Hi All,

I have made the following changes so far with regard to this task.

1. Re-factored the backend authenticator code; common code is moved to an abstract implementation.
2. Deprecated the existing authenticator API and implemented the code in a backward compatible way, i.e. previous authenticators will work as they did.
3. Wrote 2 authenticators:
   BasicAccessAuthenticator - for basic auth
   CookieAuthenticator - for authentication with the RememberMe cookie
4. Re-factored the FE authenticator framework but could not complete it.

With this change we should be able to access admin services without calling AuthenticationAdmin, i.e. from a browser we can directly call a service with basic auth credentials.

E.g. :- https://10.100.3.161:9443/services/UserAdmin/listUsers?filter=*

Thus we can programmatically call any admin service without calling AuthenticationAdmin. Also, there is a utility method in CarbonUtils to set the authorisation header.

E.g. :-

    serverAdminStub = new ServerAdminStub(serviceEPR);
    ServiceClient client = serverAdminStub._getServiceClient();
    .....
    .....
    CarbonUtils.setBasicAccessSecurityHeaders(userName, password, client);

I tested my changes with AS, IS and a stratos deployment with AS, IS and manager. Need to test the changes with ESB.

TODO
- Re-factor FE authenticator framework
- Testing with ESB
- Review changes (will schedule a review for this)

By any chance if you encounter any login issues, please shout at me.

Thank you
Regards,
AmilaJ

On Thu, Feb 16, 2012 at 1:42 PM, Prabath Siriwardena <prab...@wso2.com> wrote:
> +1 for the approach..
>
> 'login' is a permission for the Management Console.. - so I believe BE
> services shouldn't be coupled with it..
>
> If you develop your own clients using the BE services - then you can have
> your own permissions.... So - we need to treat our FE - one of those clients
> - who will handle 'login' permission..
>
> Thanks & regards,
> -Prabath
>
>
> On Wed, Feb 15, 2012 at 10:25 PM, Amila Jayasekara <ami...@wso2.com> wrote:
>>
>> Hi All,
>>
>> As I mentioned in the initial mail we will get rid of the "login" call to
>> AuthenticationAdmin and will authenticate users only through the provided
>> authenticators. During this change I realised that we were authorising
>> (checking whether users have the login permission) users at the same time
>> we authenticate users. IMO the authentication process should not do
>> any permission checks; rather it should only validate that the user is a
>> legitimate user within the system.
>>
>> If we need to authorise users we need to make a separate call (we are
>> yet to identify which component is going to handle authorization). I
>> will be changing the code accordingly.
>>
>> If you have any concerns / feedback please let me know.
>>
>> Thanks
>> AmilaJ
>>
>> On Wed, Feb 15, 2012 at 8:33 AM, Manjula Rathnayake <manju...@wso2.com> wrote:
>> >
>> >
>> > On Tue, Feb 14, 2012 at 10:14 PM, Sameera Jayasoma <same...@wso2.com> wrote:
>> >>
>> >> https://wso2.org/jira/browse/CARBON-12378
>> >>
>> >> Thanks,
>> >> Sameera.
>> >>
>> >>
>> >> On Tue, Feb 14, 2012 at 9:50 PM, Amila Jayasekara <ami...@wso2.com> wrote:
>> >>>
>> >>> On Tue, Feb 14, 2012 at 9:32 PM, Sameera Jayasoma <same...@wso2.com> wrote:
>> >>> > Hi Amila,
>> >>> >
>> >>> > +1 for the proposed changes. Please see my comments below.
>> >>> >
>> >>> > On Tue, Feb 14, 2012 at 3:22 PM, Amila Jayasekara <ami...@wso2.com> wrote:
>> >>> >>
>> >>> >> Hi All,
>> >>> >>
>> >>> >> We had a review discussion on Carbon Authenticators and following are
>> >>> >> the review notes.
>> >>> >>
>> >>> >> 1. There is some common logic that should be implemented in every
>> >>> >> authenticator. Currently invoking this logic is duplicated among
>> >>> >> authenticators. So to avoid that we are planning to come up with an
>> >>> >> abstract Authenticator implementation.
>> >>> >> 2. As of now AuthenticationHandler first invokes AuthenticationAdmin
>> >>> >> and then it calls the chain of authenticators. The AuthenticationAdmin
>> >>> >> call is not necessary. We need to refactor the code in such a way that
>> >>> >> the authenticator itself will only handle authenticating logic (rather
>> >>> >> than within the Handler).
>> >>> >> 3. Properly implement the authenticator chaining pattern. Make use of the
>> >>> >> "isHandle", "priority", "isAuthenticated" methods and make only the
>> >>> >> authenticator aware of the logic.
>> >>> >> 4. After cleaning up the API, implement a "Basic Auth" authenticator
>> >>> >> (as a first step).
>> >>> >
>> >>> >
>> >>> > 5. Clean up the Carbon.UI framework to improve the pluggability of custom
>> >>> > authenticators. I recently wrote an authenticator, but I had to hard code
>> >>> > some URLs in the CarbonSecurityHttpContext class. Please have a look at
>> >>> > the following method in this class.
>> >>> >
>> >>> >     private boolean skipSSOSessionInvalidation(String requestedURI) {
>> >>> >         // Hard-coded SSO login/redirect pages whose requests must not
>> >>> >         // invalidate the SSO session; every new authenticator has to
>> >>> >         // add its own URLs here, which is the pluggability problem.
>> >>> >         boolean skipSessionInvalidation = false;
>> >>> >         if ((requestedURI.indexOf("/samlsso") > -1)
>> >>> >                 || (requestedURI.indexOf("sso-saml/login.jsp") > -1)
>> >>> >                 || (requestedURI.indexOf("stratos-sso/login_ajaxprocessor.jsp") > -1)
>> >>> >                 || (requestedURI.indexOf("sso-saml/redirect_ajaxprocessor.jsp") > -1)
>> >>> >                 || (requestedURI.indexOf("stratos-sso/redirect_ajaxprocessor.jsp") > -1)
>> >>> >                 || (requestedURI.indexOf("sso-acs/redirect_ajaxprocessor.jsp") > -1)
>> >>> >                 || (requestedURI.indexOf("stratos-auth/redirect_ajaxprocessor.jsp") > -1)) {
>> >>> >             skipSessionInvalidation = true;
>> >>> >         }
>> >>> >         return skipSessionInvalidation;
>> >>> >     }
>> >>> >
>> >>> > As a part of this effort, let's refactor this bit of code as well.
>> >
>> >
>> > I have looked into this already, I will come up with a set of handler
>> > implementations (same as axis2 handlers) to clean up that lengthy method. We
>> > will discuss once I am done with the code.
>> >
>> > Thank you.
>> >>>
>> >>>
>> >>> +1. Will take the above into consideration as well. If possible please
>> >>> create a carbon Jira and assign it to me.
>> >>>
>> >>> Thanks
>> >>> AmilaJ
>> >>>
>> >>> >
>> >>> > Thanks,
>> >>> > Sameera.
>> >>> >
>> >>> >>
>> >>> >> Thanks
>> >>> >> AmilaJ
>> >>> >>
>> >>> >> --
>> >>> >> Mobile : +94773330538
>> >>> >>
>> >>> >> _______________________________________________
>> >>> >> Carbon-dev mailing list
>> >>> >> Carbon-dev@wso2.org
>> >>> >> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>> >>> >
>> >>> >
>> >>> > --
>> >>> > Sameera Jayasoma
>> >>> > Technical Lead and Product Manager, WSO2 Carbon
>> >>> >
>> >>> > WSO2, Inc. (http://wso2.com)
>> >>> > email: same...@wso2.com
>> >>> > blog: http://tech.jayasoma.org
>> >>> >
>> >>> > Lean . Enterprise . Middleware
>> >
>> >
>> > --
>> > Manjula Rathnayaka
>> > Software Engineer
>> > WSO2, Inc.
>> > Mobile:+94 77 743 1987
>
>
> --
> Thanks & Regards,
> Prabath
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com
> http://RampartFAQ.com
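The design argued for in this thread (an abstract authenticator with common logic, a priority-ordered chain in which only the authenticator knows how to handle its credential, a Basic Auth authenticator that can serve the BE services directly, and the "login" permission checked separately by the FE rather than during authentication) is shown below as an added, self-contained Java example. It is editorial illustration, not code from the thread, from CarbonUtils or from the Carbon code base. The interface names canHandle/getPriority/authenticate are modelled on the "isHandle", "priority" and "isAuthenticated" methods mentioned in the review notes and are assumptions; Request, InMemoryUserStore, the demo users and the "manage-users" permission are constructed for the demo. Only the "login" permission comes from the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Added example, not WSO2 Carbon code: all type and method names below are assumptions.
public class AuthenticatorChainExample {

    /** Minimal stand-in for an inbound HTTP request: headers plus the principal the chain resolves. */
    static final class Request {
        private final Map<String, String> headers = new HashMap<>();
        String authenticatedUser;                                    // set by the chain on success
        Request header(String name, String value) { headers.put(name.toLowerCase(Locale.ROOT), value); return this; }
        String header(String name) { return headers.get(name.toLowerCase(Locale.ROOT)); }
    }

    /** Assumed user store. Credential validation and permission lookup are deliberately separate calls. */
    static final class InMemoryUserStore {
        private final Map<String, byte[]> secrets = new HashMap<>();      // demo only; a real store holds salted hashes
        private final Map<String, Set<String>> permissions = new HashMap<>();
        void addUser(String user, String password, String... perms) {
            secrets.put(user, password.getBytes(StandardCharsets.UTF_8));
            permissions.put(user, new HashSet<>(Arrays.asList(perms)));
        }
        boolean validate(String user, byte[] password) {               // authentication only: legitimate user?
            byte[] expected = secrets.get(user);
            return expected != null && MessageDigest.isEqual(expected, password); // constant-time for equal lengths
        }
        boolean isAuthorized(String user, String permission) {         // authorization only: separate question
            return permissions.getOrDefault(user, Collections.<String>emptySet()).contains(permission);
        }
    }

    /** Shape the review notes describe; the handler never looks at credentials itself. */
    interface Authenticator {
        boolean canHandle(Request req);     // can this authenticator process the credential on the request?
        int getPriority();                  // lower value runs first
        boolean authenticate(Request req);  // identity check only, never a permission check
    }

    /** Common logic pulled out of the individual authenticators: record the principal on success. */
    static abstract class AbstractAuthenticator implements Authenticator {
        protected final InMemoryUserStore store;
        AbstractAuthenticator(InMemoryUserStore store) { this.store = store; }
        protected boolean succeed(Request req, String user) { req.authenticatedUser = user; return true; }
    }

    /** HTTP Basic (RFC 7617): "Basic " + base64(user ":" password). Only ever accept this over TLS. */
    static final class BasicAccessAuthenticator extends AbstractAuthenticator {
        BasicAccessAuthenticator(InMemoryUserStore store) { super(store); }
        @Override public int getPriority() { return 10; }
        @Override public boolean canHandle(Request req) {
            String h = req.header("Authorization");
            return h != null && h.regionMatches(true, 0, "Basic ", 0, 6);
        }
        @Override public boolean authenticate(Request req) {
            byte[] decoded;
            try {
                decoded = Base64.getDecoder().decode(req.header("Authorization").substring(6).trim());
            } catch (IllegalArgumentException malformed) {
                return false;                                           // bad base64 is just a failed attempt
            }
            int colon = -1;
            for (int i = 0; i < decoded.length && colon < 0; i++) if (decoded[i] == ':') colon = i;
            if (colon < 0) return false;
            String user = new String(decoded, 0, colon, StandardCharsets.UTF_8);      // split on the FIRST colon:
            byte[] password = Arrays.copyOfRange(decoded, colon + 1, decoded.length); // passwords may contain ':'
            try {
                return store.validate(user, password) && succeed(req, user);
            } finally {
                Arrays.fill(password, (byte) 0);                        // scrub the secret from the heap
                Arrays.fill(decoded, (byte) 0);
            }
        }
    }

    /** Walks the chain in priority order; the first authenticator that can handle the request decides. */
    static final class AuthenticationHandler {
        private final List<Authenticator> chain;
        AuthenticationHandler(List<Authenticator> authenticators) {
            chain = new ArrayList<>(authenticators);
            chain.sort(Comparator.comparingInt(Authenticator::getPriority));
        }
        boolean isAuthenticated(Request req) {
            for (Authenticator a : chain) if (a.canHandle(req)) return a.authenticate(req); // no fall-through
            return false;                                               // no credential: anonymous
        }
    }

    /** The front end, as one client among others, enforces "login" itself after authentication. */
    static boolean mayOpenManagementConsole(InMemoryUserStore store, Request req) {
        return req.authenticatedUser != null && store.isAuthorized(req.authenticatedUser, "login");
    }

    public static void main(String[] args) {
        InMemoryUserStore store = new InMemoryUserStore();                 // constructed demo users
        store.addUser("admin", "admin", "login", "manage-users");
        store.addUser("svc-reporting", "s3cret:with:colons", "manage-users"); // API-only account, no "login"
        AuthenticationHandler handler = new AuthenticationHandler(Arrays.asList(new BasicAccessAuthenticator(store)));
        String creds = Base64.getEncoder().encodeToString("svc-reporting:s3cret:with:colons".getBytes(StandardCharsets.UTF_8));
        Request apiCall = new Request().header("Authorization", "Basic " + creds);
        System.out.println("BE service call authenticated: " + handler.isAuthenticated(apiCall));
        System.out.println("same principal may open the console: " + mayOpenManagementConsole(store, apiCall));
    }
}
```

Compile and run with `javac AuthenticatorChainExample.java && java AuthenticatorChainExample` (Java 8 or later, no other dependencies). The service account in the demo can call a BE service the way the https://10.100.3.161:9443/services/... URL in the thread does, while the FE still refuses it the console because "login" is checked as a separate step, which is exactly the decoupling Prabath and Amila argue for. Two practitioner caveats the code encodes: the user:password pair is split on the first colon only, since passwords may legitimately contain colons, and a malformed Authorization header is treated as a failed authentication rather than an exception, so the server answers 401 and not a stack trace. Basic credentials travel on every request, so the authenticator should only be reachable on the TLS port.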