On Mon, Feb 27, 2012 at 1:33 PM, Amila Jayasekara <[email protected]> wrote:
> Hi All,
>
> I have made the following changes so far with regard to this task.
>
> 1. Re-factored backend authenticator code; common code is moved to an abstract implementation.
> 2. Deprecated the existing authenticator API and implemented the code in a backward compatible way, i.e. previous authenticators will work as they did.
> 3. Wrote 2 authenticators:
>    BasicAccessAuthenticator - for basic auth
>    CookieAuthenticator - for authentication with a RememberMe cookie
> 4. Re-factored the FE authenticator framework but could not complete it.
>
> With this change we should be able to access admin services without calling AuthenticationAdmin.
> i.e. from the browser we can directly call a service with basic auth credentials.
>
> E.g :-
> https://10.100.3.161:9443/services/UserAdmin/listUsers?filter=*
>
> Thus we can programmatically call any admin service without calling AuthenticationAdmin.

Great. This will be really useful in the API-Store/Mgt work.

Thanks,
Thilina

> Also, there is a utility method in CarbonUtils to set the authorisation header.
>
> E.g :-
>
>     serverAdminStub = new ServerAdminStub(serviceEPR);
>     ServiceClient client = serverAdminStub._getServiceClient();
>     .....
>     .....
>     CarbonUtils.setBasicAccessSecurityHeaders(userName, password, client);
>
> I tested my changes with AS, IS and a Stratos deployment with AS, IS and manager. Need to test the changes with ESB.
>
> TODO
> - Re-factor FE authenticator framework
> - Testing with ESB
> - Review changes (will schedule a review for this)
>
> By any chance if you encounter any login issues, please shout at me.
>
> Thank you
> Regards,
> AmilaJ
>
> On Thu, Feb 16, 2012 at 1:42 PM, Prabath Siriwardena <[email protected]> wrote:
> > +1 for the approach..
> >
> > 'login' is a permission for the Management Console.. - so I believe BE services shouldn't be coupled with it..
> >
> > If you develop your own clients using the BE services - then you can have your own permissions.... So - we need to treat our FE as one of those clients - who will handle the 'login' permission..
> >
> > Thanks & regards,
> > -Prabath
> >
> > On Wed, Feb 15, 2012 at 10:25 PM, Amila Jayasekara <[email protected]> wrote:
> >> Hi All,
> >>
> >> As I mentioned in the initial mail, we will get rid of the "login" call to AuthenticationAdmin and will authenticate users only through the provided authenticators. During this change I realised that we were authorising users (checking whether users have the login permission) at the same time as we authenticate them. IMO the authentication process should not do any permission checks; rather it should only validate that the user is a legitimate user within the system.
> >>
> >> If we need to authorise users we need to make a separate call (we are yet to identify which component is going to handle authorization). I will be changing the code accordingly.
> >>
> >> If you have any concerns / feedback please let me know.
> >>
> >> Thanks
> >> AmilaJ
> >>
> >> On Wed, Feb 15, 2012 at 8:33 AM, Manjula Rathnayake <[email protected]> wrote:
> >> >
> >> > On Tue, Feb 14, 2012 at 10:14 PM, Sameera Jayasoma <[email protected]> wrote:
> >> >> https://wso2.org/jira/browse/CARBON-12378
> >> >>
> >> >> Thanks,
> >> >> Sameera.
> >> >>
> >> >> On Tue, Feb 14, 2012 at 9:50 PM, Amila Jayasekara <[email protected]> wrote:
> >> >>> On Tue, Feb 14, 2012 at 9:32 PM, Sameera Jayasoma <[email protected]> wrote:
> >> >>> > Hi Amila,
> >> >>> >
> >> >>> > +1 for the proposed changes. Please see my comments below.
> >> >>> >
> >> >>> > On Tue, Feb 14, 2012 at 3:22 PM, Amila Jayasekara <[email protected]> wrote:
> >> >>> >> Hi All,
> >> >>> >>
> >> >>> >> We had a review discussion on Carbon Authenticators and the following are the review notes.
> >> >>> >>
> >> >>> >> 1. There is some common logic that should be implemented in every authenticator. Currently invoking this logic is duplicated among authenticators. So to avoid that we are planning to come up with an abstract Authenticator implementation.
> >> >>> >> 2. As of now AuthenticationHandler first invokes AuthenticationAdmin and then it calls the chain of authenticators. The AuthenticationAdmin call is not necessary. We need to refactor the code in such a way that the authenticator itself will only handle the authenticating logic (rather than within the Handler).
> >> >>> >> 3. Properly implement the authenticator chaining pattern. Make use of the "isHandle", "priority", "isAuthenticated" methods and make only the authenticator aware of the logic.
> >> >>> >> 4. After cleaning up the API, implement a "Basic Auth" authenticator (as the first step).
> >> >>> >
> >> >>> > 5. Clean up the Carbon.UI framework to improve the pluggability of custom authenticators. I recently wrote an authenticator, but I had to hard code some URLs in the CarbonSecurityHttpContext class. Please have a look at the following method in this class.
> >> >>> >
> >> >>> >     private boolean skipSSOSessionInvalidation(String requestedURI) {
> >> >>> >         boolean skipSessionInvalidation = false;
> >> >>> >         if ((requestedURI.indexOf("/samlsso") > -1)
> >> >>> >                 || (requestedURI.indexOf("sso-saml/login.jsp") > -1)
> >> >>> >                 || (requestedURI.indexOf("stratos-sso/login_ajaxprocessor.jsp") > -1)
> >> >>> >                 || (requestedURI.indexOf("sso-saml/redirect_ajaxprocessor.jsp") > -1)
> >> >>> >                 || (requestedURI.indexOf("stratos-sso/redirect_ajaxprocessor.jsp") > -1)
> >> >>> >                 || (requestedURI.indexOf("sso-acs/redirect_ajaxprocessor.jsp") > -1)
> >> >>> >                 || (requestedURI.indexOf("stratos-auth/redirect_ajaxprocessor.jsp") > -1)) {
> >> >>> >             skipSessionInvalidation = true;
> >> >>> >         }
> >> >>> >         return skipSessionInvalidation;
> >> >>> >     }
> >> >>> >
> >> >>> > As a part of this effort, let's refactor this bit of code as well.
> >> >
> >> > I have looked into this already. I will come up with a set of handler implementations (same as axis2 handlers) to clean up that lengthy method. We will discuss once I am done with the code.
> >> >
> >> > Thank you.
> >> >>>
> >> >>> +1. Will take the above into consideration as well. If possible please create a Carbon Jira and assign it to me.
> >> >>>
> >> >>> Thanks
> >> >>> AmilaJ
> >> >>>
> >> >>> > Thanks,
> >> >>> > Sameera.
> >> >>> >
> >> >>> >> Thanks
> >> >>> >> AmilaJ
> >> >>> >>
> >> >>> >> --
> >> >>> >> Mobile : +94773330538
> >> >>> >>
> >> >>> >> _______________________________________________
> >> >>> >> Carbon-dev mailing list
> >> >>> >> [email protected]
> >> >>> >> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
> >> >>> >
> >> >>> > --
> >> >>> > Sameera Jayasoma
> >> >>> > Technical Lead and Product Manager, WSO2 Carbon
> >> >>> >
> >> >>> > WSO2, Inc. (http://wso2.com)
> >> >>> > email: [email protected]
> >> >>> > blog: http://tech.jayasoma.org
> >> >>> >
> >> >>> > Lean . Enterprise . Middleware
> >> >
> >> > --
> >> > Manjula Rathnayaka
> >> > Software Engineer
> >> > WSO2, Inc.
> >> > Mobile:+94 77 743 1987
> >
> > --
> > Thanks & Regards,
> > Prabath
> >
> > Mobile : +94 71 809 6732
> >
> > http://blog.facilelogin.com
> > http://RampartFAQ.com
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
Thilina Buddhika
Associate Technical Lead
WSO2 Inc. ; http://wso2.com
lean . enterprise . middleware

phone : +94 77 44 88 727
blog : http://blog.thilinamb.com
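The authenticator chaining pattern discussed in the thread (shared logic in an abstract base, dispatch by "isHandle" and "priority", a Basic Auth authenticator, and the 'login' permission checked by the FE client as a separate step after authentication), sketched as an added example. This is illustrative code written for this page, not Carbon's own code: the Authenticator interface, AbstractAuthenticator, AuthenticationHandler, and the sample credentials and permission set are all assumed.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;

// Hypothetical sketch of the pattern in the review notes; names and signatures are not Carbon's real API.
interface Authenticator {
    boolean isHandle(Map<String, String> headers);    // can this authenticator handle the request?
    int priority();                                   // higher value is consulted first in the chain
    String authenticate(Map<String, String> headers); // user name on success, null on failure
}
// Shared credential check lives once here instead of being duplicated in every authenticator.
abstract class AbstractAuthenticator implements Authenticator {
    private final Map<String, String> userStore;      // constructed sample credentials: user -> password
    AbstractAuthenticator(Map<String, String> userStore) { this.userStore = userStore; }
    protected boolean isValid(String user, String password) {
        return user != null && password != null && password.equals(userStore.get(user));
    }
}
class BasicAccessAuthenticator extends AbstractAuthenticator {
    BasicAccessAuthenticator(Map<String, String> store) { super(store); }
    public int priority() { return 10; }
    public boolean isHandle(Map<String, String> h) { String a = h.get("Authorization"); return a != null && a.startsWith("Basic "); }
    public String authenticate(Map<String, String> h) {
        try {
            byte[] raw = Base64.getDecoder().decode(h.get("Authorization").substring(6));
            String[] cred = new String(raw, StandardCharsets.UTF_8).split(":", 2);
            return cred.length == 2 && isValid(cred[0], cred[1]) ? cred[0] : null;
        } catch (IllegalArgumentException e) {
            return null;                              // malformed Base64 is a failed login, not a crash
        }
    }
}
// The handler only dispatches by priority; it calls neither AuthenticationAdmin nor any permission check.
class AuthenticationHandler {
    private final List<Authenticator> chain = new ArrayList<>();
    AuthenticationHandler(List<? extends Authenticator> authenticators) { chain.addAll(authenticators); chain.sort((x, y) -> Integer.compare(y.priority(), x.priority())); }
    String authenticate(Map<String, String> headers) {
        for (Authenticator a : chain) if (a.isHandle(headers)) return a.authenticate(headers);
        return null;                                  // no authenticator claimed the request
    }
}

public class Demo {
    public static void main(String[] args) {
        AuthenticationHandler be = new AuthenticationHandler(List.of(new BasicAccessAuthenticator(Map.of("admin", "admin"))));
        String token = Base64.getEncoder().encodeToString("admin:admin".getBytes(StandardCharsets.UTF_8));
        String user = be.authenticate(Map.of("Authorization", "Basic " + token));   // BE side: authentication only
        boolean console = user != null && Set.of("admin").contains(user);            // FE side: separate 'login' permission check (constructed set)
        System.out.println(user + " console=" + console);
    }
}
```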
