For delegated API authorization, we support OAuth.  (Allowing a 3rd party
to access a user's data on their behalf).

Matthew


From: "Ciancetta, Jesse E." <jc...@mitre.org>
To: "dev@shindig.apache.org" <dev@shindig.apache.org>
Date: 12/16/2011 08:17 AM
Subject: RE: Authorization for REST API

>-----Original Message-----
>From: Ronny Roeller [mailto:rroel...@gmail.com]
>Sent: Thursday, December 15, 2011 6:04 PM
>To: dev@shindig.apache.org
>Subject: Authorization for REST API
>
>Hi,
>
>I want to add fine-granular authorization for calls to the REST API. For
>example: a) users can read all fields of their own profile but only a
>subset of fields in other profiles, or b) only administrators are allowed
>to create new groups, etc.
>
>I thought of setting up Shiro after the AuthenticationServletFilter found a
>SecurityToken, and then to verify the permissions in my PersonService
>class. Does that make sense? What would be the proper way of authorizing
>REST requests in Shindig?

Makes sense to me.  That sounds pretty similar to what we've done with our
Shindig SPI implementations in Apache Rave except we're not using Shiro for
any of it.  In our case we're pulling all the context we need about the
request (owner/viewer/application/...) from the security token and making
our authorization decisions based on that.  You can have a look at our
appdata implementation to see what we're doing if you think it might help:

http://svn.apache.org/repos/asf/incubator/rave/trunk/rave-shindig/src/main/java/org/apache/rave/opensocial/service/impl/DefaultAppDataService.java


>
>Many thanks,
>Ronny
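The approach Jesse describes, making the decision inside the SPI from the viewer/owner context carried by the security token, as an added self-contained example that is not Rave's or Shindig's own code. The `RequestContext` class is a hypothetical stand-in for the ids a Shindig `SecurityToken` provides (viewer, owner, app), and the profile data and field lists are constructed for the example. It covers both of Ronny's cases: a viewer reads all fields of their own profile but only an allow-listed subset of other profiles, and only administrators may create groups.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Hypothetical model of token-based authorization for a PersonService-style
 * call. Not Shindig or Rave code: the context class and in-memory data are
 * stand-ins so the example compiles without Shindig on the classpath.
 */
public class TokenAuthzExample {

    /** Stand-in for the viewer/owner/app context a Shindig SecurityToken carries. */
    public static final class RequestContext {
        final String viewerId;
        final String ownerId;
        final String appId;
        final boolean viewerIsAdmin;   // assumed to come from the container's own role store

        public RequestContext(String viewerId, String ownerId, String appId, boolean viewerIsAdmin) {
            this.viewerId = viewerId;
            this.ownerId = ownerId;
            this.appId = appId;
            this.viewerIsAdmin = viewerIsAdmin;
        }
    }

    /** Allow-list of fields any authenticated viewer may read on any profile (constructed). */
    static final Set<String> PUBLIC_FIELDS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("id", "displayName", "thumbnailUrl")));

    /**
     * Returns the subset of {@code requested} fields the viewer in {@code ctx} may read on
     * {@code targetUserId}'s profile: everything on their own profile, public fields otherwise.
     * Fields not on the allow-list are dropped, so a newly added private field is hidden by default.
     */
    public static Set<String> allowedFields(RequestContext ctx, String targetUserId, Set<String> requested) {
        boolean isSelf = ctx.viewerId != null && ctx.viewerId.equals(targetUserId);
        Set<String> result = new TreeSet<>();
        for (String field : requested) {
            if (isSelf || PUBLIC_FIELDS.contains(field)) {
                result.add(field);
            }
        }
        return Collections.unmodifiableSet(result);
    }

    /** Filters a profile map down to the entries the viewer is permitted to see. */
    public static Map<String, String> filterProfile(RequestContext ctx, String targetUserId,
                                                    Map<String, String> profile) {
        Set<String> allowed = allowedFields(ctx, targetUserId, profile.keySet());
        Map<String, String> visible = new LinkedHashMap<>();
        for (Map.Entry<String, String> entry : profile.entrySet()) {
            if (allowed.contains(entry.getKey())) {
                visible.put(entry.getKey(), entry.getValue());
            }
        }
        return visible;
    }

    /** Group creation is admin-only; the denial is an exception, not a silent no-op. */
    public static void createGroup(RequestContext ctx, String groupName) {
        if (!ctx.viewerIsAdmin) {
            throw new SecurityException("viewer " + ctx.viewerId + " may not create group " + groupName);
        }
        // persist the group here in a real implementation
    }

    public static void main(String[] args) {
        // Constructed sample profile, not real data.
        Map<String, String> alice = new LinkedHashMap<>();
        alice.put("id", "alice");
        alice.put("displayName", "Alice");
        alice.put("emails", "alice@example.invalid");
        alice.put("birthday", "1990-01-01");

        RequestContext aliceViewsSelf = new RequestContext("alice", "alice", "app-1", false);
        RequestContext bobViewsAlice = new RequestContext("bob", "alice", "app-1", false);
        RequestContext adminViews = new RequestContext("carol", "alice", "app-1", true);

        System.out.println("alice sees: " + filterProfile(aliceViewsSelf, "alice", alice).keySet());
        System.out.println("bob sees:   " + filterProfile(bobViewsAlice, "alice", alice).keySet());

        try {
            createGroup(bobViewsAlice, "team");
        } catch (SecurityException denied) {
            System.out.println("denied: " + denied.getMessage());
        }
        createGroup(adminViews, "team");
        System.out.println("admin created group");
    }
}
```

The decision is driven only by ids taken from the validated token, never by a user id or role supplied as a request parameter, which is what makes the check in the SPI meaningful; a Shiro layer inserted after the AuthenticationServletFilter would fit in the same place and consult the same token-derived context.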