> On Feb 9, 2016, at 3:36 PM, Chris Pike <[email protected]> wrote:
>
> Using OAuth bearer token in HTTP header to determine user. How would the
> policy work, just do a check to see if user is in the
> "fortress-rest-access-user" role?
Well that is coarse-grained but would work. Better is to establish a session using userId from the token and set into manager as discussed previously. This requires the before-mentioned change to accessMgr (to do perm check), but the more I think about this use case, the better this approach sounds.

Shawn
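To make the difference between the two options concrete, here is an added Python example (not code from the thread and not the Apache Fortress API) that models both checks: the coarse-grained "is the user in fortress-rest-access-user" test, and the finer flow Shawn prefers, where the userId from a verified bearer token is used to build a trusted session that is then asked for a permission check. The token format (HMAC-signed base64 payload), the signing key, the user-to-role and role-to-permission tables, and the function names are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed demo key; a real deployment would verify tokens with the issuer's key.
SIGNING_KEY = b"demo-key-not-for-production"

# Constructed policy data standing in for the directory contents.
# Role -> set of (object, operation) permissions assigned to that role.
ROLE_PERMS: Dict[str, FrozenSet[tuple]] = {
    "fortress-rest-access-user": frozenset({("rbac", "checkAccess"), ("rbac", "sessionRoles")}),
    "fortress-rest-admin-user": frozenset({("admin", "addUser"), ("admin", "deleteUser")}),
}
# User -> roles the user has been assigned.
USER_ROLES: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"fortress-rest-access-user"}),
    "bob": frozenset({"fortress-rest-access-user", "fortress-rest-admin-user"}),
}


def issue_token(user_id: str) -> str:
    """Mint a constructed bearer token: base64url(JSON payload) '.' hex HMAC-SHA256."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": user_id}).encode()).decode()
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def user_from_header(headers: Dict[str, str]) -> Optional[str]:
    """Pull the userId out of 'Authorization: Bearer <token>'; None if absent or forged."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or "." not in token:
        return None
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # signature mismatch: do not trust the subject claim
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


@dataclass(frozen=True)
class Session:
    user_id: str
    roles: FrozenSet[str]


def create_session(user_id: str) -> Session:
    """Trusted session: the bearer token already authenticated the caller, so no password check."""
    if user_id not in USER_ROLES:
        raise KeyError(f"unknown user {user_id!r}")
    return Session(user_id, USER_ROLES[user_id])


def check_access(session: Session, obj: str, op: str) -> bool:
    """Fine-grained check: does any role in the session carry the (object, operation) permission?"""
    return any((obj, op) in ROLE_PERMS.get(role, frozenset()) for role in session.roles)


def coarse_check(headers: Dict[str, str]) -> bool:
    """Option 1 from the thread: only test membership in the access-user role."""
    user = user_from_header(headers)
    return user is not None and "fortress-rest-access-user" in USER_ROLES.get(user, frozenset())


def fine_check(headers: Dict[str, str], obj: str, op: str) -> bool:
    """Option 2 from the thread: token -> userId -> trusted session -> permission check."""
    user = user_from_header(headers)
    if user is None or user not in USER_ROLES:
        return False
    return check_access(create_session(user), obj, op)


if __name__ == "__main__":
    alice = {"Authorization": "Bearer " + issue_token("alice")}
    # The coarse check lets alice in for anything; the fine check still denies admin operations.
    print("coarse:", coarse_check(alice))
    print("fine rbac/checkAccess:", fine_check(alice, "rbac", "checkAccess"))
    print("fine admin/deleteUser:", fine_check(alice, "admin", "deleteUser"))
```

The point the example makes is the one in the reply: role membership alone answers "may this caller use the REST service at all", while a session plus a permission check answers "may this caller perform this operation on this object", which is what the policy ultimately has to decide.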
