> On Apr 20, 2015, at 9:57 AM, Oleksandr Bodriagov (Polystar) 
> <[email protected]> wrote:
> 
> Hi Shawn,
> 
> Thank you very much for your answer! I think I get it now more or less.
> Please correct me if I am wrong.
> 1) I make a POST request to URL =
> "http://<server>:<port>/fortress-rest-1.0-RC40-SNAPSHOT/rbacCreate" with
> "createSession.xml" that looks like
> <FortRequest>
>    <contextId>HOME</contextId>
>    <entity xsi:type="user"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>    <userId>someuser</userId>
>    <password>userpwd</password>
>    </entity>
>   </FortRequest>
> 
> As a response I get the session object document that describes a session
> for the user defined in "createSession.xml" if and only if this user was
> successfully authenticated.
> 

Correct.  Failure will return something like this:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Date: Mon, 20 Apr 2015 14:53:40 GMT
Content-Type: application/xml
Content-Length: 435

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
   <FortResponse>
      <errorCode>1005</errorCode>
      <errorMessage>getUser userId [jutsuser1] not found, Fortress rc=1005</errorMessage>
      <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
      <isAuthorized xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
      <session xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
   </FortResponse>



> 
> 2) Using the session object document, I make another POST request to URL =
> "http://<server>:<port>/fortress-rest-1.0-RC40-SNAPSHOT/rbacPerms" and get
> back a document describing all permissions for the user.
> 
> After getting all permissions for the user from Fortress, the OAuth 2.0 token
> provider creates a self-contained, digitally signed JSON Web Token that
> describes all of the user's permissions and that is valid for some period of
> time. This token is returned to the client, and the client can use it (until
> it expires) to access different resource servers.
> 
> I think, in this case, we do not really have trouble with throughput
> because the client will ask for a new token only after the current token
> expires. It would be different if we were doing steps (1)+(2) every time a
> client requested some resource from a resource server. By the way, how
> many (1)+(2) requests can Fortress handle at the same time?
> 

Theoretically unlimited, but in practice you will be bound by the HTTP server's 
(Tomcat) ability to process concurrent threads, and of course the server's 
ability to do the XML serialization/deserialization.  I doubt we will come 
close to maxing the LDAP server.  What is the max number of concurrent 
connections to Tomcat?  I'd think that number quite high.

It would be a good idea to benchmark this.  I have the jmeter test cases, just 
need to run them.  I’ll try to get around that in the next week or two.


> 
> Is it possible to have definitions of users&groups on one LDAP server and
> definition of roles/permissions/objects on another LDAP server?

Today, no.  Tomorrow anything is possible.  This isn’t the first time I have 
been asked a question like this so it is worth considering adding as future 
enhancement.  

Shawn
[email protected]
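The two-step flow discussed in this thread (rbacCreate to authenticate, rbacPerms to fetch permissions, then a signed token from the OAuth provider), worked through as an added example. This is not code from the thread or from the Fortress project. The request body and the failure response follow the messages above; the layout of the rbacPerms response (an <entities> list of <entity xsi:type="permission"> elements carrying <objName> and <opName>) and the HS256 JWT layout are assumptions made for the example, and the sample responses are constructed rather than captured. Network I/O is left out so the block runs offline. The point a practitioner should take from Shawn's failure example is that Fortress answers HTTP 200 OK even when authentication fails, so the client has to look at errorCode, never at the HTTP status, before trusting a session or minting a token.

```python
"""Added example (not Fortress project code): Fortress REST client helpers
plus a minimal HS256 token provider and verifier, stdlib only."""
import base64
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("xsi", XSI)
XSI_TYPE = "{%s}type" % XSI


class FortressError(Exception):
    """Raised when a FortResponse carries a non-zero errorCode."""


def build_create_session_request(context_id, user_id, password):
    """Serialise the createSession.xml body quoted in the thread."""
    req = ET.Element("FortRequest")
    ET.SubElement(req, "contextId").text = context_id
    ent = ET.SubElement(req, "entity", {XSI_TYPE: "user"})
    ET.SubElement(ent, "userId").text = user_id
    ET.SubElement(ent, "password").text = password
    return ET.tostring(req, encoding="unicode")


def parse_fort_response(xml_text):
    """Fortress returns HTTP 200 even on failure, so errorCode (not the HTTP
    status) decides success. Raises FortressError on a non-zero code."""
    root = ET.fromstring(xml_text)
    code = int(root.findtext("errorCode", default="0"))
    if code != 0:
        raise FortressError(code, root.findtext("errorMessage", default=""))
    return root


def extract_permissions(perms_response_xml):
    """Return (objName, opName) pairs from a rbacPerms response.
    Assumed layout: <entities><entity xsi:type="permission">...</entity>."""
    root = parse_fort_response(perms_response_xml)
    return [(e.findtext("objName"), e.findtext("opName"))
            for e in root.iter("entity") if e.get(XSI_TYPE) == "permission"]


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id, perms, key, ttl_seconds, now=None):
    """Token-provider side: self-contained HS256 JWT listing the permissions."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds,
               "perms": ["%s:%s" % p for p in perms]}
    dumps = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(dumps(header)) + "." + _b64url(dumps(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, key, now=None):
    """Resource-server side: pin the algorithm, check the MAC in constant
    time, then the expiry. Returns the claims, or None on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h64, p64, s64 = parts
    expected = hmac.new(key, (h64 + "." + p64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        return None
    payload = json.loads(_b64url_decode(p64))
    if payload.get("exp", 0) <= now:
        return None
    return payload


# Constructed sample responses (not captured from a real server).
FAILED_SESSION_XML = """<FortResponse>
  <errorCode>1005</errorCode>
  <errorMessage>getUser userId [jutsuser1] not found, Fortress rc=1005</errorMessage>
  <entity xmlns:xsi="%s" xsi:nil="true"/>
  <isAuthorized xmlns:xsi="%s" xsi:nil="true"/>
  <session xmlns:xsi="%s" xsi:nil="true"/>
</FortResponse>""" % (XSI, XSI, XSI)

SAMPLE_PERMS_XML = """<FortResponse xmlns:xsi="%s">
  <errorCode>0</errorCode>
  <entities>
    <entity xsi:type="permission"><objName>/customer</objName><opName>read</opName></entity>
    <entity xsi:type="permission"><objName>/customer</objName><opName>update</opName></entity>
  </entities>
</FortResponse>""" % XSI

if __name__ == "__main__":
    print(build_create_session_request("HOME", "someuser", "userpwd"))
    try:
        parse_fort_response(FAILED_SESSION_XML)
    except FortressError as err:
        print("login rejected despite HTTP 200:", err.args)
    token = mint_token("someuser", extract_permissions(SAMPLE_PERMS_XML), b"demo-key", 3600)
    print(verify_token(token, b"demo-key"))
```

In a real deployment the two POSTs go to /rbacCreate and /rbacPerms on the Fortress REST host, and the signing key belongs to the token provider alone; the resource servers only need verify_token and the key (or, with an asymmetric algorithm, just the public half).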
