Hi Ishara,

Another possibility for supporting multiple auth types with what you have proposed is to have a collection of Authenticator interfaces (using a Map, possibly) at the RestAPISecurityInterceptor level. Depending on some condition you could selectively choose what implementation to use at runtime.

On 9 December 2016 at 07:32, Ishara Cooray <[email protected]> wrote:

> Please find my comments in line.
>
> Yes for the moment let's use this approach. Let's have 2 interceptors for authenticate and authorization. From that let's provide way to add pluggable authenticators and authorizers.
> I guess you mean having two interfaces for authenticate and authorization. What if we have two methods in one interface? Otherwise we will have to maintain two configurations.
>
> Also we may be able to route request through multiple authenticators according to predefined order (when we need to support multiple auth types at once).
> +1
>
> Also it's better both identity and APIM can use same approach as we all are doing same thing.
> Identity team is writing JAAS Login Modules
> @Thanuja,
> Do you have any input here?
>
> Thanks & Regards,
> Ishara Cooray
> Senior Software Engineer
> Mobile : +9477 262 9512
> WSO2, Inc. | http://wso2.com/
> Lean . Enterprise . Middleware
>
> On Thu, Dec 8, 2016 at 9:06 PM, Sanjeewa Malalgoda <[email protected]> wrote:
>
>> Yes for the moment let's use this approach. Let's have 2 interceptors for authenticate and authorization. From that let's provide way to add pluggable authenticators and authorizers.
>> Also we may be able to route request through multiple authenticators according to predefined order (when we need to support multiple auth types at once).
>> Also it's better both identity and APIM can use same approach as we all are doing same thing.
>>
>> Thanks,
>> sanjeewa.
>>
>> On Thu, Dec 8, 2016 at 6:59 PM, Ishara Cooray <[email protected]> wrote:
>>
>>> To overcome the above limitation where we cannot plug custom authentication, I came up with the below approach.
>>>
>>> Having one interceptor and delegate authentication to an interface. Implementation of the interface is configurable so that we can plug custom authentication as well.
>>>
>>> [image: Inline image 1]
>>>
>>> One limitation here is we can have only one auth type active at a time.
>>>
>>> Hi Sanjeewa,
>>>
>>> Shall we continue with this approach until we get a proper fix from msf4j?
>>>
>>> Thanks & Regards,
>>> Ishara Cooray
>>> Senior Software Engineer
>>> Mobile : +9477 262 9512
>>> WSO2, Inc. | http://wso2.com/
>>> Lean . Enterprise . Middleware
>>>
>>> On Thu, Dec 8, 2016 at 11:23 AM, Ishara Cooray <[email protected]> wrote:
>>>
>>>> Hi Thilina,
>>>>>
>>>>> And also if there are multiple interceptors and one interceptor returns false from its preCall then the invocation chain will not continue further.
>>>>>
>>>>> So does this imply that if preCall returns 'true' then the invocation chain will continue further?
>>>>>
>>>>
>>>> Yes
>>>>
>>>> I was thinking to return 'true' if particular auth header type (Basic, Bearer) is not found in an interceptor, so that it will check the other available interceptors.
>>>> But I guess this approach may also fail if the request header type is not provided, maybe by mistake.
>>>> Because all the interceptors will return true and will it be taken as a valid authorization?
>>>>
>>>> Thanks & Regards,
>>>> Ishara Cooray
>>>> Senior Software Engineer
>>>> Mobile : +9477 262 9512
>>>> WSO2, Inc. | http://wso2.com/
>>>> Lean . Enterprise . Middleware
>>>>
>>>> On Wed, Dec 7, 2016 at 5:25 PM, Afkham Azeez <[email protected]> wrote:
>>>>
>>>>> On Wed, Dec 7, 2016 at 5:17 PM, Ishara Cooray <[email protected]> wrote:
>>>>>
>>>>>> Hi Thilina,
>>>>>>
>>>>>> And also if there are multiple interceptors and one interceptor returns false from its preCall then the invocation chain will not continue further.
>>>>>>
>>>>>> So does this imply that if preCall returns 'true' then the invocation chain will continue further?
>>>>>>
>>>>>
>>>>> Yes
>>>>>
>>>>>> If that is the case we can return true in our overridden preCall method so that it goes to next Interceptor.
>>>>>>
>>>>>> Thanks & Regards,
>>>>>> Ishara Cooray
>>>>>> Senior Software Engineer
>>>>>> Mobile : +9477 262 9512
>>>>>> WSO2, Inc. | http://wso2.com/
>>>>>> Lean . Enterprise . Middleware
>>>>>>
>>>>>> On Wed, Dec 7, 2016 at 2:33 PM, Afkham Azeez <[email protected]> wrote:
>>>>>>
>>>>>>> How about supporting JAXRS filters?
>>>>>>>
>>>>>>> On Wed, Dec 7, 2016 at 12:52 PM, Thusitha Thilina Dayaratne <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Ishara,
>>>>>>>>
>>>>>>>> As you have mentioned, with the current architecture we can't set the specific interceptor for a particular service but rather to all services in the registry. And also if there are multiple interceptors and one interceptor returns false from its preCall then the invocation chain will not continue further.
>>>>>>>>
>>>>>>>> IMHO we have few options
>>>>>>>>
>>>>>>>> - We can implement a way to register specific interceptors to specific services
>>>>>>>> - We can support JAX-RS Filters
>>>>>>>> - We can provide a way to skip some interceptors for specific services
>>>>>>>>
>>>>>>>> @Azeez WDYT?
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Thusitha
>>>>>>>>
>>>>>>>> On Wed, Dec 7, 2016 at 10:56 AM, Ishara Cooray <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> We are using MSF4J interceptor for securing REST APIs in API Manager. [1] As for now Interceptor registration happens at the class level @Component annotation as below.
>>>>>>>>>
>>>>>>>>> @Component(
>>>>>>>>>     name = "org.wso2.carbon.apimgt.rest.api.common.interceptors.OAUTH2SecurityInterceptor",
>>>>>>>>>     service = Interceptor.class,
>>>>>>>>>     immediate = true
>>>>>>>>> )
>>>>>>>>>
>>>>>>>>> The limitations here are
>>>>>>>>>
>>>>>>>>> 1. It is not possible to have more than one interceptor that will dynamically pick when an API call is received (because the order matters and we are not certain which interceptor will take into effect).
>>>>>>>>> 2. We cannot explicitly configure to use Custom interceptors because of the above[1] reason.
>>>>>>>>>
>>>>>>>>> Do we have any plans for these limitations?
>>>>>>>>>
>>>>>>>>> Thanks & Regards,
>>>>>>>>> Ishara Cooray
>>>>>>>>> Senior Software Engineer
>>>>>>>>> Mobile : +9477 262 9512
>>>>>>>>> WSO2, Inc. | http://wso2.com/
>>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Dev mailing list
>>>>>>>>> [email protected]
>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thusitha Dayaratne
>>>>>>>> Software Engineer
>>>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>>>>
>>>>>>>> Mobile +94712756809
>>>>>>>> Blog alokayasoya.blogspot.com
>>>>>>>> About http://about.me/thusithathilina
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Architecture mailing list
>>>>>>>> [email protected]
>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>
>>>>>>> --
>>>>>>> Afkham Azeez
>>>>>>> Senior Director, Platform Architecture; WSO2, Inc.; http://wso2.com
>>>>>>> Member; Apache Software Foundation; http://www.apache.org/
>>>>>>> email: [email protected]
>>>>>>> cell: +94 77 3320919
>>>>>>> blog: http://blog.afkham.org
>>>>>>> twitter: http://twitter.com/afkham_azeez
>>>>>>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>>>>>>
>>>>>>> Lean . Enterprise . Middleware
>>>>>
>>>>> --
>>>>> Afkham Azeez
>>>>> Senior Director, Platform Architecture; WSO2, Inc.; http://wso2.com
>>>>> Member; Apache Software Foundation; http://www.apache.org/
>>>>> email: [email protected]
>>>>> cell: +94 77 3320919
>>>>> blog: http://blog.afkham.org
>>>>> twitter: http://twitter.com/afkham_azeez
>>>>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>>>>
>>>>> Lean . Enterprise . Middleware
>>
>> --
>> Sanjeewa Malalgoda
>> WSO2 Inc.
>> Mobile : +94713068779
>> blog: http://sanjeewamalalgoda.blogspot.com/

--
Regards,
Uvindra

Mobile: 777733962
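
Added example, not part of the thread and not WSO2 or MSF4J code: a plain-Java sketch of the Map-of-authenticators idea from the reply above, combined with the concern raised further down the thread that a request with no auth header must not pass as authorized. The `Authenticator` method, the `AuthDispatchDemo` class and all credentials are hypothetical and constructed for the demo; `preCall` here is a stand-in that takes only the `Authorization` header value.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class AuthDispatchDemo {
    // Hypothetical interface: the thread names an Authenticator but not its methods.
    interface Authenticator { boolean authenticate(String credentials); }

    // Authorization scheme (lower-cased) -> implementation chosen at runtime.
    private final Map<String, Authenticator> authenticators = new HashMap<>();

    void register(String scheme, Authenticator a) {
        authenticators.put(scheme.toLowerCase(Locale.ROOT), a);
    }

    // Stand-in for the interceptor's preCall result: true only when the authenticator
    // registered for the header's scheme accepts the credentials. A missing header,
    // a header without credentials, or an unregistered scheme is rejected (fail closed).
    boolean preCall(String authorizationHeader) {
        if (authorizationHeader == null) return false;
        String[] parts = authorizationHeader.trim().split("\\s+", 2);
        if (parts.length != 2) return false;
        Authenticator a = authenticators.get(parts[0].toLowerCase(Locale.ROOT));
        return a != null && a.authenticate(parts[1]);
    }

    // Constant-time comparison so the check does not leak how much of a secret matched.
    static boolean same(String x, String y) {
        return MessageDigest.isEqual(x.getBytes(StandardCharsets.UTF_8),
                                     y.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        AuthDispatchDemo interceptor = new AuthDispatchDemo();
        // Constructed demo credentials, not values from the thread.
        String basicValue = Base64.getEncoder()
                .encodeToString("demo-user:demo-pass".getBytes(StandardCharsets.UTF_8));
        interceptor.register("Basic", c -> same(c, basicValue));
        interceptor.register("Bearer", c -> same(c, "constructed-demo-token"));

        System.out.println("valid Basic:    " + interceptor.preCall("Basic " + basicValue));
        System.out.println("valid Bearer:   " + interceptor.preCall("bearer constructed-demo-token"));
        System.out.println("wrong token:    " + interceptor.preCall("Bearer nope"));
        System.out.println("missing header: " + interceptor.preCall(null));
        System.out.println("unknown scheme: " + interceptor.preCall("Digest abc"));
    }
}
```

Because a single dispatcher makes the decision, "no authenticator matched" is a rejection rather than a chain of interceptors each returning true.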
