Hello,

a first version of the role-based-mediator is working, but there are some questions left:

   * How can I determine the desired service which should be called? I
     can look at the WSAAction/SOAP-Action property to determine the
     operation which the service client wants to invoke. But what
     about the service name? I don't find any hint for it. Should I use
     the last part of the endpoint URL for that?
     (localhost:8080/services/*AxisService*) I think not all
     SOAP frameworks will work like that...
   * Does it really make sense to determine at the ESB which
     service will be invoked next?

Any ideas?
Thanks,
Jens

Ruwan Linton wrote:
Hi Jens,

Find my comments inline,

Jens Goldhammer wrote:
Hello Ruwan,

How can I integrate that URL into my pom file? Or is this configured Maven-wide?
You have to specify the usermanager as a dependency in the pom file as follows:

   <dependencies>
       <dependency>
           <groupId>org.wso2.commons.usermanager</groupId>
           <artifactId>usermanager-core</artifactId>
           <version>SNAPSHOT</version>
       </dependency>
   </dependencies>

Further, you need to add the wso2-m2 repository to the list of repositories in the pom.xml as follows:

   <repositories>
       <repository>
           <id>wso2-m2</id>
           <name>WSO2 Maven 2 Repository</name>
           <url>http://dist.wso2.org/maven2/</url>
           <releases>
               <updatePolicy>never</updatePolicy>
           </releases>
           <snapshots>
               <updatePolicy>daily</updatePolicy>
           </snapshots>
       </repository>
   </repositories>

Yes, you are right - I want to build a role-based authentication with a caching mechanism!

My ideas are:
- change the usermanager to provide permissions for a role/user on service and/or operation level. Maybe I can use the resource and action columns of the permissions table.
- determine in the mediation which service is used by looking at the provided published WSDL or by looking at the SOAP message. What do you think is better?
I think it is better to look at the SOAP message, because publishing a WSDL does not guarantee that a particular message is going to that service. Basically, even though you publish a WSDL from the ESB point, you can post any valid SOAP message to that proxy service.
I think I have to look at which service the user wants to call, or is this a wrong approach?
Yeah, you are right (or maybe the operation, if on the operation level).

- extract the user credentials from the WS-Security header and check if he is authorized (by looking first at the user permissions; if they are not provided, at the role permissions).
- if no security header is used, I can inspect the HTTP header with basic authentication. Do I have access to it from the messageContext?
Yes, you do have access to the transport headers from the Synapse message context:

// Unwrap the Axis2 message context to reach the transport (HTTP) headers
Axis2MessageContext axis2smc = (Axis2MessageContext) synCtx;
org.apache.axis2.context.MessageContext axis2MessageCtx = axis2smc.getAxis2MessageContext();
Object headers = axis2MessageCtx.getProperty(org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS);

- maybe the used mechanism can be configured by a property...
That sounds good, so that it is configurable.
- if no user information is provided, the role-based authentication cannot be used - fault back to the client...
- give back a fault if the permission for the user has not been found

Any other ideas from your side?
I think this idea is fine; maybe Dimuthu can add some comments on the UM side.

Thanks,
Ruwan

_______________________________________________
Esb-java-user mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/esb-java-user
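
An added example, not code from this thread or from WSO2, of the check discussed above: read HTTP Basic credentials from a transport-headers map, then look up user permissions before falling back to role permissions, denying anything not granted. The class, the permission maps and the `service#operation` resource key are hypothetical, the headers are assumed to arrive as a map of strings, and verifying the password against the user store is assumed to happen separately.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;

public class RoleCheckExample {
    // Constructed sample data standing in for the permissions table (hypothetical names).
    static final Map<String, Set<String>> USER_PERMS = Map.of("alice", Set.of("AxisService#getQuote"));
    static final Map<String, Set<String>> ROLE_PERMS = Map.of("trader", Set.of("AxisService#placeOrder"));
    static final Map<String, Set<String>> USER_ROLES = Map.of("bob", Set.of("trader"));

    /** Returns {user, password} from an HTTP Basic header, or null if absent or malformed. */
    static String[] basicCredentials(Map<String, String> transportHeaders) {
        for (Map.Entry<String, String> h : transportHeaders.entrySet()) {
            if (!"Authorization".equalsIgnoreCase(h.getKey())) continue; // header names are case-insensitive
            String v = h.getValue().trim();
            if (!v.regionMatches(true, 0, "Basic ", 0, 6)) return null; // not the Basic scheme
            try {
                String decoded = new String(Base64.getDecoder().decode(v.substring(6).trim()), StandardCharsets.UTF_8);
                int colon = decoded.indexOf(':'); // split on the first colon only; passwords may contain ':'
                return colon < 1 ? null : new String[] {decoded.substring(0, colon), decoded.substring(colon + 1)};
            } catch (IllegalArgumentException badBase64) {
                return null; // malformed token is treated like missing credentials
            }
        }
        return null;
    }

    /** User permissions first, then role permissions; anything not granted is denied. */
    static boolean isAuthorized(String user, String service, String operation) {
        String resource = service + "#" + operation;
        if (USER_PERMS.getOrDefault(user, Set.of()).contains(resource)) return true;
        for (String role : USER_ROLES.getOrDefault(user, Set.of()))
            if (ROLE_PERMS.getOrDefault(role, Set.of()).contains(resource)) return true;
        return false;
    }

    public static void main(String[] args) {
        String token = Base64.getEncoder().encodeToString("bob:s3:cret".getBytes(StandardCharsets.UTF_8));
        Map<String, String> headers = Map.of("authorization", "Basic " + token); // constructed request header
        String[] cred = basicCredentials(headers);
        // Password verification against the user store is assumed to happen here (not shown).
        if (cred == null) { System.out.println("fault: no credentials"); return; }
        System.out.println(cred[0] + " placeOrder: " + isAuthorized(cred[0], "AxisService", "placeOrder"));
        System.out.println(cred[0] + " getQuote: " + isAuthorized(cred[0], "AxisService", "getQuote"));
    }
}
```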
