Hi all, In our APP implementation does not have authorization support and we need to implement that before the next release as well. So today we (Sanjiva , Chathura and I ) discussed about this can came up with the following general approach for the authorization.
Web app (/web) ============== - When we use this user is supposed to login in the registry and once the user login in the registry we create a secure registry. If the user does not login in to the system then we treat the user as a the "anonymous" user. No matter what when we use the web application we will have the session object associate with the user and depending on the user role and role authorization we can control the user action. (For example if the user tries to perform an action which is not authorized to him then will throw an exception) Accessing resource content (/resource/a/ab/c) ================================ - Here there are two approaches , first user tries to access a resource while he is having a valid session (meaning that he has login in the system using the web app). Then once he type the URL in the browser then if the user is authorized to access the resource then he will be able to access the resource , else he will get HTTP 401 - Second when user try to browse the resource without login , then the content will be shown if the user is authorized to do so , else he will be giving a HTTP 401 with the challenge (asking to give the username and the password). If he does then at the server (servlet) will create a secure registry for that and handle the request. APP (/atom) ============ In this case if the user want to make the communication secure , (s)he can turn on the HTTPS in the serer side and provide the relevant data to the registry to send the user credential. Second we can send the username and the password in the request as the authentication headers and retrieve that from the server side and create a secure registry for the user. To implement this I looked in to abdera and found that we can send a header called "Authorization" and access that at the server side. However abdera does not have a way to give or retrieve the cookies, therefore we can not completely rely on abdera session management support. As a result of that we need to send this authorization header in each requests. I will implement the APP authorization support based on this approach and commit the code so that we can comment on that. -Deepal _______________________________________________ Registry-dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/registry-dev
