On Fri, Dec 9, 2016 at 2:15 PM, Sanjeewa Malalgoda <[email protected]> wrote:
> Hi All,
> Please find inline comments.
>
> On Fri, Dec 9, 2016 at 12:49 PM, Sagara Gunathunga <[email protected]> wrote:
>
>> On Thu, Dec 8, 2016 at 6:59 PM, Ishara Cooray <[email protected]> wrote:
>>
>>> To overcome the above limitation where we cannot plug custom authentication, I came up with the below approach.
>>>
>>> Having one interceptor and delegate authentication to an interface. Implementation of the interface is configurable so that we can plug custom authentication as well.
>>>
>>> [image: Inline image 1]
>>>
>>> One limitation here is we can have only one auth type active at a time.
>>>
>>> Hi Sanjeewa,
>>>
>>> Shall we continue with this approach until we get a proper fix from msf4j?
>>>
>>
>> It's ok to use the above approach as a temporary workaround till we get a proper solution from MSF4J, but please make sure to implement only required features in a simple manner because you have to discard this and have to use the proper MSF4J approach before any release.
>>
>> By looking at issues faced by API-M and IS teams we have a few issues to solve,
>>
>>    1. Ability to apply/skip Interceptors in global and per-service levels
>>    2. Ability to define the order of Interceptors
>>    3. Ability to intercept response messages
>>
> Ability to build security and user context in a way we can access it from service implementation.
> Most of the other platforms allowed to do that and people who work on service implementation can get real advantage of that.
>
>> The good news is the JAX-RS 2.0 spec has already solved these issues and we can adopt their concepts easily to the MSF4J programming model. Please refer to the solution for each issue below.
>>
>> *1. Ability to intercept response messages*
>>
>> JAX-RS defines 2 interfaces as ContainerRequestFilter[1] and ContainerResponseFilter[2] to intercept request and response messages, IMO these 2 interfaces are much cleaner and more standard than the current MSF4J Interceptor[3] concept where response intercepting is not simple.
>>
>> *2. Ability to apply/skip Interceptors in global and per-service levels*
>>
>> Annotation driven NameBinding[4] concept defined for JAX-RS Filters is very flexible and easy to use as well. This NameBinding[4] feature enables applying JAX-RS Filters at global, per-Resource or even per-sub-Resource level.
>>
>> *3. Define the order of Interceptors*
>>
>> JAX-RS defines several message processing extension points such as Pre, PreMatch, Post, it's possible to apply Filters during some of these message processing stages, as an example refer to the PreMatching[5] annotation.
>>
>> Further, to define fine grained order of Filters JAX-RS reuses Java's standard Priority[1] annotation, through this annotation a numeric priority value can be defined on a per-Filter basis. JAX-RS already provides a set of pre-defined Priorities here[6]
>>
> Ability to engage in different phases is definitely a good feature. But there can be situations where we need to engage multiple interceptors at the same phase with order of execution. As an example, I need to engage both authenticate and authorization interceptors in pre invoke phase but authenticator first and then authorizer as 2nd interceptor. In that case we need to mention phase and order within phase in some way. It seems CXF and other run times already handled this in different ways.
>

This requirement is well handled by the JAX-RS concept I described above.

Thanks !

> [1] http://cxf.apache.org/docs/interceptors.html
>
> Thanks,
> sanjeewa.
>
>> I have set up a meeting next Wednesday, if we can cater for current requirements using the above concepts let's go ahead with JAX-RS Filters.
>>
>> [1] - https://jax-rs-spec.java.net/nonav/2.0-SNAPSHOT/apidocs/index.html?javax/ws/rs/container/ContainerRequestFilter.html
>> [2] - https://jax-rs-spec.java.net/nonav/2.0-SNAPSHOT/apidocs/javax/ws/rs/container/ContainerResponseFilter.html
>> [3] - https://github.com/wso2/msf4j/blob/master/core/src/main/java/org/wso2/msf4j/Interceptor.java
>> [4] - https://jax-rs-spec.java.net/nonav/2.0-SNAPSHOT/apidocs/index.html?javax/ws/rs/NameBinding.html
>> [5] - https://jax-rs-spec.java.net/nonav/2.0-SNAPSHOT/apidocs/index.html?javax/ws/rs/container/PreMatching.html
>> [6] - https://jax-rs-spec.java.net/nonav/2.0/apidocs/javax/ws/rs/Priorities.html
>>
>> Thanks !
>>
>>> Thanks & Regards,
>>> Ishara Cooray
>>> Senior Software Engineer
>>> Mobile : +9477 262 9512
>>> WSO2, Inc. | http://wso2.com/
>>> Lean . Enterprise . Middleware
>>>
>>> On Thu, Dec 8, 2016 at 11:23 AM, Ishara Cooray <[email protected]> wrote:
>>>
>>>> Hi Thilina,
>>>>>
>>>>> And also if there are multiple interceptors and one interceptor returns false from its preCall then the invocation chain will not continue further.
>>>>>
>>>>> So does this imply that if preCall returns 'true' then the invocation chain will continue further?
>>>>>
>>>>
>>>> Yes
>>>>
>>>> I was thinking to return 'true' if a particular auth header type (Basic, Bearer) is not found in an interceptor, so that it will check the other available interceptors.
>>>> But I guess this approach may also fail if the request header type is not provided, maybe by mistake.
>>>> Because all the interceptors will return true and will it be taken as a valid authorization?
>>>>
>>>> On Wed, Dec 7, 2016 at 5:25 PM, Afkham Azeez <[email protected]> wrote:
>>>>
>>>>> On Wed, Dec 7, 2016 at 5:17 PM, Ishara Cooray <[email protected]> wrote:
>>>>>
>>>>>> Hi Thilina,
>>>>>>
>>>>>> And also if there are multiple interceptors and one interceptor returns false from its preCall then the invocation chain will not continue further.
>>>>>>
>>>>>> So does this imply that if preCall returns 'true' then the invocation chain will continue further?
>>>>>>
>>>>>
>>>>> Yes
>>>>>
>>>>>> If that is the case we can return true in our overridden preCall method so that it goes to the next Interceptor.
>>>>>>
>>>>>> On Wed, Dec 7, 2016 at 2:33 PM, Afkham Azeez <[email protected]> wrote:
>>>>>>
>>>>>>> How about supporting JAXRS filters?
>>>>>>>
>>>>>>> On Wed, Dec 7, 2016 at 12:52 PM, Thusitha Thilina Dayaratne <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Ishara,
>>>>>>>>
>>>>>>>> As you have mentioned, with the current architecture we can't set the specific interceptor for a particular service but rather to all services in the registry. And also if there are multiple interceptors and one interceptor returns false from its preCall then the invocation chain will not continue further.
>>>>>>>>
>>>>>>>> IMHO we have few options
>>>>>>>>
>>>>>>>>    - We can implement a way to register specific interceptors to specific services
>>>>>>>>    - We can support JAX-RS Filters
>>>>>>>>    - We can provide a way to skip some interceptors for specific services
>>>>>>>>
>>>>>>>> @Azeez WDYT?
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Thusitha
>>>>>>>>
>>>>>>>> On Wed, Dec 7, 2016 at 10:56 AM, Ishara Cooray <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> We are using MSF4J interceptor for securing REST APIs in API Manager. [1] As for now Interceptor registration happens at the class level @Component annotation as below.
>>>>>>>>>
>>>>>>>>> @Component(
>>>>>>>>>         name = "org.wso2.carbon.apimgt.rest.api.common.interceptors.OAUTH2SecurityInterceptor",
>>>>>>>>>         service = Interceptor.class,
>>>>>>>>>         immediate = true
>>>>>>>>> )
>>>>>>>>>
>>>>>>>>> The limitations here are
>>>>>>>>>
>>>>>>>>>    1. It is not possible to have more than one interceptor that will dynamically pick when an API call is received (because the order matters and we are not certain which interceptor will take into effect).
>>>>>>>>>    2. We cannot explicitly configure to use Custom interceptors because of the above[1] reason.
>>>>>>>>>
>>>>>>>>> Do we have any plans for these limitations?
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Dev mailing list
>>>>>>>>> [email protected]
>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thusitha Dayaratne
>>>>>>>> Software Engineer
>>>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>>>>
>>>>>>>> Mobile +94712756809
>>>>>>>> Blog alokayasoya.blogspot.com
>>>>>>>> About http://about.me/thusithathilina
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Architecture mailing list
>>>>>>>> [email protected]
>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Afkham Azeez
>>>>>>> Senior Director, Platform Architecture; WSO2, Inc.; http://wso2.com
>>>>>>> Member; Apache Software Foundation; http://www.apache.org/
>>>>>>> email: [email protected]
>>>>>>> cell: +94 77 3320919
>>>>>>> blog: http://blog.afkham.org
>>>>>>> twitter: http://twitter.com/afkham_azeez
>>>>>>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>>>>>>
>>>>>>> Lean . Enterprise . Middleware
>>>>>>>
>>
>> --
>> Sagara Gunathunga
>>
>> Associate Director / Architect; WSO2, Inc.; http://wso2.com
>> V.P Apache Web Services; http://ws.apache.org/
>> Linkedin; http://www.linkedin.com/in/ssagara
>> Blog ; http://ssagara.blogspot.com
>>
>
> --
> Sanjeewa Malalgoda
> WSO2 Inc.
> Mobile : +94713068779
> blog : http://sanjeewamalalgoda.blogspot.com/
>

--
Sagara Gunathunga

Associate Director / Architect; WSO2, Inc.; http://wso2.com
V.P Apache Web Services; http://ws.apache.org/
Linkedin; http://www.linkedin.com/in/ssagara
Blog ; http://ssagara.blogspot.com
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
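
Added example, not part of the thread and not MSF4J code: the two concerns raised above (every interceptor returning true when its header type is absent, and running the authenticator before the authorizer) written against the standard JAX-RS 2.0 filter API with NameBinding and Priority. The `Secured` binding, the `VERIFIERS` map and the `auth.scheme` property are hypothetical names, the verifier stubs reject every credential, and the JAX-RS 2.0 API and Java 9+ are assumed.

```java
import java.lang.annotation.*;
import java.util.*;
import java.util.function.Predicate;
import javax.annotation.Priority;
import javax.ws.rs.*;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

public final class SecurityFilters {
    // Hypothetical name binding: only resources or methods marked @Secured are filtered.
    @NameBinding
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    public @interface Secured {}

    // Hypothetical pluggable verifiers keyed by lower-cased scheme (stubs reject all).
    static final Map<String, Predicate<String>> VERIFIERS =
            Map.of("basic", credential -> false, "bearer", credential -> false);

    @Secured @Provider @Priority(Priorities.AUTHENTICATION) // 1000, runs first
    public static class AuthenticationFilter implements ContainerRequestFilter {
        @Override
        public void filter(ContainerRequestContext ctx) {
            String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
            String[] parts = header == null ? new String[0] : header.trim().split("\\s+", 2);
            Predicate<String> verifier = parts.length == 2
                    ? VERIFIERS.get(parts[0].toLowerCase(Locale.ROOT)) : null;
            // Fail closed: missing header, unknown scheme or bad credential all abort.
            if (verifier == null || !verifier.test(parts[1])) {
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                        .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer").build());
                return;
            }
            ctx.setProperty("auth.scheme", parts[0]); // marker read by the authorizer
        }
    }

    @Secured @Provider @Priority(Priorities.AUTHORIZATION) // 2000, runs second
    public static class AuthorizationFilter implements ContainerRequestFilter {
        @Override
        public void filter(ContainerRequestContext ctx) {
            // Deny unless the authentication filter ran and marked the request.
            if (ctx.getProperty("auth.scheme") == null) {
                ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            }
        }
    }
}
```

Because one filter dispatches on the scheme and aborts when nothing matches, a request with no Authorization header never reaches the resource, which is the case the "return true and try the next interceptor" idea leaves open.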
