Here is trace of sessionPermissions request/response: https://paste.apache.org/m3EA
Shawn
[email protected]

> On Apr 20, 2015, at 9:03 AM, Shawn McKinney <[email protected]> wrote:
>
>
>> On Apr 20, 2015, at 8:01 AM, Oleksandr Bodriagov (Polystar)
>> <[email protected]> wrote:
>>
>> I have a question concerning Fortress' REST API. The only example I have
>> found is "EmTest.java" in directory-fortress-enmasse.
>> Our use case is as follows. We have a few RESTful web services to which we
>> would like to control access using Fortress + LDAP with users/groups and
>> our own OAuth2.0 token provider/access control server. Our permissions in
>> this case would be something like:
>> - read data from https://server1.com/whateever
>> - modify report at https://server2.com/profile/whatever
>> - read report at https://server2.com/profile/whatever
>>
>> So, we have operations {read, modify, delete, …} and objects
>> {https://server1.com/whateever, https://server2.com/profile/whatever, …}.
>> Our token provider receives a request for the OAuth token that represents
>> permissions of the requesting user. To answer this question, the token
>> provider, using a fortress-rest-user account, should authenticate the
>> requesting user (using this user's username/password) against Fortress and
>> then get user permissions from Fortress using REST API.
>> How can it be done? I have found HttpIds.PERM_READ, HttpIds.USER_READ? Am
>> I on the right track?
>> AccessMgrRestImpl seems to be doing what we need, but what do the
>> corresponding HTTP requests look like?
>> I would be really grateful for any help.
>
> Hello Oleksandr,
>
> To get all permissions for a particular user call sessionPermissions. This
> returns a collection of all permissions for the user's activated role set.
>
> To check a single permission for a particular user call checkAccess. This
> simply returns true or false.
>
> Both require sending the session object document that was returned on
> createSession.
>
> I can anticipate the need to enhance this interaction by allowing the rest
> server to hold onto the user's rbac session for a configurable amount of
> time. This would make things easier on the client at the expense of
> requiring the server to be stateful. Will speed things up on throughput
> while making the server-side heavier with memory. WDYT?
>
> Shawn
> [email protected]
