On 16 November 2010 22:55, Luciano Resende <[email protected]> wrote:
> On Tue, Nov 16, 2010 at 7:24 AM, Suhothayan Sriskandarajah
> <[email protected]> wrote:
> > On 16 November 2010 20:07, Adriano Crestani <[email protected]>
> > wrote:
> >
> >> Hi Suhothayan,
> >>
> >> Yes, my initial idea is to have privacy visibility defined per tag. Do you
> >> have any other suggestion?
> >>
> >> great
> >
> > Since there are no JSON-RPC calls and we are only dealing with REST, there
> > won't be many implications in implementing security in the REST branch. But
> > in order to provide security, each API call needs to be tested against the
> > corresponding session cookie, in order to check who is calling the request,
> > what album he is accessing, and whether he has permission to do so, etc.
> >
> > For this to be successful, I suggest we should come up with a Security API
> > which will be published as services, and they will in turn call the low-level
> > API that we are implementing.
> >
> > Thoughts?
> >
> > Regards
> > Suho
> >
>
> For the REST branch, I'd like to think out of the box and consider
> "applying" security as a quality of service and something that can be
> attached to any API. We have the concept of "SCA Policies" which
> could be used, and it would inject an interceptor on each API call that
> would have access to the "request" and its "headers" and could
> validate the user's authorization to a given resource. Having said that,
> we do need the whole Access Control admin APIs (REST services) which
> you created for us in the current trunk code.
>

Great, I'll look into "SCA Policies".

suho

> --
> Luciano Resende
> http://people.apache.org/~lresende
> http://twitter.com/lresende1975
> http://lresende.blogspot.com/
>
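The pattern the thread converges on, an authorization interceptor that is attached to every API call and checks the session cookie, the album being accessed and the caller's permission before the low-level handler runs, as an added example that is not part of the original thread and not Photark's or Tuscany's own code. It stands in for the SCA policy interceptor with a plain Python decorator; the cookie name PHOTARK_SESSION, the session table, the ACL entries, the album names and the handler functions are all constructed for the example.

```python
"""Added example (not Photark's own code): an authorization interceptor
attached to REST API handlers as a cross-cutting concern.

Every call is checked against the session cookie: who is calling, which
album they touch, and whether they hold the needed permission. The
session store, ACL table, cookie name and albums are constructed data."""

from dataclasses import dataclass, field
from functools import wraps
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed sample data: session id -> user. A real deployment keeps this
# server-side and issues random, expiring session identifiers.
SESSIONS: Dict[str, str] = {
    "s3ss10n-alice": "alice",
    "s3ss10n-bob": "bob",
}

# Constructed ACL: (user, album) -> granted permissions. Absent entry = deny.
ACL: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "holiday"): {"read", "write"},
    ("bob", "holiday"): {"read"},
}


def session_user(req: Request) -> Optional[str]:
    """Resolve the caller from the session cookie; None if absent or unknown."""
    raw = req.headers.get("Cookie")
    if not raw:
        return None
    jar = SimpleCookie()
    jar.load(raw)                       # handles several cookies in one header
    morsel = jar.get("PHOTARK_SESSION")  # hypothetical cookie name
    return SESSIONS.get(morsel.value) if morsel else None


def album_from_path(path: str) -> Optional[str]:
    """Resource being accessed: /albums/<album>/... -> <album>, else None."""
    parts = [p for p in path.split("/") if p]
    if len(parts) >= 2 and parts[0] == "albums":
        return parts[1]
    return None


def requires(permission: str) -> Callable:
    """Interceptor: wrap any low-level handler with the authorization check.

    The handler stays free of security logic; the policy decides per call
    whether the invocation may proceed (401 no session, 403 no permission)."""
    def decorator(handler: Callable[[Request, str], Tuple[int, str]]):
        @wraps(handler)
        def intercepted(req: Request) -> Tuple[int, str]:
            user = session_user(req)
            if user is None:
                return 401, "no valid session"
            album = album_from_path(req.path)
            if album is None:
                return 404, "no such resource"
            if permission not in ACL.get((user, album), set()):
                return 403, f"{user} may not {permission} {album}"
            return handler(req, album)
        return intercepted
    return decorator


# Constructed low-level handlers; they never see an unauthorized call.
@requires("read")
def list_pictures(req: Request, album: str) -> Tuple[int, str]:
    return 200, f"pictures of {album}"


@requires("write")
def add_picture(req: Request, album: str) -> Tuple[int, str]:
    return 201, f"picture added to {album}"


def call(handler: Callable[[Request], Tuple[int, str]], method: str,
         path: str, cookie: Optional[str] = None) -> Tuple[int, str]:
    """Build a request with an optional Cookie header and run it through the interceptor."""
    headers = {"Cookie": cookie} if cookie else {}
    return handler(Request(method, path, headers))


if __name__ == "__main__":
    print(call(list_pictures, "GET", "/albums/holiday", "PHOTARK_SESSION=s3ss10n-bob"))
    print(call(add_picture, "POST", "/albums/holiday", "PHOTARK_SESSION=s3ss10n-bob"))
    print(call(add_picture, "POST", "/albums/holiday"))
```

The decorator is the "quality of service" attachment: the same policy wraps `list_pictures` and `add_picture` without either handler knowing about sessions or ACLs, and a missing ACL entry denies by default rather than falling through to the handler.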
