[
http://jira.amdatu.org/jira/browse/AMDATU-81?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=10499#comment-10499
]
Ivo Ladage - van Doorn edited comment on AMDATU-81 at 12/10/10 3:45 PM:
------------------------------------------------------------------------
Though oAuth provides us authentication, it does not provide authorization. In
the REST interface you will be able to validate oAuth tokens, retrieve a userId
from it and oAuth ensures that the oAuth information send has not been tempered
with. We however still need to provide some mechanism to determine what access
the user with the given userId has.
The JAX-RS spec supports only Basic and Digest authentication, which cannot be
used with oAuth. There are several scenario?s to secure the REST APIs:
? Scenario 1. Let it completely up to the implementation. So each REST
method should:
o Validate oAuth token and throw a 401 if it is invalid
o Invoke UserAdmin.getAuthorization(user).hasRole(role) to verify if the
role is implied by the users authorization context and throw a 401 if this is
not the case
? Scenario 2. Implement a REST call hook that intercepts all REST calls
and verifies authorization against a manageable list of access grants. A gadget
would be available where Roles can be assigned to each REST API (on method
level). Access is only true or false. Note that this scenario still allows the
first scenario for more fine-grained authorization checks.
? Scenario 3. Using declarative security using annotations, in line with
the JAX-RS spec. Where JAX-RS defines for example @RolesAllowed and @PermitAll
annotations, we could add our own annotations which will be quite similar but
map onto UserAdmin instead of roles defined in a web.xml.
? Scenario 4. A mix off the scenario?s 2 and 3 is also possible. For
example using annotations like @GrantRoles which could be associated with
actual roles in a manageable list. Advantage is that role grants are not
declarative anymore; they can be changed at runtime. It allows a mix of using
methods that do not need to be secured (like the @PermitAll annotation in
JAX-RS).
was (Author: ivol):
In 0.1.0 we are working on oAuth, allowing us to secure our API?s. One of
the API?s that needs to be secured is the REST API (the current user REST
interface for example has no security at all). Though oAuth provides us
authentication, it does not provide authorization. In the REST interface you
will be able to validate oAuth tokens, retrieve a userId from it and oAuth
ensures that the oAuth information send has not been tempered with. We however
still need to provide some mechanism to determine what access the user with the
given userId has.
The JAX-RS spec supports only Basic and Digest authentication, which cannot be
used with oAuth. There are several scenario?s to secure the REST APIs:
? Scenario 1. Let it completely up to the implementation. So each REST
method should:
o Validate oAuth token and throw a 401 if it is invalid
o Invoke UserAdmin.getAuthorization(user).hasRole(role) to verify if the
role is implied by the users authorization context and throw a 401 if this is
not the case
? Scenario 2. Implement a REST call hook that intercepts all REST calls
and verifies authorization against a manageable list of access grants. A gadget
would be available where Roles can be assigned to each REST API (on method
level). Access is only true or false. Note that this scenario still allows the
first scenario for more fine-grained authorization checks.
? Scenario 3. Using declarative security using annotations, in line with
the JAX-RS spec. Where JAX-RS defines for example @RolesAllowed and @PermitAll
annotations, we could add our own annotations which will be quite similar but
map onto UserAdmin instead of roles defined in a web.xml.
? Scenario 4. A mix off the scenario?s 2 and 3 is also possible. For
example using annotations like @GrantRoles which could be associated with
actual roles in a manageable list. Advantage is that role grants are not
declarative anymore; they can be changed at runtime. It allows a mix of using
methods that do not need to be secured (like the @PermitAll annotation in
JAX-RS).
> Add authorisation to REST service for usermanagment
> ---------------------------------------------------
>
> Key: AMDATU-81
> URL: http://jira.amdatu.org/jira/browse/AMDATU-81
> Project: Amdatu
> Issue Type: Improvement
> Components: Amdatu Authentication - oAuth, Amdatu Authorization,
> Amdatu Web - REST
> Affects Versions: 0.0.4
> Reporter: Dion Meijer
> Assignee: Ivo Ladage - van Doorn
> Fix For: 0.1.0
>
>
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
