@Chanaka: I just considered the fact that if we specify it as a parameter then that information will be visible. That is why I thought saving it as a registry resource would be better. But if we can continue with the parameter then we'll continue the testing with that.

Regards,
Sohani

Sohani Weerasinghe
Software Engineer
WSO2, Inc: http://wso2.com

Mobile : +94 716439774
Blog : http://christinetechtips.blogspot.com/
Twitter : https://twitter.com/sohanichristine

On Thu, Mar 26, 2015 at 3:02 PM, Chanaka Fernando <[email protected]> wrote:

> Hi Sohani,
>
> What is the additional security you get from having that parameter in
> registry?
>
> Thanks,
> Chanaka
>
> On Thu, Mar 26, 2015 at 2:55 PM, Sohani Weerasinghe <[email protected]>
> wrote:
>
>> Hi Chanaka,
>>
>> Please find my comments inline
>>
>> On Thu, Mar 26, 2015 at 2:18 PM, Chanaka Fernando <[email protected]>
>> wrote:
>>
>>> Hi Godwin,
>>>
>>> Please see my comments inline.
>>>
>>> AFAIK, in old model (file base persistence) roles are not persisting
>>> in meta file and it uses AuthorizationManager
>>> (JDBCAuthorizationManager) for persistence. We use same model for
>>> current implementation as well and roles are not persisting in
>>> registry.
>>>
>>> The problem with that approach is we need to include this information
>>> within the CAR file. Otherwise, it is not self contained. We need to
>>> have this user role information within the CAR file.
>>>
>>> @Sohani: If we can make sure all the security related scenarios (which
>>> requires user related information) are working properly with the
>>> <parameter name="allowRoles">admin</parameter>, then we can use this
>>> parameter instead of a separate registry resource.
>>>
>>
>> When considering the security perspective isn't it better to specify
>> user roles information as a registry resource rather than use as a
>> parameter? WDYT?
>>
>>>
>>> Thanks,
>>> Chanaka
>>>
>>> On Wed, Mar 25, 2015 at 11:46 PM, Godwin Amila Shrimal <[email protected]>
>>> wrote:
>>>
>>>> Hi Sohani,
>>>>
>>>> AFAIK, in old model (file base persistence) roles are not persisting
>>>> in meta file and it uses AuthorizationManager
>>>> (JDBCAuthorizationManager) for persistence. We use same model for
>>>> current implementation as well and roles are not persisting in
>>>> registry.
>>>>
>>>> Thanks
>>>> Godwin
>>>>
>>>> On Wed, Mar 25, 2015 at 11:23 AM, Sohani Weerasinghe <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Chanaka/Godwin,
>>>>>
>>>>> In order to further implement this feature I really appreciate your
>>>>> input on the below concerns.
>>>>>
>>>>> 1. When considering the security perspective, it seems we have two
>>>>> options to specify user roles config either as a registry resource
>>>>> or using the parameter 'allowRoles' in the proxy configuration. IMO
>>>>> implementing it as a registry resource would be better when
>>>>> considering the security perspective. WDYT?
>>>>>
>>>>> Also, if we are to implement it as a registry resource then the
>>>>> content of the resource will be
>>>>> <parameter name="allowRoles">admin</parameter>.
>>>>>
>>>>> @Chanaka: Can we have a parameter in the proxy config to define the
>>>>> registry resource for the user roles as we define the security
>>>>> policy (eg: <policy key="conf:repository/policy.xml"/>)?
>>>>>
>>>>> @Godwin: If user roles is going to be implemented as a registry
>>>>> resource, will there be a predefined registry location to save it?
>>>>> If so can you please state it?
>>>>>
>>>>> Really appreciate your response on this.
>>>>>
>>>>> Thanks,
>>>>> Sohani
>>>>>
>>>>> On Tue, Mar 24, 2015 at 3:52 PM, Sohani Weerasinghe <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi Chanaka/Godwin,
>>>>>>
>>>>>> Can you please provide an input on the below concerns to further
>>>>>> carry out the implementation from DevS side.
>>>>>>
>>>>>> 1. When considering the usability aspect, I think it's better if we
>>>>>> can create a registry resource for user roles at the time of
>>>>>> creating the policy using the Security Editor Form by getting the
>>>>>> User Roles values from the user rather than asking user to create a
>>>>>> new registry resource for User Roles.
>>>>>>
>>>>>> @Godwin: can you please state the required registry path to deploy
>>>>>> the User Roles configs?
>>>>>>
>>>>>> 2. If the User Roles config saves as a registry resource, how can
>>>>>> this be utilized by the proxy service? Will there be a property in
>>>>>> the proxy service so that we can point the User Role config as
>>>>>> pointing the policy file.
>>>>>>
>>>>>> 3. If we are deploying the policy and User Role configs via CAPP,
>>>>>> in a case where multiple policy files deploying in the same
>>>>>> registry location, in order to match the User Role config with the
>>>>>> relevant policy file, how can we identify the matching User Role
>>>>>> config and the policy? Can we have the same resource name for the
>>>>>> policy and the User Role configs?
>>>>>>
>>>>>> @Chanaka: can you please confirm points 2 and 3?
>>>>>>
>>>>>> Thanks,
>>>>>> Sohani
>>>>>>
>>>>>> On Tue, Mar 24, 2015 at 3:42 PM, Chanaka Fernando <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Godwin,
>>>>>>>
>>>>>>> That would be good.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Chanaka
>>>>>>>
>>>>>>> On Tue, Mar 24, 2015 at 3:40 PM, Godwin Amila Shrimal
>>>>>>> <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Chanaka,
>>>>>>>>
>>>>>>>> It'll finish within this week.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Godwin
>>>>>>>>
>>>>>>>> On Tue, Mar 24, 2015 at 3:35 PM, Chanaka Fernando
>>>>>>>> <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Godwin,
>>>>>>>>>
>>>>>>>>> When will you finish the offsite dev service?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Chanaka
>>>>>>>>>
>>>>>>>>> On Tue, Mar 24, 2015 at 3:30 PM, Godwin Amila Shrimal
>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Chanaka,
>>>>>>>>>>
>>>>>>>>>> We have basically completed the registry base implementation in
>>>>>>>>>> security mgt component and need to do code refactoring and more
>>>>>>>>>> testing. I tested basic scenarios with STS-service and it
>>>>>>>>>> worked ok. Currently I am in an offsite DevService and planning
>>>>>>>>>> to do remaining refactoring and testing after this.
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>> Godwin
>>>>>>>>>>
>>>>>>>>>> On Tue, Mar 24, 2015 at 2:00 PM, Chanaka Fernando
>>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi All,
>>>>>>>>>>>
>>>>>>>>>>> I am writing this mail to take the discussions related to
>>>>>>>>>>> $subject into a single place. With the ESB 4.9.0 release, we
>>>>>>>>>>> are removing the UI capability of applying security policies
>>>>>>>>>>> from the management console. Going forward, users can only
>>>>>>>>>>> apply security policies to ESB proxy services using developer
>>>>>>>>>>> studio. Even though this functionality is already available
>>>>>>>>>>> in the Developer Studio, it has some edge cases when we use
>>>>>>>>>>> that approach. One such limitation is that there is no place
>>>>>>>>>>> to select the users/roles in the developer studio when
>>>>>>>>>>> applying the security policy. Currently, this information is
>>>>>>>>>>> stored in meta files and with the 4.9.0 version, service meta
>>>>>>>>>>> files are removed. Plan is to store this information in
>>>>>>>>>>> registry and access from there. From the Developer Studio
>>>>>>>>>>> also, it will create the registry file when applying security
>>>>>>>>>>> policies.
>>>>>>>>>>>
>>>>>>>>>>> This would be a necessary feature for ESB 4.9.0 release since
>>>>>>>>>>> this will affect the entire security applying process going
>>>>>>>>>>> forward.
>>>>>>>>>>>
>>>>>>>>>>> @Godwin: Please add if I have missed anything and give us
>>>>>>>>>>> some update on the status from the security side.
>>>>>>>>>>>
>>>>>>>>>>> @Sohani/DevS team: Please give us some update on this
>>>>>>>>>>> implementation.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Chanaka
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Chanaka Fernando
>>>>>>>>>>> Technical Lead
>>>>>>>>>>> WSO2, Inc.; http://wso2.com
>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>
>>>>>>>>>>> mobile: +94 773337238
>>>>>>>>>>> Blog : http://soatutorials.blogspot.com
>>>>>>>>>>> LinkedIn: http://www.linkedin.com/pub/chanaka-fernando/19/a20/5b0
>>>>>>>>>>> Twitter: https://twitter.com/chanakaudaya
>>>>>>>>>>> Wordpress: http://chanakaudaya.wordpress.com
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Godwin Amila Shrimal
>>>>>>>>>> Senior Software Engineer
>>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>
>>>>>>>>>> mobile: +94772264165
>>>>>>>>>> linkedin: http://lnkd.in/KUum6D
>>>>>>>>>> twitter: https://twitter.com/godwinamila

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
