On Fri, Jul 15, 2016 at 3:56 PM, Rajkumar Rajaratnam <rajkum...@wso2.com> wrote:
> Hi,
>
> I have a jaggery app with some pages and secured them via SAML SSO with
> WSO2 IS. So the authentication is implemented, now I have to implement the
> authorization. I need to control access to these jaggery pages by
> roles/permissions of the logged-in user. Here is the approach I have
> followed and I need to validate whether it is okay or there are better
> ways.
>
> 1. Created custom permissions under my application service provider
> (one permission per one feature in my jaggery app)
> 2. When a user accesses a feature in the jaggery app, I am calling the
> "*isUserAuthorized*" method of the "*RemoteAuthorizationManagerService*"
> admin service to check whether the logged-in user is authorized to access
> the page. I think "isUserAuthorized" method checks whether the given user
> has any roles with the given permission. So, if it returns true, then I
> allow the user to access the page.
> 3. I am calling the admin service with basic authentication. Are there
> any issues with this approach? Do I need to obtain a session cookie and
> call the admin service using the session cookie instead of username/password?
> What is the recommended approach?
>
> Any issues with this approach?
>

Since the "isUserAuthorized" method of "RemoteAuthorizationManagerService" requires the "/permission/admin/configure/security" permission, a user without this permission will not be able to access this service using his session cookie. So your current approach is correct.

> Thanks,
> Raj.
>
> --
> Rajkumar Rajaratnam
> Committer & PMC Member, Apache Stratos
> Senior Software Engineer, WSO2
>
> Mobile : +94777568639
>

Thanks,

--
*Thanuja Lakmal*
Senior Software Engineer
WSO2 Inc. http://wso2.com/
*lean.enterprise.middleware*
Mobile: +94715979891 +94758009992
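As an added illustration (not code from the thread or from WSO2), here is a Node-style JavaScript sketch of the page guard Raj describes: the app calls isUserAuthorized with its own service credentials over HTTP basic auth rather than the end user's, and denies on anything but an explicit true. The SOAP namespace, element names, SOAPAction header and the "ui.execute" action are my assumptions about the Carbon admin service and should be checked against the service's WSDL; the page-to-permission mapping, credentials and transport are constructed.

```javascript
// Assumed namespace of RemoteAuthorizationManagerService; confirm via ?wsdl.
const SERVICE_NS = 'http://service.ws.um.carbon.wso2.org';

// Constructed mapping: one custom permission per Jaggery page (step 1 of the thread).
const PAGE_PERMISSIONS = {
  '/reports.jag': '/permission/applications/myapp/reports',
  '/admin.jag':   '/permission/applications/myapp/admin',
};

// Basic auth header for the app's own service account (step 3 of the thread).
function basicAuthHeader(user, password) {
  return 'Basic ' + Buffer.from(user + ':' + password, 'utf8').toString('base64');
}

// Escape user-controlled values before placing them in the XML body.
function escapeXml(s) {
  const map = { '<': '&lt;', '>': '&gt;', '&': '&amp;', "'": '&apos;', '"': '&quot;' };
  return String(s).replace(/[<>&'"]/g, c => map[c]);
}

// SOAP 1.1 envelope for isUserAuthorized(userName, resourceId, action).
// "ui.execute" is the action Carbon uses for UI permissions (assumption).
function buildIsUserAuthorizedRequest(userName, resourceId) {
  return '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" ' +
    `xmlns:ser="${SERVICE_NS}"><soapenv:Body><ser:isUserAuthorized>` +
    `<ser:userName>${escapeXml(userName)}</ser:userName>` +
    `<ser:resourceId>${escapeXml(resourceId)}</ser:resourceId>` +
    '<ser:action>ui.execute</ser:action>' +
    '</ser:isUserAuthorized></soapenv:Body></soapenv:Envelope>';
}

// Fail closed: a SOAP fault, empty body or anything but <return>true</return> denies.
function parseIsUserAuthorizedResponse(xml) {
  const m = /<(?:\w+:)?return>\s*(true|false)\s*<\/(?:\w+:)?return>/i.exec(String(xml));
  return m !== null && m[1].toLowerCase() === 'true';
}

// sendSoap(headers, body) returns the response XML; injected so the guard runs offline.
function canAccessPage(page, loggedInUser, serviceCreds, sendSoap) {
  const permission = PAGE_PERMISSIONS[page];
  if (!permission) return false; // unmapped page: deny by default
  const headers = {
    'Authorization': basicAuthHeader(serviceCreds.user, serviceCreds.password),
    'Content-Type': 'text/xml; charset=utf-8',
    'SOAPAction': 'urn:isUserAuthorized', // Axis2 convention (assumption)
  };
  const response = sendSoap(headers, buildIsUserAuthorizedRequest(loggedInUser, permission));
  return parseIsUserAuthorizedResponse(response);
}
```

Wire `sendSoap` to the app's HTTP client and keep the service account's credentials in server-side configuration, not in the page.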
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev