On Tue, Nov 16, 2010 at 7:24 AM, Suhothayan Sriskandarajah <[email protected]> wrote:
> On 16 November 2010 20:07, Adriano Crestani <[email protected]> wrote:
>
>> Hi Suhothayan,
>>
>> Yes, my initial idea is to have privacy visibility defined per tag. Do you
>> have any other suggestion?
>>
>> great
>
> Since there are no JSON RPC calls and we are only dealing with REST, there
> won't be many implications in implementing security in the REST branch. But
> in order to provide security, each API call needs to be tested against the
> corresponding session cookie, in order to check who calls the request, what
> album he is accessing, and whether he has permission to do so, etc...
>
> For this to be successful, I suggest we should come up with a Security API
> which will be published as services, and they will indeed call the low-level
> API that we are implementing.
>
> Thoughts?
>
> Regards
> Suho
>
For the REST branch, I'd like to think out of the box and consider "applying" security as a quality of service and something that can be attached to any API. We have the concept of "SCA Policies" which could be used, and it would inject an interceptor on each API call that would have access to the "request" and its "headers" and could validate the user's authorization to a given resource. Having said that, we do need the whole Access Control admin APIs (REST services) which you created for us in the current trunk code.

--
Luciano Resende
http://people.apache.org/~lresende
http://twitter.com/lresende1975
http://lresende.blogspot.com/
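As an added illustration of the interceptor approach discussed in this thread (not code from the Tuscany project, and not its SCA policy API), the sketch below wraps a REST handler so that every call is first resolved to a user via the session cookie and then checked against the album's owner, visibility and sharing list before the handler runs. The session store, album table and status codes are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data: session cookie value -> user, and album metadata.
SESSIONS = {"sid-alice": "alice", "sid-bob": "bob"}
ALBUMS = {
    "vacation": {"owner": "alice", "visibility": "private", "shared_with": {"bob"}},
    "public-shots": {"owner": "alice", "visibility": "public", "shared_with": set()},
}

@dataclass
class Request:
    method: str
    path: str                      # e.g. "/albums/vacation"
    headers: dict = field(default_factory=dict)

def session_user(request):
    """Resolve the caller from the 'session' cookie; None if absent or unknown."""
    for part in request.headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None

def authorize(user, method, album):
    """Policy: the owner may do anything; reads are allowed if public or shared."""
    if album is None:
        return 404
    if user == album["owner"]:
        return 200
    if method == "GET" and (album["visibility"] == "public" or user in album["shared_with"]):
        return 200
    return 401 if user is None else 403      # unauthenticated vs. not permitted

def access_control_interceptor(next_invoker):
    """Attach the check to a handler: the handler only runs if the check passes."""
    def invoke(request):
        parts = request.path.strip("/").split("/")
        album = ALBUMS.get(parts[1]) if len(parts) >= 2 and parts[0] == "albums" else None
        status = authorize(session_user(request), request.method, album)
        if status != 200:
            return status, None              # short-circuit; handler never sees the call
        return next_invoker(request)
    return invoke

def get_album(request):
    """Low-level API: assumes the interceptor has already authorized the call."""
    return 200, ALBUMS[request.path.split("/")[2]]

secured_get_album = access_control_interceptor(get_album)
```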
