Using OAuth bearer token in HTTP header to determine user. How would the policy work, just do a check to see if user is in the "fortress-rest-access-user" role?
----- Original Message -----
From: "Shawn McKinney" <[email protected]>
To: [email protected]
Sent: Monday, February 8, 2016 5:27:17 PM
Subject: Re: Access Manager Permissions

> On Feb 8, 2016, at 4:08 PM, Chris Pike <[email protected]> wrote:
>
> We have a REST service that will get called to retrieve the active roles for
> a user. Need to restrict who can make this call.

How is that user credential being passed in currently? As HTTP header or via session attribute inside the payload?

If former, you may restrict using this policy: https://github.com/apache/directory-fortress-enmasse/blob/master/src/main/resources/FortressRestServerPolicy.xml.

I am not opposed to adding the security checks to the accessmgr methods. We could make it a configurable option.

Shawn
