Hi Prabath,
Yes, I missed a point. The following code will break:
    Group devTeam = ...;
    devTeam.updateRoles(Collections.singletonList(adminRole));

But why do we really need this? In the C4 world we would have made devTeam a role as well and directly assigned permissions to it? I assume that's how the 'team' concept was implemented in C4 AppFac. Why change if it worked?

On Tue, May 24, 2016 at 4:03 PM, Prabath Siriwardana <[email protected]> wrote:

> Hi Manu,
>
> That's not right... What a user can do (authorization) is decided based on the permissions attached to the roles that the user inherits... A user inherits roles by a direct role assignment or from a group that the user belongs to...
>
> Thanks & regards,
> -Prabath
>
> On Tue, May 24, 2016 at 12:49 PM, Manuranga Perera <[email protected]> wrote:
>
>> Thanks Darshana.
>> So if I s/Group/Role/ in my code, it will still work the same. In that case is it worth implementing a new concept called Group?
>>
>> On Tue, May 24, 2016 at 12:35 PM, Darshana Gunawardana <[email protected]> wrote:
>>
>>> Hi Manu,
>>>
>>> On Tue, May 24, 2016 at 9:03 PM, Manuranga Perera <[email protected]> wrote:
>>>
>>>> Hi Darshana,
>>>> Can you please explain the difference between Group and Role? In the permission meeting Sanjiva said they are different, but I don't see it from the code.
>>>>
>>>> From a semantic point of view:
>>>> User has both getGroups and getRoles
>>>> Both Group and Role have getUsers
>>>>
>>> If we check from the Permission perspective, Permissions have a direct mapping with Roles only. In other words, Users/Groups get the necessary privileges only via the Roles they are assigned to.
>>>
>>> You can find this behaviour in the code from the Role bean, which has a getPermissions() method [1], whereas Group doesn't have such a method.
>>>
>>> Basically,
>>> - Group is a collection of users.
>>> - Role is a collection of permissions.
>>>
>>> IdentityStore is managing,
>>> - Users
>>> - Groups
>>> - User-Group mapping
>>>
>>> AuthorizationStore is managing,
>>> - Roles
>>> - Permissions
>>> - Role-Permission mapping
>>> - Role-Group mapping
>>> - Role-User mapping
>>>
>>> If we take the "User bean" [2], it should have all the necessary methods that need to be done on a "User", and the User bean internally makes use of the relevant store methods to produce its result.
>>>
>>> [1] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/bean/Role.java#L83
>>> [2] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/bean/User.java
>>>
>>> Thanks,
>>>
>>>> From an implementation point of view:
>>>> getGroup code in IdentityStore is almost identical to getRole code in AuthorizationStore
>>>>
>>>> On Tue, May 24, 2016 at 2:35 AM, Darshana Gunawardana <[email protected]> wrote:
>>>>
>>>>> Hi Jayanga,
>>>>>
>>>>> Almost all APIs need to be given the entryID and the relevant storeID. For example,
>>>>>
>>>>> - IdentityStore has getUserAttributeValues(String userID, String userStoreId);
>>>>> - IdentityStore has getUsersOfGroup(String groupID, String userStoreId)
>>>>> - AuthorizationStore has getGroupsOfRole(String roleId, String authorizationStoreId);
>>>>>
>>>>> If we take getUserAttributeValues() as an example, the API consumer has to:
>>>>> I. retrieve the relevant User object before calling the getUserAttributeValues() method
>>>>> II. extract userID and userStoreId from the User object
>>>>> III. pass those values to the getUserAttributeValues() method
>>>>>
>>>>> Wouldn't it be more convenient for developers, and a cleaner API, if the API accepted the entry object directly rather than the entryID and storeID separately?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> On Wed, May 4, 2016 at 12:45 PM, Omindu Rathnaweera <[email protected]> wrote:
>>>>>
>>>>>> The following snippet shows how authentication and authorization can be done using the user APIs. We use a similar approach in JAAS as well [1][2].
>>>>>>
>>>>>>> NameCallback usernameCallback = new NameCallback("username");
>>>>>>> PasswordCallback passwordCallback = new PasswordCallback("password", false);
>>>>>>> usernameCallback.setName("admin");
>>>>>>> passwordCallback.setPassword(new char[]{'a', 'd', 'm', 'i', 'n'});
>>>>>>> Callback[] callbacks = {usernameCallback, passwordCallback};
>>>>>>> try {
>>>>>>>     // Authentication: the credential store verifies the callbacks and returns the User bean
>>>>>>>     AuthenticationContext authenticationContext = CarbonSecurityDataHolder.getInstance().getCarbonRealmService()
>>>>>>>             .getCredentialStore().authenticate(callbacks);
>>>>>>>     User user = authenticationContext.getUser();
>>>>>>>     // Authorization: returns whether the authenticated user holds the permission
>>>>>>>     user.isAuthorized(new Permission(carbonPermission.getName(), carbonPermission.getActions()));
>>>>>>> } catch (AuthenticationFailure authenticationFailure) {
>>>>>>>     throw new LoginException("Authentication failure.");
>>>>>>> }
>>>>>>
>>>>>> [1] - https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/jaas/modules/UsernamePasswordLoginModule.java#L108-L114
>>>>>> [2] - https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/jaas/CarbonPrincipal.java#L76-L82
>>>>>>
>>>>>> Regards,
>>>>>> Omindu.
>>>>>>
>>>>>> On Tue, May 3, 2016 at 7:40 PM, Kishanthan Thangarajah <[email protected]> wrote:
>>>>>>
>>>>>>> Can you provide a code sample on how the user authorization is done (the flow) based on the above explanation?
>>>>>>>
>>>>>>> On Tue, May 3, 2016 at 2:31 PM, Jayanga Kaushalya <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Kishanthan,
>>>>>>>>
>>>>>>>> The respective store ids are available through the respective beans. For example, the User bean has the identity store id and the credential store id. To call an API which requires a store id, you need to have the respective bean first. For example, authenticating a user by calling the authenticate method will return a User bean with its identity store id and the credential store id. Otherwise, by calling the getUser(username) method you can get the User bean. Most of the operations which require a store id can be called directly from the bean itself. For example, isUserAuthorized can be called like User.isAuthorized(Permission).
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> *Jayanga Kaushalya*
>>>>>>>> Software Engineer
>>>>>>>> Mobile: +94777860160
>>>>>>>> WSO2 Inc. | http://wso2.com
>>>>>>>> lean.enterprise.middleware
>>>>>>>>
>>>>>>>> On Tue, May 3, 2016 at 11:56 AM, Kishanthan Thangarajah <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> In most of the API methods we could see that we need to pass the identityStoreId, like below.
>>>>>>>>>
>>>>>>>>> public boolean isUserAuthorized(String userId, Permission permission, String identityStoreId)
>>>>>>>>>
>>>>>>>>> How do we identify this store-id before calling?
>>>>>>>>>
>>>>>>>>> On Sat, Apr 30, 2016 at 10:12 PM, Jayanga Kaushalya <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Darshana,
>>>>>>>>>>
>>>>>>>>>> Yes, those links are correct. We have changed the package name from org.wso2.carbon.security to org.wso2.carbon.security.caas since that is the name we are going to use in future.
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>>
>>>>>>>>>> On Sat, Apr 30, 2016 at 6:49 PM, Darshana Gunawardana <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> I assume these should be the correct links. @Jayanga please correct me if I'm wrong.
>>>>>>>>>>>
>>>>>>>>>>> [1] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/service/RealmService.java
>>>>>>>>>>> [2] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/common/CarbonRealmServiceImpl.java
>>>>>>>>>>> [3] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/store/AuthorizationStore.java
>>>>>>>>>>> [4] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/store/CredentialStore.java
>>>>>>>>>>> [5] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/store/IdentityStore.java
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Darshana
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Apr 29, 2016 at 11:36 PM, Kishanthan Thangarajah <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Can you send the correct GitHub links to these APIs? The provided links are either wrong, or packages/modules have been renamed.
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Apr 29, 2016 at 6:35 PM, Jayanga Kaushalya <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>
>>>>>>>>>>>>> User core related authentication and authorization operations can be accessed through the RealmService. The diagram below explains the brief outlook of the Realm service and the respective stores.
>>>>>>>>>>>>>
>>>>>>>>>>>>> *RealmService*
>>>>>>>>>>>>>
>>>>>>>>>>>>> The Realm service is the User Core API which is exposed to external users. Each store can be accessed through the realm service. The API is available in [1].
>>>>>>>>>>>>>
>>>>>>>>>>>>> *CarbonRealmServiceImpl*
>>>>>>>>>>>>>
>>>>>>>>>>>>> Implementation of the realm service. The API is available in [2].
>>>>>>>>>>>>>
>>>>>>>>>>>>> *IdentityStore*
>>>>>>>>>>>>>
>>>>>>>>>>>>> The Identity store contains all identity management related read-only operations. All CRUD operations related to identity management will be available through an extended version of the user core, which will be available through the carbon identity repository. API details are available in [5].
>>>>>>>>>>>>>
>>>>>>>>>>>>> *CredentialStore*
>>>>>>>>>>>>>
>>>>>>>>>>>>> The Credential store contains all credential management related read-only operations. All CRUD operations related to credential management will be available through an extended version of the user core, which will be available through the carbon identity repository. API details are available in [4].
>>>>>>>>>>>>>
>>>>>>>>>>>>> *AuthorizationStore*
>>>>>>>>>>>>>
>>>>>>>>>>>>> All authorization related CRUD operations will be available through the authorization store.
>>>>>>>>>>>>> API details are available in [3].
>>>>>>>>>>>>>
>>>>>>>>>>>>> [1] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/service/RealmService.java
>>>>>>>>>>>>> [2] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/common/CarbonRealmServiceImpl.java
>>>>>>>>>>>>> [3] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/store/AuthorizationStore.java
>>>>>>>>>>>>> [4] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/store/CredentialStore.java
>>>>>>>>>>>>> [5] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/store/IdentityStore.java
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> *Kishanthan Thangarajah*
>>>>>>>>>>>> Associate Technical Lead,
>>>>>>>>>>>> Platform Technologies Team,
>>>>>>>>>>>> WSO2, Inc.
>>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>>
>>>>>>>>>>>> Mobile - +94773426635
>>>>>>>>>>>> Blog - http://kishanthan.wordpress.com
>>>>>>>>>>>> Twitter - http://twitter.com/kishanthan
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>> *Darshana Gunawardana*
>>>>>>>>>>> Senior Software Engineer
>>>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>>>>
>>>>>>>>>>> E-mail: [email protected]
>>>>>>>>>>> Mobile: +94718566859
>>>>>>>>>>> Lean . Enterprise . Middleware
>>>>>>
>>>>>> --
>>>>>> Omindu Rathnaweera
>>>>>> Software Engineer, WSO2 Inc.
>>>>>> Mobile: +94 771 197 211
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://facilelogin.com

--
With regards,
*Manu*ranga Perera.
phone : 071 7 70 20 50
mail : [email protected]
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
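The Group/Role split that Darshana and Prabath describe in the thread above (a Group is a collection of users kept by the IdentityStore, a Role is a collection of permissions kept by the AuthorizationStore, and a user inherits roles directly or via group membership), as an added in-memory example; this is not carbon-security code, the class, map and method names are assumptions, the sample users, groups and permissions are constructed, and it needs Java 16+ for the record. It also plays through Manu's devTeam/adminRole scenario to show that a role granted to a group changes the effective permissions of every member, which is why such group-level grants deserve review.

```java
import java.util.*;

// Added example, not carbon-security code: an in-memory model of the split the thread
// describes. IdentityStore owns users, groups and the user-group mapping; AuthorizationStore
// owns roles, permissions and the role-permission, role-user and role-group mappings.
public class RoleResolutionExample {
    // Record gives value equality, so Set.contains() compares resource+action
    record Permission(String resource, String action) {}
    // IdentityStore side (constructed data, filled in main)
    static final Map<String, Set<String>> GROUPS_OF_USER = new HashMap<>();
    // AuthorizationStore side
    static final Map<String, Set<Permission>> PERMISSIONS_OF_ROLE = new HashMap<>();
    static final Map<String, Set<String>> ROLES_OF_USER = new HashMap<>();
    static final Map<String, Set<String>> ROLES_OF_GROUP = new HashMap<>();

    // Prabath's rule: a user inherits roles assigned directly and roles assigned to
    // any group the user belongs to; a Group itself never carries permissions.
    static Set<String> effectiveRoles(String userId) {
        Set<String> roles = new TreeSet<>(ROLES_OF_USER.getOrDefault(userId, Set.of()));
        for (String group : GROUPS_OF_USER.getOrDefault(userId, Set.of())) {
            roles.addAll(ROLES_OF_GROUP.getOrDefault(group, Set.of()));
        }
        return roles;
    }

    // Stand-in for User.isAuthorized(Permission): granted if any inherited role holds it
    static boolean isAuthorized(String userId, Permission permission) {
        for (String role : effectiveRoles(userId)) {
            if (PERMISSIONS_OF_ROLE.getOrDefault(role, Set.of()).contains(permission)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Permission deploy = new Permission("/apps", "deploy");
        Permission manageUsers = new Permission("/users", "write");
        PERMISSIONS_OF_ROLE.put("developer", Set.of(deploy));
        PERMISSIONS_OF_ROLE.put("admin", Set.of(deploy, manageUsers));
        GROUPS_OF_USER.put("alice", Set.of("devTeam"));   // alice has no direct role assignment
        ROLES_OF_GROUP.put("devTeam", new HashSet<>(Set.of("developer")));
        System.out.println(effectiveRoles("alice") + " -> manage users? "
                + isAuthorized("alice", manageUsers));
        // Manu's devTeam.updateRoles(singletonList(adminRole)): a role granted to the
        // group is inherited by every member, so alice's authorization answer changes too
        ROLES_OF_GROUP.get("devTeam").add("admin");
        System.out.println(effectiveRoles("alice") + " -> manage users? "
                + isAuthorized("alice", manageUsers));
    }
}
```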
