Hi all,

Mutual SSLAuthenticator is implemented and tested with AS.

thanks,
dimuthu

On Fri, Aug 16, 2013 at 11:33 AM, Afkham Azeez <[email protected]> wrote:
>
> On Fri, Aug 16, 2013 at 11:26 AM, Dimuthu Leelarathne <[email protected]> wrote:
>
>> Hi Azeez,
>>
>> On Fri, Aug 16, 2013 at 11:16 AM, Afkham Azeez <[email protected]> wrote:
>>
>>> If the tenant somehow manages to override the behavior of the "admin"
>>> services in their spaces, can it cause any adverse effects to other tenants
>>> or the system? Will that cause them to override the default policies
>>> enforced in the system?
>>
>> I don't see that happening because we are talking about services within a
>> tenant; perhaps I am missing a point.
>
> Who initially deploys these admin services into the tenant space?
>
> If the tenant replaces these services with a different implementation, but
> using the same service EPRs, will it cause a security issue?
>
>> thanks,
>> dimuthu
>>
>>> Azeez
>>>
>>> On Wed, Aug 14, 2013 at 9:26 AM, Dimuthu Leelarathne <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> AF BPELs are running in the super tenant space. Now the question is
>>>> whether BPEL should invoke admin services deployed in the respective tenant
>>>> space or the super tenant space.
>>>>
>>>> Here is a sample of the admin services [1]. From that we can see that some
>>>> admin services should be in the super tenant space and others in the
>>>> respective tenant space.
>>>>
>>>> So now comes the question: how can a BPEL running in the admin space invoke
>>>> an admin service in the tenant space?
>>>>
>>>> Here is the answer that can be seen so far.
>>>>
>>>> 1 - Write the mutual auth authenticator for the Carbon framework. This
>>>> would check whether the call is coming over a 2-way SSL connection and let
>>>> the user through. The authorization happens as the real user. This is
>>>> discussed in the mail thread titled "Multi-tenant AF user model" on
>>>> architecture@.
>>>> 2 - Extend the UnifiedEndPoint handler to inject the invoking person's
>>>> name into a header (SOAP or HTTP).
>>>>
>>>> And another separate point: the admin services marked in yellow should
>>>> have an explicit permission check before performing any action, to check
>>>> whether the user has permission to do the particular action for the
>>>> application.
>>>>
>>>> WDYT?
>>>>
>>>> thanks,
>>>> dimuthu
>>>>
>>>> --
>>>> Dimuthu Leelarathne
>>>> Architect & Product Lead of App Factory
>>>>
>>>> WSO2, Inc. (http://wso2.com)
>>>> email: [email protected]
>>>> Mobile : 0773661935
>>>>
>>>> Lean . Enterprise . Middleware
>>>
>>> --
>>> Afkham Azeez
>>> Director of Architecture; WSO2, Inc.; http://wso2.com
>>> Member; Apache Software Foundation; http://www.apache.org/
>>> email: [email protected]
>>> cell: +94 77 3320919
>>> blog: http://blog.afkham.org
>>> twitter: http://twitter.com/afkham_azeez
>>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>>
>>> Lean . Enterprise . Middleware

--
Dimuthu Leelarathne
Architect & Product Lead of App Factory

WSO2, Inc. (http://wso2.com)
email: [email protected]
Mobile : 0773661935

Lean . Enterprise . Middleware
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
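Added illustration (not code from this thread, nor from the WSO2 Carbon or App Factory code bases): a plain Java Servlet filter showing the check that option 1 above describes, combined with the header from option 2. The request is admitted only when the container negotiated a two-way SSL connection and the client certificate subject is on an allow-list of super-tenant callers; only then is the user-name header trusted and passed on. The filter class, the header name `X-Invoking-User`, the request attribute `invokingUser` and the trusted subject DN are all assumptions made for the example; a real Carbon authenticator would plug into Carbon's own authenticator interface rather than `javax.servlet.Filter`.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter for a tenant-space admin service endpoint.
 * It lets a call through only if it arrived over mutually authenticated TLS
 * from a trusted super-tenant caller, and only then trusts the identity header
 * that the caller (e.g. the UnifiedEndPoint handler) injected.
 */
public class MutualTlsIdentityFilter implements Filter {

    // Assumed header name; the thread only says "a header (SOAP or HTTP)".
    static final String USER_HEADER = "X-Invoking-User";

    // Constructed allow-list of client certificate subjects (assumed value).
    // The container has already validated the chain against its trust store;
    // this list narrows "any trusted cert" down to the specific caller we expect.
    private static final Set<String> TRUSTED_SUBJECTS =
            Collections.singleton("CN=appfactory-bpel,O=Example,C=US");

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String callerSubject = verifiedClientSubject(request);
        if (callerSubject == null) {
            // No 2-way SSL from a trusted peer: the header, if present, is untrusted
            // and must not be used to impersonate a user.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "mutual TLS required");
            return;
        }

        String user = request.getHeader(USER_HEADER);
        if (user == null || user.trim().isEmpty()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing " + USER_HEADER);
            return;
        }

        // Hand the asserted user downstream. The admin service itself still has to
        // perform its explicit per-application permission check for this user.
        request.setAttribute("invokingUser", user.trim());
        chain.doFilter(req, res);
    }

    /**
     * Returns the subject DN of the client certificate when the container
     * negotiated client authentication and the subject is on the allow-list,
     * otherwise null.
     */
    static String verifiedClientSubject(HttpServletRequest request) {
        if (!request.isSecure()) {
            return null;
        }
        // Standard Servlet attribute populated by the container on 2-way SSL.
        Object attr = request.getAttribute("javax.servlet.request.X509Certificate");
        if (!(attr instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] certChain = (X509Certificate[]) attr;
        if (certChain.length == 0) {
            return null;
        }
        // certChain[0] is the client's own (leaf) certificate.
        String subject = certChain[0].getSubjectX500Principal().getName();
        return TRUSTED_SUBJECTS.contains(subject) ? subject : null;
    }
}
```

The ordering matters: the header is read only after the transport-level identity has been established, because a user-name header on its own is just bytes any caller can set. If the tenant-space endpoint is reachable without client-certificate authentication, or if the allow-list check is dropped so that any certificate the trust store accepts is enough, a caller could inject an arbitrary `X-Invoking-User` and run the admin operation as that user. Binding the header to the verified certificate is what makes "the authorization happens as the real user" safe, and it does not replace the explicit permission check inside the admin service.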
