.AdminMgrImpl** and operation name: **addUser** is automatically checked
  during the call to the **userAdd** service.
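Review bot: Changing "check" to "verification" in item a. leaves the wording inconsistent with the example right below it, which still says the permission "is automatically checked", and with the method name `checkAccess` itself. Either keep "check" or change both places. While editing this sentence it would be worth stating what the caller gets back when the ADMIN permission check fails, since the text only describes the success path.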