Hi,

REST API requests (for example to "http://<server>:8080/fortress-rest-<version>/rbacAuthZ" and "http://<server>:8080/fortress-rest-<version>/rbacPerms") require a session object/XML. This is on top of the HTTP authentication that should be performed using the credentials of an account assigned the [fortress-rest-user, fortress-rest-super-user] roles. The problem is that a session object actually introduces state into the REST API, because one has to remember this session object in order to make subsequent requests. Even the fortress-rest-super-user has to add this session object despite being an administrator. An administrator should be able to view the permissions of other users, but at the same time an administrator is not supposed to know users' passwords, and without this knowledge he/she cannot create a session object to view permissions.

In my opinion, a fortress-rest administrator (user A) should be able to execute a simple authenticated GET request to get all permissions for a user Bob:

curl -X GET -H "Authorization: Basic blablabla" https://<server>:8443/fortress-rest-<version>/rbacpermissions/user/Bob

A request to check Bob's access to some particular object, executed by the fortress-rest administrator, should be a simple POST:

curl -X POST -H "Authorization: Basic blablabla" --data "user=Bob&object=someobject&operation=someoperation" https://<server>:8080/fortress-rest-<version>/checkaccess

I have found a ticket, https://issues.apache.org/jira/browse/FC-77, that is a little bit related to what I wrote here. Are there any plans to remove this session object?

/Oleksandr
