Hi All,
Yes, we were trying to solve this problem in a generic manner that can be used
across the platform. For that, we have written a component to register
authentication handlers and the interceptors to intercept REST calls. For now
we have written Basic and OAuth token based handlers. But anyone can write
custom handlers and register them as an OSGi service to be used by the
interceptors. As interceptors, we wrote a common Tomcat valve and hope to
write a servlet filter and a CXF filter.
You can also intercept the request in your own place and authenticate the
request using our generic component. It has a manager class to do the
authentication. The handler will be picked by the handler manager based on
its can-handle method.
In addition, we have developed another interceptor point to do the
authorization, and it is like the authentication component. You can
write your own handlers and intercept at any place. We have written
another valve as the interceptor, and the authorization handler checks the
permission as configured in identity.xml as follows.
<ResourceAccessControl>
    <Resource context="/api/identity/*" secured="true" http-method="all">
        <Permissions>/permission/admin/login</Permissions>
    </Resource>
    <Resource context="/api/test" secured="true" http-method="put,post">
        <Permissions>/permission/admin/test</Permissions>
    </Resource>
</ResourceAccessControl>
We are going to release 1.0.0 M1 with the next upcoming milestone in 5.3.0.
Your ideas are welcome to improve this component in a more generic manner.
Please let us know anything related to this.
*Harsha Thirimanna*
Associate Tech Lead | WSO2
Email: [email protected]
Mob: +94715186770
Blog: http://harshathirimanna.blogspot.com/
Twitter: http://twitter.com/harshathirimann
Linked-In: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
<http://wso2.com/signature>
On Tue, Aug 9, 2016 at 4:00 AM, Farasath Ahamed <[email protected]> wrote:
> Hi Rushmin,
>
> On Mon, Aug 8, 2016 at 4:14 PM, Rushmin Fernando <[email protected]> wrote:
>
>> Thanks Ishara !
>>
>> Since our products are adopting OAuth protected ReST APIs, is there an
>> OAuth authenticator being developed or planned to be developed?
>>
>
> Harsha has worked on developing a generic component that can be used by
> OAuth protected REST APIs[1]. Adding Harsha as he can provide more details
> on this.
>
> [1] https://github.com/wso2-extensions/identity-carbon-auth-rest
>
>
>
>> Regards,
>> Rushmin
>>
>>
>>
>> On Mon, Aug 8, 2016 at 4:04 PM, Ishara Karunarathna <[email protected]>
>> wrote:
>>
>>> Hi Dinusha,
>>>
>>> In this case I think the publisher user should be able to create those SPs,
>>> XACML policies etc.
>>> Since the publisher user is within the publisher role you can assign the
>>> necessary permission to that role.
>>> Once the user logs in (SSO) to publisher with his credentials he can get a
>>> cookie for that
>>> and he can use that cookie to authenticate to the admin services.
>>>
>>> @Rushmin,
>>> We don't have an authenticator for OAuth tokens. Better to get an ID token
>>> using OIDC or after validating the OAuth token
>>> and create a carbon authenticator like the SAML carbon authenticator.
>>>
>>> Thanks,
>>> Ishara
>>>
>>>
>>>
>>>
>>> On Mon, Aug 8, 2016 at 3:47 PM, Rushmin Fernando <[email protected]>
>>> wrote:
>>>
>>>> In addition to creating these entries from the UI, we need to create
>>>> the same using our ReST API as well. And the API is OAuth protected.
>>>>
>>>> Is there an authenticator which gives back a cookie for an OAuth token
>>>> as well ?
>>>>
>>>> On Mon, Aug 8, 2016 at 3:29 PM, Ishara Karunarathna <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Lahiru.
>>>>>
>>>>>
>>>>> It's not the admin user. The user trying to do this operation should have
>>>>> enough permission to do this.
>>>>>
>>>>> Use
>>>>>
>>>>>
>>>>>
>>>>> *entitlement/policy/view*
>>>>>
>>>>> Add this permission to the user who is trying to view those policies.
>>>>>
>>>>>
>>>>> BR,
>>>>>
>>>>> Ishara
>>>>>
>>>>>
>>>>> On Mon, Aug 8, 2016 at 3:20 PM, Lahiru Cooray <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> + [DEV]
>>>>>>
>>>>>> On Mon, Aug 8, 2016 at 3:19 PM, Lahiru Cooray <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> *Current behaviour:*
>>>>>>> Currently in AppM, when we are creating XACML policies/Service
>>>>>>> Providers via IS admin services, we are providing the super tenant admin
>>>>>>> credentials (where the credentials are stored in a config) to get
>>>>>>> authenticated. Further, XACML policies/Service providers are only
>>>>>>> created in super tenant and marked as a SAAS app to be used in tenants.
>>>>>>>
>>>>>>> *Problem:*
>>>>>>> As we are moving for AppM - Cloud integration, we are trying to
>>>>>>> deploy these in relevant tenant spaces. So as a solution we have tried
>>>>>>> to use *SAML2SSOAuthenticator*[1] (retrieving a cookie passing the
>>>>>>> SAML response and use the same in subsequent service calls) but figured
>>>>>>> that this is not applicable for non admin users.
>>>>>>> (*eg:* In AppM user story, non admin users should be allowed to
>>>>>>> create apps with XAML policies)
>>>>>>>
>>>>>>> Any suggestions for this would be highly appreciated!
>>>>>>>
>>>>>>>
>>>>>>> [1] https://github.com/wso2/carbon-identity/blob/8cd996c1dc6d9e7c0df491322af6e9ddf1cf3709/components/carbon-authenticators/saml2-sso-authenticator/org.wso2.carbon.identity.authenticator.saml2.sso/src/main/java/org/wso2/carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java
>>>>>>>
>>>>>>> --
>>>>>>> *Lahiru Cooray*
>>>>>>> Software Engineer
>>>>>>> WSO2, Inc.;http://wso2.com/
>>>>>>> lean.enterprise.middleware
>>>>>>>
>>>>>>> Mobile: +94 715 654154
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> *Lahiru Cooray*
>>>>>> Software Engineer
>>>>>> WSO2, Inc.;http://wso2.com/
>>>>>> lean.enterprise.middleware
>>>>>>
>>>>>> Mobile: +94 715 654154
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Ishara Karunarathna
>>>>> Associate Technical Lead
>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>
>>>>> email: [email protected], blog: isharaaruna.blogspot.com, mobile:
>>>>> +94717996791
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> *Best Regards*
>>>>
>>>> *Rushmin Fernando*
>>>> *Technical Lead*
>>>>
>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>>
>>>> mobile : +94772891266
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Ishara Karunarathna
>>> Associate Technical Lead
>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>
>>> email: [email protected], blog: isharaaruna.blogspot.com, mobile:
>>> +94717996791
>>>
>>>
>>>
>>
>>
>> --
>> *Best Regards*
>>
>> *Rushmin Fernando*
>> *Technical Lead*
>>
>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>
>> mobile : +94772891266
>>
>>
>>
>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
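
Added example (not part of the thread and not code from the WSO2 component): a Python model of how an authorization interceptor could evaluate the ResourceAccessControl entries quoted in Harsha's message, to show which requests each entry covers. The glob-style matching of context, first-match-wins ordering, tree-shaped permissions and the deny default for uncovered requests are assumptions of this example; the function names are hypothetical.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Configuration as quoted in the message above.
CONFIG = """<ResourceAccessControl>
  <Resource context="/api/identity/*" secured="true" http-method="all">
    <Permissions>/permission/admin/login</Permissions>
  </Resource>
  <Resource context="/api/test" secured="true" http-method="put,post">
    <Permissions>/permission/admin/test</Permissions>
  </Resource>
</ResourceAccessControl>"""

UNCOVERED = object()  # sentinel: no <Resource> entry applies to the request

def load_rules(xml_text):
    """Parse each <Resource> into (context, methods, secured, permission)."""
    rules = []
    for res in ET.fromstring(xml_text).iter("Resource"):
        methods = {m.strip().upper() for m in res.get("http-method", "all").split(",")}
        secured = res.get("secured", "true").strip().lower() == "true"
        permission = (res.findtext("Permissions") or "").strip()
        rules.append((res.get("context"), methods, secured, permission))
    return rules

def required_permission(rules, method, path):
    """Permission needed for the request, None if the matching entry is
    unsecured, UNCOVERED if no entry matches both context and method."""
    for context, methods, secured, permission in rules:
        # Assumption: '*' in context is a glob wildcard; first match wins.
        if not fnmatch.fnmatchcase(path, context):
            continue
        if "ALL" not in methods and method.upper() not in methods:
            continue
        return permission if secured else None
    return UNCOVERED

def is_authorized(rules, granted, method, path):
    """Assumption: permissions form a tree, so a granted parent path
    (/permission/admin) also covers its children. Uncovered requests are
    denied; that default is this example's choice."""
    needed = required_permission(rules, method, path)
    if needed is UNCOVERED:
        return False
    if needed is None:
        return True
    return any(needed == g or needed.startswith(g.rstrip("/") + "/") for g in granted)
```

With these entries a GET to /api/test matches no rule, because the second entry lists only put,post; what the interceptor does with such uncovered requests is worth checking when writing the configuration.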