On 11/07/2016 16:27, Adrian Gonzalez wrote:
> Hello, Sorry once more :(
Hi Adrian, do not apologize.
Thank you, instead. Reporting and interaction in public ML is always
welcome.
See below for my comments.
Best regards,
F.
> I would like to use Syncope in my app (using Spring Security) for user
> authentication and authorisation.
> I would like to know if mapping GrantedAuthority to Syncope's role is
> the way to go?
> I'm a bit lost, since there's also the notion of entitlements and groups.
> In fact, when I look into syncope's code, I see:
> @PreAuthorize("hasRole('" + StandardEntitlement.ROLE_CREATE + "')")
> public RoleTO create(final RoleTO roleTO) {
> So I would say I should use entitlements and not roles.
You have to use the entitlements.
You can assign entitlements to a user by assigning them to a role and a
role to the user: the user owning that role will own those entitlements.
This is the standard for Apache Syncope.
Therefore you can think about adding your own authorization method for some
customizations. Please, if you do it this way, do it carefully.
> But entitlement appears to be fixed (in StandardEntitlement class) and
> for syncope 'internal' use [1] and [2] (aka checking if user has right
> to perform an action on syncope - and not checking if user has right
> to perform action on whatever application).
Exactly! BTW you can perform some customization in order to extend the
set of entitlements in order to use them to authorize access to some
custom rest methods provided for your specific aims.
This customization is not simple but feasible if strongly required.
> Thanks,
> Adrian
> P.S. Using Syncope 2.0.0-M2
> [1]
> http://syncope-user.1051894.n5.nabble.com/Entitlements-how-do-we-create-change-these-tp5707009p5707010.html
> <quote>entitlements are not meant to be extended: their primary
> purpose is to define security constraints on RESTful methods.</quote>
> [2]
> https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization
--
Fabio Martelli
Tirasa - Open Source Excellence
http://www.tirasa.net/
Apache Syncope PMC
http://people.apache.org/~fmartelli/
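
Added example, not part of the original thread and not Syncope code: a sketch of the model described in the reply above, where a user's authorities are the entitlements of the roles the user owns, expressed with Spring Security's GrantedAuthority. The class name, role keys and role-to-entitlement table are hypothetical sample data (only ROLE_CREATE appears in the thread); it assumes Java 9+ and spring-security-core on the classpath.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/** Hypothetical helper: maps role -> entitlement assignments to authorities. */
public class EntitlementAuthorities {

    // Constructed sample data: role key -> entitlements granted by that role.
    static final Map<String, Set<String>> ROLE_ENTITLEMENTS = Map.of(
            "roleAdmin", Set.of("ROLE_CREATE", "ROLE_READ"),
            "auditor", Set.of("ROLE_READ"));

    /** Authorities are the union of the entitlements of every role the user owns. */
    static Set<GrantedAuthority> authoritiesFor(Collection<String> userRoles) {
        Set<GrantedAuthority> authorities = new HashSet<>();
        for (String role : userRoles) {
            // A role that is not in the table grants nothing (deny by default).
            for (String entitlement : ROLE_ENTITLEMENTS.getOrDefault(role, Set.of())) {
                authorities.add(new SimpleGrantedAuthority(entitlement));
            }
        }
        return authorities;
    }

    /** Builds an authenticated token whose authorities are entitlements, not role keys. */
    static Authentication tokenFor(String username, Collection<String> userRoles) {
        return new UsernamePasswordAuthenticationToken(username, "N/A", authoritiesFor(userRoles));
    }

    /** Exact string match on the entitlement, as hasAuthority('...') would do. */
    static boolean isGranted(Authentication auth, String entitlement) {
        return auth.getAuthorities().contains(new SimpleGrantedAuthority(entitlement));
    }

    public static void main(String[] args) {
        Authentication auditor = tokenFor("alice", List.of("auditor"));
        Authentication admin = tokenFor("bob", List.of("roleAdmin", "noSuchRole"));
        System.out.println("auditor may create roles: " + isGranted(auditor, "ROLE_CREATE"));
        System.out.println("admin may create roles:   " + isGranted(admin, "ROLE_CREATE"));
        // The role key itself is never an authority, so a check on it fails.
        System.out.println("admin has 'roleAdmin':    " + isGranted(admin, "roleAdmin"));
    }
}
```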