On Thu, Jun 30, 2011 at 10:14 PM, Thilina Buddhika <[email protected]> wrote:

>
>
> On Thu, Jun 30, 2011 at 5:25 PM, Tharindu Mathew <[email protected]> wrote:
>
>>
>>
>> On Thu, Jun 30, 2011 at 5:00 PM, Senaka Fernando <[email protected]> wrote:
>>
>>>
>>>
>>> On Thu, Jun 30, 2011 at 3:35 PM, Samisa Abeysinghe <[email protected]> wrote:
>>>
>>>>
>>>>
>>>> On Thu, Jun 30, 2011 at 3:08 PM, Senaka Fernando <[email protected]> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Thu, Jun 30, 2011 at 2:40 PM, Samisa Abeysinghe <[email protected]> wrote:
>>>>>
>>>>>> https://wso2.org/jira/browse/CARBON-10941
>>>>>>
>>>>>> https://wso2.org/jira/browse/CARBON-10942
>>>>>>
>>>>>
>>>>> Thanks. What about https://wso2.org/jira/browse/CARBON-10934? We do
>>>>> not need to engage security by default right? I mean isn't HTTPS enough?
>>>>> Because other admin services run on HTTPS too.
>>>>>
>>>>
>>>> HTTPS + session right? So we need username/token. Not just HTTPS.
>>>>
>>>
> If it is done this way, then this service can easily be exposed as a REST
> API without any change. You can use Basic Auth. for authentication.
>
>
>> So this is essentially making it a normal (non-admin) web service and
>> enabling username/token over HTTPS, right?
>>
>> This would make it more interoperable. But this will deviate from the
>> Carbon way and make it the standard WS way. Off topic, I wonder why we don't
>> do this for our normal admin services.
>>
>
> This has some performance implications. If we are to do this, then it has
> to happen for each and every admin service, which makes the management
> console really slow. And this does not scale well in a case like Stratos as
> it introduces some more overhead to Rampart.
>
> In the current implementation, the call for AuthenticationAdmin happens
> only once (during the authentication) and the resulting authenticated cookie
> will be used for the subsequent admin service calls.
>

So the best option is to have both.

For example, in the SQS service users can authenticate using either the
standard SQS authentication or normal carbon authentication. The advantage
of this method is that we can use existing SQS clients as they are.

For Admin services also we can use carbon authentication for our purposes.
But it is better to expose a standard API for .Net clients rather than
asking to copy cookies etc.

thanks,
Amila.

>
>
>>
>> Anyway, to do this, we just need to remove the admin services entry in the
>> services.xml and drop a UT policy as the *ws-api-sec-policy.xml*
>>
>
> And it is required to specifically configure the HTTPS as the only
> available transport for this service through the services.xml. Otherwise it
> will be exposed over all the transports.
>
> Thanks,
> Thilina
>
> --
> Thilina Buddhika
>
> Associate Technical Lead
> WSO2 Inc. ; http://wso2.com
> lean . enterprise . middleware
>
> phone : +94 77 44 88 727
> blog : http://blog.thilinamb.com
>
> _______________________________________________
> Carbon-dev mailing list
> [email protected]
> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>
>
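The two services.xml points raised in the thread (restrict the service to HTTPS, and drop the admin services entry) can be checked mechanically. The following is an added example, not code from the thread or from Carbon: it assumes the Axis2-style `<transports>/<transport>` layout and that the "admin services entry" is a parameter named `adminService`; the sample descriptor is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the thread): three services in one group.
SAMPLE_SERVICES_XML = """
<serviceGroup>
  <service name="HttpsOnlyService">
    <transports><transport>https</transport></transports>
  </service>
  <service name="AllTransportsService"/>
  <service name="MixedService">
    <transports>
      <transport>http</transport>
      <transport>https</transport>
    </transports>
    <parameter name="adminService" locked="true">true</parameter>
  </service>
</serviceGroup>
"""

def audit_services(xml_text):
    """Return {service name: [findings]} for an Axis2-style services.xml."""
    root = ET.fromstring(xml_text)
    # A descriptor may be a single <service> or a <serviceGroup> of them.
    services = [root] if root.tag == "service" else root.findall("service")
    report = {}
    for svc in services:
        findings = []
        declared = [t.text.strip().lower()
                    for t in svc.findall("transports/transport") if t.text]
        if not declared:
            # No restriction declared: the service is reachable on every transport.
            findings.append("no <transports> restriction: exposed over all transports")
        else:
            extra = sorted(set(declared) - {"https"})
            if extra:
                findings.append("non-HTTPS transports enabled: " + ", ".join(extra))
        # Assumed parameter name for the admin services entry.
        for p in svc.findall("parameter"):
            if p.get("name") == "adminService" and (p.text or "").strip().lower() == "true":
                findings.append("still marked as an admin service")
        report[svc.get("name", "<unnamed>")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_services(SAMPLE_SERVICES_XML).items():
        print(name, "->", findings or "OK")
```
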