Hi Pradeep,

Thanks for this contribution. I hope this will provide the basis for others to build the Stratos REST API.

A few questions inline.

On Fri, Oct 4, 2013 at 10:57 PM, Pradeep Fernando <[email protected]> wrote:

> Hi Devs,
>
> I came up with an implementation of the above feature and the patch can be found at [1].
>
> *How it works*
>
> - The web-app to Carbon runtime state exchange happens via OSGi services
> - The JAX-RS application is using Apache CXF as the REST engine
> - Authentication and authorization of incoming requests are handled using two separate JAX-RS providers registered against the service class
> - Authentication/authorization is closely integrated with the underlying Carbon authentication/authorization framework
> - I have defined two new annotation classes to capture method level permission details
>   * @AuthorizationAction("PermissionString") - allows the admin service writer to annotate a certain operation with a permission string. Requests get authorized only if the invoking user has enough permissions

Where are these permissions stored? Can you explain how someone can compile this string?

>   * @SuperTenantService (true|false) - only the super-tenant user can access the service

false implies all the tenants including the super-tenant can access this operation, right? If so, can you please consider renaming this annotation?

> - During the deployment time, the authorization handler gets injected with the service bean. It processes all the authorization related annotations and builds an information model. When a request comes in it verifies the expected permission vs the bearing permission.

Can you please explain how someone can plug in a new authorization handler? What classes to extend, what interfaces to implement etc.?

> *Challenges/Approaches that did not work.*
>
> The CXF project provides an AuthorizationFilter called SimpleAuthorizationFilter [2] for JAAS based request authorization. It uses the @RolesAllowed annotation to identify authorized users. However it does not suit the Carbon authorization system well. Hence I came up with my own annotation types, which closely resemble the params used in existing WS admin services.
>
> *Authentication mechanism is pluggable*
>
> - Right now there is only one authenticator. It uses basic-auth to authenticate incoming requests. It is possible to plug in other kinds of authenticators.
>
> *How to write your new RESTful admin service*
>
> @POST
> @Path("/tenant/create")
> @Consumes("application/json")
> @Produces("application/json")
> @AuthorizationAction("/permission/protected/manage/monitor/tenants")
> @SuperTenantService(true)
> public String addTenant(TenantInfoBean tenantInfoBean) {
>
>     return "success";
> }
>
> *Sample Request from CURL*
>
> curl -X POST -H "Content-Type: application/json" -d '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":"[email protected]","tenantDomain":"frank.com"}}' -v -u admin:admin https://localhost:9443/stratos/admin/tenant/create
>
> *TODO*
>
> This is more of the framework for implementing RESTful admin APIs. I have implemented two operations for the moment. We have to populate the service bean with the rest of the API. It's a matter of porting existing code to the new service bean. What is more important is to carefully design the REST endpoints.
>
> Unlike WS endpoints, we have to be careful with the REST endpoint / where the parameter goes in the endpoint / HTTP method used / etc. I will spawn a separate thread on the topic.
>
> I have applied the patches to the JIRA. Would be great if the code can be committed to the main trunk. :)
>
> [1] https://issues.apache.org/jira/browse/STRATOS-90
> [2] http://cxf.apache.org/docs/secure-jax-rs-services.html
>
> thanks,
> --Pradeep

--
Best Regards,
Nirmal

C.S.Nirmal J. Fernando
Senior Software Engineer, WSO2 Inc.
Blog: http://nirmalfdo.blogspot.com/
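To make the deployment-time / request-time split that Pradeep describes concrete, here is a small self-contained Java sketch of such an authorization handler. It is an added example written for this thread, not code from the STRATOS-90 patch or from Carbon/CXF: the two annotations are stand-in declarations that only mirror the names and parameters in the mail, `TenantAdminService` is a constructed service bean, the permission-string lookup is an in-memory `Set` rather than Carbon's registry-backed permission store, and the super-tenant id value is an assumption. What it shows that the prose does not is the fail-closed choice: a method that carries no `@AuthorizationAction` is denied rather than silently exposed, and the super-tenant check is evaluated before the permission check.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Stand-ins for the two annotations described in the thread (hypothetical, not the Stratos types).
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface AuthorizationAction { String value(); }

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface SuperTenantService { boolean value(); }

// Constructed service bean: only the annotations matter for this example.
class TenantAdminService {
    @AuthorizationAction("/permission/protected/manage/monitor/tenants")
    @SuperTenantService(true)
    public String addTenant(String tenantJson) { return "success"; }

    @AuthorizationAction("/permission/protected/manage/monitor/tenants")
    @SuperTenantService(false)
    public String getTenant(String domain) { return "{}"; }

    // Deliberately unannotated: the handler must refuse it rather than let it through.
    public String unguarded() { return "unguarded"; }
}

public class AuthorizationHandler {
    // Assumed value for the super tenant id; Carbon defines its own constant for this.
    static final int SUPER_TENANT_ID = -1234;

    // What an annotated operation requires of the caller.
    static final class Requirement {
        final String permission;
        final boolean superTenantOnly;
        Requirement(String permission, boolean superTenantOnly) {
            this.permission = permission;
            this.superTenantOnly = superTenantOnly;
        }
    }

    // What the authenticated caller bears: granted permission strings and tenant id.
    static final class Caller {
        final Set<String> permissions;
        final int tenantId;
        Caller(Set<String> permissions, int tenantId) {
            this.permissions = permissions;
            this.tenantId = tenantId;
        }
    }

    // The "information model" built once at deployment time, keyed by method name
    // (a real handler would key by Method to cope with overloads).
    private final Map<String, Requirement> model = new HashMap<>();

    AuthorizationHandler(Class<?> serviceClass) {
        for (Method m : serviceClass.getDeclaredMethods()) {
            AuthorizationAction action = m.getAnnotation(AuthorizationAction.class);
            SuperTenantService superOnly = m.getAnnotation(SuperTenantService.class);
            if (action != null) {
                boolean superTenantOnly = superOnly != null && superOnly.value();
                model.put(m.getName(), new Requirement(action.value(), superTenantOnly));
            }
        }
    }

    // Request time: expected permission vs. the permission the caller bears.
    boolean isAuthorized(String methodName, Caller caller) {
        Requirement r = model.get(methodName);
        if (r == null) {
            return false; // no annotation on the method: fail closed
        }
        if (r.superTenantOnly && caller.tenantId != SUPER_TENANT_ID) {
            return false; // tenant users may not call super-tenant-only operations
        }
        return caller.permissions.contains(r.permission);
    }

    public static void main(String[] args) {
        AuthorizationHandler handler = new AuthorizationHandler(TenantAdminService.class);
        String perm = "/permission/protected/manage/monitor/tenants";
        Caller superAdmin = new Caller(Set.of(perm), SUPER_TENANT_ID);
        Caller tenantAdmin = new Caller(Set.of(perm), 1);
        Caller noPermissions = new Caller(Set.of(), SUPER_TENANT_ID);

        System.out.println("super admin   -> addTenant: " + handler.isAuthorized("addTenant", superAdmin));
        System.out.println("tenant admin  -> addTenant: " + handler.isAuthorized("addTenant", tenantAdmin));
        System.out.println("tenant admin  -> getTenant: " + handler.isAuthorized("getTenant", tenantAdmin));
        System.out.println("no permission -> addTenant: " + handler.isAuthorized("addTenant", noPermissions));
        System.out.println("super admin   -> unguarded: " + handler.isAuthorized("unguarded", superAdmin));
    }
}
```

Run it with `javac AuthorizationHandler.java && java AuthorizationHandler`. Only the super-tenant caller holding the permission string passes `addTenant`; the tenant admin is refused there but accepted on `getTenant`, and the unannotated `unguarded` method is refused for everyone. This last case is the one worth carrying into the real handler: if the model is consulted only when an annotation is present, a forgotten annotation becomes an unauthenticated endpoint, which is exactly the gap Nirmal's question about where permission strings live and how a handler is plugged in should help close.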
