On Thu, Jun 30, 2011 at 5:25 PM, Tharindu Mathew <[email protected]> wrote:
>
> On Thu, Jun 30, 2011 at 5:00 PM, Senaka Fernando <[email protected]> wrote:
>
>> On Thu, Jun 30, 2011 at 3:35 PM, Samisa Abeysinghe <[email protected]> wrote:
>>
>>> On Thu, Jun 30, 2011 at 3:08 PM, Senaka Fernando <[email protected]> wrote:
>>>
>>>> On Thu, Jun 30, 2011 at 2:40 PM, Samisa Abeysinghe <[email protected]> wrote:
>>>>
>>>>> https://wso2.org/jira/browse/CARBON-10941
>>>>>
>>>>> https://wso2.org/jira/browse/CARBON-10942
>>>>
>>>> Thanks. What about https://wso2.org/jira/browse/CARBON-10934? We do not
>>>> need to engage security by default right? I mean isn't HTTPS enough?
>>>> Because other admin services run on HTTPS too.
>>>
>>> HTTPS + session right? So we need username/token. Not just HTTPS.
>>

If it is done this way, then this service can easily be exposed as a REST API without any change. You can use Basic Auth. for authentication.

> So this is essentially making it a normal (non-admin) web service and
> enabling username/token over HTTPS right?
>
> This would make it more interoperable. But this will deviate from the
> Carbon way and make it the standard WS way. Off topic, I wonder why we don't
> do this for our normal admin services.
>

This has some performance implications. If we are to do this, then it has to happen for each and every admin service, which makes the management console really slow. And this does not scale well in a case like Stratos as it introduces some more overhead to Rampart. In the current implementation, the call for AuthenticationAdmin happens only once (during the authentication) and the resulting authenticated cookie will be used for the subsequent admin service calls.

>
> Anyway, to do this, we just need to remove the admin services entry in the
> services.xml and drop a UT policy as the *ws-api-sec-policy.xml*
>

And it is required to specifically configure the HTTPS as the only available transport for this service through the services.xml. Otherwise it will be exposed over all the transports.

Thanks,
Thilina

--
Thilina Buddhika
Associate Technical Lead
WSO2 Inc. ; http://wso2.com
lean . enterprise . middleware

phone : +94 77 44 88 727
blog : http://blog.thilinamb.com
_______________________________________________
Carbon-dev mailing list
[email protected]
http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
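Added example (not part of the original thread, and not WSO2 code): a small audit for the point made at the end of the message above, that a service is exposed over all transports unless its services.xml restricts it to HTTPS. It assumes the Axis2 `<transports>`/`<transport>` elements in services.xml; the sample document and its service names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample services.xml; the service names are hypothetical.
SAMPLE_SERVICES_XML = """
<serviceGroup>
  <service name="ExampleApiService">
    <transports>
      <transport>https</transport>
    </transports>
  </service>
  <service name="ExampleOpenService"/>
  <service name="ExampleMixedService">
    <transports>
      <transport>http</transport>
      <transport>https</transport>
    </transports>
  </service>
</serviceGroup>
"""


def audit_transports(services_xml):
    """Return {service name: finding} for every service not limited to HTTPS."""
    root = ET.fromstring(services_xml)
    findings = {}
    # iter() also yields the root, so a single-<service> services.xml works too.
    for svc in root.iter("service"):
        name = svc.get("name", "<unnamed>")
        declared = {(t.text or "").strip().lower()
                    for t in svc.findall("transports/transport")}
        declared.discard("")  # ignore empty <transport/> entries
        if not declared:
            # No restriction declared: the service is reachable on every
            # transport that is enabled on the server.
            findings[name] = "no transport restriction declared"
        elif declared != {"https"}:
            extra = sorted(declared - {"https"})
            findings[name] = "non-HTTPS transport(s) declared: " + ", ".join(extra)
    return findings


if __name__ == "__main__":
    for service, finding in audit_transports(SAMPLE_SERVICES_XML).items():
        print(f"{service}: {finding}")
```

A service that authenticates with a username token and shows up in this report would carry those credentials over a cleartext transport.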
