Hi Prabath,

On Sat, Oct 22, 2016 at 2:33 AM, Prabath Siriwardana <[email protected]> wrote:

> Thanks!
>
> Few questions related to the certificate-based handler...
>
> 1. Why do we expect username to be passed along with the request and it's
> a must...?

Yes. Username is not a must. As I have explained in my other mail, only if we are going to do username based authorization then username is a must. In that case it will fail at the authorization handler level. At this level it will pass because the certificate is valid.

> 2. Also, we are not checking whether we have the original certificate - we
> only rely on the TLS mutual auth validation at the container level - which
> only checks whether the cert is trusted (signed by a trusted CA). That
> means anyone having a certificate from a trusted CA can invoke the API.

Yes, we need to validate that it's in our trust store also.

> [1]: https://github.com/wso2-extensions/identity-carbon-auth-rest/blob/master/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/impl/ClientCertificateBasedAuthenticationHandler.java
>
> Thanks & regards,
> -Prabath
>
> On Thu, Oct 20, 2016 at 7:36 PM, Harsha Thirimanna <[email protected]> wrote:
>
>> Here is the git repo for the authentication layer
>>
>> https://github.com/wso2-extensions/identity-carbon-auth-rest
>>
>> *Harsha Thirimanna*
>> Associate Tech Lead | WSO2
>>
>> Email: [email protected]
>> Mob: +94715186770
>> Blog: http://harshathirimanna.blogspot.com/
>> Twitter: http://twitter.com/harshathirimann
>> Linked-In: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
>>
>> On Fri, Oct 21, 2016 at 7:28 AM, Prabath Siriwardana <[email protected]> wrote:
>>
>>> Can you please share the git repo where we have the code for the
>>> 'authentication layer'....?
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>> On Thu, Oct 20, 2016 at 12:19 AM, Harsha Thirimanna <[email protected]> wrote:
>>>
>>>> If there is any REST API that is already secured within itself by the feature,
>>>> then we have to remove it and use this. As an example: DCR. In DCR we expect the user
>>>> in the request payload for now and those APIs are not secured. After applying this
>>>> we can remove the user from the request payload and rely on this. And in the same way
>>>> we may have to check other REST APIs, whether those rely on any other
>>>> secure mechanism.
>>>>
>>>> @Isura, Can you please confirm in identity management REST APIs like
>>>> inforecovery?
>>>>
>>>> @Ayesha,
>>>> Ishara already tested the DCR and you can fix that by removing the user in the
>>>> payload, apply this and test.
>>>>
>>>> *Harsha Thirimanna*
>>>> Associate Tech Lead | WSO2
>>>>
>>>> Email: [email protected]
>>>> Mob: +94715186770
>>>> Blog: http://harshathirimanna.blogspot.com/
>>>> Twitter: http://twitter.com/harshathirimann
>>>> Linked-In: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
>>>>
>>>> On Thu, Oct 20, 2016 at 12:34 PM, Ishara Karunarathna <[email protected]> wrote:
>>>>
>>>>> Hi Ayesha,
>>>>>
>>>>> This feature provides an authentication layer in front of any unsecured
>>>>> REST APIs. So do we need to test this with all the REST APIs?
>>>>>
>>>>> -Ishara
>>>>>
>>>>> On Thu, Oct 20, 2016 at 12:05 PM, Ayesha Dissanayaka <[email protected]> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I have started testing the "Generic Authentication Mechanism to all
>>>>>> the REST APIs" feature [1] in IS-5.3.0.
>>>>>> Please mention details on REST APIs in IS services which need to be
>>>>>> secured, so that I can test those APIs with this feature.
>>>>>>
>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-4742
>>>>>>
>>>>>> Thanks!
>>>>>> -Ayesha
>>>>>>
>>>>>> --
>>>>>> *Ayesha Dissanayaka*
>>>>>> Software Engineer,
>>>>>> WSO2, Inc : http://wso2.com
>>>>>> 20, Palmgrove Avenue, Colombo 3
>>>>>> E-Mail: [email protected]
>>>>>
>>>>> --
>>>>> Ishara Karunarathna
>>>>> Associate Technical Lead
>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>
>>>>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
>>>>
>>>> _______________________________________________
>>>> Architecture mailing list
>>>> [email protected]
>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>> --
>>> Thanks & Regards,
>>> Prabath
>>>
>>> Twitter : @prabath
>>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>>
>>> Mobile : +1 650 625 7950
>>>
>>> http://facilelogin.com
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://facilelogin.com

--
Thanks & Regards,
*Johann Dilantha Nallathamby*
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware

Mobile - *+94777776950*
Blog - *http://nallaa.wordpress.com*
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
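The trust-store check the thread agrees is missing (point 2 above), as an added Java example that is not the identity-carbon-auth-rest handler's code. It assumes a servlet container that has already completed TLS mutual auth and exposes the client chain under the standard `javax.servlet.request.X509Certificate` request attribute, and a JKS trust store whose path and password the caller supplies; the class name and method names are hypothetical.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;

// Added example: accepts a client only if the leaf certificate it presented over
// mutual TLS is itself an entry in our trust store, not merely signed by a trusted CA.
public final class ClientCertTrustStoreCheck {
    private final KeyStore trustStore;

    public ClientCertTrustStoreCheck(String path, char[] password)
            throws GeneralSecurityException, IOException {
        trustStore = KeyStore.getInstance("JKS"); // assumed: JKS trust store on disk
        try (FileInputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
    }

    // Returns the subject CN when the leaf certificate is stored in our trust store,
    // or null when it is not (the container's CA-chain check alone is not enough).
    public String authenticate(HttpServletRequest request) throws GeneralSecurityException {
        X509Certificate[] chain =
                (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            return null; // no client certificate: mutual auth did not happen
        }
        X509Certificate leaf = chain[0]; // chain[0] is the client's own certificate
        leaf.checkValidity(); // throws CertificateException if expired or not yet valid
        // getCertificateAlias() returns null unless this exact certificate is an entry.
        if (trustStore.getCertificateAlias(leaf) == null) {
            return null;
        }
        return commonName(leaf);
    }

    // Extracts CN from the subject DN; only needed when username-based authorization follows.
    static String commonName(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException ignored) { }
        return null;
    }
}
```

A null return from `authenticate` means the request should be rejected at this handler even though the container's TLS handshake succeeded; the CN it returns is what a later username-based authorization handler would consume.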
