Thank you very much, Shawn, for your fast feedback :) /Oleksandr
On 20/4/2015 17:07, "Shawn McKinney" <[email protected]> wrote:
>
>> On Apr 20, 2015, at 9:57 AM, Oleksandr Bodriagov (Polystar)
>> <[email protected]> wrote:
>>
>> Hi Shawn,
>>
>> Thank you very much for your answer! I think I get it now, more or less.
>> Please correct me if I am wrong.
>>
>> 1) I make a POST request to URL =
>> "http://<server>:<port>/fortress-rest-1.0-RC40-SNAPSHOT/rbacCreate" with
>> "createSession.xml" that looks like
>>
>> <FortRequest>
>>   <contextId>HOME</contextId>
>>   <entity xsi:type="user"
>>           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>     <userId>someuser</userId>
>>     <password>userpwd</password>
>>   </entity>
>> </FortRequest>
>>
>> As a response I get the session object document that describes a session
>> for the user defined in "createSession.xml" if and only if this user was
>> successfully authenticated.
>>
>
> Correct. Failure will return something like this:
>
> HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Date: Mon, 20 Apr 2015 14:53:40 GMT
> Content-Type: application/xml
> Content-Length: 435
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <FortResponse>
>   <errorCode>1005</errorCode>
>   <errorMessage>getUser userId [jutsuser1] not found, Fortress rc=1005</errorMessage>
>   <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
>   <isAuthorized xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
>   <session xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
> </FortResponse>
>
>
>> On Apr 20, 2015, at 9:57 AM, Oleksandr Bodriagov (Polystar)
>> <[email protected]> wrote:
>>
>> 2) Using the session object document, I make another POST request to URL =
>> "http://<server>:<port>/fortress-rest-1.0-RC40-SNAPSHOT/rbacPerms" and get
>> back a document describing all permissions for the user.
>>
>> After getting all permissions for the user from Fortress, the OAuth 2.0 token
>> provider creates a self-contained, digitally signed JSON Web Token that
>> describes all the user's permissions and that is valid for some period of
>> time. This token is returned to the client, and the client can use it (until
>> it expires) to access different resource servers.
>>
>> I think, in this case, we do not really have trouble with throughput,
>> because the client will ask for a new token only after the current token
>> expires. It would be different if we were doing steps (1)+(2) every time a
>> client requested some resource from a resource server. By the way, how
>> many (1)+(2) requests can Fortress handle at the same time?
>>
>
> Theoretically unlimited, but in practice you will be bound by the HTTP
> server's (Tomcat) ability to process concurrent threads, and of course
> the server's ability to do the XML serialization/deserialization. I
> doubt we will come close to maxing out the LDAP server. What is the max
> number of concurrent connections to Tomcat? I'd think that number quite
> high.
>
> It would be a good idea to benchmark this. I have the JMeter test cases,
> just need to run them. I'll try to get around to that in the next week or
> two.
>
>
>> On Apr 20, 2015, at 9:57 AM, Oleksandr Bodriagov (Polystar)
>> <[email protected]> wrote:
>>
>> Is it possible to have definitions of users & groups on one LDAP server and
>> definitions of roles/permissions/objects on another LDAP server?
>
> Today, no. Tomorrow anything is possible. This isn't the first time I
> have been asked a question like this, so it is worth considering adding as a
> future enhancement.
>
> Shawn
> [email protected]
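The two-step flow discussed above (authenticate via rbacCreate, then fetch the session's permissions via rbacPerms), as an added client-side example; this is not code from Fortress or from anyone in the thread. The request envelope follows the createSession.xml quoted above; the shape of the rbacPerms request body (the returned <session> placed in FortRequest/session), the meaning of errorCode 0 as success, the FortResponse/entities/entity layout of the permission list, and the host/port in BASE_URL are assumptions, and the success-path replies are constructed. The point a practitioner should take from it is visible in Shawn's failure reply: Fortress answers HTTP 200 OK with errorCode 1005 when the user is not found, so a client that keys on the HTTP status alone would treat a failed authentication as a success.

```python
"""Fortress REST two-step flow: POST FortRequest to /rbacCreate, then POST the
returned session to /rbacPerms.  Added example; assumptions marked inline."""
import copy
import urllib.request
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("xsi", XSI)
BASE_URL = "http://localhost:8080/fortress-rest-1.0-RC40-SNAPSHOT"  # assumed host/port


class FortressError(Exception):
    """Non-zero errorCode in a FortResponse (assumption: 0 means success)."""
    def __init__(self, code, message):
        super().__init__(f"Fortress rc={code}: {message}")
        self.code = code


def build_create_session_request(context_id, user_id, password):
    """FortRequest for /rbacCreate, shaped like the thread's createSession.xml.
    Built with ElementTree, not string formatting, so a userId or password
    containing <, & or quotes is escaped instead of breaking out of its element."""
    req = ET.Element("FortRequest")
    ET.SubElement(req, "contextId").text = context_id
    entity = ET.SubElement(req, "entity", {f"{{{XSI}}}type": "user"})
    ET.SubElement(entity, "userId").text = user_id
    ET.SubElement(entity, "password").text = password
    return ET.tostring(req, encoding="unicode")


def build_perms_request(context_id, session):
    """FortRequest for /rbacPerms.  Assumption: the <session> element returned by
    rbacCreate is sent back verbatim as FortRequest/session."""
    req = ET.Element("FortRequest")
    ET.SubElement(req, "contextId").text = context_id
    req.append(copy.deepcopy(session))
    return ET.tostring(req, encoding="unicode")


def parse_fort_response(body):
    """Parse a FortResponse and fail closed on errorCode.  Fortress returns
    HTTP 200 OK even when authentication fails (the rc=1005 reply in the
    thread), so the HTTP status is not a usable success signal."""
    if isinstance(body, str):
        body = body.encode("utf-8")
    root = ET.fromstring(body)
    if root.tag != "FortResponse":
        raise ValueError(f"unexpected root element {root.tag!r}")
    code = int(root.findtext("errorCode", default="-1"))
    if code != 0:
        raise FortressError(code, root.findtext("errorMessage", default=""))
    return root


def extract_session(root):
    """The <session> element, rejecting the xsi:nil placeholder sent on failure."""
    session = root.find("session")
    if session is None or session.get(f"{{{XSI}}}nil") == "true":
        raise FortressError(-1, "response carries no session")
    return session


def extract_permissions(root):
    """(objName, opName) pairs.  Assumption: rbacPerms lists permissions as
    FortResponse/entities/entity elements with objName and opName children."""
    return [(e.findtext("objName", ""), e.findtext("opName", ""))
            for e in root.findall("./entities/entity")]


def http_post_xml(url, body):
    """Real transport.  The thread's URLs are plain http://, which puts userId and
    password on the wire in cleartext; use https:// (TLS in front of Tomcat)."""
    req = urllib.request.Request(url, data=body.encode("utf-8"), method="POST",
                                 headers={"Content-Type": "application/xml"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def fetch_user_permissions(post, context_id, user_id, password):
    """Steps (1) and (2) from the thread; `post(url, body) -> bytes` is injectable
    so the flow can run against canned replies (pass http_post_xml for real)."""
    create = parse_fort_response(post(
        f"{BASE_URL}/rbacCreate", build_create_session_request(context_id, user_id, password)))
    session = extract_session(create)
    perms = parse_fort_response(post(
        f"{BASE_URL}/rbacPerms", build_perms_request(context_id, session)))
    return extract_permissions(perms)


# Failure reply copied from the thread (its HTTP status line was 200 OK).
SAMPLE_FAILURE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FortResponse>
  <errorCode>1005</errorCode>
  <errorMessage>getUser userId [jutsuser1] not found, Fortress rc=1005</errorMessage>
  <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
  <isAuthorized xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
  <session xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
</FortResponse>"""

# Constructed success-path replies; contents are illustrative, not real Fortress data.
SAMPLE_SESSION_OK = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FortResponse><errorCode>0</errorCode>
  <session><sessionId>constructed-session-id</sessionId><user><userId>someuser</userId></user></session>
</FortResponse>"""
SAMPLE_PERMS_OK = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FortResponse><errorCode>0</errorCode><entities>
  <entity><objName>/customers</objName><opName>read</opName></entity>
  <entity><objName>/customers</objName><opName>update</opName></entity>
</entities></FortResponse>"""


def canned_post(url, body):
    """Offline transport that answers with the constructed replies above."""
    return (SAMPLE_SESSION_OK if url.endswith("/rbacCreate") else SAMPLE_PERMS_OK).encode()
```

Running `fetch_user_permissions(canned_post, "HOME", "someuser", "userpwd")` exercises both POSTs offline and returns the two constructed permissions; feeding `SAMPLE_FAILURE` to `parse_fort_response` raises `FortressError` with code 1005 despite the 200 status the server sent. The permission list is what the OAuth 2.0 provider in the thread would then sign into its JWT; that signing step is outside Fortress and not shown here.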
