> Deepal
>
> Do we have a simple way of configuring whether the registry is
> available on HTTP and HTTPS or just HTTPS?
>
Nope, however if you enable HTTPS in the application server then you will automatically get the HTTPS support. Not only that, I do not see a way to configure the HTTPS inside the registry.

-Deepal
> Paul
>
> Deepal Jayasinghe wrote:
>> Hi all,
>>
>> Our APP implementation does not have authorization support and we
>> need to implement that before the next release as well. So today we
>> (Sanjiva, Chathura and I) discussed this and came up with the
>> following general approach for the authorization.
>>
>> Web app (/web)
>> ==============
>> - When we use this, the user is supposed to log in to the registry, and once
>> the user logs in to the registry we create a secure registry. If the user
>> does not log in to the system then we treat the user as the
>> "anonymous" user. No matter what, when we use the web application we will
>> have the session object associated with the user, and depending on the
>> user role and role authorization we can control the user's actions. (For
>> example, if the user tries to perform an action which he is not authorized
>> to perform, then an exception will be thrown.)
>>
>> Accessing resource content (/resource/a/ab/c)
>> ================================
>> - Here there are two approaches. First, the user tries to access a
>> resource while he has a valid session (meaning that he has logged
>> in to the system using the web app). Then, once he types the URL in the
>> browser, if the user is authorized to access the resource then he
>> will be able to access the resource, else he will get HTTP 401.
>> - Second, when the user tries to browse the resource without logging in, then the
>> content will be shown if the user is authorized to do so, else he will
>> be given an HTTP 401 with the challenge (asking to give the username and
>> the password). If he does, then the server (servlet) will create a
>> secure registry for that and handle the request.
>>
>> APP (/atom)
>> ============
>> In this case, if the user wants to make the communication secure, (s)he
>> can turn on HTTPS on the server side and provide the relevant data to
>> the registry to send the user credentials.
>>
>> Second, we can send the username and the password in the request as the
>> authentication headers and retrieve that on the server side and
>> create a secure registry for the user. To implement this I looked into
>> Abdera and found that we can send a header called "Authorization" and
>> access that on the server side. However, Abdera does not have a way to
>> give or retrieve the cookies, therefore we cannot completely rely on
>> Abdera session management support. As a result of that we need to send
>> this authorization header in each request. I will implement the APP
>> authorization support based on this approach and commit the code so that
>> we can comment on that.
>>
>> -Deepal
>>
>> _______________________________________________
>> Registry-dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/registry-dev
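
The per-request flow described in the thread (no session cookie, credentials in the Authorization header on every call, HTTP 401 with a challenge when anonymous access is not allowed), as an added Java example that is not part of the original thread or of the registry's code. The user table, resource permissions, realm name and method names are constructed for illustration, and Basic credentials are assumed to travel over HTTPS only.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

public class PerRequestAuth {
    // Constructed sample data (hypothetical); real deployments store salted password hashes.
    static final Map<String, String> USERS = Map.of("alice", "s3cret");
    static final Map<String, Set<String>> READERS = Map.of(
            "/resource/public/readme", Set.of("anonymous", "alice"),
            "/resource/a/ab/c", Set.of("alice"));
    static final String CHALLENGE = "WWW-Authenticate: Basic realm=\"registry\""; // realm is an assumption
    // Returns "anonymous" when no header is sent, the user name for valid Basic credentials, else null.
    static String authenticate(String header) {
        if (header == null) return "anonymous";
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // malformed base64
        }
        int colon = decoded.indexOf(':'); // split on the first ':' only; passwords may contain ':'
        if (colon < 0) return null;
        String user = decoded.substring(0, colon);
        String expected = USERS.get(user);
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        byte[] want = (expected == null ? "" : expected).getBytes(StandardCharsets.UTF_8);
        // Always run the comparison so unknown users take the same code path as wrong passwords.
        boolean match = MessageDigest.isEqual(given, want);
        return (expected != null && match) ? user : null;
    }
    // Every request is authenticated from its own header; nothing is remembered between calls.
    static String respond(String path, String header) {
        String user = authenticate(header);
        boolean allowed = user != null && READERS.getOrDefault(path, Set.of()).contains(user);
        return allowed ? "200 OK" : "401 Unauthorized, " + CHALLENGE;
    }
    static String basic(String userColonPassword) {
        return "Basic " + Base64.getEncoder().encodeToString(userColonPassword.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) {
        String[][] requests = {{"/resource/public/readme", null}, {"/resource/a/ab/c", null},
                {"/resource/a/ab/c", basic("alice:s3cret")}, {"/resource/a/ab/c", basic("alice:wrong")}};
        for (String[] r : requests) {
            System.out.println(r[0] + " -> " + respond(r[0], r[1]));
        }
    }
}
```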
