Yes.. I already created a JIRA task to track oauth authenticator

--Pradeep
sent from my phone

On Oct 7, 2013 12:03 PM, "Nirmal Fernando" <[email protected]> wrote:
> Pradeep,
>
> Thanks for the reply.
>
> On Mon, Oct 7, 2013 at 10:42 AM, Pradeep Fernando <[email protected]> wrote:
>
>> Hi Nirmal,
>>
>> Please find answers inline,
>>
>> On Sat, Oct 5, 2013 at 10:04 AM, Nirmal Fernando <[email protected]> wrote:
>>
>>> Hi Pradeep,
>>>
>>> Thanks for this contribution. I hope this will provide the basis for others to build Stratos REST API.
>>>
>>> A few questions inline.
>>>
>>> On Fri, Oct 4, 2013 at 10:57 PM, Pradeep Fernando <[email protected]> wrote:
>>>
>>>> Hi Devs,
>>>>
>>>> I came up with an implementation of the above feature and the patch can be found at [1].
>>>>
>>>> *How it works*
>>>>
>>>> - The web-app to Carbon runtime state exchange happens via OSGi services
>>>> - The JAX-RS application is using Apache CXF as the REST engine
>>>> - Authentication and Authorization of incoming requests are handled using two separate JAX-RS providers registered against the service class
>>>> - Authentication/Authorization is closely integrated to the underlying Carbon authentication/authorization framework
>>>> - I have defined two new annotation classes to capture method level permission details
>>>>   * @AuthorizationAction("PermissionString") - allows the admin service writer to annotate a certain operation with a permission string. Requests get authorized only if the invoking user has enough permissions
>>>
>>> Where are these permissions stored? Can you explain how someone can compile this string?
>>
>> This is the permission string related to the Carbon permission model. IIRC, this is the same string that you use inside the services.xml AuthorizationAction element.
>>
>>>>   * @SuperTenantService (true|false) - only the super-tenant user can access the service
>>>
>>> false implies all the tenants including super-tenant can access this operation, right? If so, can you please consider renaming this annotation?
>>
>> In the Carbon permission structure, super-tenant is special. The other way around, that is, super-tenant can perform tenant operations, is implicit IMHO. In that sense, when we say @SuperTenantService(false) it means it is not a super-tenant service -> any other tenant admin service. I'm ok to change this annotation, two concerns,
>>
>> 1. I used the same jargon that is being used in services.xml, <SuperTenantService>. Introducing another wording for the same thing might be confusing.
>> 2. We don't really use the @SuperTenantService(false) annotation. The default is false.
>>
>> Maybe we should change this to a marker annotation -> @SuperTenantService
>
> +1, makes sense. So, if you want to restrict an operation only for super-tenant access, you use the @SuperTenantService annotation.
>
>>>> - During deployment time, the authorization handler gets injected with the service bean. It processes all the authorization related annotations and builds an information model. When a request comes in it verifies the expected permission vs the bearing permission.
>>>
>>> Can you please explain how someone can plug in a new authorization handler? What classes to extend, what interfaces to implement etc.?
>>
>> They just have to implement the jaxrs.RequestHandler interface and declare the bean in the spring config file (cxf-servlet.xml)
>>
>> I did not come up with an authentication/authorization abstraction for Stratos in the implementation.
>
> No problem.
>
>> It is too early IMHO. Once we have at least one other authentication/authorization module we can define the abstraction.
>
> IMO we should go for an OAuth2 based authentication/authorization model as soon as possible.
>
> We should ideally start building up a wiki page on this too.
>
>>>> *Challenges/Approaches that did not work.*
>>>>
>>>> The CXF project provides an AuthorizationFilter called SimpleAuthorizationFilter [2] for JAAS based request authorization. It uses the @RolesAllowed annotation to identify authorized users. However it does not suit the Carbon authorization system well. Hence I came up with my own annotation types, which closely resemble the params used in existing WS admin services.
>>>>
>>>> *Authentication mechanism is pluggable*
>>>>
>>>> - Right now there is only one authenticator. It uses basic-auth to authenticate incoming requests. It is possible to plug in other kinds of authenticators.
>>>>
>>>> *How to write your new RESTful admin service*
>>>>
>>>> @POST
>>>> @Path("/tenant/create")
>>>> @Consumes("application/json")
>>>> @Produces("application/json")
>>>> @AuthorizationAction("/permission/protected/manage/monitor/tenants")
>>>> @SuperTenantService(true)
>>>> public String addTenant(TenantInfoBean tenantInfoBean) {
>>>>     // ... create the tenant from tenantInfoBean ...
>>>>     return "success";
>>>> }
>>>>
>>>> *Sample Request from CURL*
>>>>
>>>> curl -X POST -H "Content-Type: application/json" -d '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":"[email protected]","tenantDomain":"frank.com"}}' -v -u admin:admin https://localhost:9443/stratos/admin/tenant/create
>>>>
>>>> *TODO*
>>>>
>>>> This is more of the framework for implementing RESTful admin APIs. I have implemented two operations for the moment. We have to populate the service bean with the rest of the API. It's a matter of porting existing code to the new service bean. What is more important is to carefully design REST endpoints.
>>>>
>>>> Unlike WS endpoints, we have to be careful with the REST endpoint / where the parameter goes in the endpoint / HTTP method used / etc. I will spawn a separate thread on the topic.
>>>>
>>>> I have applied the patches to the JIRA. Would be great if the code can be committed to the main trunk. :)
>>>>
>>>> [1] https://issues.apache.org/jira/browse/STRATOS-90
>>>> [2] http://cxf.apache.org/docs/secure-jax-rs-services.html
>>>>
>>>> thanks,
>>>> --Pradeep
>>>
>>> --
>>> Best Regards,
>>> Nirmal
>>>
>>> C.S.Nirmal J. Fernando
>>> Senior Software Engineer,
>>> WSO2 Inc.
>>>
>>> Blog: http://nirmalfdo.blogspot.com/
>>
>> thanks,
>> --Pradeep
>
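As an added illustration, and not code from the STRATOS-90 patch or the Stratos project, the following self-contained Java 16+ sketch shows the deployment-time / request-time flow Pradeep describes: the two annotations are read off the service bean once via reflection into a cached model, and each incoming call is checked against it. The class and method names, the `int` tenant id, and the super-tenant id of -1234 are assumptions.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;
// Illustration only (assumed names, not the Stratos patch): the two annotations from the thread,
// scanned once when the service bean is deployed and consulted on every request.
// The super-tenant id is assumed to be Carbon's -1234.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface AuthorizationAction { String value(); }
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface SuperTenantService { boolean value() default true; }

final class AuthorizationModel {
    static final int SUPER_TENANT_ID = -1234;
    record Requirement(String permission, boolean superTenantOnly) {}
    private final Map<String, Requirement> byMethod = new HashMap<>();

    // Deployment time: inspect the service bean once and cache what each operation demands.
    AuthorizationModel(Class<?> serviceBean) {
        for (Method m : serviceBean.getDeclaredMethods()) {
            AuthorizationAction a = m.getAnnotation(AuthorizationAction.class);
            SuperTenantService s = m.getAnnotation(SuperTenantService.class);
            byMethod.put(m.getName(),
                new Requirement(a == null ? null : a.value(), s != null && s.value()));
        }
    }
    // Request time: expected permission vs. the permissions the caller bears.
    // Fails closed: an operation without @AuthorizationAction is denied, not left open.
    boolean isAuthorized(String operation, int callerTenantId, Set<String> callerPermissions) {
        Requirement req = byMethod.get(operation);
        if (req == null || req.permission() == null) return false;
        if (req.superTenantOnly() && callerTenantId != SUPER_TENANT_ID) return false;
        return callerPermissions.contains(req.permission());
    }
}

class TenantAdminService {   // shape the thread shows; JAX-RS annotations omitted to stay standalone
    @AuthorizationAction("/permission/protected/manage/monitor/tenants") @SuperTenantService(true)
    public String addTenant(String tenantInfoJson) { return "success"; }
    public String listNothing() { return ""; }   // deliberately left unannotated
}

public class AuthzDemo {
    public static void main(String[] args) {
        AuthorizationModel model = new AuthorizationModel(TenantAdminService.class);
        Set<String> perms = Set.of("/permission/protected/manage/monitor/tenants");
        System.out.println(model.isAuthorized("addTenant", AuthorizationModel.SUPER_TENANT_ID, perms)); // super-tenant holding the permission
        System.out.println(model.isAuthorized("addTenant", 1, perms)); // same permission, ordinary tenant: stopped by @SuperTenantService
        System.out.println(model.isAuthorized("listNothing", AuthorizationModel.SUPER_TENANT_ID, perms)); // unannotated: fail closed
    }
}
```

The fail-closed default for unannotated methods is the one behaviour a reviewer would want to confirm in the real handler, since a forgotten annotation otherwise becomes an unprotected endpoint.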
