Hi KasunG,

On Tue, Mar 31, 2015 at 4:32 PM, KasunG Gajasinghe <[email protected]> wrote:
> Hi,
>
> Two questions -
>
> 1. Why do we need a separate axis2 deployer to handle just user roles?
>

We were thinking about modifying existing deployers (proxy deployer etc) to call the relevant component in the security side.

>
> 2. Isn't it much cleaner if we keep the list of user roles as a registry
> property of the registry resource that contains the policy? Then, this
> won't depend on the service type, and the security configuration will be
> located in a single place. I believe allowRoles was provided as a quick fix
> for a support ticket.
>

This is a very good suggestion. Let's consider this option as well.

>
> Thanks.
>
> On Tue, Mar 31, 2015 at 3:53 PM, Sohani Weerasinghe <[email protected]> wrote:
>
>> Meeting notes are as follows
>>
>> Participants: Jasintha, Susinda, Awanthika, Chanaka, IsuruU, Johann,
>> Godwin, Dulindra, Sohani
>>
>> Notes:
>>
>> From the Developer Studio perspective, currently we are implementing the
>> security policy as a registry resource and as per the discussion had we
>> will use the parameter 'allowRoles' to define the relevant user roles. This
>> will be a service level parameter and the roles can be obtained by
>> connecting to the server.
>>
>> This parameter is already available with ESB and this needs to be
>> facilitated by DSS and Axis2.
>>
>> From the Servers (ESB, DSS and AS) a deployer needs to be implemented to
>> handle user roles at the run time
>>
>> Please add points to this if I have missed anything.
>>
>> Thanks,
>> Sohani
>>
>> Sohani Weerasinghe
>> Software Engineer
>> WSO2, Inc: http://wso2.com
>>
>> Mobile : +94 716439774
>> Blog :http://christinetechtips.blogspot.com/
>> Twitter : https://twitter.com/sohanichristine
>>
>> On Thu, Mar 26, 2015 at 3:35 PM, Sohani Weerasinghe <[email protected]> wrote:
>>
>>> Hi Chanaka,
>>>
>>> Thanks for the explanation and as per the offline discussion we had,
>>> let's have a meeting on next week so that we can discuss and finalize the
>>> things.
>>>
>>> Regards,
>>> Sohani
>>>
>>> On Thu, Mar 26, 2015 at 3:26 PM, Chanaka Fernando <[email protected]> wrote:
>>>
>>>> Hi Sohani,
>>>>
>>>> I got your idea. But what I meant was that this does not give any
>>>> additional security. BTW, I am not against the registry based approach :)
>>>>
>>>> Thanks,
>>>> Chanaka
>>>>
>>>> On Thu, Mar 26, 2015 at 3:05 PM, Sohani Weerasinghe <[email protected]> wrote:
>>>>
>>>>> @Chanaka : I just considered the fact that if we specify it as a
>>>>> parameter then that information will be visible. That is why thought of
>>>>> saving it as a registry resource would be better. But if we can continue
>>>>> with the parameter then we'll continue the testing with that.
>>>>>
>>>>> Regards,
>>>>> Sohani
>>>>>
>>>>> On Thu, Mar 26, 2015 at 3:02 PM, Chanaka Fernando <[email protected]> wrote:
>>>>>
>>>>>> Hi Sohani,
>>>>>>
>>>>>> What is the additional security you get from having that parameter in
>>>>>> registry?
>>>>>>
>>>>>> Thanks,
>>>>>> Chanaka
>>>>>>
>>>>>> On Thu, Mar 26, 2015 at 2:55 PM, Sohani Weerasinghe <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Chanaka,
>>>>>>>
>>>>>>> Please find my comments inline
>>>>>>>
>>>>>>> On Thu, Mar 26, 2015 at 2:18 PM, Chanaka Fernando <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Godwin,
>>>>>>>>
>>>>>>>> Please see my comments inline.
>>>>>>>>
>>>>>>>> AFAIK, in old model (file base persistence) roles are not
>>>>>>>> persisting in meta file and it uses AuthorizationManager
>>>>>>>> (JDBCAuthorizationManager) for persistence. We use same model for
>>>>>>>> current implementation as well and roles are not persisting in registry.
>>>>>>>>
>>>>>>>> The problem with that approach is we need to include this
>>>>>>>> information within the CAR file. Otherwise, it is not self contained.
>>>>>>>> We need to have this user role information within the CAR file.
>>>>>>>>
>>>>>>>> @Sohani: If we can make sure all the security related scenarios
>>>>>>>> (which requires user related information) are working properly with the
>>>>>>>> <parameter name="allowRoles">admin</parameter>, then we can use this
>>>>>>>> parameter instead of a separate registry resource.
>>>>>>>>
>>>>>>>
>>>>>>> When considering the security perspective isn't it better to specify
>>>>>>> user roles information as a registry resource rather than use as a
>>>>>>> parameter? WDYT?
>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Chanaka
>>>>>>>>
>>>>>>>> On Wed, Mar 25, 2015 at 11:46 PM, Godwin Amila Shrimal <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Sohani,
>>>>>>>>>
>>>>>>>>> AFAIK, in old model (file base persistence) roles are not
>>>>>>>>> persisting in meta file and it uses AuthorizationManager
>>>>>>>>> (JDBCAuthorizationManager) for persistence. We use same model for
>>>>>>>>> current implementation as well and roles are not persisting in registry.
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> Godwin
>>>>>>>>>
>>>>>>>>> On Wed, Mar 25, 2015 at 11:23 AM, Sohani Weerasinghe <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Chanaka/Godwin,
>>>>>>>>>>
>>>>>>>>>> In order to further implement this feature I really appreciate
>>>>>>>>>> your input on the below concerns.
>>>>>>>>>>
>>>>>>>>>> 1. When considering the security perspective, it seems we have
>>>>>>>>>> two options to specify user roles config either as a registry resource or
>>>>>>>>>> using the parameter 'allowRoles' in the proxy configuration. IMO implement
>>>>>>>>>> it as a registry resource would be better when considering the security
>>>>>>>>>> perspective. WDYT?
>>>>>>>>>>
>>>>>>>>>> Also, if we are to implement it as a registry resource then the
>>>>>>>>>> content of the resource will be <parameter name="allowRoles">admin</parameter>.
>>>>>>>>>>
>>>>>>>>>> @Chanaka: Can we have a parameter in the proxy config to define
>>>>>>>>>> the registry resource for the user roles as we define the security policy
>>>>>>>>>> (eg: <policy key="conf:repository/policy.xml"/> ) ?
>>>>>>>>>>
>>>>>>>>>> @Godwin : If user roles is going to be implemented as a registry
>>>>>>>>>> resource, will there be a predefined registry location to save it ? If so
>>>>>>>>>> can you please state it?
>>>>>>>>>>
>>>>>>>>>> Really appreciate your response on this.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Sohani
>>>>>>>>>>
>>>>>>>>>> On Tue, Mar 24, 2015 at 3:52 PM, Sohani Weerasinghe <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Chanaka/Godwin,
>>>>>>>>>>>
>>>>>>>>>>> Can you please provide an input on the below concerns to further
>>>>>>>>>>> carry out the implementation from DevS side.
>>>>>>>>>>>
>>>>>>>>>>> 1. When considering the usability aspect, I think it's better if
>>>>>>>>>>> we can create a registry resource for user roles at the time of creating
>>>>>>>>>>> the policy using the Security Editor Form by getting the User Roles values
>>>>>>>>>>> from the user rather than asking user to create a new registry resource for
>>>>>>>>>>> User Roles.
>>>>>>>>>>>
>>>>>>>>>>> @Godwin: can you please state the required registry path to
>>>>>>>>>>> deploy the User Roles configs?
>>>>>>>>>>>
>>>>>>>>>>> 2. If the User Roles config saves as a registry resource, how
>>>>>>>>>>> this can be utilized by the proxy service? Will there be a property in the
>>>>>>>>>>> proxy service so that we can point the User Role config as pointing the
>>>>>>>>>>> policy file.
>>>>>>>>>>>
>>>>>>>>>>> 3. If we are deploying the policy and User Role configs via
>>>>>>>>>>> CAPP, in a case where multiple policy files deploying in the same registry
>>>>>>>>>>> location, in order to match the User Role config with the relevant policy
>>>>>>>>>>> file, how can we identify the matching User Role config and the policy? Can
>>>>>>>>>>> we have the same resource name for the policy and the User Role configs?
>>>>>>>>>>>
>>>>>>>>>>> @Chanaka: can you please confirm points 2 and 3?
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Sohani
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Mar 24, 2015 at 3:42 PM, Chanaka Fernando <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Godwin,
>>>>>>>>>>>>
>>>>>>>>>>>> That would be good.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Chanaka
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Mar 24, 2015 at 3:40 PM, Godwin Amila Shrimal <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Chanaka,
>>>>>>>>>>>>>
>>>>>>>>>>>>> It'll finish within this week.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>> Godwin
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Mar 24, 2015 at 3:35 PM, Chanaka Fernando <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Godwin,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> When will you finish the offsite dev service?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> Chanaka
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Mar 24, 2015 at 3:30 PM, Godwin Amila Shrimal <[email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi Chanaka,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We have basically completed the registry base implementation
>>>>>>>>>>>>>>> in security mgt component and need to do code refactoring and more testing.
>>>>>>>>>>>>>>> I tested basic scenarios with STS-service and it worked ok. Currently I am
>>>>>>>>>>>>>>> in an offsite DevService and planning to do remaining refactoring and
>>>>>>>>>>>>>>> testing after this.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>> Godwin
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Mar 24, 2015 at 2:00 PM, Chanaka Fernando <[email protected]> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I am writing this mail to take the discussions related to
>>>>>>>>>>>>>>>> $subject in to a single place. With the ESB 4.9.0 release, we are removing
>>>>>>>>>>>>>>>> the UI capability of applying security policies from the management
>>>>>>>>>>>>>>>> console. Going forward, users can only apply security policies to ESB proxy
>>>>>>>>>>>>>>>> services using developer studio. Even though this functionality is already
>>>>>>>>>>>>>>>> available in the Developer Studio, it has some edge cases when we use that
>>>>>>>>>>>>>>>> approach. One such limitation is that there is no place to select the
>>>>>>>>>>>>>>>> users/roles in the developer studio when applying the security policy.
>>>>>>>>>>>>>>>> Currently, this information is stored in meta files and with the 4.9.0
>>>>>>>>>>>>>>>> version, service meta files are removed. Plan is to store this information
>>>>>>>>>>>>>>>> in registry and access from there. From the Developer Studio also, it will
>>>>>>>>>>>>>>>> create the registry file when applying security policies.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> This would be a necessary feature for ESB 4.9.0 release
>>>>>>>>>>>>>>>> since this will affect the entire security applying process going forward.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> @Godwin: Please add if I have missed anything and give us
>>>>>>>>>>>>>>>> some update on the status from the security side.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> @Sohani/DevS team: Please give us some update on this
>>>>>>>>>>>>>>>> implementation.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>> Chanaka
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Chanaka Fernando
>>>>>>>>>>>>>>>> Technical Lead
>>>>>>>>>>>>>>>> WSO2, Inc.; http://wso2.com
>>>>>>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> mobile: +94 773337238
>>>>>>>>>>>>>>>> Blog : http://soatutorials.blogspot.com
>>>>>>>>>>>>>>>> LinkedIn: http://www.linkedin.com/pub/chanaka-fernando/19/a20/5b0
>>>>>>>>>>>>>>>> Twitter:https://twitter.com/chanakaudaya
>>>>>>>>>>>>>>>> Wordpress:http://chanakaudaya.wordpress.com
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> *Godwin Amila Shrimal*
>>>>>>>>>>>>>>> Senior Software Engineer
>>>>>>>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> mobile: *+94772264165*
>>>>>>>>>>>>>>> linkedin: *http://lnkd.in/KUum6D <http://lnkd.in/KUum6D>*
>>>>>>>>>>>>>>> twitter: https://twitter.com/godwinamila
> --
>
> *Kasun Gajasinghe*
> Senior Software Engineer, WSO2 Inc.
> email: kasung AT spamfree wso2.com
> linked-in: http://lk.linkedin.com/in/gajasinghe
> blog: http://kasunbg.org

--
*Isuru Udana*
Senior *Software Engineer*
WSO2 Inc.; http://wso2.com
email: [email protected]
cell: +94 77 3791887
blog: http://mytecheye.blogspot.com/
twitter: http://twitter.com/isudana
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
