Hi,

Two questions -

1. Why do we need a separate axis2 deployer to handle just user roles?
2. Isn't it much cleaner if we keep the list of user roles as a registry property of the registry resource that contains the policy? Then, this won't depend on the service type, and the security configuration will be located in a single place.

I believe allowRoles was provided as a quick fix for a support ticket.

Thanks.

On Tue, Mar 31, 2015 at 3:53 PM, Sohani Weerasinghe <[email protected]> wrote:

> Meeting notes are as follows
>
> Participants: Jasintha, Susinda, Awanthika, Chanaka, IsuruU, Johann, Godwin, Dulindra, Sohani
>
> Notes:
>
> From the Developer Studio perspective, currently we are implementing the security policy as a registry resource and as per the discussion had we will use the parameter 'allowRoles' to define the relevant user roles. This will be a service level parameter and the roles can be obtained by connecting to the server.
>
> This parameter is already available with ESB and this needs to be facilitated by DSS and Axis2.
>
> From the Servers (ESB, DSS and AS) a deployer needs to be implemented to handle user roles at the run time
>
> Please add points to this if I have missed anything.
>
> Thanks,
> Sohani
>
> Sohani Weerasinghe
> Software Engineer
> WSO2, Inc: http://wso2.com
>
> Mobile : +94 716439774
> Blog : http://christinetechtips.blogspot.com/
> Twitter : https://twitter.com/sohanichristine
>
> On Thu, Mar 26, 2015 at 3:35 PM, Sohani Weerasinghe <[email protected]> wrote:
>
>> Hi Chanaka,
>>
>> Thanks for the explanation and as per the offline discussion we had, let's have a meeting on next week so that we can discuss and finalize the things.
>>
>> Regards,
>> Sohani
>>
>> On Thu, Mar 26, 2015 at 3:26 PM, Chanaka Fernando <[email protected]> wrote:
>>
>>> Hi Sohani,
>>>
>>> I got your idea. But what I meant was that this does not give any additional security. BTW, I am not against the registry based approach :)
>>>
>>> Thanks,
>>> Chanaka
>>>
>>> On Thu, Mar 26, 2015 at 3:05 PM, Sohani Weerasinghe <[email protected]> wrote:
>>>
>>>> @Chanaka : I just considered the fact that if we specify it as a parameter then that information will be visible. That is why thought of saving it as a registry resource would be better. But if we can continue with the parameter then we'll continue the testing with that.
>>>>
>>>> Regards,
>>>> Sohani
>>>>
>>>> On Thu, Mar 26, 2015 at 3:02 PM, Chanaka Fernando <[email protected]> wrote:
>>>>
>>>>> Hi Sohani,
>>>>>
>>>>> What is the additional security you get from having that parameter in registry?
>>>>>
>>>>> Thanks,
>>>>> Chanaka
>>>>>
>>>>> On Thu, Mar 26, 2015 at 2:55 PM, Sohani Weerasinghe <[email protected]> wrote:
>>>>>
>>>>>> Hi Chanaka,
>>>>>>
>>>>>> Please find my comments inline
>>>>>>
>>>>>> On Thu, Mar 26, 2015 at 2:18 PM, Chanaka Fernando <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Godwin,
>>>>>>>
>>>>>>> Please see my comments inline.
>>>>>>>
>>>>>>> AFAIK, in old model (file base persistence) roles are not persisting in meta file and it use AuthorizationManager (JDBCAuthorizationManager) for persistence, We use same model for current implementation as well and roles are not persisting in registry.
>>>>>>>
>>>>>>> The problem with that approach is we need to include this information within the CAR file. Otherwise, it is not self contained. We need to have this user role information within the CAR file.
>>>>>>>
>>>>>>> @Sohani: If we can make sure all the security related scenarios (which requires user related information) are working properly with the <parameter name="allowRoles">admin</parameter>, then we can use this parameter instead of a separate registry resource.
>>>>>>>
>>>>>>
>>>>>> When considering the security perspective isn't it better to specify user roles information as a registry resource rather than use as a parameter? WDYT?
>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Chanaka
>>>>>>>
>>>>>>> On Wed, Mar 25, 2015 at 11:46 PM, Godwin Amila Shrimal <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Sohani,
>>>>>>>>
>>>>>>>> AFAIK, in old model (file base persistence) roles are not persisting in meta file and it use AuthorizationManager (JDBCAuthorizationManager) for persistence, We use same model for current implementation as well and roles are not persisting in registry.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Godwin
>>>>>>>>
>>>>>>>> On Wed, Mar 25, 2015 at 11:23 AM, Sohani Weerasinghe <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Chanaka/Godwin,
>>>>>>>>>
>>>>>>>>> In order to further implement this feature I really appreciate your input on the below concerns.
>>>>>>>>>
>>>>>>>>> 1. When considering the security perspective, it seems we have two options to specify user roles config either as a registry resource or using the parameter 'allowRoles' in the proxy configuration. IMO implement it as a registry resource would be better when considering the security perspective. WDYT?
>>>>>>>>>
>>>>>>>>> Also, if we are to implement it as a registry resource then the content of the resource will be <parameter name="allowRoles">admin</parameter>.
>>>>>>>>>
>>>>>>>>> @Chanaka: Can we have a parameter in the proxy config to define the registry resource for the user roles as we define the security policy (eg: <policy key="conf:repository/policy.xml"/> ) ?
>>>>>>>>>
>>>>>>>>> @Godwin : If user roles is going to be implemented as a registry resource, will there be a predefined registry location to save it ? If so can you please state it?
>>>>>>>>>
>>>>>>>>> Really appreciate your response on this.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Sohani
>>>>>>>>>
>>>>>>>>> On Tue, Mar 24, 2015 at 3:52 PM, Sohani Weerasinghe <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Chanaka/Godwin,
>>>>>>>>>>
>>>>>>>>>> Can you please provide an input on the below concerns to further carry out the implementation from DevS side.
>>>>>>>>>>
>>>>>>>>>> 1. When considering the usability aspect, I think it's better if we can create a registry resource for user roles at the time of creating the policy using the Security Editor Form by getting the User Roles values from the user rather than asking user to create a new registry resource for User Roles.
>>>>>>>>>>
>>>>>>>>>> @Godwin: can you please state the required registry path to deploy the User Roles configs?
>>>>>>>>>>
>>>>>>>>>> 2. If the User Roles config saves as a registry resource, how this can be utilized by the proxy service? Will there be a property in the proxy service so that we can point the User Role config as pointing the policy file.
>>>>>>>>>>
>>>>>>>>>> 3. If we are deploying the policy and User Role configs via CAPP, in a case where multiple policy files deploying in the same registry location, in order to match the User Role config with the relevant policy file, how can we identify the matching User Role config and the policy? Can we have the same resource name for the policy and the User Role configs?
>>>>>>>>>>
>>>>>>>>>> @Chanaka: can you please confirm points 2 and 3?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Sohani
>>>>>>>>>>
>>>>>>>>>> On Tue, Mar 24, 2015 at 3:42 PM, Chanaka Fernando <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Godwin,
>>>>>>>>>>>
>>>>>>>>>>> That would be good.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Chanaka
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Mar 24, 2015 at 3:40 PM, Godwin Amila Shrimal <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Chanaka,
>>>>>>>>>>>>
>>>>>>>>>>>> It'll finish within this week.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks
>>>>>>>>>>>> Godwin
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Mar 24, 2015 at 3:35 PM, Chanaka Fernando <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Godwin,
>>>>>>>>>>>>>
>>>>>>>>>>>>> When will you finish the offsite dev service?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Chanaka
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Mar 24, 2015 at 3:30 PM, Godwin Amila Shrimal <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Chanaka,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> We have basically completed the registry base implementation in security mgt component and need to do code refactoring and more testing. I tested basic scenarios with STS-service and it worked ok. Currently I am in an offsite DevService and planning to do remaining refactoring and testing after this.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>> Godwin
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Mar 24, 2015 at 2:00 PM, Chanaka Fernando <[email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I am writing this mail to take the discussions related to $subject into a single place. With the ESB 4.9.0 release, we are removing the UI capability of applying security policies from the management console. Going forward, users can only apply security policies to ESB proxy services using developer studio. Even though this functionality is already available in the Developer Studio, it has some edge cases when we use that approach. One such limitation is that there is no place to select the users/roles in the developer studio when applying the security policy. Currently, this information is stored in meta files and with the 4.9.0 version, service meta files are removed. Plan is to store this information in registry and access from there. From the Developer Studio also, it will create the registry file when applying security policies.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This would be a necessary feature for ESB 4.9.0 release since this will affect the entire security applying process going forward.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> @Godwin: Please add if I have missed anything and give us some update on the status from the security side.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> @Sohani/DevS team: Please give us some update on this implementation.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>> Chanaka
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Chanaka Fernando
>>>>>>>>>>>>>>> Technical Lead
>>>>>>>>>>>>>>> WSO2, Inc.; http://wso2.com
>>>>>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> mobile: +94 773337238
>>>>>>>>>>>>>>> Blog : http://soatutorials.blogspot.com
>>>>>>>>>>>>>>> LinkedIn: http://www.linkedin.com/pub/chanaka-fernando/19/a20/5b0
>>>>>>>>>>>>>>> Twitter: https://twitter.com/chanakaudaya
>>>>>>>>>>>>>>> Wordpress: http://chanakaudaya.wordpress.com
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> *Godwin Amila Shrimal*
>>>>>>>>>>>>>> Senior Software Engineer
>>>>>>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> mobile: *+94772264165*
>>>>>>>>>>>>>> linkedin: *http://lnkd.in/KUum6D <http://lnkd.in/KUum6D>*
>>>>>>>>>>>>>> twitter: https://twitter.com/godwinamila

--
*Kasun Gajasinghe*
Senior Software Engineer, WSO2 Inc.
email: kasung AT spamfree wso2.com
linked-in: http://lk.linkedin.com/in/gajasinghe
blog: http://kasunbg.org
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
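
Added example, not part of the thread and not WSO2 code: a small audit over proxy service definitions that reports which ones reference a security policy (`<policy key="..."/>`) without carrying an `allowRoles` parameter, the case the thread raises about role information travelling inside the deployed artifact. The sample proxies and function names are constructed for illustration; the Synapse namespace and a comma-separated role list are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://ws.apache.org/ns/synapse}"  # assumed Synapse configuration namespace

# Constructed sample proxy definitions; names and roles are illustrative.
SAMPLE_PROXIES = [
    """<proxy xmlns="http://ws.apache.org/ns/synapse" name="OrderProxy">
         <target/>
         <policy key="conf:repository/policy.xml"/>
         <parameter name="allowRoles">admin, manager</parameter>
       </proxy>""",
    """<proxy xmlns="http://ws.apache.org/ns/synapse" name="PaymentProxy">
         <target/>
         <policy key="conf:repository/policy.xml"/>
       </proxy>""",
    """<proxy xmlns="http://ws.apache.org/ns/synapse" name="EchoProxy">
         <target/>
         <parameter name="allowRoles"> </parameter>
       </proxy>""",
]


def audit_proxy(xml_text):
    """Return the policy keys and allowRoles list declared by one proxy."""
    root = ET.fromstring(xml_text)
    policies = [p.get("key") for p in root.findall(NS + "policy") if p.get("key")]
    roles = []
    for param in root.findall(NS + "parameter"):
        if param.get("name") == "allowRoles":
            # Assumption: several roles are written as a comma-separated list.
            roles += [r.strip() for r in (param.text or "").split(",") if r.strip()]
    finding = None
    if policies and not roles:
        finding = "policy referenced, but no roles travel with the artifact"
    return {"name": root.get("name"), "policies": policies,
            "roles": roles, "finding": finding}


def audit_all(proxies):
    """Names of proxies whose role list is missing from the configuration."""
    return [r["name"] for r in map(audit_proxy, proxies) if r["finding"]]


if __name__ == "__main__":
    for report in map(audit_proxy, SAMPLE_PROXIES):
        print(report)
```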
