Caretaker Pattern

Described in ParadigmRegained.

A variant on the HandleBodyPattern (a.k.a. WrapperPattern); grants a capability by transparently forwarding messages to a specified receiver (the body), for the purpose of making the capability revocable (for example by later setting its reference to the wrapped receiver to null).

Normally the caretaker has an interface separate from its forwarding interface, that is used to trigger the revocation.

If the system uses permission flags, the caretaker can restrict which permissions are allowed rather than supporting only all-or-nothing revocation. This effectively combines the caretaker with the handle object in FacetPattern.

The authors of ParadigmRegained (the esteemed MarkMiller? and JonathanShapiro?) consider CaretakerPattern to invalidate the argument that capability revocation is infeasible.

Originally discussed in D. D. Redell, Naming and Protection in Extendible Operating Systems, Project MAC TR-140, MIT, November 1974. (Ph. D. thesis.)


I've used a variation on the CaretakerPattern...where the purpose is not capability revocation, but client ID. In a project I worked on, there was an architecture similar to ModelViewController, with multiple controllers. It was useful to know which controller was invoking the model; however the model already had a published API that I didn't want to change (at least not in the application code). So I created a set of "client ID" objects which were essentially proxies for the model; each controller had a unique "client ID" object and invoked the API through that. The client ID object, when delegating to the actual model, included a pointer to itself in the API call; so that the model knew which controller was calling it. Different controllers had different access levels, and this also allowed filtering of the callbacks to the associated views.

Not sure if that pattern deserves its own name or not.

This approach is also used in capability systems, when you want an object to be separately revocable for different clients.


Is there generally considered to exist a subclass of the CaretakerPattern, called DataAccessObject?


Comment moved to RevokableCapabilities -- has nothing to do with CaretakerPattern that I can see. -- RK


See also: CapabilitySecurityModel, CapabilityOrientedProgramming


CategorySecurityPatterns

EditText of this page (last edited July 5, 2012) or FindPage with title or text search