Hi all,

> you are suggesting to equip Syncope with some Access Management
> functionalities, right?

Yep exactly.

> Why don't we empower something we have "in house" like as Apache Shiro
> as a starting base for providing upcoming Syncope AM features?

Sounds good to me.

Colm.

2012/4/17 Francesco Chicchiriccò <[email protected]>:
> On 17/04/2012 12:28, Fabio Martelli wrote:
>> On 17 Apr 2012, at 11:58, Colm O hEigeartaigh wrote:
>>
>>> Hi all,
>>>
>>> A "resource" in Syncope is a remote directory of some sort where you
>>> can propagate/synchronize attributes to/from.
>>>
>>> I'd like to consider an alternative definition of a "resource" in the
>>> context of web services and if it's feasible or desirable to support
>>> it.
>>>
>>> One can currently use Syncope to authenticate a web service request
>>> (e.g. is the client's username/password valid) or for authorization,
>>> where you can retrieve the authenticated client's roles, and check to
>>> see whether one of these roles is allowed access the local "resource"
>>> the client is attempting to access.
>>>
>>> In other words, the application server must maintain a map of role
>>> names to resources, where the resource could be a combination of WSDL
>>> target namespace, service name and operation, or a URI. There may also
>>> be a permission associated with this mapping such as "read", "write"
>>> or "execute", etc. Many IDM solutions can accept a resource as a
>>> String or URI, so the question is whether this is something we should
>>> add to the roadmap for Syncope or not?
>>>
>>> The advantage of adding this kind of functionality to Syncope is that
>>> all identity and access management is done with the same product,
>>> instead of having to use Syncope for authentication/retrieving-roles,
>>> and use something else to find out whether the authenticated user has
>>> the correct permissions to access the local resource.
>>>
>>> Thoughts? How would this kind of functionality work with Syncope?
>> Hi Colm, if I well understood, you are suggesting to equip Syncope with some
>> Access Management functionalities, right?
>> IMO this is a good idea and, looking at your proposal, probably not so
>> complicated to be implemented.
>>
>> Actually Syncope is still too much far away to act as complete Access
>> Manager but, for certain scenarios, what you described above could be
>> sufficient.
>> For example, I was thinking to a web resource protected by something like an
>> agent that interact with Syncope to allow or deny access to its contents.
>>
>> I agree with you, I'd like to extend the roadmap by adding this kind of AM
>> features.
>
> Colm (and Fabio),
> this sounds like a very nice idea: nowadays the boundaries between pure
> IdM and pure AM don't have much sense anymore.
>
> Why don't we empower something we have "in house" like as Apache Shiro
> as a starting base for providing upcoming Syncope AM features?
>
> Regards.
>
> --
> Francesco Chicchiriccò
>
> Apache Cocoon PMC and Apache Syncope PPMC Member
> http://people.apache.org/~ilgrosso/
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
