Currently we send the gatewayId for the API method as a parameter. This is not sent to all API methods but only for the required ones such as createExperiment. But for other methods like getExperiment we don't require it, only the experimentId. So users can access other gateways' experiments if they know the experimentId.

The idea is to make gatewayId a mandatory field in SecurityToken and validate it at the API security manager.

On Sun, Dec 13, 2015 at 12:23 PM, Amila Jayasekara <thejaka.am...@gmail.com> wrote:

> On Fri, Dec 11, 2015 at 10:17 PM, Supun Nakandala <supun.nakand...@gmail.com> wrote:
>
>> Hi devs,
>>
>> Currently in the Airavata API we use the gatewayId only for some API
>> methods like createExperiment, registerApplication etc. I would like to
>> suggest that we move this field to SecurityToken and make it mandatory for
>> all API methods. For API methods which require the gatewayId we can read
>> it from there.
>
> So, currently how do other methods figure out on which gateway id the
> operation should be performed?
>
> -Thejaka
>
>> By making gatewayId a mandatory field in SecurityToken, in the API it is
>> easy to implement access control to the API in a multi tenanted scenario.
>>
>> Any Concerns?
>>
>> Thanks
>> Supun

--
Thank you
Supun Nakandala
Dept. Computer Science and Engineering
University of Moratuwa
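
The proposal in this thread, sketched as an added example that is not part of the original messages or of Airavata's code: a lookup keyed on experimentId alone, next to one scoped by a mandatory gatewayId carried in the token. The class names (SecurityToken, Experiment, ApiSecurityManager), method names and sample ids are hypothetical stand-ins.

```java
import java.util.Map;

// Added illustration; all types here are hypothetical stand-ins, not Airavata classes.
public class GatewayScopeDemo {
    record SecurityToken(String accessToken, String gatewayId) {
        SecurityToken {
            // gatewayId is mandatory: a token without it is rejected at construction.
            if (gatewayId == null || gatewayId.isBlank())
                throw new IllegalArgumentException("gatewayId is required");
        }
    }
    record Experiment(String experimentId, String gatewayId) {}

    static class ApiSecurityManager {
        // Single place where every API method checks tenant ownership.
        static boolean sameGateway(SecurityToken token, Experiment e) {
            return e != null && token.gatewayId().equals(e.gatewayId());
        }
    }

    // Constructed sample data: two experiments owned by different gateways.
    static final Map<String, Experiment> STORE = Map.of(
        "exp-1", new Experiment("exp-1", "gateway-a"),
        "exp-2", new Experiment("exp-2", "gateway-b"));

    // Before: only the experimentId is required, so knowing the id is enough.
    static Experiment getExperimentUnscoped(String experimentId) {
        return STORE.get(experimentId);
    }

    // After: the gateway comes from the token, never from a caller-supplied parameter.
    // Missing and foreign experiments fail identically, so ids cannot be probed.
    static Experiment getExperiment(SecurityToken token, String experimentId) {
        Experiment e = STORE.get(experimentId);
        if (!ApiSecurityManager.sameGateway(token, e))
            throw new SecurityException("experiment not found in this gateway");
        return e;
    }

    public static void main(String[] args) {
        SecurityToken tokenA = new SecurityToken("constructed-token", "gateway-a");
        // Unscoped lookup hands gateway-b's experiment to a gateway-a caller.
        System.out.println("unscoped: " + getExperimentUnscoped("exp-2").gatewayId());
        System.out.println("scoped own: " + getExperiment(tokenA, "exp-1").experimentId());
        try {
            getExperiment(tokenA, "exp-2");
        } catch (SecurityException ex) {
            System.out.println("scoped foreign: denied (" + ex.getMessage() + ")");
        }
    }
}
```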