On Thu, Jun 30, 2011 at 10:14 PM, Thilina Buddhika <[email protected]>wrote:
>
> On Thu, Jun 30, 2011 at 5:25 PM, Tharindu Mathew <[email protected]>wrote:
>
>>
>> On Thu, Jun 30, 2011 at 5:00 PM, Senaka Fernando <[email protected]> wrote:
>>
>>>
>>> On Thu, Jun 30, 2011 at 3:35 PM, Samisa Abeysinghe <[email protected]>wrote:
>>>
>>>>
>>>> On Thu, Jun 30, 2011 at 3:08 PM, Senaka Fernando <[email protected]>wrote:
>>>>
>>>>>
>>>>> On Thu, Jun 30, 2011 at 2:40 PM, Samisa Abeysinghe <[email protected]>wrote:
>>>>>
>>>>>> https://wso2.org/jira/browse/CARBON-10941
>>>>>>
>>>>>> https://wso2.org/jira/browse/CARBON-10942
>>>>>>
>>>>>
>>>>> Thanks. What about https://wso2.org/jira/browse/CARBON-10934? We do
>>>>> not need to engage security by default right? I mean isn't HTTPS enough?
>>>>> Because other admin services run on HTTPS too.
>>>>>
>>>>
>>>> HTTPS + session right? So we need username/token. Not just HTTPS.
>>>>
>>>
> If it is done this way, then this service can easily be exposed as a REST
> API without any change. You can use Basic Auth. for authentication.
>
>
>> So this is essentially making it a normal (non-admin) web service and
>> enabling username/token over HTTPS, right?
>>
>> This would make it more interoperable. But this will deviate from the
>> Carbon way and make it the standard WS way. Off topic, I wonder why we don't
>> do this for our normal admin services.
>>
>
> This has some performance implications. If we are to do this, then it has
> to happen for each and every admin service, which makes the management
> console really slow. And this does not scale well in a case like Stratos as
> it introduces some more overhead to Rampart.
>
> In the current implementation, the call for AuthenticationAdmin happens
> only once (during the authentication) and the resulting authenticated cookie
> will be used for the subsequent admin service calls.
>
>
>>
>> Anyway, to do this, we just need to remove the admin services entry in the
>> services.xml and drop a UT policy as the *ws-api-sec-policy.xml*
>>
>
> And it is required to specifically configure HTTPS as the only
> available transport for this service through the services.xml. Otherwise it
> will be exposed over all the transports.
>

OK, it seems that WS-API will just work in .NET as it is, and also that it can be exposed as a REST/HTTP service. We need to try this out sometime, and then come up with some documentation on how this can be done. Also, the step for introducing WS-Security seems to be fine, since after all the client cannot always stick to the default policy.

Thanks,
Senaka.

>
> Thanks,
> Thilina
>
> --
> Thilina Buddhika
>
> Associate Technical Lead
> WSO2 Inc. ; http://wso2.com
> lean . enterprise . middleware
>
> phone : +94 77 44 88 727
> blog : http://blog.thilinamb.com
>
> _______________________________________________
> Carbon-dev mailing list
> [email protected]
> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>

--
Senaka Fernando
Product Manager - WSO2 Governance Registry;
Associate Technical Lead; WSO2 Inc.; http://wso2.com
Member; Apache Software Foundation; http://apache.org

E-mail: senaka AT wso2.com
P: +1 408 754 7388; ext: 51736; M: +94 77 322 1818
Linked-In: http://linkedin.com/in/senakafernando

Lean . Enterprise . Middleware
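The services.xml change discussed in the thread, sketched as an added example (not taken from the thread or from WSO2's code). The service name and class are placeholders, and reading "the admin services entry" as the `adminService` parameter is an assumption.

```xml
<!-- Constructed example: service name and class are placeholders,
     not the real WS-API values. -->
<serviceGroup>
    <service name="ExampleWSAPIService">

        <!-- Restrict the service to HTTPS. Without a <transports> element,
             Axis2 exposes the service on every enabled transport, so the
             UsernameToken credentials would not be limited to TLS. -->
        <transports>
            <transport>https</transport>
        </transports>

        <parameter name="ServiceClass">org.example.registry.ExampleWSAPIService</parameter>

        <!-- Removed: the admin service marking (assumed here to be the
             parameter below). With it in place, a caller first logs in
             through AuthenticationAdmin and then sends the session cookie
             on each call, which is harder for non-Carbon clients.
        <parameter name="adminService" locked="true">true</parameter>
        -->

        <!-- Per-request authentication then comes from the UsernameToken
             policy kept in ws-api-sec-policy.xml (file name from the
             thread); the policy itself is not shown here. -->
    </service>
</serviceGroup>
```

With this layout every request carries its own credentials, which is the per-call cost Thilina describes compared with the single AuthenticationAdmin login used by the admin services.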
