Hi, What could be the status of this? Do we have a time line defined?
Thanks & Regards, Ishara Cooray Senior Software Engineer Mobile : +9477 262 9512 WSO2, Inc. | http://wso2.com/ Lean . Enterprise . Middleware On Fri, Dec 9, 2016 at 2:18 PM, Sagara Gunathunga <[email protected]> wrote: > > > On Fri, Dec 9, 2016 at 2:15 PM, Sanjeewa Malalgoda <[email protected]> > wrote: > >> Hi All, >> Please find inline comments. >> >> On Fri, Dec 9, 2016 at 12:49 PM, Sagara Gunathunga <[email protected]> >> wrote: >> >>> >>> >>> On Thu, Dec 8, 2016 at 6:59 PM, Ishara Cooray <[email protected]> wrote: >>> >>>> To overcome the above limitation where we cannot plug custom >>>> authentication, i came up with the below approach. >>>> >>>> Having one interceptor and delegate authentication to an interface. >>>> Implementation of the interface is configurable so that we can plug custom >>>> authentication as well. >>>> >>>> [image: Inline image 1] >>>> >>>> One limitation here is we can have only one auth type active at a time. >>>> >>>> Hi Sanjeewa, >>>> >>>> Shall we continue with this approach until we get a proper fix from >>>> msf4j? >>>> >>> >>> It's ok to use above approach as a temporary workaround till we get >>> proper solution from MSF4J, but please make sure to implement only required >>> features in a simple manner because you have to discard this and have to >>> use proper MSF4J approach before any release. >>> >>> By looking at issues faced by API-M and IS teams we have few issues to >>> solve, >>> >>> >>> 1. Ability to apply/skip Interceptors in global and per-service levels >>> 2. Ability to define the order of Interceptors >>> 3. Ability to intercept response messages >>> >> Ability to build security and user context in a way we can access it from >> service implementation. >> Most of the other platforms allowed to do that and people who work on >> service implementation can get real advantage of that. >> >>> >>> The good news is JAX-RS 2.0 spec is already solved these issues and we >>> can adopt their concepts easily to MSF4J programming model. Please refer >>> solution for each issue below. >>> >>> >>> *1. Ability to intercept response messages * >>> >>> JAX-RS defines 2 interfaces as ContainerRequestFilter[1] and >>> ContainerResponseFilter[2] to intercept request and response messages, IMO >>> these 2 interfaces are much clean and standard then current MSF4J >>> Interceptor[3] concept where response intercepting is not simple. >>> >>> >>> *2. Ability to apply/skip Interceptors in global and per-service >>> levels * >>> >>> Annotation driven NameBinding[4] concept defined for JAX-RS Filters is >>> very flexible and easy to use as well. This NameBinding[4] feature enables >>> to apply JAX-RS Filters at global, per-Resource or even per-sub-Resource >>> level. >>> >>> *3. Define the order of Interceptors * >>> >>> JAX-RS defines several message processing extension points such as Pre, >>> PreMatch, Post, it's possible to apply Filters during some of these message >>> processing stages, as an example refer PreMatching[5] annotation. >>> >>> Further, to define fine grained order of Filters JAX-RS reuse Java's >>> standard Priority[1] annotation, through this annotation numeric priority >>> value can be define per Filters basis. JAX-RS already provide set of >>> pre-defined Priories here[6] >>> >> Ability to engage in different phases is definitely a good feature. But >> there can be situations where we need to engage multiple interceptors at >> same phase with order of execution. As example i need to engage both >> authenticate and authorization interceptors in pre invoke phase but >> authenticator first and then authorizer as 2nd interceptor. In that case we >> need to mention phase and order within phase in some way. It seems CXF and >> other run times already handled this in different ways. >> > > This requirement is well handled by the JAX-RS concept I described above. > > Thanks ! > >> >> >> [1]http://cxf.apache.org/docs/interceptors.html >> >> Thanks, >> sanjeewa. >> >>> >>> >>> I have setup a meeting in next Wednesday, if we can cater current >>> requirements using above concepts let's go ahead with JAX-RS Filters. >>> >>> >>> [1] - https://jax-rs-spec.java.net/nonav/2.0-SNAPSHOT/apidocs/in >>> dex.html?javax/ws/rs/container/ContainerRequestFilter.html >>> [2] - https://jax-rs-spec.java.net/nonav/2.0-SNAPSHOT/apidocs/ja >>> vax/ws/rs/container/ContainerResponseFilter.html >>> [3] - https://github.com/wso2/msf4j/blob/master/core/src/main/ja >>> va/org/wso2/msf4j/Interceptor.java >>> [4] - https://jax-rs-spec.java.net/nonav/2.0-SNAPSHOT/apidocs/in >>> dex.html?javax/ws/rs/NameBinding.html >>> [5] - https://jax-rs-spec.java.net/nonav/2.0-SNAPSHOT/apidocs/in >>> dex.html?javax/ws/rs/container/PreMatching.html >>> [6] - https://jax-rs-spec.java.net/nonav/2.0/apidocs/javax/ws/rs >>> /Priorities.html >>> >>> Thanks ! >>> >>>> >>>> >>>> >>>> Thanks & Regards, >>>> Ishara Cooray >>>> Senior Software Engineer >>>> Mobile : +9477 262 9512 <+94%2077%20262%209512> >>>> WSO2, Inc. | http://wso2.com/ >>>> Lean . Enterprise . Middleware >>>> >>>> On Thu, Dec 8, 2016 at 11:23 AM, Ishara Cooray <[email protected]> >>>> wrote: >>>> >>>>> Hi Thilina, >>>>>> >>>>>> And also if there are multiple interceptors and one interceptor >>>>>> returns false from its' preCaall then the invocation chain will not >>>>>> continue further. >>>>>> >>>>>> So Is this implies if preCall returns 'true' then the invocation >>>>>> chain will continue further? >>>>>> >>>>> >>>>> Yes >>>>> >>>>> I was thinking to return 'true' if particular auth header type(Basic, >>>>> Bearer) is not found in an interceptor, so that it will check the other >>>>> available interceptors. >>>>> But i guess this approach may also fail if the request header type is >>>>> not provided may be by mistake. >>>>> Because all the interceptors will return true and will it be taken as >>>>> a valid authorization? >>>>> >>>>> >>>>> Thanks & Regards, >>>>> Ishara Cooray >>>>> Senior Software Engineer >>>>> Mobile : +9477 262 9512 <+94%2077%20262%209512> >>>>> WSO2, Inc. | http://wso2.com/ >>>>> Lean . Enterprise . Middleware >>>>> >>>>> On Wed, Dec 7, 2016 at 5:25 PM, Afkham Azeez <[email protected]> wrote: >>>>> >>>>>> >>>>>> >>>>>> On Wed, Dec 7, 2016 at 5:17 PM, Ishara Cooray <[email protected]> >>>>>> wrote: >>>>>> >>>>>>> Hi Thilina, >>>>>>> >>>>>>> And also if there are multiple interceptors and one interceptor >>>>>>> returns false from its' preCaall then the invocation chain will not >>>>>>> continue further. >>>>>>> >>>>>>> So Is this implies if preCall returns 'true' then the invocation >>>>>>> chain will continue further? >>>>>>> >>>>>> >>>>>> Yes >>>>>> >>>>>> >>>>>>> If that is the case we can return true in our overridden preCall >>>>>>> method so that it goes to next Interceptor. >>>>>>> >>>>>>> >>>>>>> Thanks & Regards, >>>>>>> Ishara Cooray >>>>>>> Senior Software Engineer >>>>>>> Mobile : +9477 262 9512 <077%20262%209512> >>>>>>> WSO2, Inc. | http://wso2.com/ >>>>>>> Lean . Enterprise . Middleware >>>>>>> >>>>>>> On Wed, Dec 7, 2016 at 2:33 PM, Afkham Azeez <[email protected]> wrote: >>>>>>> >>>>>>>> How about supporting JAXRS filters? >>>>>>>> >>>>>>>> On Wed, Dec 7, 2016 at 12:52 PM, Thusitha Thilina Dayaratne < >>>>>>>> [email protected]> wrote: >>>>>>>> >>>>>>>>> Hi Ishara, >>>>>>>>> >>>>>>>>> As you have mentioned, with the current architecture we can't set >>>>>>>>> the specific interceptor for a particular service but rather to all >>>>>>>>> services in the registry. And also if there are multiple interceptors >>>>>>>>> and >>>>>>>>> one interceptor returns false from its' preCaall then the invocation >>>>>>>>> chain >>>>>>>>> will not continue further. >>>>>>>>> >>>>>>>>> IMHO we have few options >>>>>>>>> >>>>>>>>> - We can implement a way to register specific interceptors to >>>>>>>>> specific services >>>>>>>>> - We can support JAX-RS Filters >>>>>>>>> - We can provide a way to skip some interceptors for specific >>>>>>>>> services >>>>>>>>> >>>>>>>>> @Azeez WDYT? >>>>>>>>> >>>>>>>>> Thanks >>>>>>>>> Thusitha >>>>>>>>> >>>>>>>>> >>>>>>>>> On Wed, Dec 7, 2016 at 10:56 AM, Ishara Cooray <[email protected]> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> HI, >>>>>>>>>> >>>>>>>>>> We are using MSF4J interceptor for securing REST APIs in API >>>>>>>>>> Manager. [1] As for now Interceptor registration happens at the >>>>>>>>>> class level >>>>>>>>>> @Component annotation as below. >>>>>>>>>> >>>>>>>>>> @Component( >>>>>>>>>> name = "org.wso2.carbon.apimgt.rest.a >>>>>>>>>> pi.common.interceptors.OAUTH2SecurityInterceptor", >>>>>>>>>> service = Interceptor.class, >>>>>>>>>> immediate = true >>>>>>>>>> ) >>>>>>>>>> The limitations here are >>>>>>>>>> >>>>>>>>>> 1. it is not possible to have more than one interceptor that >>>>>>>>>> will dynamically pick when an api call is received(Because the >>>>>>>>>> order >>>>>>>>>> matters and we are not certain which interceptor will take into >>>>>>>>>> effect ). >>>>>>>>>> 2. We cannot explicitly configure to use Custom interceptors >>>>>>>>>> because of the above[1] reason. >>>>>>>>>> >>>>>>>>>> Do we have any plans for these limitations? >>>>>>>>>> >>>>>>>>>> Thanks & Regards, >>>>>>>>>> Ishara Cooray >>>>>>>>>> Senior Software Engineer >>>>>>>>>> Mobile : +9477 262 9512 <+94%2077%20262%209512> >>>>>>>>>> WSO2, Inc. | http://wso2.com/ >>>>>>>>>> Lean . Enterprise . Middleware >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> Dev mailing list >>>>>>>>>> [email protected] >>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Thusitha Dayaratne >>>>>>>>> Software Engineer >>>>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com >>>>>>>>> >>>>>>>>> Mobile +94712756809 <071%20275%206809> >>>>>>>>> Blog alokayasoya.blogspot.com >>>>>>>>> About http://about.me/thusithathilina >>>>>>>>> <http://wso2.com/signature> >>>>>>>>> >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> Architecture mailing list >>>>>>>>> [email protected] >>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> *Afkham Azeez* >>>>>>>> Senior Director, Platform Architecture; WSO2, Inc.; http://wso2.com >>>>>>>> Member; Apache Software Foundation; http://www.apache.org/ >>>>>>>> * <http://www.apache.org/>* >>>>>>>> *email: **[email protected]* <[email protected]> >>>>>>>> * cell: +94 77 3320919 <+94%2077%20332%200919>blog: * >>>>>>>> *http://blog.afkham.org* <http://blog.afkham.org> >>>>>>>> *twitter: **http://twitter.com/afkham_azeez* >>>>>>>> <http://twitter.com/afkham_azeez> >>>>>>>> *linked-in: **http://lk.linkedin.com/in/afkhamazeez >>>>>>>> <http://lk.linkedin.com/in/afkhamazeez>* >>>>>>>> >>>>>>>> *Lean . Enterprise . Middleware* >>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> *Afkham Azeez* >>>>>> Senior Director, Platform Architecture; WSO2, Inc.; http://wso2.com >>>>>> Member; Apache Software Foundation; http://www.apache.org/ >>>>>> * <http://www.apache.org/>* >>>>>> *email: **[email protected]* <[email protected]> >>>>>> * cell: +94 77 3320919 <+94%2077%20332%200919>blog: * >>>>>> *http://blog.afkham.org* <http://blog.afkham.org> >>>>>> *twitter: **http://twitter.com/afkham_azeez* >>>>>> <http://twitter.com/afkham_azeez> >>>>>> *linked-in: **http://lk.linkedin.com/in/afkhamazeez >>>>>> <http://lk.linkedin.com/in/afkhamazeez>* >>>>>> >>>>>> *Lean . Enterprise . Middleware* >>>>>> >>>>> >>>>> >>>> >>>> _______________________________________________ >>>> Dev mailing list >>>> [email protected] >>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>> >>>> >>> >>> >>> -- >>> Sagara Gunathunga >>> >>> Associate Director / Architect; WSO2, Inc.; http://wso2.com >>> V.P Apache Web Services; http://ws.apache.org/ >>> Linkedin; http://www.linkedin.com/in/ssagara >>> Blog ; http://ssagara.blogspot.com >>> >>> >> >> >> -- >> >> *Sanjeewa Malalgoda* >> WSO2 Inc. >> Mobile : +94713068779 <+94%2071%20306%208779> >> >> <http://sanjeewamalalgoda.blogspot.com/>blog >> :http://sanjeewamalalgoda.blogspot.com/ >> <http://sanjeewamalalgoda.blogspot.com/> >> >> >> > > > -- > Sagara Gunathunga > > Associate Director / Architect; WSO2, Inc.; http://wso2.com > V.P Apache Web Services; http://ws.apache.org/ > Linkedin; http://www.linkedin.com/in/ssagara > Blog ; http://ssagara.blogspot.com > >
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
