Re: [Architecture] [Microgateway] API Manager JWT Token Revocation Feature

2019-04-23 Thread Pushpalanka Jayawardhana
lity) with a near real-time impact, which I think is ideal. 
>>>>>>>>>>> For the persistence related issue I think we need to introduce a
>>>>>>>>>>> lightweight persistence layer across the microgateways.
>>>>>>>>>>>
>>>>>>>>>>> [1] - https://github.com/wso2/product-microgateway/issues/298
>>>>>>>>>>>
>>>>>>>>>>> On Sat, Feb 9, 2019 at 9:53 PM Fazlan Nazeem wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Sanjeewa,
>>>>>>>>>>>>
>>>>>>>>>>>> Irrespective of the method we use to implement this, once we
>>>>>>>>>>>> choose a mechanism, we will not be able to refer to the JWT tokens
>>>>>>>>>>>> as self-contained, isn't it? Because we will have to depend on an
>>>>>>>>>>>> external party to decide the validity of a token.
>>>>>>>>>>>>
>>>>>>>>>>>> AFAIU, I think the pub/sub model and push model have a
>>>>>>>>>>>> disadvantage if the process running the topic (in the pub/sub
>>>>>>>>>>>> model) or the microgateway (in the push model) restarted (unless we
>>>>>>>>>>>> repopulate the topic or the mgw memory on each restart with JTIs of
>>>>>>>>>>>> unexpired revoked tokens).
>>>>>>>>>>>>
>>>>>>>>>>>> With the Pull model, I don't see this issue. The key manager
>>>>>>>>>>>> only needs to store the unexpired revoked token information.
>>>>>>>>>>>>
>>>>>>>>>>>> I also feel that we need to introduce a config to switch on
>>>>>>>>>>>> enabling/disabling this feature so that we can also use the
>>>>>>>>>>>> microgateways in the current mode.
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu, Feb 7, 2019 at 3:58 PM Sanjeewa Malalgoda <
>>>>>>>>>>>> sanje...@wso2.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>> I'm initiating this mail thread to discuss more about the JWT
>>>>>>>>>>>>> token revocation feature we are planning to implement for the API
>>>>>>>>>>>>> Manager micro-gateway. In the API Manager micro-gateway we support
>>>>>>>>>>>>> both OAuth access tokens and JWT access tokens. When we use OAuth
>>>>>>>>>>>>> access tokens we can revoke them and make it effective
>>>>>>>>>>>>> immediately. Since all OAuth tokens are getting validated with the
>>>>>>>>>>>>> key manager, revoked tokens will fail validation. When we use JWT
>>>>>>>>>>>>> tokens we do token validation within the gateway itself without
>>>>>>>>>>>>> calling the key manager or an external party. Since a JWT is a
>>>>>>>>>>>>> self-contained one, we basically trust its content as long as the
>>>>>>>>>>>>> token is not expired and the signature is valid. Then it will be
>>>>>>>>>>>>> a problem.
>>>>>>>>>>>>>
>>>>>>>>>>>>> So we will need to have some mechanism to propagate revoked
>>>>>>>>>>>>> token details to micro-gateways as well. Since self-contained
>>>>>>>>>>>>> token revocation is ineffective (there can be mul
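As an added illustration of the pull model discussed in this thread (example code, not part of the thread or of the WSO2 microgateway): the key manager keeps only revoked JTIs that have not yet expired, each gateway pulls that list into memory, and token validation checks signature, expiry and then the JTI. The class names, the HS256 signing with a constructed key, and the fixed clock are all assumptions made for the example; a real gateway would verify the issuer's asymmetric signature instead.

```python
"""Pull-model revocation check for self-contained JWTs (illustrative, not WSO2 code).
The key manager keeps only revoked-but-unexpired JTIs; every gateway periodically
pulls that list into memory, so a gateway restart loses nothing the next pull does
not restore."""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT; a constructed stand-in for the real issuer's signing."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class KeyManagerRevocations:
    """Key-manager side (hypothetical name): jti -> exp of revoked tokens."""
    def __init__(self) -> None:
        self._revoked = {}

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def unexpired(self, now: int) -> dict:
        # Expired tokens fail validation on their own, so they are pruned here;
        # this is what keeps the list the gateways pull bounded.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return dict(self._revoked)


class GatewayRevocationCache:
    """Gateway side (hypothetical name): in-memory JTI set rebuilt on each pull."""
    def __init__(self) -> None:
        self._jtis = set()

    def pull(self, key_manager: KeyManagerRevocations, now: int) -> int:
        self._jtis = set(key_manager.unexpired(now))
        return len(self._jtis)

    def is_revoked(self, jti: str) -> bool:
        return jti in self._jtis


def validate_jwt(token: str, key: bytes, cache: GatewayRevocationCache, now: int) -> tuple:
    """Order matters: signature first, then expiry, then the revocation list."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        provided = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return False, "expired"
    jti = claims.get("jti")
    if jti is None:
        return False, "missing jti"  # a token without a JTI can never be revoked
    if cache.is_revoked(jti):
        return False, "revoked"
    return True, "ok"


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed value, not a real key
    now = 1_700_000_000            # fixed clock so the results are reproducible
    km, gw = KeyManagerRevocations(), GatewayRevocationCache()
    good = mint_jwt({"sub": "alice", "jti": "jti-1", "exp": now + 3600}, key)
    bad = mint_jwt({"sub": "bob", "jti": "jti-2", "exp": now + 3600}, key)
    stale = mint_jwt({"sub": "carol", "jti": "jti-3", "exp": now - 10}, key)
    km.revoke("jti-2", now + 3600)
    km.revoke("jti-3", now - 10)   # revoked earlier and already expired: pruned
    pulled = gw.pull(km, now)      # a freshly (re)started gateway pulls once
    # A payload edited to carry a different JTI no longer matches its signature.
    h, _, s = bad.split(".")
    forged = _b64url(json.dumps({"sub": "bob", "jti": "jti-9", "exp": now + 3600}).encode())
    return {
        "pulled": pulled,
        "good": validate_jwt(good, key, gw, now),
        "bad": validate_jwt(bad, key, gw, now),
        "stale": validate_jwt(stale, key, gw, now),
        "edited": validate_jwt(f"{h}.{forged}.{s}", key, gw, now),
    }
```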

Re: [Architecture] Cloud Tenant deletion caching issue

2019-02-21 Thread Pushpalanka Jayawardhana
>
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Sep 5, 2014 at 8:00 PM, Nirmal Fernando <
>>>>>>>>>>>> nir...@wso2.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Can't we use a tenant event listener and remove the entry from
>>>>>>>>>>>>> the map on a tenant deletion event?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Sep 5, 2014 at 7:50 PM, Godwin Amila Shrimal <
>>>>>>>>>>>>> god...@wso2.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> We are working on the tenant deletion implementation. Once we
>>>>>>>>>>>>>> perform the current tenant deletion operation in
>>>>>>>>>>>>>> *TenantMgtAdminService* it deletes registry, user store etc.
>>>>>>>>>>>>>> data. But it doesn't allow creating a tenant again with the
>>>>>>>>>>>>>> same tenant domain name until the server is restarted.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The reason for the above situation is that the tenant domain and
>>>>>>>>>>>>>> id are kept in a map (*tenantDomainIdMap*) inside the
>>>>>>>>>>>>>> *JDBCTenantManager*. When performing the delete operation it
>>>>>>>>>>>>>> checks the availability from this map.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As per the discussion we can see the following solutions for this.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Solution1*
>>>>>>>>>>>>>> Check the tenant availability from the database, not from memory
>>>>>>>>>>>>>> data, but this will be costly if it is a frequently performed
>>>>>>>>>>>>>> operation.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Solution2*
>>>>>>>>>>>>>> We can give public access to delete the particular key in the
>>>>>>>>>>>>>> map, but this will be a security issue since people can pass a
>>>>>>>>>>>>>> tenant domain and perform deletion.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Solution3*
>>>>>>>>>>>>>> Run a periodic operation which checks the availability of the
>>>>>>>>>>>>>> tenant in the database and deletes from the map those which do
>>>>>>>>>>>>>> not exist.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> We are looking for feedback on this.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>> Godwin

Re: [Architecture] [Dev] [IS] Architecture - API to Retrieve Authentication Session Information

2018-09-10 Thread Pushpalanka Jayawardhana
>>>>>>>>> *Solution*
>>>>>>>>>
>>>>>>>>> Develop an API to provide the following functionalities.
>>>>>>>>>
>>>>>>>>> - Retrieve information of currently logged in and recently used
>>>>>>>>>   sessions since the last password change.
>>>>>>>>> - Retrieve time, location, OS and browser details of each logged
>>>>>>>>>   in and recently used session.
>>>>>>>>> - Terminate a particular logged in account.
>>>>>>>>>
>>>>>>>>> *Retrieve session information*
>>>>>>>>>
>>>>>>>>> - A user can view his currently logged in details and recently used
>>>>>>>>>   session information. For each session: last time used, location,
>>>>>>>>>   browser and OS details.
>>>>>>>>> - To view information, the user has to send an HTTP GET request with
>>>>>>>>>   the SessionID and can query by ServiceProvider detail for a
>>>>>>>>>   particular account. The API will then query the alive UserID for
>>>>>>>>>   the given details and produce the required information for the user.
>>>>>>>>>
>>>>>>>>> *Terminate a particular account*
>>>>>>>>>
>>>>>>>>> - If a user or admin wants to log out from a logged in account, he
>>>>>>>>>   can terminate that account's session.
>>>>>>>>> - If the Identity Provider / Service Provider / User Account is
>>>>>>>>>   deleted by an admin, the session will be automatically terminated
>>>>>>>>>   by event listeners.
>>>>>>>>> - To terminate an account, the user has to send an HTTP POST request
>>>>>>>>>   with the SessionID and can query by ServiceProvider detail for a
>>>>>>>>>   particular account. The API will then query the alive UserID for
>>>>>>>>>   the given details and terminate the account.
>>>>>>>>>
>>>>>>>>> *Database design*
>>>>>>>>>
>>>>>>>>> - *UserID*, which is mapped to *IDP*, *IDP UserID* and *Service
>>>>>>>>>   Provider*, is used to identify a unique account.
>>>>>>>>> - Through *UserID*, information of a particular account will be
>>>>>>>>>   provided.
>>>>>>>>> - In the *Session* table, details of *Browser, OS* and *Location*
>>>>>>>>>   will not be used in queries, so we can store this information as
>>>>>>>>>   a JSON object.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Chuhaashanan
>>>>>>>>> Intern - Software Engineering
>>>>>>> ___
>>>>>>> Dev mailing list
>>>>>>> d...@wso2.org
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev


-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.5.0 RC2

2018-03-14 Thread Pushpalanka Jayawardhana

Thanks,


Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.5.0 RC1

2018-03-14 Thread Pushpalanka Jayawardhana
Hi,

Thanks for the information Darshana. Didn't know it was decided to be
rectified in an RC2.
Thanks for the fix.

On Thu, Mar 15, 2018 at 1:39 AM, Omindu Rathnaweera <omi...@wso2.com> wrote:

> Hi Lanka,
>
> This issue is now fixed in the latest oauth version (v5.6.63) and will be
> available with RC2.
>
> Regards,
> Omindu.
>
>
> On Wed, Mar 14, 2018 at 10:32 PM, Darshana Gunawardana <darsh...@wso2.com>
> wrote:
>
>> Hi Lanka,
>>
>> As you already know, we are working on rectifying this NPE in the RC2.
>>
>> Thanks,
>>
>> On Wed, Mar 14, 2018 at 10:25 PM, Pushpalanka Jayawardhana <
>> la...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> On Wed, Mar 14, 2018 at 10:14 PM, Pushpalanka Jayawardhana <
>>> la...@wso2.com> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Mar 14, 2018 at 10:09 PM, Pushpalanka Jayawardhana <
>>>> la...@wso2.com> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> Tested OIDC hybrid flow with "code idtoken" response type. This is
>>>>> breaking with "Invalid response type" error message.
>>>>> Could do a bit of debugging and it seems that at [1], it failing to
>>>>> identify the existing key for "code idtoken" type.
>>>>>
>>>>> In the HashTable returned at
>>>>> OAuthServerConfiguration.getInstance().getSupportedResponseTypeValidators()
>>>>>   execution, "code idtoken" key has the hashCode of '-1819461976' while
>>>>> input key 'code idtoken' produce the hashcode of '-732188021'. In plain
>>>>> Java code, if we generate the hashCode for 'code idtoken' it also 
>>>>> generates
>>>>> this. This result in not identifying the sending response type properly.
>>>>> Appreciate if this can be further investigated.
>>>>>
>>>>> [1] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/5.6.x/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/model/CarbonOAuthAuthzRequest.java#L49
>>>>>
>>>>
>>>> Please ignore this, just realised it should be id_token. Sorry for the
>>>> noise.
>>>>
>>> Even with this fix the flow is failing with below error,
>>>
>>> java.lang.NullPointerException
>>> org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.getIdTokenFromRedirectURL(OAuth2AuthzEndpoint.java:2321)
>>> org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.storeSidClaim(OAuth2AuthzEndpoint.java:2225)
>>> org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.manageOIDCSessionState(OAuth2AuthzEndpoint.java:2050)
>>> org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleSuccessfulAuthentication(OAuth2AuthzEndpoint.java:607)
>>> org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleAuthenticationResponse(OAuth2AuthzEndpoint.java:574)
>>> org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:199)
>>> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> java.lang.reflect.Method.invoke(Method.java:498)
>>> org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
>>> org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
>>> org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
>>> org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
>>> org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
>>> org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>>> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>>> org.apache.cxf.transport.http.

Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.5.0 RC1

2018-03-14 Thread Pushpalanka Jayawardhana
Hi,

On Wed, Mar 14, 2018 at 10:14 PM, Pushpalanka Jayawardhana <la...@wso2.com>
wrote:

>
>
> On Wed, Mar 14, 2018 at 10:09 PM, Pushpalanka Jayawardhana <la...@wso2.com
> > wrote:
>
>> Hi All,
>>
>> Tested OIDC hybrid flow with "code idtoken" response type. This is
>> breaking with "Invalid response type" error message.
>> Could do a bit of debugging and it seems that at [1], it failing to
>> identify the existing key for "code idtoken" type.
>>
>> In the HashTable returned at
>> OAuthServerConfiguration.getInstance().getSupportedResponseTypeValidators()
>>   execution, "code idtoken" key has the hashCode of '-1819461976' while
>> input key 'code idtoken' produce the hashcode of '-732188021'. In plain
>> Java code, if we generate the hashCode for 'code idtoken' it also generates
>> this. This result in not identifying the sending response type properly.
>> Appreciate if this can be further investigated.
>>
>> [1] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/5.6.x/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/model/CarbonOAuthAuthzRequest.java#L49
>>
>
> Please ignore this, just realised it should be id_token. Sorry for the
> noise.
>
Even with this fix the flow is failing with below error,

java.lang.NullPointerException
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.getIdTokenFromRedirectURL(OAuth2AuthzEndpoint.java:2321)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.storeSidClaim(OAuth2AuthzEndpoint.java:2225)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.manageOIDCSessionState(OAuth2AuthzEndpoint.java:2050)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleSuccessfulAuthentication(OAuth2AuthzEndpoint.java:607)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleAuthenticationResponse(OAuth2AuthzEndpoint.java:574)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:199)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:214)
javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
org.wso2.carbon.webapp.mgt.filter.AuthorizationHeaderFilter.doFilter(AuthorizationHeaderFilter.java:85)
org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)


This only happens when the user login is performed in the flow. If the
authorization request is sent in a browser where the user is already logged in,
the issue does not occur and the flow works fine.


Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.5.0 RC1

2018-03-14 Thread Pushpalanka Jayawardhana
On Wed, Mar 14, 2018 at 10:09 PM, Pushpalanka Jayawardhana <la...@wso2.com>
wrote:

> Hi All,
>
> Tested OIDC hybrid flow with "code idtoken" response type. This is
> breaking with "Invalid response type" error message.
> Could do a bit of debugging and it seems that at [1], it failing to
> identify the existing key for "code idtoken" type.
>
> In the HashTable returned at
> OAuthServerConfiguration.getInstance().getSupportedResponseTypeValidators()
>   execution, "code idtoken" key has the hashCode of '-1819461976' while
> input key 'code idtoken' produce the hashcode of '-732188021'. In plain
> Java code, if we generate the hashCode for 'code idtoken' it also generates
> this. This result in not identifying the sending response type properly.
> Appreciate if this can be further investigated.
>
> [1] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/5.6.x/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/model/CarbonOAuthAuthzRequest.java#L49
>

Please ignore this, just realised it should be id_token. Sorry for the
noise.

>
> On Wed, Mar 14, 2018 at 7:52 PM, Sagara Gunathunga <sag...@wso2.com>
> wrote:
>
>>
>>
>> On Wed, Mar 14, 2018 at 7:46 PM, Jayanga Kaushalya <jayan...@wso2.com>
>> wrote:
>>
>>> Hi Sagara,
>>>
>>> Yes I have suggested other teams also to follow the IS convention in
>>> [1]. APIM team told me offline that they already changed. Hope others will
>>> do the same.
>>>
>>
>> Great.
>>
>> Thanks !
>>
>>>
>>> [1] [GDPR] Anonymization Tool default configurations/references are
>>> differed over the Products
>>>
>>> Thanks!
>>>
>>> On Wed, Mar 14, 2018 at 7:37 PM, Sagara Gunathunga <sag...@wso2.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Mar 14, 2018 at 7:27 PM, Sathya Bandara <sat...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> We are calling off this vote as we have found an issue
>>>>>
>>>>> - for the user-mgt UI component in the EI product
>>>>> - in the Windows environment
>>>>>
>>>>> Since we want to align the same component versions among EI & IS, we will
>>>>> fix this and update the versions in IS as well. Additionally we will fix
>>>>> the issue in README.txt along with this.
>>>>>
>>>> Ruwan/Jayanga, shall we also look into the suggestion made by Lanka in
>>>> the "GDPR compliance for WSO2 products" thread ?
>>>>
>>>> Thanks !
>>>>
>>>>> We will do a RC2 and call for a vote soon.
>>>>>
>>>>> [1] https://github.com/wso2/product-ei/issues/2004
>>>>>
>>>>> On Wed, Mar 14, 2018 at 6:29 PM, Nilasini Thirunavukkarasu <
>>>>> nilas...@wso2.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have tested the following flows in MySQL.
>>>>>>
>>>>>> - User management, role management (Primary + Secondary user store)
>>>>>> - OIDC flow (password grant, authorization code) (Primary + Secondary
>>>>>>   user store)
>>>>>> - Consent management with SAML SSO for primary and secondary users.
>>>>>> - SAML assertion encryption and response signing.
>>>>>>
>>>>>> I have tested the following flow with H2
>>>>>>
>>>>>> - Federated scenario with two IS
>>>>>>
>>>>>> +1 to go ahead and release
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> Nila.
>>>>>>
>>>>>>
>>>>>> On Wed, Mar 14, 2018 at 6:15 PM, Darshana Gunawardana <
>>>>>> darsh...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi Dilini,
>>>>>>>
>>>>>>> We will fix this, if we noted any blocker for RC1 release.. If not,
>>>>>

Re: [Architecture] Implementing consent receipt specification in WSO2 Identity Server

2017-11-08 Thread Pushpalanka Jayawardhana
means to WSO2 server.
>>>>
>>>>
>>>> With our current implementation in Identity Server we maintain a
>>>> scope-claim mapping in the registry level. For a scope a single or multiple
>>>> claims can be mapped and we can define any custom or scope or claim. So
>>>> IIUC here we can map PII category with scope. So indirectly we can map PII
>>>> category with claims. But at the moment we don't store those scope - claim
>>>> mapping in our database. So if we are to map PII category with the scopes
>>>> we need to store the scopes in the db level.
>>>>
>>>> Thanks,
>>>>
>>>> Hasanthi Dissanayake
>>>>
>>>> On Wed, Sep 20, 2017 at 9:09 AM, Pushpalanka Jayawardhana <
>>>> la...@wso2.com> wrote:
>>>>
>>>>> Hi Shan,
>>>>>
>>>>> Along with these details we save in these tables, we need to keep a
>>>>> mapping to what each PII category means to the WSO2 server.
>>>>> In that case we can think of a PII category as a collection of claims.
>>>>>
>>>>> In IS we already have this concept of a collection of claims, where we
>>>>> categorize them into a scope. WSO2 APIM already makes use of these scopes
>>>>> to provide role based access to resources. We can try to make use of
>>>>> scopes in the place of PII category to establish this mapping with server
>>>>> claims, which are actually PII keys. In the 'PII_CATEGORY' table we can
>>>>> keep track of this.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> On Wed, Sep 13, 2017 at 2:45 PM, Shan Jayathilaka <sh...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> There is a new regulation called the EU General Data Protection
>>>>>> Regulation (GDPR) which replaces the Data Protection Directive 95/46/EC
>>>>>> and was designed to harmonize data privacy laws across Europe. GDPR was
>>>>>> passed as a regulation on 27th April 2016 and will be effective from
>>>>>> 25th May 2018. According to this regulation any organization that is
>>>>>> collecting user data must collect data according to the user's consent.
>>>>>> Also if a user requests his/her consents about the user data, the data
>>>>>> collecting organization must provide those consents to the user. Here we
>>>>>> have to record the consents of the user in a database. I designed an ER
>>>>>> diagram [1] for the database which collects the user consent. I also
>>>>>> attached the GDPR Regulation document [2], a blog to understand GDPR [3]
>>>>>> and Kantara Consent Receipt Management [4] to this email. I hope they
>>>>>> will be helpful to all.
>>>>>>
>>>>>> *Brief explanation about the database tables*
>>>>>>
>>>>>> - TRANSACTION_DETAILS: Contains details about the consent receipt id
>>>>>>   and user identification.
>>>>>> - DATA_CONTROLLER: Contains details about the organization which
>>>>>>   collects the user data.
>>>>>> - SERVICES: Contains details about the services provided to the user
>>>>>>   data.
>>>>>> - PURPOSES: Contains details about the purposes to collect the user
>>>>>>   data.
>>>>>> - THIRD_PARTY: Contains details about the third party organizations
>>>>>>   which take the user data shared by the data controllers.
>>>>>> - PII_CATEGORY: Contains details about the personally identifiable
>>>>>>   information (PII) categories.
>>>>>>
>>>>>> [1] project_gdpr_new_erd.png (140K attachment)

Re: [Architecture] OIDC request object support

2017-10-11 Thread Pushpalanka Jayawardhana
Hi Hasanthi,

On Wed, Oct 11, 2017 at 11:10 PM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi Pushpalanka,
>
> Since scope concept is no longer effective in this approach, I assume we
>> will have to capture user consent claim by claim in this case similar to
>> how we handle consent for scopes.
>
>
> Yes we should use the same way to capture the consent claim by claim but
> with the authorization request. Anyway we need to pass the 'openid' scope
> along with the request in order to make this an oidc request right?
>
Yes, the specification specifically mentions that.
Yes, consent needs to be captured with the authorization request as you
mentioned. As the request object is a part of the authorization request, we
have to address it here. This section of the specification [1] will help in
understanding.

>
>
> Are we introducing a new table to store this?
>
> I'm wondering whether we need to introduce a new table to store the claims
> and consents with this implementation.  Can't we use the same table which
> we are introducing in consent management and then request consent, claim by
> claim here as well?
>
The newly introduced tables to store consent are domain specific, as they
come with the solution. Consent for claims served by IS according to the
request object will need to be handled through the IS data source, as this
governs what IS exposes through the userinfo endpoint and ID token.

>
>> We also need to take into the consideration that the request object can
>> be signed(JWS) and we need to do the signature validation before it's
>> handed over to next layer.
>>
>
> +1. Yes we need to do.
>
>
>>    1. Define custom claims for those and use claim retrieving extensions
>>       to handle the value
>>    2. Provide an extension at this layer so that we filter out the
>>       claims handled by IS and separate others to be handled in custom ways.
>>
> +1 for option 2
>
> BTW, are we planing to implement consent management with IS 5.3.0 WUM
> update? If so, can we do schema changes as a WUM update?  Otherwise how do
> we plan to release consent management feature?
>
The consent management we refer to here is very specific to the domain, so
that will not introduce a schema change to the product DB script. We will
make use of the extension to be introduced at the request object level and
use the storage from the solution.

[1] - http://openid.net/specs/openid-connect-core-1_0.html#RequestParameter

>
> Thanks,
>
> Hasanthi Dissanayake
>
>
> On Wed, Oct 11, 2017 at 6:38 PM, Pushpalanka Jayawardhana <la...@wso2.com>
> wrote:
>
>> Hi Hasanthi,
>>
>> On Wed, Oct 11, 2017 at 4:41 PM, Hasanthi Purnima Dissanayake <
>> hasan...@wso2.com> wrote:
>>
>>> On Wed, Oct 11, 2017 at 4:35 PM, Hasanthi Purnima Dissanayake <
>>> hasan...@wso2.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> In order to support 'Request Object' we need to support two parameters.
>>>> 1. request parameter
>>>> 2. request_uri parameter
>>>>
>>>>
>>>>
>>>> *1. request_parameter*
>>>> The purpose of this parameter is for supporting to request some claims
>>>> other than the default Userinfo and IdToken claim set which is associated
>>>> with the requested scope.
>>>>
>>>> So if we consider a sample request with above parameter,
>>>>
>>>> https://localhost:9443/oauth2/authorize?
>>>> response_type=code%20id_token
>>>> &client_id=X
>>>> &redirect_uri=http://localhost:8080/playground
>>>> &scope=openid
>>>> &state=af0ifjsldkj
>>>> &nonce=n-0S6_WzA2Mj
>>>> &request={
>>>>   "iss": "s6BhdRkqt3",
>>>>   "aud": "https://server.example.com",
>>>>   "response_type": "code id_token",
>>>>   "client_id": "s6BhdRkqt3",
>>>>   "redirect_uri": "https://client.example.org/cb",
>>>>   "scope": "openid",
>>>>   "state": "af0ifjsldkj",
>>>>   "nonce": "n-0S6_WzA2Mj",
>>>>   "max_age": 86400,
>>>>

Re: [Architecture] OIDC request object support

2017-10-11 Thread Pushpalanka Jayawardhana
Hi Hasanthi,

On Wed, Oct 11, 2017 at 4:41 PM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

>
>
> On Wed, Oct 11, 2017 at 4:35 PM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi All,
>>
>> In order to support 'Request Object' we need to support two parameters.
>> 1. request parameter
>> 2. request_uri parameter
>>
>>
>>
>> *1. request_parameter*
>> The purpose of this parameter is for supporting to request some claims
>> other than the default Userinfo and IdToken claim set which is associated
>> with the requested scope.
>>
>> So if we consider a sample request with above parameter,
>>
>> https://localhost:9443/oauth2/authorize?
>> response_type=code%20id_token
>> &client_id=X
>> &redirect_uri=http://localhost:8080/playground
>> &scope=openid
>> &state=af0ifjsldkj
>> &nonce=n-0S6_WzA2Mj
>> &request={
>>   "iss": "s6BhdRkqt3",
>>   "aud": "https://server.example.com",
>>   "response_type": "code id_token",
>>   "client_id": "s6BhdRkqt3",
>>   "redirect_uri": "https://client.example.org/cb",
>>   "scope": "openid",
>>   "state": "af0ifjsldkj",
>>   "nonce": "n-0S6_WzA2Mj",
>>   "max_age": 86400,
>>
>>   "claims": {
>>     "userinfo": {
>>       "given_name": {
>>         "essential": true
>>       },
>>       "nickname": null,
>>       "email": {
>>         "essential": true
>>       }
>>     },
>>     "id_token": {
>>       "gender": null,
>>       "birthdate": {
>>         "essential": true
>>       },
>>       "acr": {
>>         "values": [
>>           "urn:mace:incommon:iap:silver"
>>         ]
>>       }
>>     }
>>   }
>> }
>>
>>
>> The expected behavior of Identity server will be as follows.
>>
>> 1. Consider the claims "given_name" and "email" which are marked as
>> 'essential:true' for the 'userinfo' member. Even if they are not mapped with
>> the openid scope in the registry, if these claims are requested claims,
>> then 'given_name' and 'email' will be returned from the Userinfo endpoint.
>> So as a summary, the claims which are marked as 'essential : true' are only
>> controlled by the requested claims and ignore the requested scopes. If the
>> server can not provide those essential claims there won't be any failure or
>> error message returned from the server.
>>
Since the scope concept is no longer effective in this approach, I assume we
will have to capture user consent claim by claim in this case, similar to
how we handle consent for scopes. Are we introducing a new table to store
this?

We also need to take into consideration that the request object can be
signed (JWS), and we need to do the signature validation before it's handed
over to the next layer.

Also, in different domains the request object format gets slightly modified.
Additionally, not all claims coming under 'claims' will be claims delivered
from the IS user base. There can be disparate logics and sources to derive
the values for these. To cater for this we have options,

   1. Define custom claims for those and use claim retrieving extensions to
   handle the value
   2. Provide an extension at this layer so that we filter out the claims
   handled by IS and separate the others to be handled in custom ways.

Having option 2 will provide more freedom and efficiency in handling cases
where none of the incoming claims are handled directly from the IS user base.
Also it will let us handle any attributes introduced to the outer layer from
claims.

Apart from mentioning 'essential:true', in different domains there can be
cases where the claims become essential given a condition. For example: if a
user wishes to have SMS OTP as an authentication factor then the mobile number
is essential. We can adopt such minor modifications by keeping extensibility
here.

>
>> 2. Claims like "nickname" will act as default claims and will be
>> controlled by both the requested scopes and the requested claims.
>>
>> This behavior is common to the id token as well.
>>
>>
>>
>> *2. request_uri parameter*
>> In this case the url will be a pre-registered url by the RP for use at
>
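The behaviour discussed above (essential claims bypassing the scope mapping, voluntary claims gated by both, no error for an essential claim the server cannot supply), together with the signature check Pushpalanka asks for, as an added Python example; it is not Identity Server code and not from anyone in this thread. The scope-to-claim mapping, the user record and the HS256 shared secret are constructed stand-ins: a real deployment verifies the request object with the algorithm and key the RP registered.

```python
import base64
import hashlib
import hmac
import json

# Constructed scope-to-claim mapping (stands in for the registry mapping
# mentioned in the thread); 'openid' releases only the subject identifier.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"given_name", "nickname", "gender", "birthdate"},
    "email": {"email"},
}

# Constructed user record; note there is no 'birthdate' on file.
USER_CLAIMS = {
    "sub": "u123",
    "given_name": "Ada",
    "nickname": "ada",
    "email": "ada@example.org",
    "gender": "female",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(payload: dict, key: bytes) -> str:
    """RP side: produce a compact HS256 JWS carrying the request object."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"


def verify_request_object(jws: str, key: bytes) -> dict:
    """Server side: pin the algorithm and check the MAC before trusting the payload.

    A header claiming 'none' or any algorithm other than the registered one
    is rejected before the signature is even looked at.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("malformed request object")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in request object header")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("request object signature did not verify")
    return json.loads(b64url_decode(body_b64))


def resolve_claims(requested: dict, granted_scopes: set, available: dict) -> dict:
    """Resolve one 'claims' member (userinfo or id_token) as the thread describes.

    - {"essential": true}: released when the server has it, whatever the
      scopes say; silently omitted (no error) when it does not.
    - null (voluntary): released only if a granted scope also covers it.
    - Claims not named in the request still flow through the granted scopes.
    """
    in_scope = set()
    for scope in granted_scopes:
        in_scope |= SCOPE_CLAIMS.get(scope, set())
    released = {}
    for name, spec in requested.items():
        essential = isinstance(spec, dict) and spec.get("essential") is True
        if name in available and (essential or name in in_scope):
            released[name] = available[name]
    for name in in_scope - set(requested):
        if name in available:
            released[name] = available[name]
    return released


def handle_authorize(jws: str, key: bytes, granted_scopes: set) -> dict:
    """Verify the request object first, then resolve both claim members."""
    payload = verify_request_object(jws, key)
    claims_request = payload.get("claims", {})
    return {
        member: resolve_claims(claims_request.get(member, {}), granted_scopes, USER_CLAIMS)
        for member in ("userinfo", "id_token")
    }


if __name__ == "__main__":
    key = b"constructed-client-secret"
    request = {"iss": "s6BhdRkqt3", "claims": {
        "userinfo": {"given_name": {"essential": True}, "nickname": None,
                     "email": {"essential": True}},
        "id_token": {"gender": None, "birthdate": {"essential": True}},
    }}
    print(json.dumps(handle_authorize(sign_request_object(request, key), key, {"openid"}), indent=2))
```

With only `openid` granted, `given_name` and `email` are released because they are essential, `nickname` is withheld because no granted scope covers it, and the essential but unavailable `birthdate` is simply absent from the id_token member. A request object whose MAC was computed under a different key, or whose header names another algorithm, is rejected before its `claims` member is read.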

Re: [Architecture] Implementing consent receipt specification in WSO2 Identity Server

2017-09-19 Thread Pushpalanka Jayawardhana
Hi Shan,

Along with the details we save in these tables, we need to keep a mapping
to what each PII category means to the WSO2 server.
In that case we can think of a PII category as a collection of claims.

In IS we already have this concept of a collection of claims, where we
categorize them into a scope. WSO2 APIM already makes use of these scopes to
provide role based access to resources. We can try to make use of scopes in
the place of PII category to establish this mapping with server claims,
which are actually PII keys. In the 'PII_CATEGORY' table we can keep track
of this.

Thanks,

On Wed, Sep 13, 2017 at 2:45 PM, Shan Jayathilaka <sh...@wso2.com> wrote:

> There is a new regulation called the EU General Data Protection Regulation
> (GDPR) which replaces the Data Protection Directive 95/46/EC and was
> designed to harmonize data privacy laws across Europe. GDPR was passed as
> a regulation on 27th April 2016 and will be effective from 25th May 2018.
> According to this regulation, any organization which is collecting user data
> must collect it according to the user's consent. Also, if a user requests
> his/her consents about the user data, the data collecting
> organization must provide those consents to the user. Here we
> have to record the consents of the user in a database. I designed
> an [1] ER diagram for the database which collects the user consent. I also
> attached [2] the GDPR Regulation document, [3] a blog to understand the GDPR
> and [4] Kantara Consent Receipt Management to this email. I hope they will
> be helpful to all.
>
> *Brief explanation about the database tables*
>
>
>- TRANSACTION_DETAILS: Contains details about the consent receipt id
>and user identification.
>
>
>- DATA_CONTROLLER: Contains details about the organization which
>collects the user data.
>- SERVICES: Contains details about the services provided to the user
>data.
>- PURPOSES: Contains details about the purposes to collect the user
>data.
>- THIRD_PARTY: Contains details about the third party organizations
>which take the user data shared by the data controllers.
>- PII_CATEGORY: Contains details about the personally identifiable
>information (pii) categories.
>
> [1]
> project_gdpr_new_erd.png (140K)
>
> [2]
> http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
>
> [3]
> https://medium.facilelogin.com/understanding-gdpr-9201e1356418
>
> [4]
> https://kantarainitiative.org/confluence/display/infosharing/Consent+Receipt+Specification?preview=/76447870/90604248/DRAFT%20Recommendation%20Consent%20Receipt%20Specification%201_0_0.docx
>
> Appreciate your feedback.
>
> Regards,
>
> Shan Chathusanda Jayathilaka
> Software Engineer (Intern)
> WSO2
>
> Mobile : +94702062877
> Email : sh...@wso2.com
> LinkedIn : www.linkedin.com/in/shanchathusanda/
>



-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] Distinguish between local and federated users in oauth tables

2017-05-16 Thread Pushpalanka Jayawardhana
On Wed, May 17, 2017 at 10:37 AM, Prabath Siriwardena <prab...@wso2.com>
wrote:

>
>
> On Tue, May 16, 2017 at 10:04 PM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>>
>>
>> On Wed, May 17, 2017 at 10:26 AM, Prabath Siriwardena <prab...@wso2.com>
>> wrote:
>>
>>> Also - related to JWT/SAML grant types - do we have an option to JIT
>>> provision the user...?
>>>
>> This is not available in the current implementation.
>>
>>> The expectation is - when you enable JIT provisioning under the trusted
>>> IdP - and pick the userstore to provision the users - then the user should
>>> be JIT provisioned...
>>>
>> If we need to support OIDC with JWT/SAML grant types we need to have
>> this feature. Even though the OIDC spec does not talk about supporting OIDC
>> with custom grant types,
>> this can be treated as a token exchange mechanism. And +1 for supporting
>> this.
>>
>
> In fact this is not directly related to OIDC - just the JWT grant type
> (JWT grant type for OAuth 2.0)..
>
> if this is not supported then - in API M - how do we generate the JWT for
> the backend - when users come from a federate JWT..?
>
In the IS JWTTokenGenerator we check whether the user exists in the local user
store and get the claims. Otherwise no claims are sent in the JWT in token
validation.
AFAIK API M has written a different token generator for this case.

>
> Thanks & regards,
> -Prabath
>
>
>
>>
>> -Ishara
>>
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>>
>>> On Tue, May 16, 2017 at 8:58 PM, Pushpalanka Jayawardhana <
>>> la...@wso2.com> wrote:
>>>
>>>>
>>>>
>>>> On Tue, May 16, 2017 at 11:15 PM, Ishara Karunarathna <isha...@wso2.com
>>>> > wrote:
>>>>
>>>>>
>>>>>
>>>>> On Tue, May 16, 2017 at 10:25 PM, Prabath Siriwardena <
>>>>> prab...@wso2.com> wrote:
>>>>>
>>>>>> How do you figure out users from different idps?
>>>>>>
>>>>> In this way we can only identify whether the user is a federated or local
>>>>> user.
>>>>>
>>>>> But we can use a convention to keep IDP name as well if we need to go
>>>>> without schema changes
>>>>> Ex FEDERATED:IDP1
>>>>>
>>>>
>>>> Is this to address any future issues or cater for features?
>>>>
>>>> I can see a conceptual fault in saving the same domain name for different
>>>> IDPs, along with the unique key constraint we have. This can lead to treating
>>>> two identities as the same, since we will only know they are federated.
>>>>
>>>> CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID,
>>>> *USER_DOMAIN*, USER_TYPE, TOKEN_SCOPE_HASH, TOKEN_STATE, TOKEN_STATE_ID)
>>>>
>>>> What will be the places we will make use of the knowledge of
>>>> authenticated IDP?
>>>>
>>>>>
>>>>> -Ishara
>>>>>
>>>>>>
>>>>>> Thanks & regards,
>>>>>> -Prabath
>>>>>>
>>>>>> On Tue, May 16, 2017 at 7:23 AM, Pushpalanka Jayawardhana <
>>>>>> la...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> We have below 3 issues that are caused mainly because we don't have
>>>>>>> a clear way to distinguish local and federated users in oauth related
>>>>>>> tables (authorization code and access token storage).
>>>>>>> There are few more issues related to sending subject claim in proper
>>>>>>> format in IDtoken, that needs to identify the user as federated or 
>>>>>>> local.
>>>>>>>
>>>>>>> In order to address these issues  we need to check whether user is
>>>>>>> from a federated IDP. To fix this without having DB schema changes, 
>>>>>>> IsharaK
>>>>>>> came up with this idea to use 'UserStoreDomain' column,
>>>>>>> to store the value 'FEDERATED' as user store domain for tokens and
>>>>>>> authorization codes issued to federated users. The relevant 
>>>>>>> authenticators
>>>>>>

Re: [Architecture] Distinguish between local and federated users in oauth tables

2017-05-16 Thread Pushpalanka Jayawardhana
On Tue, May 16, 2017 at 11:15 PM, Ishara Karunarathna <isha...@wso2.com>
wrote:

>
>
> On Tue, May 16, 2017 at 10:25 PM, Prabath Siriwardena <prab...@wso2.com>
> wrote:
>
>> How do you figure out users from different idps?
>>
> In this way we can only identify whether the user is a federated or local user.
>
> But we can use a convention to keep IDP name as well if we need to go
> without schema changes
> Ex FEDERATED:IDP1
>

Is this to address any future issues or cater for features?

I can see a conceptual fault in saving the same domain name for different
IDPs, along with the unique key constraint we have. This can lead to treating
two identities as the same, since we will only know they are federated.

CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID,
*USER_DOMAIN*, USER_TYPE, TOKEN_SCOPE_HASH, TOKEN_STATE, TOKEN_STATE_ID)

What will be the places we will make use of the knowledge of authenticated
IDP?

>
> -Ishara
>
>>
>> Thanks & regards,
>> -Prabath
>>
>> On Tue, May 16, 2017 at 7:23 AM, Pushpalanka Jayawardhana <la...@wso2.com
>> > wrote:
>>
>>> Hi All,
>>>
>>> We have below 3 issues that are caused mainly because we don't have a
>>> clear way to distinguish local and federated users in oauth related tables
>>> (authorization code and access token storage).
>>> There are few more issues related to sending subject claim in proper
>>> format in IDtoken, that needs to identify the user as federated or local.
>>>
>>> In order to address these issues  we need to check whether user is from
>>> a federated IDP. To fix this without having DB schema changes, IsharaK came
>>> up with this idea to use 'UserStoreDomain' column,
>>> to store the value 'FEDERATED' as user store domain for tokens and
>>> authorization codes issued to federated users. The relevant authenticators
>>> and grant handlers are responsible to set 'isFederatedUser' flag to true,
>>> whenever they are creating and passing an authenticated user to
>>> messageContext. OAuth storage will read and store it as the userStoreDomain
>>> value with 'FEDERATED'. This domain is never expected to be sent out from
>>> server as a user attribute or property or as part of username.
>>>
>>> In order to avoid any conflicts, we will avoid users from creating user
>>> store domains with the name 'FEDERATED'.
>>> If you see any pitfalls with this approach, please raise. We are
>>> proceeding with implementation as above.
>>>
>>> [1] - https://wso2.org/jira/browse/IDENTITY-5939
>>> [2] - https://wso2.org/jira/browse/IDENTITY-4880
>>> [3] - https://wso2.org/jira/browse/IDENTITY-4512
>>>
>>> Thanks,
>>> --
>>> Pushpalanka.
>>> --
>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>>> Mobile: +94779716248
>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/
>>> | Twitter: @pushpalanka
>>>
>>>
>>
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>
>> Mobile : +1 650 625 7950
>>
>> http://facilelogin.com
>>
>
>
>
> --
> Ishara Karunarathna
> Associate Technical Lead
> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>
> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
> +94717996791
>
>
>


-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] Distinguish between local and federated users in oauth tables

2017-05-16 Thread Pushpalanka Jayawardhana
On Tue, May 16, 2017 at 10:19 PM, Nuwan Dias <nuw...@wso2.com> wrote:

> How is this going to impact migrating clients? For the data that's already
> available in the DB, I guess we won't be changing their user store domains.
> So I guess they will still be treated in the old way?
>
Yes, as of now we save the domain as PRIMARY for externally authenticated users
as well. We won't be migrating those, hence they are treated in the old way.
If there are authenticators that have already been setting this flag
'isFederatedUser' to true, from now on their user store domain will be saved as
FEDERATED, fixing the mentioned bugs we had in the flow.

>
> On Tue, May 16, 2017 at 7:53 PM, Pushpalanka Jayawardhana <la...@wso2.com>
> wrote:
>
>> Hi All,
>>
>> We have below 3 issues that are caused mainly because we don't have a
>> clear way to distinguish local and federated users in oauth related tables
>> (authorization code and access token storage).
>> There are few more issues related to sending subject claim in proper
>> format in IDtoken, that needs to identify the user as federated or local.
>>
>> In order to address these issues  we need to check whether user is from a
>> federated IDP. To fix this without having DB schema changes, IsharaK came
>> up with this idea to use 'UserStoreDomain' column,
>> to store the value 'FEDERATED' as user store domain for tokens and
>> authorization codes issued to federated users. The relevant authenticators
>> and grant handlers are responsible to set 'isFederatedUser' flag to true,
>> whenever they are creating and passing an authenticated user to
>> messageContext. OAuth storage will read and store it as the userStoreDomain
>> value with 'FEDERATED'. This domain is never expected to be sent out from
>> server as a user attribute or property or as part of username.
>>
>> In order to avoid any conflicts, we will avoid users from creating user
>> store domains with the name 'FEDERATED'.
>> If you see any pitfalls with this approach, please raise. We are
>> proceeding with implementation as above.
>>
>> [1] - https://wso2.org/jira/browse/IDENTITY-5939
>> [2] - https://wso2.org/jira/browse/IDENTITY-4880
>> [3] - https://wso2.org/jira/browse/IDENTITY-4512
>>
>> Thanks,
>> --
>> Pushpalanka.
>> --
>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>> Mobile: +94779716248
>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/
>> | Twitter: @pushpalanka
>>
>>
>
>
> --
> Nuwan Dias
>
> Software Architect - WSO2, Inc. http://wso2.com
> email : nuw...@wso2.com
> Phone : +94 777 775 729
>



-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


[Architecture] Distinguish between local and federated users in oauth tables

2017-05-16 Thread Pushpalanka Jayawardhana
Hi All,

We have below 3 issues that are caused mainly because we don't have a clear
way to distinguish local and federated users in oauth related tables
(authorization code and access token storage).
There are few more issues related to sending subject claim in proper format
in IDtoken, that needs to identify the user as federated or local.

In order to address these issues  we need to check whether user is from a
federated IDP. To fix this without having DB schema changes, IsharaK came
up with this idea to use 'UserStoreDomain' column,
to store the value 'FEDERATED' as user store domain for tokens and
authorization codes issued to federated users. The relevant authenticators
and grant handlers are responsible to set 'isFederatedUser' flag to true,
whenever they are creating and passing an authenticated user to
messageContext. OAuth storage will read and store it as the userStoreDomain
value with 'FEDERATED'. This domain is never expected to be sent out from
server as a user attribute or property or as part of username.

In order to avoid any conflicts, we will avoid users from creating user
store domains with the name 'FEDERATED'.
If you see any pitfalls with this approach, please raise. We are proceeding
with implementation as above.

[1] - https://wso2.org/jira/browse/IDENTITY-5939
[2] - https://wso2.org/jira/browse/IDENTITY-4880
[3] - https://wso2.org/jira/browse/IDENTITY-4512

Thanks,
-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
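The unique-key collision Pushpalanka points out earlier in this thread (the CON_APP_KEY constraint) and the FEDERATED domain convention proposed here, as an added Python example; it is not the Identity Server schema or code. The table is a constructed SQLite stand-in that carries the quoted constraint, the three users and the token column values are constructed, and the `qualify_by_idp` switch demonstrates the 'FEDERATED:IDP1' variant Ishara floated.

```python
import sqlite3
import uuid

FEDERATED_DOMAIN = "FEDERATED"

# Constructed demo table carrying the CON_APP_KEY constraint quoted in the
# thread; it is not the Identity Server DDL.
DDL = """
CREATE TABLE ACCESS_TOKEN_DEMO (
  TOKEN_ID TEXT PRIMARY KEY,
  CONSUMER_KEY_ID INTEGER NOT NULL,
  AUTHZ_USER TEXT NOT NULL,
  TENANT_ID INTEGER NOT NULL,
  USER_DOMAIN TEXT NOT NULL,
  USER_TYPE TEXT NOT NULL,
  TOKEN_SCOPE_HASH TEXT NOT NULL,
  TOKEN_STATE TEXT NOT NULL,
  TOKEN_STATE_ID TEXT NOT NULL,
  CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID,
    USER_DOMAIN, USER_TYPE, TOKEN_SCOPE_HASH, TOKEN_STATE, TOKEN_STATE_ID)
)
"""


def storage_domain(user: dict, qualify_by_idp: bool = False) -> str:
    """Domain value persisted with a token or authorization code.

    Local users keep their real user-store domain. Federated users get the
    reserved marker; with qualify_by_idp=True the IdP name is appended
    ('FEDERATED:IDP1'), which keeps users of different IdPs apart.
    """
    if not user.get("is_federated"):
        return user["domain"]
    if qualify_by_idp:
        return f"{FEDERATED_DOMAIN}:{user['idp']}"
    return FEDERATED_DOMAIN


def check_new_domain_name(name: str) -> str:
    """Refuse to create a real user store whose name collides with the marker."""
    upper = name.upper()
    if upper == FEDERATED_DOMAIN or upper.startswith(FEDERATED_DOMAIN + ":"):
        raise ValueError(f"{name!r} is reserved for federated users")
    return name


def outbound_username(user: dict) -> str:
    """The marker never leaves the server as a domain prefix of the username."""
    return user["username"]


def issue_tokens(users: list, qualify_by_idp: bool = False) -> list:
    """Insert one ACTIVE token per user for the same app, tenant and scope set.

    Returns 'ok' or 'collision' per user; a collision means the store cannot
    tell this user apart from an earlier one under CON_APP_KEY, i.e. two
    identities have been merged.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    results = []
    for user in users:
        row = (
            str(uuid.uuid4()), 1, user["username"], -1234,
            storage_domain(user, qualify_by_idp), "APPLICATION_USER",
            "constructed-scope-hash", "ACTIVE", "NONE",
        )
        try:
            conn.execute("INSERT INTO ACCESS_TOKEN_DEMO VALUES (?,?,?,?,?,?,?,?,?)", row)
            results.append("ok")
        except sqlite3.IntegrityError:
            results.append("collision")
    conn.close()
    return results


# Constructed users: two different people called 'alice' at two IdPs, plus a local one.
ALICE_IDP1 = {"username": "alice", "is_federated": True, "idp": "IDP1", "domain": None}
ALICE_IDP2 = {"username": "alice", "is_federated": True, "idp": "IDP2", "domain": None}
ALICE_LOCAL = {"username": "alice", "is_federated": False, "idp": None, "domain": "PRIMARY"}

if __name__ == "__main__":
    print(issue_tokens([ALICE_IDP1, ALICE_IDP2, ALICE_LOCAL]))  # ['ok', 'collision', 'ok']
    print(issue_tokens([ALICE_IDP1, ALICE_IDP2, ALICE_LOCAL], qualify_by_idp=True))  # ['ok', 'ok', 'ok']
```

With the bare marker the second federated 'alice' collides with the first under the unique key, which is the conceptual fault raised in the thread; qualifying the marker with the IdP name keeps the three rows distinct without a schema change, while the local user's PRIMARY row is unaffected either way.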


Re: [Architecture] Define Username Claim in Domain Level

2017-03-23 Thread Pushpalanka Jayawardhana
Hi Thanuja,

On Tue, Mar 21, 2017 at 11:47 AM, Thanuja Jayasinghe <than...@wso2.com>
wrote:

>
>
> On Sun, Mar 19, 2017 at 2:10 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>>
>>
>> On Wed, Mar 15, 2017 at 6:50 AM, Thanuja Jayasinghe <than...@wso2.com>
>> wrote:
>>
>>> Hi Nuwandi,
>>>
>>> On Tue, Mar 14, 2017 at 1:54 PM, Nuwandi Wickramasinghe <
>>> nuwan...@wso2.com> wrote:
>>>
>>>>
>>>>
>>>> On Tue, Mar 14, 2017 at 12:42 PM, Thanuja Jayasinghe <than...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Gayan,
>>>>>
>>>>> Yes. We need to specially handle the username claim
>>>>> ("http://wso2.org/claims/username").
>>>>>
>>>> So, it will always be http://wso2.org/claims/username, not
>>>> configurable?
>>>>
>>>
>>> I see following performance related concerns if we marked some claim as
>>> the username claim using a property,
>>>
>>>
>>>
>>>- In every operation which we are going to specially handle for
>>>username claim, we need to check that property
>>>- If we want to get the username claim value, first we need to go
>>>through claims to identify the username claim and then retrieve the value
>>>for that claim
>>>
>>> Also, it will be much easier for the User object to retrieve username
>>> claim from a claim URI rather than a property. (We don't have the API
>>> support for retrieving claim value from a property)
>>>
>>> In a case like "email as username", we can still map the username claim
>>> to the email attribute. Then we can map the same email attribute to email
>>> claim to avoid the confusion.
>>>
>> if "http://wso2.org/claims/username" always represents the username claim, we
>> do not need to define it separately in domain-config.yaml, right ?
>>
> Yes.
>
> @Pushpalanka: Are we planning to provide the capability to change root
> claim dialect?
>
This is still under consideration in the thread '[IS 6.0.0] Making native claim
dialect configurable'.

If that answers yes, can we still interpret this as 'root claim dialect
claim URI + *username*'? Still, with little modifications, we can have the
mentioned optimizations, as I see.

>
>>>
>>>>> Shall we add a method to User[1] class to retrieve username?
>>>>>
>>>> +1 to have a method in User.java
>>>>
>>>>>
>>>>> [1] - https://github.com/wso2/carbon-identity-mgt/blob/master/components/org.wso2.carbon.identity.mgt/src/main/java/org/wso2/carbon/identity/mgt/User.java
>>>>>
>>>>> Thanks,
>>>>> Thanuja
>>>>>
>>>>> On Tue, Mar 14, 2017 at 12:12 PM, Gayan Gunawardana <ga...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> Don't we have to provide an API to get username claim from domain
>>>>>> level.
>>>>>> I am suggesting to have some thing like
>>>>>>
>>>>>> org.wso2.carbon.identity.mgt.User userStoreUser = identityStore.
>>>>>> getUser(userId);
>>>>>> userStoreUser.getUsernameClaim();
>>>>>>
>>>>>> Currently we handle username claim as just an another claim but it
>>>>>> should be treated as special claim because username is the human friendly
>>>>>> unique identifier for users.
>>>>>>
>>>>>> In domain-config.yaml we can define username claim for each domain.
>>>>>>
>>>>>> Also another requirement is when we get username from out side
>>>>>> application, we need to retrieve corresponding user from identity store 
>>>>>> so
>>>>>> we need to set value got from out side to appropriate claim. In that case
>>>>>> there should be a way to identify username claim.
>>>>>>
>>>>>> WDYT?
>>>>>>
>>>>>> Thanks,
>>>>>> Gayan
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Gayan Gunawardana
>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>>> Email: ga...@wso2.com
>>>>>> Mobile: +94 (71) 8020933
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Thanuja Lakmal*
>>>>> Senior Software Engineer
>>>>> WSO2 Inc. http://wso2.com/
>>>>> *lean.enterprise.middleware*
>>>>> Mobile: +94715979891 +94758009992
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Best Regards,
>>>>
>>>> Nuwandi Wickramasinghe
>>>>
>>>> Software Engineer
>>>>
>>>> WSO2 Inc.
>>>>
>>>> Web : http://wso2.com
>>>>
>>>> Mobile : 0719214873
>>>>
>>>
>>> Thanks,
>>> Thanuja
>>>
>>> --
>>> *Thanuja Lakmal*
>>> Senior Software Engineer
>>> WSO2 Inc. http://wso2.com/
>>> *lean.enterprise.middleware*
>>> Mobile: +94715979891 +94758009992
>>>
>>
>>
>>
>> --
>> Gayan Gunawardana
>> Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>
>
>
> --
> *Thanuja Lakmal*
> Senior Software Engineer
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891 +94758009992
>



-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


[Architecture] [C5][IS 6.0.0] Add and Update Group UI for IS 6.0.0

2017-03-15 Thread Pushpalanka Jayawardhana
Hi All,

I am working on implementing 'add group' and 'update group' UIs for IS
6.0.0 as per the wire-frames [1] and [2].

In group addition, user experience will be as, in the 'General' tab user
provides name and description of the role.
User can either conclude the group addition flow here or go to 'Users' tab
to select users who will be in this group.
User can either conclude the flow here or go to 'Roles' tab to select the
roles to be assigned to all the users in the newly added group.

Same goes with the update flow.

Claims will be defined for the group, to keep track of the attributes of
the group, such as group description.
Any thoughts are welcome to improve the flow or design.

[1] -
https://github.com/wso2-dev-ux/product-is/blob/master/Wireframes/admin-portal/v3/4.2%20Add%20group%20-%20general%20info.png
[2] -
https://github.com/wso2-dev-ux/product-is/blob/master/Wireframes/admin-portal/v3/4.8%20Edit%20group%20-%20general%20info.png

Thanks,
-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [Dev] Username Recovery Feature in IS 6.0.0

2017-01-21 Thread Pushpalanka Jayawardhana
Hi All,

On Sat, Jan 21, 2017 at 1:35 PM, Isura Karunaratne <is...@wso2.com> wrote:

> Hi Dinali,
>
> On Sat, Jan 21, 2017 at 12:33 PM, Dinali Dabarera <din...@wso2.com> wrote:
>
>> Hi all,
>>
>> We are working on implementing username recovery feature for IS 6.0.0
>>
>> *The admin has to enable the Username Recovery*
>>
>>
>> *When Username Recovery enabled:*
>>
>>- User portal user can click on the forgot username option.
>>- The User can enter his details of the default profile.
>>- The System will match the entered details with the claims available
>>and if they match, the relevant username will be emailed to his email address
>>and a notification will be prompted saying that an email is sent to his mail.
>>- If it doesn't match, the user will be notified that the relevant
>>user is not registered in the system.
>>
> We need to inform the user if multiple users match the given criteria.
> Then the user can fill in additional details to recover the username.
>
We should have a mechanism like captcha verification here, to avoid
possible brute force attack.

>
>
>> *When Username Recovery is disabled:*
>>
>>- User portal user may not be able to recover his username.
>>- The User needs to contact the admin of the system to recover his
>>username.
>>
>> The admin enables the username recovery in the identity.yaml file for
>> the users in the domain.  Since we have different user stores available in
>> IS 6.0.0,
>>   *Does the admin need to enable username recovery in user store
>> wise or Does he need to configure it for the whole domain at once?*
>>
>>
> We need to have a global configuration identity.yaml file for all the
> domains. It is better to have domain/roles/group wise configuration for all
> the identity management scenarios like account lock, password policy,
> password recovery, idle account suspension, force password reset, user
> onboarding with ask password.
>
>
> Thanks
> Isura.
>
>>
>> Please provide us your comments on this point.
>>
>> Thanks,
>>
>> Dina.
>> --
>> *Dinali Rosemin Dabarera*
>> Software Engineer
>> WSO2 Lanka (pvt) Ltd.
>> Web: http://wso2.com/
>> Email : gdrdabar...@gmail.com
>> LinkedIn <https://lk.linkedin.com/in/dinalidabarera>
>> Mobile: +94770198933
>>
>> ___
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
> ___
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>

Thanks,
-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
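The CAPTCHA guard Pushpalanka suggests, together with the 'multiple users match' case Isura raises, as an added Python example; it is not Identity Server code and not from anyone in this thread. The user base, the CAPTCHA check and the attempt budget are constructed stand-ins; the point is the control flow: claim matching, the ambiguous-match branch, and a per-client sliding-window budget after which a request is refused unless it carries a valid CAPTCHA token.

```python
import time
from collections import defaultdict

# Constructed user base: each entry holds the user's default-profile claims.
USERS = [
    {"username": "ada", "email": "ada@example.org", "first_name": "Ada", "last_name": "Lovelace"},
    {"username": "alan", "email": "alan@example.org", "first_name": "Alan", "last_name": "Turing"},
    {"username": "alan.t", "email": "alan.t@example.org", "first_name": "Alan", "last_name": "Turing"},
]


def captcha_is_valid(token) -> bool:
    """Stand-in for a real CAPTCHA verification call (constructed)."""
    return token == "captcha-ok"


def mask_email(address: str) -> str:
    """Show only enough of the address for the user to recognise it."""
    local, _, domain = address.partition("@")
    return f"{local[:1]}***@{domain}"


class UsernameRecovery:
    """Username recovery with a brute-force guard.

    Every attempt from a client is counted over a sliding window; once the
    free attempts are used up, the request is refused until it carries a
    valid CAPTCHA token, which makes guessing profile details expensive.
    """

    def __init__(self, enabled=True, free_attempts=3, window_seconds=600):
        self.enabled = enabled
        self.free_attempts = free_attempts
        self.window = window_seconds
        self._attempts = defaultdict(list)  # client id -> attempt timestamps

    def _count_attempt(self, client: str, now: float) -> int:
        recent = [t for t in self._attempts[client] if now - t < self.window]
        recent.append(now)
        self._attempts[client] = recent
        return len(recent)

    def recover(self, client: str, criteria: dict, captcha_token=None, now=None) -> dict:
        """criteria maps a profile claim name to the value the user typed in."""
        if not self.enabled:
            return {"status": "disabled"}  # the user has to contact the admin
        now = time.monotonic() if now is None else now
        if self._count_attempt(client, now) > self.free_attempts and not captcha_is_valid(captcha_token):
            return {"status": "captcha_required"}
        if not criteria:
            return {"status": "not_found"}
        matches = [u for u in USERS if all(u.get(k) == v for k, v in criteria.items())]
        if not matches:
            return {"status": "not_found"}
        if len(matches) > 1:
            # Several users match: ask for more details rather than list them.
            return {"status": "ambiguous"}
        # The username itself goes to the registered e-mail, never into the response.
        return {"status": "sent", "to": mask_email(matches[0]["email"])}


if __name__ == "__main__":
    svc = UsernameRecovery()
    print(svc.recover("client-1", {"first_name": "Alan", "last_name": "Turing"}))
    print(svc.recover("client-1", {"email": "alan@example.org"}))
```

The fourth attempt from the same client inside the window comes back as `captcha_required` until a valid token accompanies it; the budget is per client so one guesser cannot lock out everyone else, and the response never carries the recovered username.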


Re: [Architecture] Grouping Identity server configurations.

2016-11-15 Thread Pushpalanka Jayawardhana
Hi All,

As I could deduce from the discussion so far, we are looking for 2 main
purposes to be achieved with security circles.

   1. Bulk configuration of service providers
   2. Limiting the session sharing between service providers

*Bulk configuration of service providers*
This will be beneficial in cases where,

   - many service providers are present in the environment while all have
   similar configurations to be applied
   - service provider configurations are being updated and need the same
   modification.

Value addition will be less in the below cases,

   - service provider configuration is not a frequent operation
   - most use cases have ~10 service providers
   - service providers do not share similar configurations

If we are moving forward with file based configuration of service
providers, bulk configuration/update means a file modification applied to
several files.

We can loosen the requirement for service providers to have the same
configuration, by letting service providers override it as IsharaK
mentioned. Another option is to treat claim config, provisioning config and
authentication flow as different small circles. Depending on the
configuration patterns, we may create new bigger circles using these small
circles. With this granularity, re-usability of one set of configuration
will be high, but only beneficial if there is a big number of service
providers. In this sense an IDP can also be treated within a circle.

*Limiting the session sharing between service providers*
Assume a service provider is not allowed to be present in two security
circles, as that would violate the session sharing limitation for the rest of
the service providers in the related circles.
Let's take 3 service providers A, B and C.

   - B needs to share the session with A
   - C needs to share the session with A
   - But B and C should not share the session. (not transitive)

As I understood so far, this is not possible with security circles.



Thanks,
Pushpalanka

On Mon, Nov 7, 2016 at 10:59 AM, Dimuthu Leelarathne <dimut...@wso2.com>
wrote:

>
>
> On Sun, Oct 16, 2016 at 11:37 AM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi All,
>>
>> With the current IS implementation we have individual SP configurations
>> and we associate authentication chains, claim, provisioning configurations
>> etc.. to that service provider configuration.
>> As an improvement to this we can group these configurations, let's say a
>> security circle.
>>
>> For a security circle [SC].
>> We can configure set of service providers within a SC.
>> Associate Userstores to that SC
>> Define Authentication chain, Provision config etc..
>> Configure Administration policies Ex: only users in wso2admin can manage
>> the wso2 security circle.
>>
>
> According to new security model, I hope we can associate admins for SCs to
> achieve the exact Enterprise usecase defined in "[C5 IS] Multi-tenancy in
> C5 based IS".
>
> thanks,
> Dimuthu
>
>
>> Group authorization policies belonging to this circle.
>> Once we configure those, it will be applicable to all service providers
>> and can be overridden with SP level configurations.
>> We can have different login sessions for each circle.
>>
>> How can we use this?
>> Achieve the Enterprise SaaS application use case discussed in [1]
>> No need to configure the same configurations at each SP level; they can inherit
>> from SC configurations.
>> Since we are going with container based multi-tenancy in C5, if a user
>> does not like that, it can be handled with this security circle.
>>
>> Thanks,
>> Ishara
>> [1] "[C5 IS] Multi-tenancy in C5 based IS"
>>
>> --
>> Ishara Karunarathna
>> Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>
>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>> +94717996791
>>
>>
>>
>> ___
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
> Dimuthu Leelarathne
> Director, Solutions Architecture
>
> WSO2, Inc. (http://wso2.com)
> email: dimut...@wso2.com
> Mobile: +94773661935
> Blog: http://muthulee.blogspot.com
>
> Lean . Enterprise . Middleware
>
>
>


-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka


Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-03 Thread Pushpalanka Jayawardhana
Hi All,

On Fri, Jun 3, 2016 at 5:46 PM, Prabath Siriwardana <prab...@wso2.com>
wrote:

>
>
> On Thu, Jun 2, 2016 at 10:30 PM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>> I am working on implementing regeneration of client secret/key of an
>> oauth app and revocation of an oauth app for the next milestone release of
>> Identity Server. Appreciate your feedback on the following approaches I
>> have taken.
>>
>> A trusted client would need to update the client secret/key, in order to
>> prevent the abuse of revealed client secret/key. So for addressing that, I
>> am working on adding two options as *Regenerate Client Secret *and 
>> *Regenerate
>> Consumer Key* for oauth applications in IS. After a client secret/key
>> get regenerated, that will immediately invalidate any active authorization
>> code, access token or refresh token, issued to the respective client.
>>
>> *Will it be necessary to add two options for revoking client secret and
>> key or better to go for a different approach?*
>>
>
> I guess (as discussed in this thread already) - having the ability to
> change the consumer secret would be enough. Changing the consumer key is
> a bit challenging too - we would have all the analytics data against the
> consumer key.
>
On a side note which is not directly relevant to consumer key revocation, I
have seen occasions where customers wanted to decide the consumer key
themselves rather than having it generated.

Use case:
E.g. when they already have plenty of applications (maybe mobile apps)
which have an embedded consumer key and/or secret, and then, moving from the
current authorization server to WSO2 Identity Server, they need to update the
consumer credentials in all these applications to use the WSO2 generated ones,
which they are reluctant to do.
While we may be able to support the above use case via an extension point,
wouldn't it be good to have a highly secured API to do it?
Analytics we may have to handle using an old-to-new consumer key mapping.


>
> Also - consumer key is not something - someone would remember and use - so
> I don't think it's the same as the username - so I don't see any need to change
>

>
>>
>>
>>
>> And apart from that planning for the implementation of *Revoking an
>> oauth app*. In there the oauth app will be revoked and that also will
>> immediately invalidate any active authorization code, access token or
>> refresh token, issued to the respective client. In order to activate the
>> oauth app again, need to regenerate the client secret.
>>
>>
>> *In there to activate the app, better to regenerate "both client key and
>> secret" or "either client key or secret"?*
>>
>
> Revoking an app means - mostly the revoking of its consumer secret (the
> previous scenario).
>
> Another couple of use cases we can address with this:
>
> 1. Blocking an app temporarily - deactivate the app - and then activate it
> after some time - nothing to do with the consumer secret revocation.
>
> 2. Ability to revoke an access token (s) issued on behalf of a user for a
> particular app.
>
> 3. Ability to revoke all the access tokens issued on behalf of a user
> across all the apps.
>
> Thanks & regards,
> -Prabath
>
>
>>
>>
>> Really value your ideas/suggestions on improving this feature.
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Emailindu...@wso2.com
>>
>>
>>
>>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://facilelogin.com
>
>
>

Thanks,
-- 
Pushpalanka.


[Architecture] WSO2 Identity Server 5.2.0 Beta Released

2016-04-14 Thread Pushpalanka Jayawardhana
ustom
   Response Type Validator class is not read under SupportedGrantTypes in
   Identity.xml
   - IDENTITY-4381 <https://wso2.org/jira/browse/IDENTITY-4381>
   NullPointerException could happen in e.getCause().getCause()
   - IDENTITY-4377 <https://wso2.org/jira/browse/IDENTITY-4377> Session
   Hijacking vulnerability at Identity Server's PassiveSTS endpoint
   - IDENTITY-4371 <https://wso2.org/jira/browse/IDENTITY-4371>
   InfoRecoverySample build breaks
   - IDENTITY-4361 <https://wso2.org/jira/browse/IDENTITY-4361> Error when
   adding default bps profile when database is DB2
   - IDENTITY-4333 <https://wso2.org/jira/browse/IDENTITY-4333> validating
   the Refresh Token with database Oracle
   - IDENTITY-4314 <https://wso2.org/jira/browse/IDENTITY-4314>
   IDENTITY-3729 Features for nested.category must use "perfect" match
   - IDENTITY-4305 <https://wso2.org/jira/browse/IDENTITY-4305> Provide a
   target date to share the finalized 2016 IS roadmap
   - IDENTITY-4255 <https://wso2.org/jira/browse/IDENTITY-4255>
   IDENTITY-3729 Define importFeatureDef with version match rule in
   carbon-identity
   - IDENTITY-3948 <https://wso2.org/jira/browse/IDENTITY-3948> Required
   validations are not done for Callback URL for Oauth as Service Provider
   - IDENTITY-3894 <https://wso2.org/jira/browse/IDENTITY-3894> [Request
   Path Authentication] User credential prompted even after sending right
   access token
   - IDENTITY-3730 <https://wso2.org/jira/browse/IDENTITY-3730>
   IDENTITY-3729 POMs of "wso2-rampart", "wso2-wss4j", "balana" and "charon"
   need to be reviewed and fixed for WSO2 best practices
   - IDENTITY-3648 <https://wso2.org/jira/browse/IDENTITY-3648> Update
   OpenSAML version to 2.6.4.


Improvements


   - IDENTITY-4497 <https://wso2.org/jira/browse/IDENTITY-4497> Add PKCE
   Support Detection
   - IDENTITY-4459 <https://wso2.org/jira/browse/IDENTITY-4459> Add the
   session data persistence pool size to the identity.xml
   - IDENTITY-4442 <https://wso2.org/jira/browse/IDENTITY-4442> Users can
   disable their own accounts via the MC and Dashboard


New Features


   - IDENTITY-4453 <https://wso2.org/jira/browse/IDENTITY-4453> - Add PKCE
   Support for OAuth 2.0 Authorization Code Grant Type
   - IDENTITY-4096 <https://wso2.org/jira/browse/IDENTITY-4096> - SAML 2.0
   token support for WS-Federation (Passive)


Patches


   - IDENTITY-4449 <https://wso2.org/jira/browse/IDENTITY-4449> Data
   persistence is not working properly for AuthorizationGrantCache
   - IDENTITY-4443 <https://wso2.org/jira/browse/IDENTITY-4443> Identity
   server Tenant management servlet failure
   - IDENTITY-4440 <https://wso2.org/jira/browse/IDENTITY-4440> SCIM bulk
   update error masked by null pointer exception
   - IDENTITY-4398 <https://wso2.org/jira/browse/IDENTITY-4398> Authorization
   code can be sent in to get access token multiple times
   - IDENTITY-4395 <https://wso2.org/jira/browse/IDENTITY-4395> Identity
   Server URL must be configured inside EndpointConfig.properties
   - IDENTITY-4393 <https://wso2.org/jira/browse/IDENTITY-4393> Openid
   connect is failing when using implicit grant with custom claims.
   - IDENTITY-4386 <https://wso2.org/jira/browse/IDENTITY-4386> When role
   list have more than a single page, user can't select roles from 2 pages.
   - IDENTITY-4319 <https://wso2.org/jira/browse/IDENTITY-4319> Database
   read inside sync block in SecurityDeploymentInterceptor

Thanks,
-- 
Pushpalanka.


Re: [Architecture] Decoupling client_id/client_secret based OAuth 2.0 client authentication from the token endpoint

2016-02-22 Thread Pushpalanka Jayawardhana
+1.

The SCIM endpoint supports Basic Auth and OAuth for security through a handler
interface defined specifically for SCIM [1].
When implementing the DCR (Dynamic Client Registration) specification this same
need occurred. If the security handlers defined inside SCIM (which serve
a generic purpose) can be placed in a separate, more generic package,
they can be reused in occasions like this.

[1] -
https://github.com/wso2/carbon-identity/tree/master/components/scim/org.wso2.carbon.identity.scim.provider/src/main/java/org/wso2/carbon/identity/scim/provider/auth


Thanks,
Pushpalanka.


On Mon, Feb 22, 2016 at 1:42 PM, Johann Nallathamby <joh...@wso2.com> wrote:

> +1.
>
> Also this set of authenticators should be used to secure any REST
> endpoint that we expose, not only OAuth2. WDYT? E.g. in the SCIM endpoint the
> authentication is baked into the SCIM code, although it has a concept of
> handlers. I think all these RESTful authentication mechanisms must unify
> and come under a single framework.
>
>
> On Mon, Feb 22, 2016 at 11:24 AM, Prabath Siriwardana <prab...@wso2.com>
> wrote:
>
>> At the moment we are coupled into HTTP basic authentication
>> with client_id/client_secret , which is not right..
>>
>> Can we decouple this from the token endpoint..? And we should be able to
>> develop these authenticators as independent connectors..
>>
>> WDYT...?
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>
>> Mobile : +1 650 625 7950
>>
>> http://blog.facilelogin.com
>> http://blog.api-security.org
>>
>
>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>
>
>


[Architecture] An API to get the count of users

2016-02-09 Thread Pushpalanka Jayawardhana
Hi All,

We are in the process of addressing following requirements related to
getting the user count of user store.

*Requirement*
Mainly (in priority order),

   1. *Get the count of users in a userstore domain*
   2. Get the count of users within a tenant space
   3. Get the count of users having a specific claim value (count the
   results matching a specific claim value. eg: Number of users been locked,
   Number of users from a specific country)


Additionally, the following functionality would be good to have:

   1. Get the count of users across tenants


*Approaches*

   1. Keep a separate database table to track the user count. Incrementally
      update it each time a new user is added.
      - When plugging in an existing user store, the table needs to be
        populated once initially with the existing users.
      - PR at [1] creates a table 'IDN_UID_USER' to same user when the user
        name is renamed. It will be possible to use that table for this same
        requirement.
      - This approach does *NOT* address the 3rd requirement.
   2. Execute a count query at user store manager level (this will be an
      API addition to carbon kernel user core)
      - This will cater for all the main requirements
      - The LDAP protocol does not specifically mention an API for count
        - Different implementations have different approaches to achieve this.
          - OpenDS, Sun Directory Server -
            https://blogs.oracle.com/Ludo/entry/ldap_tip_counting_the_number
          - OpenLDAP -
            http://www.openldap.org/its/index.cgi/Archive.Incoming?id=4161
        - Implementing this in LDAP seems to be comparatively harder than
          JDBC, having to manually go through the trees.
        - With user stores having millions of users, the operation will be
          very time consuming. (UI might be less responsive if the API is
          used via the mgt console)

Appreciate your thoughts, inputs regarding this.
@Kernel team : Appreciate your feedback on feasible timelines for
releasing this new API integrated with user.core, if required to do so.

[1] - Rename user https://github.com/wso2/carbon-identity/pull/437
<https://github.com/wso2/carbon-identity/pull/437>
[2] - LDAP Protocol - https://tools.ietf.org/html/rfc4511


Thanks,
Pushpalanka.


Re: [Architecture] An API to get the count of users

2016-02-09 Thread Pushpalanka Jayawardhana


On Tue, Feb 9, 2016 at 4:42 PM, Selvaratnam Uthaiyashankar <shan...@wso2.com
> wrote:

> Why do we need to know the count? What are the user stories?

The requirement has been raised when users are migrated from one user store
to another, to check how many users have been migrated. While this
information can be generated by the administrator by running a direct query
on user store, an API is good to have for others to retrieve this
information.

One other user story I could think of is, combined with disabled user
accounts, to know the active user base of an enterprise.

>
>  Also, this is for C4 based products? If so, IMO, this feature is not
> something urgent to add to C4.
>
 This is committed for IS 5.2.0.

>
>
> On Tuesday, February 9, 2016, Pushpalanka Jayawardhana <la...@wso2.com>
> wrote:
>
> --
> S.Uthaiyashankar
> VP Engineering
> WSO2 Inc.
> http://wso2.com/ - "lean . enterprise . middleware"
>
> Phone: +94 714897591
>
>
>
>


Re: [Architecture] [IS] [Secondary User Store] Securing passwords in secondary userstore configurations

2014-11-02 Thread Pushpalanka Jayawardhana


On Sun, Nov 2, 2014 at 10:55 PM, Firzhan Naqash firz...@wso2.com wrote:

 Hi All,

 1.  Yes, we are to only encrypt the property value.
 Adding more information, as I know the plan is to define something like
 below in the file to be encrypted.
  <Property name="ConnectionPassword" *encrypted="true"*>admin</Property>
 After encrypting the value it will be saved back as,


 When we are encrypting from GUI, we use the fields mentioned to be
 encrypted in Property objects. Therefore in order to maintain the
 consistency, we can use those fields rather than explicitly defining
 property called true.

That's clean and simple. So now the developer of the user store manager
controls which properties should be encrypted rather than the admin. I
think it's fine as most of the time it's the password only.




 WDYT?

 Regards,
 Firzhan

 On Wed, Oct 29, 2014 at 10:46 AM, Pushpalanka Jayawardhana la...@wso2.com
  wrote:

 Hi,


 On Wed, Oct 29, 2014 at 1:02 AM, Udara Liyanage ud...@wso2.com wrote:

 Hi,

 Isn't it better to encrypt fields of the file rather than the whole file
 like we do in secure vault. Please correct me if I am wrong since I am not
 well aware of the exact use case

 1.  Yes, we are to only encrypt the property value.
 Adding more information, as I know the plan is to define something like
 below in the file to be encrypted.
  <Property name="ConnectionPassword" *encrypted="false"*>admin</Property>
 After encrypting the value it will be saved back as,
  <Property name="ConnectionPassword" *encrypted="true"*>Wxy635hxahftafafetk8dsnnHkw</Property>

 It would be great if there is a better way to imply which properties
 should be encrypted and after encrypting, to imply that the value is
 encrypted.

 2.   An indication in the file name is added to imply whether it
 carries property values to be encrypted. Otherwise all the properties
 should be scanned blindly and checked for the encryption which seemed a
 waste. There is a trade-off between this cost of scanning and another
 convention added to the file name.

 I prefer prefix rather than appending since appending enc does not help
 someone to figure it out as a secured file at first glance.

 In OSes like Linux file extension does not matter much. Is it possible
 for someone to have a file name like 'sec-con' (without any extension)

 Touched, not typed. Erroneous words are a feature, not a typo.

 Thanks,
 Pushpalanka.





Re: [Architecture] [IS] [Secondary User Store] Securing passwords in secondary userstore configurations

2014-10-28 Thread Pushpalanka Jayawardhana
Hi,


On Wed, Oct 29, 2014 at 1:02 AM, Udara Liyanage ud...@wso2.com wrote:

 Hi,

 Isn't it better to encrypt fields of the file rather than the whole file
 like we do in secure vault. Please correct me if I am wrong since I am not
 well aware of the exact use case

1.  Yes, we are to only encrypt the property value.
Adding more information, as I know the plan is to define something like
below in the file to be encrypted.
 <Property name="ConnectionPassword" *encrypted="false"*>admin</Property>
After encrypting the value it will be saved back as,
 <Property name="ConnectionPassword" *encrypted="true"*>Wxy635hxahftafafetk8dsnnHkw</Property>

It would be great if there is a better way to imply which properties should
be encrypted and after encrypting, to imply that the value is encrypted.

2.   An indication in the file name is added to imply whether it
carries property values to be encrypted. Otherwise all the properties
should be scanned blindly and checked for the encryption which seemed a
waste. There is a trade-off between this cost of scanning and another
convention added to the file name.

 I prefer prefix rather than appending since appending enc does not help
 someone to figure it out as a secured file at first glance.

 In OSes like Linux file extension does not matter much. Is it possible for
 someone to have a file name like 'sec-con' (without any extension)

 Touched, not typed. Erroneous words are a feature, not a typo.

Thanks,
Pushpalanka.
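As an added example (not code from WSO2 or from this thread), the property-level scheme proposed in this message combined with Firzhan's refinement above, where the user store manager declares which properties are secret: declared or explicitly tagged secret values are encrypted and written back with encrypted="true", values already marked encrypted are skipped on a re-scan, and loading decrypts only marked values. The config values, the key and the HMAC-based cipher are constructed stand-ins for the keystore-backed secure vault.

```python
# Added example, not WSO2 code: encrypt the secret properties of a secondary
# user store configuration and write them back with encrypted="true", as the
# thread proposes, then read them back. The cipher is a standard-library
# stand-in (HMAC-SHA256 keystream, encrypt-then-MAC); Carbon's secure vault
# would encrypt with the server keystore instead.
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Constructed sample of a secondary user store config (hypothetical values).
SAMPLE_CONFIG = """<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
  <Property name="ConnectionURL">ldap://localhost:10389</Property>
  <Property name="ConnectionName">uid=admin,ou=system</Property>
  <Property name="ConnectionPassword" encrypted="false">admin</Property>
</UserStoreManager>
"""

# Firzhan's refinement: the user store manager, not the admin, declares which
# properties are secret. An explicit encrypted="false" tag is honoured too.
SECRET_PROPERTIES = {"ConnectionPassword"}

# Constructed demo key; a deployment would take this from the keystore.
DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_value(key: bytes, plaintext: str) -> str:
    """Fresh nonce per value, XOR with keystream, then MAC over nonce||ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    pt = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode("ascii")


def decrypt_value(key: bytes, encoded: str) -> str:
    """Verify the tag before touching the ciphertext; reject wrong key or tampering."""
    blob = base64.b64decode(encoded)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered with or wrong key")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return pt.decode("utf-8")


def secure_config(xml_text: str, key: bytes) -> str:
    """Encrypt secret properties in place and mark them encrypted="true"."""
    root = ET.fromstring(xml_text)
    for prop in root.iter("Property"):
        is_secret = prop.get("name") in SECRET_PROPERTIES or prop.get("encrypted") == "false"
        if not is_secret or prop.get("encrypted") == "true":
            continue  # not a secret, or already encrypted: never encrypt twice
        prop.text = encrypt_value(key, prop.text or "")
        prop.set("encrypted", "true")
    return ET.tostring(root, encoding="unicode")


def load_properties(xml_text: str, key: bytes) -> dict:
    """Read a config back, decrypting only the values marked encrypted="true"."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("Property"):
        value = prop.text or ""
        if prop.get("encrypted") == "true":
            value = decrypt_value(key, value)
        props[prop.get("name")] = value
    return props


if __name__ == "__main__":
    secured = secure_config(SAMPLE_CONFIG, DEMO_KEY)
    print(secured)
    print(load_properties(secured, DEMO_KEY))
```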


Re: [Architecture] Role Based Access Control (RBAC) for RDBMS based environment provisioning

2014-08-18 Thread Pushpalanka Jayawardhana



On Mon, Aug 18, 2014 at 10:40 PM, Dhanuka Ranasinghe dhan...@wso2.com
wrote:



 *Dhanuka Ranasinghe*

 Senior Software Engineer
 WSO2 Inc. ; http://wso2.com
 lean . enterprise . middleware

 phone : +94 715381915


 On Sat, Aug 16, 2014 at 4:32 AM, Manfred Herrmann 
 herrmann.manf...@googlemail.com wrote:

 +1 ... for providing this capability

 my comments inline:


 2014-08-15 8:15 GMT+02:00 Sumedha Rubasinghe sume...@wso2.com:

 +1 for providing the capability.

 Are we going to define permissions per environment or are there going to
 be static set of environments?
 There is a similar mail for Cassandra in [Architecture] Supporting
 multiple environments for Cassandra.


 This mail should be answered http://markmail.org/message/4bnghbxw6egknfrn
 ...
  A consistent usecase/architecture regarding environments is preferred.

  Currently we only support a static set of environments, but with SS 1.5.0 we
 are going to support user-defined environments and instances.


 IMO permissions you have mentioned are too high level for this.  It's
 more practical to associate permissions with a specific database.  So
 having only 'Read' permission (for example) would not allow this.

 Sorry about the high level description. Yes, permission is associated with
 databases. For example permission = database (db1) + Action (create), but
 again a database is located in an instance and that instance is located in an
 Environment. We thought to first go ahead with a simple solution and then we
 can improve it iteratively.

 Then if you consider a particular database, real deployment scenarios
 would want to control who can perform CRUD on that database.

 This is already supported in existing SS. It is controlled when provisioning a
 database to a particular user with a privilege template.

  So I feel XACML type of an approach is far more practical and
 extensible here.

 +1 for considering XACML as an option. This will allow us to make the
permission model more fine grained. In addition to restricting depending on
the user role, we can consider other attributes like 'within which time
period a user is allowed to access the environment' etc. as well with this
approach. The extensibility will come with the cost of some added
complexity though.


 Is this environment-architecture only for access rss meta-data (like
 users/user-rights/templates...)?

 Yes, partly correct, this solution only applies when users are working with SS,
 and does not apply when users access external databases through the JDBC
 driver.

 Or is it for all DB-data like access-rights (CRUD...) on/in a specific
 RSS provisioned DB?



 On Tue, Aug 12, 2014 at 11:06 AM, Dhanuka Ranasinghe dhan...@wso2.com
 wrote:

 Since SS 1.1.0 we do support the concept of environments. There can be
 multiple database server instances in a single environment. So according to
 the above use case, there can be multiple database server instances (RD and
 maintenance) for the Development environment. At the moment any user can
 access any environment configured in SS, but we need to control who and
 how they are going to access these environments. That is the whole purpose of RBAC.

 So far we have identified four permissions.

 1. Access (Read)
 2. Create
 3. Modify
 4. Delete

 These permissions should be assigned to user Roles against
 environments. By doing that we can check whether a particular user has
 permission to access the environment.

 Cheers,
 Dhanuka






 --
 /sumedha
 m: +94 773017743
 b :  bit.ly/sumedha











Re: [Architecture] Are we missing a common EmailSenderService

2014-01-20 Thread Pushpalanka Jayawardhana
Hi,

+1.
I also recently had a look at this component to find possibilities to send
HTML formatted emails.

If we can have a separate email sending service it would be better if we
add this support as well.
This was easily achievable with the Apache Commons Email library
(http://commons.apache.org/proper/commons-email/userguide.html),
keeping the freedom to send an alternate plain/text part as well.

Thanks,

Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd
Mobile: +94779716248


On Tue, Jan 21, 2014 at 1:07 PM, Ashansa Perera asha...@wso2.com wrote:

 Do we have a *service* which can be used to send the emails?
 I found an email sender component under components/stratos. But still it
 is specific to stratos.
 Wouldn't it be useful to have a common email sending service where you can
 give the configuration file as a parameter?

 We in AppFactory wanted a similar service and we have created one [1].
 But as I feel, a common email sending service would be useful platform wide.
 WDYT?

 [1]
 https://svn.wso2.org/repos/wso2/scratch/appfactorycc/components/appfac/org.wso2.carbon.appfactory.utilities/1.1.0/src/main/java/org/wso2/carbon/appfactory/utilities/services/EmailSenderService.java
 --
 Thanks  Regards,

 Ashansa Perera
 Software Engineer
 WSO2, Inc







Re: [Architecture] [Identity Server] Applications

2013-11-10 Thread Pushpalanka Jayawardhana
Hi,



On Mon, Nov 11, 2013 at 12:43 PM, Venura Kahawala ven...@wso2.com wrote:

 Hi Johann,


 On Mon, Nov 11, 2013 at 12:15 PM, Johann Nallathamby joh...@wso2.com wrote:

 Hi Venura,


 On Mon, Nov 11, 2013 at 10:46 AM, Venura Kahawala ven...@wso2.com wrote:

 Hi,

 Is this a continuation of what we discussed during the custom
 permissions feature code review?

 Please see the comments inline...


 On Mon, Nov 11, 2013 at 9:58 AM, Prabath Siriwardena prab...@wso2.com wrote:

 Hi Johann,

 Please find comment inline...

 On Mon, Nov 11, 2013 at 9:35 AM, Johann Nallathamby joh...@wso2.com wrote:

 Hi Prabath,

 +1 for the concept. Some concerns and thoughts inline.. bear with me
 for my lengthy verbose arguments.. [?]


 On Mon, Nov 11, 2013 at 3:12 AM, Prabath Siriwardena prab...@wso2.com wrote:

 1. What is an Application under the context of Identity Server ?

 Its a consumer of identity attributes, roles (and groups),
 authentication methods/ policies and authorization policies. In practice,
 this could be a web application,mobile application - or even a desktop
 application.

 *- Identity attributes*

 A given user can be allowed to maintain his own set of attributes
 against different registered Applications. (multiple profiles)


 This should be a separate thread of discussion, but just so that we
 are on the same page here, for this we need to have the multiple profiles
 working with all types of user stores. Currently it works with only JDBC. As I
 understand there are problems with representing multiple values for
 attributes in a standard manner in all kinds of LDAPs. Am I right? I guess
 we need to figure out a way of supporting this.


 Yes. The underlying user store should support this. We can support by
 default for both LDAP and JDBC.





 *- Permission / Roles*

 A given Application can maintain its own set of permissions with the
 Identity Server. That is, a given application can maintain its own set of
 resources and actions. For IS - Carbon is just another application - and
 its permissions / roles will be maintained as it is today.


 Applications can create their own permissions of course, but do we
 allow them to define their own roles as well, or do they select roles from
 existing roles of the tenant and assign permissions to them?


 Yes. Applications should be allowed to define their own roles, outside
 the permission model of Carbon.


  +1 for this. This has to be done since if roles are not restricted to
 applications, an unintended user might get access to an application.


 My notion is that:

 An application (developer) can restrict access to his/her application
 based on
 - user stores
 - trusted IdPs
 - roles
 - users (if this is possible then unwanted users cannot get access to the
 application)


 I'm not clear on this approach. What you are telling here is, if I
 (developer) select a role for my application, then no other application
 developer should be able to get the same for their applications? If we do
 that we can avoid changes to the current UI. But we need to identify a
 method to avoid concurrent modification to the same role. Maybe this is a
 rare case, but possible. What is the chance of you and me (both application
 developers) assigning the same role to different applications?

With what I have understood, I guess this can be solved if we prefix each
role that is related to an application with the appID or something that
is unique to that application. We can initiate these roles from existing
roles, but after it is related to an application, it will have an
independent existence. In AF, they are using this prefixing to keep roles
within an application.

 Allowing the creation of roles in this app-mgt UI would duplicate
 role-mgt functionality and managing roles should be an independent concern.


 We do not need to have separate UIs. We have to reuse currently used
 user management UI. Carbon is once again just another application.


 Here we can add another parameter to role management UI specifying the
 application.


 If we agree with what I have mentioned above we don't need any change in
 this UI. We only need to list existing userstores, trusted IdPs, roles and
 user in the new App-Mgt UI and the application developer will choose from
 that list.

 To reiterate, managing roles should be a separate concern which won't
 change from what we have now. Whether

[Architecture] Issue at tenant user login in cluster mode - Multiple user stores active

2013-09-26 Thread Pushpalanka Jayawardhana
Hi,

This is with regard to the issue [1], which is a known issue in IS 4.5.0.

Issue reproduced with the following steps:
1. Set up a cluster with two IS nodes (Depsync enabled).
2. Create a tenant (wso2.com).
3. Wait till the tenant is unloaded in the worker node.
4. Add a secondary user store in the master node.
5. Add a user (user1) to the secondary user store in the master node.
6. Try to log in from the master node: it allows.
7. Try to log in as this user (us...@wso2.com) in the worker node: it fails.
8. Log in as tenant admin and then try to log in as the user: it allows.


So as the tenant is unloaded in the worker node, it does not check out the
added user store configuration from the SVN repo, hence users in that user
store cannot log in at the worker node.

The following log can be seen in the worker node:
{org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} -  Received
[SynchronizeRepositoryRequest{tenantId=3, tenantDomain='win.com',
messageId=203837d4-576b-4929-a0a1-e5efccf15b01}
 INFO {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} -
Tenant is not loaded.

Is there a possibility to load the tenant on receipt of this cluster message
(if we can check whether it is to sync user stores, to avoid loading the tenant
at each receipt of a cluster message), so that user stores will be checked
out at a fair cost?

Great to know any better ways to handle this and to know your ideas.


[1] - https://wso2.org/jira/browse/IDENTITY-1824

Thanks,

Pushpalanka Jayawardhana


Re: [Architecture] Issue at tenant user login in cluster mode - Multiple user stores active

2013-09-26 Thread Pushpalanka Jayawardhana
Thanks,

Pushpalanka Jayawardhana


On Thu, Sep 26, 2013 at 5:26 PM, Prabath Siriwardena prab...@wso2.com wrote:

 +1 for that.. Only downside - tenant is loaded not on demand..

 Another approach is..

 Currently the tenant is loaded by looking at the URL.. say for example -
 if the url says - /t/wso2.com - this will make wso2.com to be loaded if
 it is not loaded already.

 The issue with authentication is - we do not know the tenant of the user
 from the URL.

 But the client (say the UI which accepts user credentials) knows the tenant of
 the user - by the user name (but the backend cannot derive it - as the user
 name comes in different places in different scenarios)..

 So - what the client can do is - in authentication calls - we send the tenant
 domain of the user in an HTTP header - say tenat_domain.

 Now - the interceptor will look into the URL (in most of the cases) and if
 no tenant info is there, will look into the tenat_domain HTTP header and
 load the corresponding tenant..


Thanks a lot for the ideas..
Won't it be late to load the tenant at this moment? As the changes need to
be checked out from the repo for authentication to be successful, are we
to hold the decision using some mechanism till the checkout completes?


 Thanks & regards,
 -Prabath


 On Thu, Sep 26, 2013 at 5:10 PM, Afkham Azeez az...@wso2.com wrote:

 Hmm... very interesting problem :)

 What we could do is this...

 We can implement a LoadTenant Cluster message. When that is received, all
 nodes would load the tenants. We can get depsync to follow. That way, every
 node will properly load the new user stores. IS can send this message.

 Azeez


 On Thu, Sep 26, 2013 at 4:56 PM, Pushpalanka Jayawardhana la...@wso2.com wrote:

 Hi,

 This is with regard to the issue [1], which is a known issue in IS 4.5.0.

 Issue reproduced with the following steps:
 1. Set up a cluster with two IS nodes (Depsync enabled).
 2. Create a tenant (wso2.com).
 3. Wait till the tenant is unloaded in the worker node.
 4. Add a secondary user store in the master node.
 5. Add a user (user1) to the secondary user store in the master node.
 6. Try to log in from the master node: it allows.
 7. Try to log in as this user (us...@wso2.com) in the worker node: it fails.
 8. Log in as tenant admin and then try to log in as the user: it allows.


 So as the tenant is unloaded in the worker node, it does not check out
 the added user store configuration from the SVN repo, hence users in that
 user store cannot log in at the worker node.

 The following log can be seen in the worker node:
 {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} -
 Received [SynchronizeRepositoryRequest{tenantId=3, tenantDomain='win.com',
 messageId=203837d4-576b-4929-a0a1-e5efccf15b01}
  INFO {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} -
 Tenant is not loaded.

 Is there a possibility to load the tenant on receipt of this cluster
 message (if we can check whether it is to sync user stores, to avoid loading
 the tenant at each receipt of a cluster message), so that user stores will be
 checked out at a fair cost?

 Great to know any better ways to handle this and to know your ideas.


 [1] - https://wso2.org/jira/browse/IDENTITY-1824

 Thanks,

 Pushpalanka Jayawardhana




 --
 Afkham Azeez
 Director of Architecture; WSO2, Inc.; http://wso2.com
 Member; Apache Software Foundation; http://www.apache.org/
 email: az...@wso2.com  cell: +94 77 3320919
 blog: http://blog.afkham.org
 twitter: http://twitter.com/afkham_azeez
 linked-in: http://lk.linkedin.com/in/afkhamazeez
 Lean . Enterprise . Middleware




 --
 Thanks & Regards,
 Prabath

 Mobile : +94 71 809 6732

 http://blog.facilelogin.com
 http://RampartFAQ.com

Re: [Architecture] Issue at tenant user login in cluster mode - Multiple user stores active

2013-09-26 Thread Pushpalanka Jayawardhana
Thanks,

Pushpalanka Jayawardhana


On Thu, Sep 26, 2013 at 10:08 PM, Prabath Siriwardena prab...@wso2.com wrote:




 Won't it be late to load the tenant at this moment? As the changes need
 to be checked out from the repo for authentication to be successful, are
 we to hold the decision using some mechanism till the checkout completes?



 This is the same behavior you see when you login to management console
 now. User authenticated and redirected to its tenant /t/wso2.com - now
 the tenant will be loaded...

What I thought was, at tenant loading what it does is build the user
store manager chain from the config files that are already there in the
relevant 'userstores' folder. Depsync will happen after this step, so that
the new file is still not checked out.
Please correct me if I'm wrong.



 Thanks & regards,
 -Prabath




 Thanks & regards,
 -Prabath


 On Thu, Sep 26, 2013 at 5:10 PM, Afkham Azeez az...@wso2.com wrote:

 Hmm... very interesting problem :)

 What we could do is this...

 We can implement a LoadTenant Cluster message. When that is received,
 all nodes would load the tenants. We can get depsync to follow. That way,
 every node will properly load the new user stores. IS can send this 
 message.

 Azeez


 On Thu, Sep 26, 2013 at 4:56 PM, Pushpalanka Jayawardhana la...@wso2.com wrote:

 Hi,

 This is with regard to the issue [1], which is a known issue in IS 4.5.0.

 Issue reproduced with the following steps:
 1. Set up a cluster with two IS nodes (Depsync enabled).
 2. Create a tenant (wso2.com).
 3. Wait till the tenant is unloaded in the worker node.
 4. Add a secondary user store in the master node.
 5. Add a user (user1) to the secondary user store in the master node.
 6. Try to log in from the master node: it allows.
 7. Try to log in as this user (us...@wso2.com) in the worker node: it fails.
 8. Log in as tenant admin and then try to log in as the user: it allows.


 So as the tenant is unloaded in the worker node, it does not check out
 the added user store configuration from the SVN repo, hence users in that
 user store cannot log in at the worker node.

 The following log can be seen in the worker node:
 {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} -
 Received [SynchronizeRepositoryRequest{tenantId=3, tenantDomain='win.com',
 messageId=203837d4-576b-4929-a0a1-e5efccf15b01}
  INFO {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} -
 Tenant is not loaded.

 Is there a possibility to load the tenant on receipt of this cluster
 message (if we can check whether it is to sync user stores, to avoid loading
 the tenant at each receipt of a cluster message), so that user stores will be
 checked out at a fair cost?

 Great to know any better ways to handle this and to know your ideas.


 [1] - https://wso2.org/jira/browse/IDENTITY-1824

 Thanks,

 Pushpalanka Jayawardhana




 --
 Afkham Azeez




 --
 Thanks & Regards,
 Prabath

 Mobile : +94 71 809 6732

 http://blog.facilelogin.com
 http://RampartFAQ.com





 --
 Thanks & Regards,
 Prabath

 Mobile : +94 71 809 6732

 http://blog.facilelogin.com
 http://RampartFAQ.com



Re: [Architecture] Apple push strategy

2013-08-04 Thread Pushpalanka Jayawardhana
Hi,

In the APNS connector the notnoop java-apns jar is packed into the connector
zip and uploaded [1].
It can be used once the proper security certificates are given to connect
to the APNS server at configuration (explained in the docs [2]).

At the moment this is not created as an orbit. We can work on making the
apns.jar as an orbit bundle.

[1] - 
https://svn.wso2.com/wso2/repo/intern/ipass-cloud-connectors/applepush/new_class_mediator/

[2] -
https://svn.wso2.com/wso2/repo/intern/ipass-cloud-connectors/applepush/Documents/

Thanks,

Pushpalanka Jayawardhana



On Sat, Aug 3, 2013 at 10:37 PM, Dilshan Edirisuriya dils...@wso2.com wrote:

 Hi,

 We will be using notnoop [1] for Apple push notifications in MDM. This has
 been discussed in a separate thread (related to ESB cloud connector) and
 the license was approved to use as well. Not sure whether this has been
 implemented at the moment. Is there any way we can make use of this (if this
 has been created as an orbit) or can't we create a generic module for this to
 be used by anyone? Right now our plan is to embed this inside MDM Jaggery
 app as an external jar.


 [1] - https://github.com/notnoop/java-apns

 Regards,

 Dilshan



Re: [Architecture] Synching Configurations across the clusters

2013-06-25 Thread Pushpalanka Jayawardhana
Thanks all for the ideas.
Will be moving forward with option 2.

repository/conf/userstores/user-mgt.xml
repository/conf/tenants/1/userstores/user-mgt.xml - configuration for
tenant with tenant-id: 1
repository/conf/tenants/2/userstores/user-mgt.xml - configuration for
tenant with tenant-id: 2

So a product will have 2 locations inside repository/conf to be synced
with dep-sync:

   - repository/conf/userstores ('userstores' just to avoid syncing all
   content in the conf directory) and
   - repository/conf/tenants

Thanks,

Pushpalanka Jayawardhana



On Tue, Jun 25, 2013 at 11:46 AM, Dhanuka Ranasinghe dhan...@wso2.com wrote:

 Hi,

 I am not much aware of the Carbon architecture, but have a few thoughts to
 achieve the above requirements.

 1. Having a highly available singleton (HA) service (through MBeans), then
 make sure it is active only in the master node.
 2. When the master node goes down, one of the other members in the cluster
 becomes the master node and its HA service will be activated.
 3. All the configurations are done and read through that HA service; by
 doing this, whether it's a UI or local file system change, it will be synced
 every time with every member.


 Cheers,
 Dhanuka

 *Dhanuka Ranasinghe*

 Senior Software Engineer
 WSO2 Inc. ; http://wso2.com
 lean . enterprise . middleware

 phone : +94 715381915


 On Fri, May 31, 2013 at 2:41 PM, Srinath Perera srin...@wso2.com wrote:

 Hi All,

 Azeez and I were chatting, and the following are some of the conflicting
 requirements.

 1. like to edit configs from file system, and via UI avoiding two copies
 if possible (have to avoid case where we edit file, then we edit via UI
 where we lost the file updates).
 2. Need a way to sync configs across the cluster
 3. Make the sync model clear and consistent for both configs and
 artifacts (currently we use dep-sync only with artifacts)
 4. Like to sync only one folder in the product with dep-sync

 ^This will not be achieved, with the option.

  5. We should not do product folder structure before major release (C5?)

 We need to find the best solution out of that.

 --Srinath



 On Thu, May 30, 2013 at 9:20 PM, Senaka Fernando sen...@wso2.com wrote:

 Hi Srinath,

 IMHO, relying on a dep-sync-based model sounds appropriate here. We can
 have several strategies for dep-sync (i.e. registry, svn, manual etc), but
 the server will be driven by what's on the filesystem. IMHO, that's very
 straightforward.

 And, I think we need to first of all figure out what's going to
 be synced and what's not. When it comes to some configuration files it
 might make sense to sync portions and keep some static. In that case, do we
 need to split those files in two? Also, we need to focus on the things
 that change across environments and things that don't for the server
 configuration as in the CAR-based Governance Story for ESB configurations.

 Also, the dep-sync's notification model should work like the
 hierarchical cache invalidation model that Azeez proposed, making sure that
 things will scale.

 Thanks,
 Senaka.


 On Thu, May 30, 2013 at 4:46 PM, Jeewantha Dharmaparakrama jeewan...@wso2.com wrote:

 Hi Srinath,

 If the node which detects the change in its config file redeploys the
 config in every other node explicitly, we can ensure that every node sees
 the change since there will always be one node which is responsible for
 informing the others. I guess that's what depsync does IINM.

 If the config is stored in a central place, every node will have to
 pull the change from that place. Here if one node fails to redeploy the
 change, other nodes will be unaware about it so that the system will be
 unstable.  IMHO we should prefer the former.

 Jeewantha


 On Thu, May 30, 2013 at 3:44 PM, Srinath Perera srin...@wso2.com wrote:

 Hi All,

 We just finished a review on UI for user stores and figured we are
 doing this in several ways. Pradeep, Prabath, and myself had a chat, and
 following are our thoughts.

 We have different types of configurations with carbon server

 1) Some are only apply for one node (e.g. carbon.xml, registry.xml ..)
 2) Some might be useful across

Re: [Architecture] Synching Configurations across the clusters

2013-06-25 Thread Pushpalanka Jayawardhana

On Tue, Jun 25, 2013 at 4:00 PM, Amila Suriarachchi am...@wso2.com wrote:




 On Tue, Jun 25, 2013 at 3:05 PM, Pushpalanka Jayawardhana la...@wso2.com wrote:

 Thanks all for the ideas.
 Will be moving forward with option 2.

 repository/conf/userstores/user-mgt.xml
 repository/conf/tenants/1/userstores/user-mgt.xml - configuration for
 tenant with tenant-id: 1
 repository/conf/tenants/2/userstores/user-mgt.xml - configuration for
 tenant with tenant-id: 2


 Technically speaking this is not correct. user-mgt.xml is used to
 configure the UserRealm, not only the user store. So it should be usermanager.


 But in this case what we want is to dep-sync only the user stores, so my
 suggestion is to put them under a userstores folder with the store name.

 eg. repository/deployment/server/userstores/userstore1.xml
 repository/deployment/server/userstores/userstore2.xml

 For example, if we change one user store there is no reason to dep-sync
 all of user-mgt.xml and re-initialise all user stores.

As I have understood, we will still have to re-initialise all user stores,
unless we are adding or deleting a secondary user store at the very end of
the chain. This is because the order of the secondary user stores matters
and at deletion or insertion we need to update with the new order. Correct
me if I am wrong.


 thanks,
 Amila.


 So a product will have 2 locations inside repository/conf to be synced
 with dep-sync:

 - repository/conf/userstores ('userstores' just to avoid syncing all
 content in the conf directory) and
 - repository/conf/tenants

 Thanks,

 Pushpalanka Jayawardhana



 On Tue, Jun 25, 2013 at 11:46 AM, Dhanuka Ranasinghe dhan...@wso2.com wrote:

 Hi,

 I am not much aware of the Carbon architecture, but have a few thoughts to
 achieve the above requirements.

 1. Having a highly available singleton (HA) service (through MBeans), then
 make sure it is active only in the master node.
 2. When the master node goes down, one of the other members in the cluster
 becomes the master node and its HA service will be activated.
 3. All the configurations are done and read through that HA service; by
 doing this, whether it's a UI or local file system change, it will be synced
 every time with every member.


 Cheers,
 Dhanuka

 *Dhanuka Ranasinghe*

 Senior Software Engineer
 WSO2 Inc. ; http://wso2.com
 lean . enterprise . middleware

 phone : +94 715381915


 On Fri, May 31, 2013 at 2:41 PM, Srinath Perera srin...@wso2.com wrote:

 Hi All,

 Azeez and I were chatting, and the following are some of the
 conflicting requirements.

 1. like to edit configs from file system, and via UI avoiding two
 copies if possible (have to avoid case where we edit file, then we edit via
 UI where we lost the file updates).
 2. Need a way to sync configs across the cluster
 3. Make the sync model clear and consistent for both configs and
 artifacts (currently we use dep-sync only with artifacts)
 4. Like to sync only one folder in the product with dep-sync

 ^This will not be achieved, with the option.

  5. We should not do product folder structure before major release (C5?)

 We need to find the best solution out of that.

 --Srinath



 On Thu, May 30, 2013 at 9:20 PM, Senaka Fernando sen...@wso2.com wrote:

 Hi

Re: [Architecture] Synching Configurations across the clusters

2013-06-24 Thread Pushpalanka Jayawardhana
Hi All,

Following is how we are to use dep-sync to sync user store configurations
across clusters, with some inputs from Charitha, Prabath and Pradeep.

   - repository/conf/userstores/user-mgt.xml - configuration of super admin
   - repository/conf/userstores/tenants/1/user-mgt.xml - configuration for
   tenant with tenant-id: 1
   - repository/conf/userstores/tenants/2/user-mgt.xml - configuration for
   tenant with tenant-id: 2, and likewise


   1. This is similar to the structure used in deploying artifacts at
   repository/tenants/1/ for tenants, as currently existing.
   2. So we already have two folders synced with dep-sync in a product. One
   at repository/deployment/server/ and one at repository/tenants/.
   3. We are to add one more folder to be synced with dep-sync at
   repository/conf/userstores/

Correct me, if I have got anything wrong. Glad to know any concerns or
thoughts.

Thanks,

Pushpalanka Jayawardhana

On Fri, May 31, 2013 at 2:52 PM, Prabath Siriwardena prab...@wso2.com wrote:

 I guess dep sync based approach will solve these...

 Thanks & regards,
 -Prabath


 On Fri, May 31, 2013 at 2:41 PM, Srinath Perera srin...@wso2.com wrote:

 Hi All,

 Azeez and I were chatting, and the following are some of the conflicting
 requirements.

 1. like to edit configs from file system, and via UI avoiding two copies
 if possible (have to avoid case where we edit file, then we edit via UI
 where we lost the file updates).
 2. Need a way to sync configs across the cluster
 3. Make the sync model clear and consistent for both configs and
 artifacts (currently we use dep-sync only with artifacts)
 4. Like to sync only one folder in the product with dep-sync
 5. We should not do product folder structure before major release (C5?)

 We need to find the best solution out of that.


 --Srinath



 On Thu, May 30, 2013 at 9:20 PM, Senaka Fernando sen...@wso2.com wrote:

 Hi Srinath,

 IMHO, relying on a dep-sync-based model sounds appropriate here. We can
 have several strategies for dep-sync (i.e. registry, svn, manual etc), but
 the server will be driven by what's on the filesystem. IMHO, that's very
 straightforward.

 And, I think we need to first of all figure out what and what's going to
 be sync'ed and what's not. When it comes to some configuration files it
 might make sense to sync portions and keep some static. In that case, do we
 need to split those files in two? Also, we need to focus on the things
 that change across environments and things that don't for the server
 configuration as in the CAR-based Governance Story for ESB configurations.

 Also, the dep-sync's notification model should work like the
 hierarchical cache invalidation model that Azeez proposed, making sure that
 things will scale.

 Thanks,
 Senaka.


 On Thu, May 30, 2013 at 4:46 PM, Jeewantha Dharmaparakrama 
 jeewan...@wso2.com wrote:

 Hi Srinath,

 If the node which detects the change in its config file redeploys the
 config in every other node explicitly, we can ensure that every node sees
 the change since there will always be one node which is responsible in
 informing the others. I guess that's what depsync does IINM.

 If the config is stored in a central place, every node will have to
 pull the change from that place. Here if one node fails to redeploy the
 change, other nodes will be unaware about it so that the system will be
 unstable.  IMHO we should prefer the former.

 Jeewantha


 On Thu, May 30, 2013 at 3:44 PM, Srinath Perera srin...@wso2.comwrote:

 Hi All,

 We just finished a review on UI for user stores and figured we are
 doing this in several ways. Pradeep, Prabath, and myself had a chat, and
 following are our thoughts.

 We have different types of configurations with carbon server

 1) Some only apply to one node (e.g. carbon.xml, registry.xml ..)
 2) Some might be useful across a cluster, but we ask users to copy it
 to all the nodes (e.g. data sources, xacml policies, keystores ?? )
 3) It is proposed that we will automatically replicate user-store
 configurations using deployment synchronizer when it is added to one node.

 To share the same

Re: [Architecture] Synching Configurations across the clusters

2013-06-24 Thread Pushpalanka Jayawardhana
Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd


On Tue, Jun 25, 2013 at 12:05 AM, Prabath Siriwardena prab...@wso2.comwrote:

 +1

  repository/conf/user-mgt.xml
  repository/conf/tenants/1/user-mgt.xml - configuration for tenant with
 tenant-id: 1
  repository/conf/tenants/2/user-mgt.xml - configuration for tenant with
 tenant-id: 2

 OR

  repository/conf/userstores/user-mgt.xml
  repository/conf/tenants/1/userstores/user-mgt.xml - configuration for
 tenant with tenant-id: 1
  repository/conf/tenants/2/userstores/user-mgt.xml - configuration for
 tenant with tenant-id: 2


If we use the first one, then the folder to sync using dep-sync will be the
conf directory, which has many other configuration files that are not yet
required to be synced. If it is OK to sync them too, then it's fine. The
second option narrows down what is to be synced, but still has two folders to
sync, 'repository/conf/userstores/' and 'repository/conf/tenants'. (Given
that the default user-mgt.xml is also going to be modified and those
modifications need to be propagated in the cluster too, in addition to those
of tenants.)

Thanks & regards,
 -Prabath


 On Mon, Jun 24, 2013 at 11:55 PM, Pradeep Fernando prad...@wso2.comwrote:

 --Pradeep
 sent from my phone

 On Jun 24, 2013 11:25 PM, Pushpalanka Jayawardhana la...@wso2.com
 wrote:
 
  Hi All,
 
  Following is how we are to use dep-sync to sync user store
 configurations across clusters, with some inputs from Charitha, Prabath and
 Pradeep.
   repository/conf/userstores/user-mgt.xml - configuration of super admin
   repository/conf/userstores/tenants/1/user-mgt.xml - configuration for
 tenant with tenant-id: 1
   repository/conf/userstores/tenants/2/user-mgt.xml - configuration for
 tenant with tenant-id: 2, likewise

 Is it possible to have the tenant directory structure independent from
 the user store directory? In the future there will be a few config files with
 similar requirements, I believe...

  This is similar to the structure used in deploying artifacts at
 repository/tenants/1/ for tenants, as currently existing.
   So we already have two folders synced with dep-sync in a product. One
 at repository/deployment/server/ and one at repository/tenants/.
  We are to add one more folder to be synced with dep-sync at
 repository/conf/userstores/
 
  Correct me, if I have got anything wrong. Glad to know any concerns or
 thoughts.
 
  Thanks,
 
  Pushpalanka Jayawardhana
 
  Software Engineer
 
  WSO2 Lanka (pvt) Ltd
 
 
  Mobile: +94779716248

 
  On Fri, May 31, 2013 at 2:52 PM, Prabath Siriwardena prab...@wso2.com
 wrote:
 
  I guess dep sync based approach will solve these...
 
   Thanks & regards,
  -Prabath
 
 
  On Fri, May 31, 2013 at 2:41 PM, Srinath Perera srin...@wso2.com
 wrote:
 
  Hi All,
 
   Azeez and I were chatting, and the following are some of the
 conflicting requirements.
 
   1. Like to edit configs from the file system and via UI, avoiding two
 copies if possible (have to avoid the case where we edit the file, then edit
 via UI and lose the file updates).
  2. Need a way to sync configs across the cluster
  3. Make the sync model clear and consistent for both configs and
 artifacts (currently we use dep-sync only with artifacts)
  4. Like to sync only one folder in the product with dep-sync
  5. We should not do product folder structure before major release
 (C5?)
 
  We need to find the best solution out of that.
 
 
  --Srinath
 
 
 
  On Thu, May 30, 2013 at 9:20 PM, Senaka Fernando sen...@wso2.com
 wrote:
 
  Hi Srinath,
 
  IMHO, relying on a dep-sync-based model sounds appropriate here. We
 can have several strategies for dep-sync (i.e. registry, svn, manual etc),
 but the server will be driven by what's on the filesystem. IMHO, that's
 very straightforward.
 
  And, I think we need to first of all figure out what and what's
 going to be sync'ed and what's not. When it comes to some configuration
 files it might make sense to sync portions and keep some static. In that
 case, do we need to split those files in two? Also, we need to focus on the
 things that change across environments and things that don't for the
 server configuration as in the CAR-based Governance Story for ESB
 configurations.
 
  Also, the dep-sync's notification model should work like the
 hierarchical cache invalidation model that Azeez proposed, making sure that
 things will scale.
 
  Thanks,
  Senaka.
 
 
  On Thu, May 30, 2013 at 4:46 PM, Jeewantha Dharmaparakrama 
 jeewan

Re: [Architecture] User Store Manager Configuration UI - New Feature

2013-05-29 Thread Pushpalanka Jayawardhana
Hi,

Please find the slides for today's design review here,
https://docs.google.com/a/wso2.com/presentation/d/11lGLIXoeIm8TDV8vKcypLSk8Ksk-p1mrU3sqWHJD-8g/edit?usp=sharing

Thanks,

Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd
Mobile: +94779716248


On Wed, May 29, 2013 at 1:57 PM, Dimuthu Leelarathne dimut...@wso2.comwrote:

 +1. Please invite me the review as well.

 thanks,
 dimuthu


 On Tue, May 28, 2013 at 7:47 AM, Srinath Perera srin...@wso2.com wrote:

 Have we reviewed this? shall I schedule?

 --Srinath


 On Mon, May 27, 2013 at 5:42 PM, Amila Suriarachchi am...@wso2.comwrote:




 On Mon, May 27, 2013 at 5:30 PM, Prabath Siriwardena 
 prab...@wso2.comwrote:



 On Mon, May 27, 2013 at 5:13 PM, Amila Suriarachchi am...@wso2.comwrote:




 On Mon, May 27, 2013 at 5:01 PM, Prabath Siriwardena prab...@wso2.com
  wrote:



 On Mon, May 27, 2013 at 4:04 PM, Amila Suriarachchi 
 am...@wso2.comwrote:




 On Mon, May 27, 2013 at 3:06 PM, Prabath Siriwardena 
 prab...@wso2.com wrote:



 On Fri, May 24, 2013 at 9:51 PM, Amila Suriarachchi am...@wso2.com
  wrote:








- Saving data inserted via UI, at finish - This has a few options. Please
  advise on the best one to use:
    - Update the RealmService with the new configuration and then write the
      updated RealmConfiguration into user-mgt.xml (this newly created file
      will trigger the Axis2 deployer as a new file addition, which is not
      needed).
    - Write the updated details into user-mgt.xml. Even if only one
      UserStoreManager is edited, the whole user-mgt.xml has to be read in,
      the new one placed in the relevant order and the others' order updated
      accordingly.


 Idea is to create a separate file per user store. you can save
 this file with the userstore name. Then update only that file.



 I don't think we need to keep files per user store. We can persist
 the changes to the user-mgt.xml it self and keep different user-mgt.xml
 files per tenant..


 As we discussed last time, user-mgt.xml is used to represent the realm,
 which consists of the user store, authorization manager, claim manager etc.
 Since the authorization manager and claim manager stuff are already multi
 tenanted, we don't need to have a user-mgt.xml per tenant.

 Here the requirement is to let users add their user stores to the
 system. So adding stores as separate xml files simplifies the design. These
 user stores do not need to support MT since they are specific to a tenant.


 I think that approach would be more scattered - to have multiple
 files by user store..


 This is the approach we follow for proxy services, cep buckets etc...
 For example, earlier we had only synapse.xml and cep-config.xml to define
 all. But now we have separate ones.

 Another advantage is that we need to update only one store. For example,
 if everyone edits the same user-mgt.xml, then when a user adds one user
 store, I think all other stores need to update as well, since for the
 deployment engine it is an update of the file.



 My argument is - this is different from other service artifacts.. These
 operations do not happen frequently - so - I guess having a single file
 would make things simple...


 IMHO the main point is, it is not the correct design. Please see this
 reply.


 As we discussed last time, user-mgt.xml is used to represent the realm, which
 consists of the user store, authorization manager, claim manager etc. Since
 the authorization manager and claim manager stuff are already multi tenanted, we
 don't need to have a user-mgt.xml per tenant.

 Anyway lets do a code review after implementing this either way.

 thanks,
 Amila.




 Thanks & regards,
 -Prabath



 thanks,
 Amila.



 Thanks & regards,
 -Prabath



 thanks,
 Amila.


  Thanks & regards,
 -Prabath



 thanks,
 Amila.


-



 Thanks,

 Pushpalanka Jayawardhana

 Software Engineer

 WSO2 Lanka (pvt) Ltd