Deepal

Do we have a simple way of configuring whether the registry is available on HTTP and HTTPS or just HTTPS?

Paul

Deepal Jayasinghe wrote:
Hi all,

Our APP implementation does not have authorization support and we
need to implement that before the next release as well. So today we
(Sanjiva, Chathura and I) discussed this and came up with the
following general approach for the authorization.

Web app  (/web)
==============
  - When we use this, the user is supposed to log in to the registry, and
once the user logs in to the registry we create a secure registry. If the
user does not log in to the system then we treat the user as the
"anonymous" user. No matter what, when we use the web application we will
have the session object associated with the user, and depending on the
user role and role authorization we can control the user's actions. (For
example, if the user tries to perform an action which is not authorized
for him then we will throw an exception.)

Accessing resource content (/resource/a/ab/c)
================================
  - Here there are two approaches. First, the user tries to access a
resource while he has a valid session (meaning that he has logged
in to the system using the web app). Then once he types the URL in the
browser, if the user is authorized to access the resource he
will be able to access the resource, else he will get HTTP 401.
  - Second, when the user tries to browse the resource without logging in,
the content will be shown if the user is authorized to do so, else he will
be given an HTTP 401 with the challenge (asking him to give the username
and the password). If he does, then the server (servlet) will create a
secure registry for that and handle the request.

APP (/atom)
============
In this case, if the user wants to make the communication secure, (s)he
can turn on HTTPS on the server side and provide the relevant data to
the registry to send the user credentials.

Second, we can send the username and the password in the request as the
authentication headers, retrieve them on the server side and
create a secure registry for the user. To implement this I looked into
Abdera and found that we can send a header called "Authorization" and
access that on the server side. However, Abdera does not have a way to
give or retrieve cookies, therefore we cannot completely rely on
Abdera session management support. As a result, we need to send
this authorization header in each request. I will implement the APP
authorization support based on this approach and commit the code so that
we can comment on that.

-Deepal


_______________________________________________
Registry-dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/registry-dev


--
Paul Fremantle
Co-Founder and VP of Technical Sales, WSO2
OASIS WS-RX TC Co-chair

Office: +1 646 290 8050
Cell: +44 798 447 4618

blog: http://pzf.fremantle.org
[EMAIL PROTECTED]

"Oxygenating the Web Service Platform", www.wso2.com

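The per-request scheme in the quoted proposal (an Authorization header on every call, anonymous fallback, 401 with a challenge), sketched as an added example that is not code from this thread or from the WSO2 Registry. It is written in Python rather than the project's Java so it runs stand-alone; the user table, permission table, realm name and the `https_only` policy (credentials sent over plain HTTP are refused with 403) are assumptions.

```python
import base64
import hmac

# Constructed sample data (assumptions, not from the thread).
USERS = {"alice": "s3cret"}
READERS = {"/resource/public": {"anonymous", "alice"},
           "/resource/a/ab/c": {"alice"}}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="registry"'}


def basic_header(user, password):
    """Client side: the header value that must accompany every request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")


def parse_basic(value):
    """Return (user, password) from an Authorization header value, else None."""
    scheme, _, token = (value or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle_get(path, headers, secure, https_only=True):
    """Return (status, response_headers) for one request; no session is kept."""
    if path not in READERS:
        return 404, {}
    user = "anonymous"  # default identity when no credentials are sent
    if "Authorization" in headers:
        if https_only and not secure:
            return 403, {}  # assumed policy: no credentials over plain HTTP
        creds = parse_basic(headers["Authorization"])
        expected = USERS.get(creds[0], "") if creds else ""
        # Constant-time compare; bad or malformed credentials are re-challenged.
        if not expected or not hmac.compare_digest(expected.encode(),
                                                   creds[1].encode()):
            return 401, CHALLENGE
        user = creds[0]
    if user in READERS[path]:
        return 200, {}
    return 401, CHALLENGE  # not authorized: 401 with the challenge, as proposed
```

Because Basic credentials are only base64-encoded, the `secure` flag has to come from the transport (for example the servlet container's view of the connection), never from a client-supplied header.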