Hi Sanjeewa,

On Thu, Jan 17, 2013 at 10:29 PM, Sanjeewa Malalgoda <[email protected]>wrote:

> Hi All.
> At the moment we are removing authorization headers from API requests when
> they pass to the actual back end (at the gateway authorization handler). But for
> some use cases we need to just pass through the gateway and allow the actual back
> end to do authorization. In that case we can define that resource token
> type as none (no application or application user). Then the gateway will skip
> the authorization process, but it still removes authorization headers if
> available. Ideally it shouldn't remove them, as no
> actual authorization happens. Shall we go ahead and avoid removing security
> headers? WDYT?
>

With your suggested way above, it'll handle 1) invoking a secured OAuth
back-end endpoint when no auth scheme is required at API level. But it'll not
handle 2) invoking a secured OAuth back-end endpoint when an auth scheme is
required at API level. My question is: if we are going to implement the
above use case, don't we need to consider my 2nd option as well and
find a common solution for both flows?

And additionally, if we avoid removing security headers for an API request
with no auth scheme required at gateway level, whether the back-end endpoint is
secured or not, it'll pass the authorization header to the backend. Is it OK to
do so?

Thanks;


>
> Thanks.
> --
> *Sanjeewa Malalgoda*
> WSO2 Inc.
> Mobile : +14084122175 | +94713068779
>
> blog: http://sanjeewamalalgoda.blogspot.com/
>



-- 
Lalaji Sureshika
Software Engineer; Development Technologies Team;WSO2, Inc.;
http://wso2.com/
email: [email protected]; cell: +94 71 608 6811
blog: http://lalajisureshika.blogspot.com
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
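To make the flows debated in this thread concrete, here is a toy model of a gateway authorization handler's header policy. It is an added illustration, not WSO2 API Manager code; `AuthScheme`, `gateway()`, `backend()`, the `X-Authenticated-App` header and the sample tokens are assumptions of the example. It shows Sanjeewa's proposal (pass the Authorization header through when the resource's auth scheme is none) fixing flow 1, the gap Lalaji raises in flow 2 (auth required at API level and a secured back end, where the single Authorization header is consumed by the gateway), and the side effect in flow 3 (with pass-through, whatever Authorization header the client sent reaches an unsecured back end).

```python
"""Toy model of the gateway authorization handler's header policy.

Added illustration for the thread above; it is not WSO2 API Manager code.
AuthScheme, gateway(), backend() and the sample tokens are assumptions of
this example, constructed to show the flows discussed in the thread.
"""
from enum import Enum


class AuthScheme(Enum):
    NONE = "none"                  # resource token type none: gateway skips auth
    APPLICATION = "application"    # auth required at API level
    APPLICATION_USER = "application_user"


class GatewayAuthError(Exception):
    """Raised when the gateway rejects a request it is supposed to authorize."""


# Constructed sample credentials: one token the gateway knows, one the back end knows.
GATEWAY_TOKENS = {"gw-token-123": "app-A"}
BACKEND_TOKEN = "be-token-xyz"


def gateway(headers: dict, scheme: AuthScheme, strip_on_passthrough: bool) -> dict:
    """Return the headers the gateway forwards to the back end.

    Auth required at API level: the gateway validates the bearer token and
    removes the Authorization header it consumed, so the consumer's gateway
    credential is never forwarded.  Scheme NONE: nothing is validated; the
    current behaviour (strip_on_passthrough=True) still drops the header,
    the proposed behaviour (False) passes it through untouched.
    """
    out = dict(headers)
    if scheme is AuthScheme.NONE:
        if strip_on_passthrough:
            out.pop("Authorization", None)
        return out
    auth = out.pop("Authorization", None)
    if auth is None or not auth.startswith("Bearer "):
        raise GatewayAuthError("missing or malformed Authorization header")
    app = GATEWAY_TOKENS.get(auth[len("Bearer "):])
    if app is None:
        raise GatewayAuthError("invalid gateway token")
    out["X-Authenticated-App"] = app   # hypothetical header carrying the gateway's verdict
    return out


def backend(headers: dict, secured: bool) -> int:
    """Stand-in back end returning an HTTP status; a secured back end wants its own token."""
    if not secured:
        return 200
    return 200 if headers.get("Authorization") == f"Bearer {BACKEND_TOKEN}" else 401


def run_flows() -> dict:
    """Exercise the flows raised in the thread and return their outcomes."""
    results = {}
    # Flow 1: no auth scheme at API level, secured back end, client sends the back-end token.
    req = {"Authorization": f"Bearer {BACKEND_TOKEN}"}
    results["flow1_current"] = backend(gateway(req, AuthScheme.NONE, True), secured=True)
    results["flow1_proposed"] = backend(gateway(req, AuthScheme.NONE, False), secured=True)
    # Flow 2: auth scheme required at API level AND secured back end. The single
    # Authorization header is consumed by the gateway, so the back end never sees a token.
    req = {"Authorization": "Bearer gw-token-123"}
    results["flow2"] = backend(gateway(req, AuthScheme.APPLICATION, False), secured=True)
    # Flow 3: no auth scheme, unsecured back end. With pass-through the client's
    # Authorization header reaches the back end even though nothing there needs it.
    req = {"Authorization": "Bearer whatever-the-client-sent"}
    results["flow3_forwards_header"] = "Authorization" in gateway(req, AuthScheme.NONE, False)
    return results


if __name__ == "__main__":
    for name, value in run_flows().items():
        print(f"{name}: {value}")
```

Flow 2 is the one a common solution would have to address: once the gateway validates and consumes the Authorization header, a secured back end needs its credential delivered by some other means, which the thread leaves open.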