On Tue, Apr 25, 2017 at 2:52 PM, Harsha Thirimanna <hars...@wso2.com> wrote:
> > On Tue, Apr 25, 2017 at 2:00 PM, Asela Pathberiya <as...@wso2.com> wrote: > >> >> >> On Tue, Apr 25, 2017 at 12:44 PM, Harsha Thirimanna <hars...@wso2.com> >> wrote: >> >>> >>> On Tue, Apr 25, 2017 at 12:38 PM, Nuwan Dias <nuw...@wso2.com> wrote: >>> >>>> Hi Gayan, >>>> >>>> What are you trying to achieve by moving the client-secret validation >>>> logic to the interceptor from the jax-rs layer? >>>> >>> >>> Actually, we have separate layer to pass the secured API in IS and it >>> is common service that can be used for any product. AppManager also using >>> that. >>> In here also Gayan is trying to get the security check into that common >>> layer instead of allowing to go into the next level to validate headers. >>> >> >> Are we going to use common basic authentication handler ? >> > > This feature is already done in IS 5.3.0 as a common point to handle > authentication and authorization per resources as in [1]. > > [1] http://harshathirimanna.blogspot.com/2016/11/ > authentication-authorization-common.html > >> >> BTW; Client credentials can be received as url param.. Are we >> validating them in here ? If it is not; Why are we introducing two >> validation points for same ? >> >> If we have our own way to pass authentication details, then we have to > write an authentication handler to that and register. > This is according to the OAuth2 spec... It meant that we need another handler implementation to do it or can we use existing authentication handler ? > > > >> Actually I do not see much use of changing the current validation model. >> > This is for all the APIs in IS to handle authentication/authorization in > common way and decouple it with implementation of each. > > > >> >> Thanks, >> Asela. >> >> >>> >>> >>> >>>> Since both run on the same JVM, doesn't the overhead of the process >>>> remain the same, irrespective of where it runs? >>>> >>>> Thanks, >>>> NuwanD. >>>> >>>> On Tue, Apr 25, 2017 at 12:27 PM, Gayan Gunawardana <ga...@wso2.com> >>>> wrote: >>>> >>>>> Hi All, >>>>> >>>>> In Oauth /token endpoint and /revoke endpoint >>>>> >>>>> https://localhost:9443/oauth2/token >>>>> https://localhost:9443/oauth2/revoke >>>>> >>>>> required authorization with client key, client secret in basic auth >>>>> headers. Currently in implementation we validate those headers after >>>>> serving request to JAX-RS endpoints. Basically /token, /revoke endpoints >>>>> are unsecured. There is significant amount of processing happen even for >>>>> wrong client secret. >>>>> >>>>> Since we have REST API interceptor layer In IS 5.3.0 can we use it >>>>> to validate client credentials ? We may need to plug an additional >>>>> authenticator to validate client key, client secret in basic auth headers. >>>>> This authenticator may conflict with basic authenticator because both >>>>> authenticators validate basic auth credentials different way. There are >>>>> two >>>>> approaches to avoid the conflict. >>>>> >>>>> *#option 01 * >>>>> Increase the priority of newly added authenticator and check the >>>>> context inside authenticator canHandle. >>>>> >>>>> *#option 01 * >>>>> Increase the priority of newly added authenticator and check existence >>>>> of oauth application from client key. >>>>> >>>>> WDYT? >>>>> >>>>> -- >>>>> Gayan Gunawardana >>>>> Software Engineer; WSO2 Inc.; http://wso2.com/ >>>>> Email: ga...@wso2.com >>>>> Mobile: +94 (71) 8020933 >>>>> >>>>> _______________________________________________ >>>>> Architecture mailing list >>>>> Architecture@wso2.org >>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>> >>>>> >>>> >>>> >>>> -- >>>> Nuwan Dias >>>> >>>> Software Architect - WSO2, Inc. http://wso2.com >>>> email : nuw...@wso2.com >>>> Phone : +94 777 775 729 <+94%2077%20777%205729> >>>> >>> >>> >>> _______________________________________________ >>> Architecture mailing list >>> Architecture@wso2.org >>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>> >>> >> >> >> -- >> Thanks & Regards, >> Asela >> >> ATL >> Mobile : +94 777 625 933 <+94%2077%20762%205933> >> +358 449 228 979 >> >> http://soasecurity.org/ >> http://xacmlinfo.org/ >> >> _______________________________________________ >> Architecture mailing list >> Architecture@wso2.org >> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >> >> > > _______________________________________________ > Architecture mailing list > Architecture@wso2.org > https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture > > -- Thanks & Regards, Asela ATL Mobile : +94 777 625 933 +358 449 228 979 http://soasecurity.org/ http://xacmlinfo.org/
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture