Hi Sohani,

I got your idea. But what I meant was that this does not give any additional security. BTW, I am not against the registry based approach :)

Thanks,
Chanaka

On Thu, Mar 26, 2015 at 3:05 PM, Sohani Weerasinghe <[email protected]> wrote:

> @Chanaka : I just considered the fact that if we specify it as a parameter
> then that information will be visible. That is why I thought saving it as
> a registry resource would be better. But if we can continue with the
> parameter then we'll continue the testing with that.
>
> Regards,
> Sohani
>
> Sohani Weerasinghe
> Software Engineer
> WSO2, Inc: http://wso2.com
>
> Mobile : +94 716439774
> Blog : http://christinetechtips.blogspot.com/
> Twitter : https://twitter.com/sohanichristine
>
> On Thu, Mar 26, 2015 at 3:02 PM, Chanaka Fernando <[email protected]>
> wrote:
>
>> Hi Sohani,
>>
>> What is the additional security you get from having that parameter in
>> registry?
>>
>> Thanks,
>> Chanaka
>>
>> On Thu, Mar 26, 2015 at 2:55 PM, Sohani Weerasinghe <[email protected]>
>> wrote:
>>
>>> Hi Chanaka,
>>>
>>> Please find my comments inline
>>>
>>> Sohani Weerasinghe
>>> Software Engineer
>>> WSO2, Inc: http://wso2.com
>>>
>>> Mobile : +94 716439774
>>> Blog : http://christinetechtips.blogspot.com/
>>> Twitter : https://twitter.com/sohanichristine
>>>
>>> On Thu, Mar 26, 2015 at 2:18 PM, Chanaka Fernando <[email protected]>
>>> wrote:
>>>
>>>> Hi Godwin,
>>>>
>>>> Please see my comments inline.
>>>>
>>>> AFAIK, in the old model (file-based persistence) roles are not persisted
>>>> in the meta file and it uses AuthorizationManager
>>>> (JDBCAuthorizationManager) for persistence. We use the same model for the
>>>> current implementation as well and roles are not persisted in the
>>>> registry.
>>>>
>>>> The problem with that approach is we need to include this information
>>>> within the CAR file. Otherwise, it is not self contained. We need to have
>>>> this user role information within the CAR file.
>>>>
>>>> @Sohani: If we can make sure all the security related scenarios (which
>>>> require user related information) are working properly with the
>>>> <parameter name="allowRoles">admin</parameter>, then we can use this
>>>> parameter instead of a separate registry resource.
>>>>
>>>
>>> When considering the security perspective isn't it better to specify
>>> user roles information as a registry resource rather than use it as a
>>> parameter? WDYT?
>>>
>>>>
>>>> Thanks,
>>>> Chanaka
>>>>
>>>> On Wed, Mar 25, 2015 at 11:46 PM, Godwin Amila Shrimal <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Sohani,
>>>>>
>>>>> AFAIK, in the old model (file-based persistence) roles are not persisted
>>>>> in the meta file and it uses AuthorizationManager
>>>>> (JDBCAuthorizationManager) for persistence. We use the same model for
>>>>> the current implementation as well and roles are not persisted in the
>>>>> registry.
>>>>>
>>>>> Thanks
>>>>> Godwin
>>>>>
>>>>> On Wed, Mar 25, 2015 at 11:23 AM, Sohani Weerasinghe <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi Chanaka/Godwin,
>>>>>>
>>>>>> In order to further implement this feature I really appreciate your
>>>>>> input on the below concerns.
>>>>>>
>>>>>> 1. When considering the security perspective, it seems we have two
>>>>>> options to specify user roles config either as a registry resource or
>>>>>> using the parameter 'allowRoles' in the proxy configuration. IMO
>>>>>> implementing it as a registry resource would be better when considering
>>>>>> the security perspective. WDYT?
>>>>>>
>>>>>> Also, if we are to implement it as a registry resource then the
>>>>>> content of the resource will be
>>>>>> <parameter name="allowRoles">admin</parameter>.
>>>>>>
>>>>>> @Chanaka: Can we have a parameter in the proxy config to define the
>>>>>> registry resource for the user roles as we define the security policy
>>>>>> (eg: <policy key="conf:repository/policy.xml"/> ) ?
>>>>>>
>>>>>> @Godwin : If user roles is going to be implemented as a registry
>>>>>> resource, will there be a predefined registry location to save it? If
>>>>>> so can you please state it?
>>>>>>
>>>>>> Really appreciate your response on this.
>>>>>>
>>>>>> Thanks,
>>>>>> Sohani
>>>>>>
>>>>>> Sohani Weerasinghe
>>>>>> Software Engineer
>>>>>> WSO2, Inc: http://wso2.com
>>>>>>
>>>>>> Mobile : +94 716439774
>>>>>> Blog : http://christinetechtips.blogspot.com/
>>>>>> Twitter : https://twitter.com/sohanichristine
>>>>>>
>>>>>> On Tue, Mar 24, 2015 at 3:52 PM, Sohani Weerasinghe <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Chanaka/Godwin,
>>>>>>>
>>>>>>> Can you please provide an input on the below concerns to further
>>>>>>> carry out the implementation from DevS side.
>>>>>>>
>>>>>>> 1. When considering the usability aspect, I think it's better if we
>>>>>>> can create a registry resource for user roles at the time of creating
>>>>>>> the policy using the Security Editor Form by getting the User Roles
>>>>>>> values from the user rather than asking the user to create a new
>>>>>>> registry resource for User Roles.
>>>>>>>
>>>>>>> @Godwin: can you please state the required registry path to deploy
>>>>>>> the User Roles configs?
>>>>>>>
>>>>>>> 2. If the User Roles config is saved as a registry resource, how can
>>>>>>> this be utilized by the proxy service? Will there be a property in the
>>>>>>> proxy service so that we can point the User Role config as pointing
>>>>>>> the policy file.
>>>>>>>
>>>>>>> 3. If we are deploying the policy and User Role configs via CAPP, in
>>>>>>> a case where multiple policy files are deploying in the same registry
>>>>>>> location, in order to match the User Role config with the relevant
>>>>>>> policy file, how can we identify the matching User Role config and the
>>>>>>> policy? Can we have the same resource name for the policy and the User
>>>>>>> Role configs?
>>>>>>>
>>>>>>> @Chanaka: can you please confirm points 2 and 3?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Sohani
>>>>>>>
>>>>>>> Sohani Weerasinghe
>>>>>>> Software Engineer
>>>>>>> WSO2, Inc: http://wso2.com
>>>>>>>
>>>>>>> Mobile : +94 716439774
>>>>>>> Blog : http://christinetechtips.blogspot.com/
>>>>>>> Twitter : https://twitter.com/sohanichristine
>>>>>>>
>>>>>>> On Tue, Mar 24, 2015 at 3:42 PM, Chanaka Fernando <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Godwin,
>>>>>>>>
>>>>>>>> That would be good.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Chanaka
>>>>>>>>
>>>>>>>> On Tue, Mar 24, 2015 at 3:40 PM, Godwin Amila Shrimal
>>>>>>>> <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Chanaka,
>>>>>>>>>
>>>>>>>>> It'll finish within this week.
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> Godwin
>>>>>>>>>
>>>>>>>>> On Tue, Mar 24, 2015 at 3:35 PM, Chanaka Fernando
>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Godwin,
>>>>>>>>>>
>>>>>>>>>> When will you finish the offsite dev service?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Chanaka
>>>>>>>>>>
>>>>>>>>>> On Tue, Mar 24, 2015 at 3:30 PM, Godwin Amila Shrimal
>>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Chanaka,
>>>>>>>>>>>
>>>>>>>>>>> We have basically completed the registry-based implementation in
>>>>>>>>>>> security mgt component and need to do code refactoring and more
>>>>>>>>>>> testing. I tested basic scenarios with STS-service and it worked
>>>>>>>>>>> ok. Currently I am in an offsite DevService and planning to do
>>>>>>>>>>> remaining refactoring and testing after this.
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>> Godwin
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Mar 24, 2015 at 2:00 PM, Chanaka Fernando
>>>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>
>>>>>>>>>>>> I am writing this mail to take the discussions related to
>>>>>>>>>>>> $subject into a single place. With the ESB 4.9.0 release, we are
>>>>>>>>>>>> removing the UI capability of applying security policies from the
>>>>>>>>>>>> management console. Going forward, users can only apply security
>>>>>>>>>>>> policies to ESB proxy services using developer studio. Even
>>>>>>>>>>>> though this functionality is already available in the Developer
>>>>>>>>>>>> Studio, it has some edge cases when we use that approach. One
>>>>>>>>>>>> such limitation is that there is no place to select the
>>>>>>>>>>>> users/roles in the developer studio when applying the security
>>>>>>>>>>>> policy. Currently, this information is stored in meta files and
>>>>>>>>>>>> with the 4.9.0 version, service meta files are removed. Plan is
>>>>>>>>>>>> to store this information in registry and access from there. From
>>>>>>>>>>>> the Developer Studio also, it will create the registry file when
>>>>>>>>>>>> applying security policies.
>>>>>>>>>>>>
>>>>>>>>>>>> This would be a necessary feature for ESB 4.9.0 release since
>>>>>>>>>>>> this will affect the entire security applying process going
>>>>>>>>>>>> forward.
>>>>>>>>>>>>
>>>>>>>>>>>> @Godwin: Please add if I have missed anything and give us some
>>>>>>>>>>>> update on the status from the security side.
>>>>>>>>>>>>
>>>>>>>>>>>> @Sohani/DevS team: Please give us some update on this
>>>>>>>>>>>> implementation.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Chanaka
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> --
>>>>>>>>>>>> Chanaka Fernando
>>>>>>>>>>>> Technical Lead
>>>>>>>>>>>> WSO2, Inc.; http://wso2.com
>>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>>
>>>>>>>>>>>> mobile: +94 773337238
>>>>>>>>>>>> Blog : http://soatutorials.blogspot.com
>>>>>>>>>>>> LinkedIn: http://www.linkedin.com/pub/chanaka-fernando/19/a20/5b0
>>>>>>>>>>>> Twitter: https://twitter.com/chanakaudaya
>>>>>>>>>>>> Wordpress: http://chanakaudaya.wordpress.com
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> *Godwin Amila Shrimal*
>>>>>>>>>>> Senior Software Engineer
>>>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>
>>>>>>>>>>> mobile: *+94772264165*
>>>>>>>>>>> linkedin: *http://lnkd.in/KUum6D <http://lnkd.in/KUum6D>*
>>>>>>>>>>> twitter: https://twitter.com/godwinamila
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
