On 28/08/2013 09:30, Marcin Sośnicki wrote:
Hi Francesco,
I understand that REST methods are exposed, for example a
self-registering user can choose the Roles he wishes to be in during
the self-registration process, so this is needed.
But I was talking about UI console. For example, I have the UI
deployed at http://mysyncope.net/syncope-ui/. And I can access UI tabs
like http://mysyncope.net/syncope-ui/roles or
http://mysyncope.net/syncope-ui/schema even when not logged in.
For the security model currently implemented up to 1.1.X, the UI
anonymous visibility is a consequence of REST anonymous availability.
This will also change in 1.2.0?
Definitely yes.
Thanks a lot for your time and help.
You're welcome (and welcome to Syncope as well).
Regards.
2013/8/28 Francesco Chicchiriccò <[email protected]>
On 28/08/2013 08:56, Marcin Sośnicki wrote:
Hello,
I have a question: I am using Apache Syncope at version
1.2.0-SNAPSHOT. I have noticed that it is possible, while not
logged in, to browse resources like /roles, /schema and
/resources. Is it intentional? Non-admin users also have
access to these resources. I would appreciate your help, as
maybe there are reasons for such behaviour.
Hi Marcin,
if you search our mailing list archives, you will find some
discussion about this topic: basically, some REST resources are
available as anonymous in order to enable the self-registration
feature [1].
Anyway, as reported in our roadmap [2] (more specifically [3]),
this is going to change in 1.2.0.
Hope this clarifies.
Regards.
[1]
https://cwiki.apache.org/confluence/display/SYNCOPE/Handle+user+requests+%28including+self+registration%29
[2] https://cwiki.apache.org/confluence/display/SYNCOPE/Roadmap
[3] https://issues.apache.org/jira/browse/SYNCOPE-132
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/