Hi Francesco,
That's it exactly. I'm mapping Syncope roles -> Spring GrantedAuthorities for
the moment to authorize users to my services' APIs. Perhaps I should modify it
and use Syncope groups instead.
Thanks !
From: Francesco Chicchiriccò <[email protected]>
To: [email protected]
Sent: Friday 15 July 2016 16:47
Subject: Re: Authorisation with Syncope 2.x
Hi Adrian,
I need to understand what is your use case.
It seems to me that you are attempting to use Syncope for privilege
management, e.g. you want to:
1. enlist application privileges into Syncope
2. associate such privileges with some Syncope entity (I'd say you're using
roles, but groups should be more appropriate in this case)
3. write your application(s) authentication / authorization logic so that it
depends on Syncope's REST services and data (and you're using Spring Security
for this purpose)
Is this correct?
On 12/07/2016 12:16, Adrian Gonzalez wrote:
Hi Fabio,
I was thinking about creating my own apps (let's say PhotoGalleryApp).
With a service like:

    @PreAuthorize("hasRole('photo.read')")
    public Photo find(Long id) { ..bla }

    @PreAuthorize("hasRole('photo.update')")
    public Photo update(Photo photo) { ..bla }
}
This is really a basic sample (it won't be CRUDs only). How can I customize
Syncope in order to have photo.read and photo.update, for instance?
Moreover, I'm not at ease if customisation requires code modification for
each new entitlement since I'm gonna have a lot of apps.
Thanks for your insights,
Adrian
From: Fabio Martelli <[email protected]>
To: [email protected]
Sent: Tuesday 12 July 2016 12:03
Subject: Re: Authorisation with Syncope 2.x
On 11/07/2016 16:27, Adrian Gonzalez wrote:
Hello, Sorry once more :(
Hi Adrian, do not apologize.
Thank you, instead. Reporting and interaction in public ML is always welcome.
See below for my comments.
Best regards,
F.
I would like to use Syncope in my app (using Spring Security) for user
authentication and authorisation.
I would like to know if mapping GrantedAuthority to Syncope's roles is the way
to go? I'm a bit lost, since there's also the notion of entitlements and
groups.
In fact, when I look into Syncope's code, I see:
@PreAuthorize("hasRole('" + StandardEntitlement.ROLE_CREATE + "')")
public RoleTO create(final RoleTO roleTO) {
So I would say I should use entitlements and not roles.
You have to use the entitlements.
You can assign entitlements to a user by assigning them to a role and a role
to the user: the user owning that role will own those entitlements.
This is the standard for Apache Syncope.
Therefore you can consider adding your own authorization method for some
customizations. Please, if you go this way, do it carefully.
But entitlements appear to be fixed (in the StandardEntitlement class) and for
Syncope 'internal' use [1] and [2] (aka checking if a user has the right to
perform an action on Syncope, and not checking if a user has the right to
perform an action on whatever application).
Exactly! BTW you can perform some customization in order to extend the set of
entitlements, so as to use them to authorize access to some custom REST
methods provided for your specific aims.
This customization is not simple but feasible if strongly required.
Thanks, Adrian
P.S. Using Syncope 2.0.0-M2
[1]
http://syncope-user.1051894.n5.nabble.com/Entitlements-how-do-we-create-change-these-tp5707009p5707010.html
<quote>entitlements are not meant to be extended: their primary purpose is to
define security constraints on RESTful methods.</quote>
[2]
https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC,
CXF Committer, OpenJPA Committer, PonyMail PPMC
http://home.apache.org/~ilgrosso/
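The user -> roles -> entitlements model Fabio describes, flattened into Spring Security authorities the way Adrian's @PreAuthorize services need, as an added example that is neither Syncope nor Spring code and not from anyone in this thread. It assumes the role definitions have already been fetched from Syncope's REST API; here they are a constructed map, and the class, role and entitlement names are hypothetical.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/**
 * Hypothetical helper (not Syncope or Spring code): turns the Syncope roles a
 * user owns into one Spring Security authority per entitlement, so that
 * application entitlements such as photo.read can be checked with @PreAuthorize.
 */
public final class SyncopeAuthorityMapper {

    /** Constructed sample of role -> entitlements; in practice fetched from Syncope. */
    static final Map<String, Set<String>> ROLE_ENTITLEMENTS = Map.of(
            "photo-viewer", Set.of("photo.read"),
            "photo-editor", Set.of("photo.read", "photo.update"));

    private SyncopeAuthorityMapper() { }

    /** One authority per distinct entitlement granted through any of the user's roles. */
    public static List<GrantedAuthority> toAuthorities(Collection<String> userRoles) {
        return userRoles.stream()
                .flatMap(role -> ROLE_ENTITLEMENTS.getOrDefault(role, Set.of()).stream())
                .distinct()
                .sorted()
                // Authorities carry the bare entitlement name. Check them with
                // hasAuthority('photo.read'): since Spring Security 4, hasRole('photo.read')
                // looks for "ROLE_photo.read" unless the default role prefix is reconfigured.
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
    }

    /** Mirrors @PreAuthorize("hasAuthority('photo.update')") on the update service. */
    public static boolean canUpdatePhotos(Collection<String> userRoles) {
        return toAuthorities(userRoles).stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch("photo.update"::equals);
    }

    public static void main(String[] args) {
        System.out.println(toAuthorities(List.of("photo-viewer")));
        System.out.println(canUpdatePhotos(List.of("photo-viewer")));
        System.out.println(canUpdatePhotos(List.of("photo-viewer", "photo-editor")));
    }
}
```

Adding a new application entitlement then means defining it on a Syncope role rather than touching application code, which is the point Adrian raises about having many apps.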