Hi Chanaka, Please find my comments inline
Sohani Weerasinghe Software Engineer WSO2, Inc: http://wso2.com Mobile : +94 716439774 Blog :http://christinetechtips.blogspot.com/ Twitter : https://twitter.com/sohanichristine On Thu, Mar 26, 2015 at 2:18 PM, Chanaka Fernando <chana...@wso2.com> wrote: > Hi Godwin, > > Please see my comments inline. > > AFAIK, in old model (file base persistence) roles are not persisting in > meta file and it use AuthorizationManager (JDBCAuthorizationManager) for > persistence, We use same model for current implementation as well and roles > are not persisting in registry. > > The problem with that approach is we need to include this information > within the CAR file. Otherwise, it is not self contained. We need to have > this user role information within the CAR file. > > @Sohani: If we can make sure all the security related scenarios (which > requires user related information) are working properly with the <parameter > name="allowRoles">admin</parameter>, then we can use this parameter instead > of a separate registry resource. > When considering the security perspective isn't it better to specify user roles information as a registry resource rather than use as a parameter? WDYT? > > Thanks, > Chanaka > > > On Wed, Mar 25, 2015 at 11:46 PM, Godwin Amila Shrimal <god...@wso2.com> > wrote: > >> Hi Sohani, >> >> AFAIK, in old model (file base persistence) roles are not persisting in >> meta file and it use AuthorizationManager (JDBCAuthorizationManager) for >> persistence, We use same model for current implementation as well and roles >> are not persisting in registry. >> >> >> Thanks >> Godwin >> >> >> On Wed, Mar 25, 2015 at 11:23 AM, Sohani Weerasinghe <soh...@wso2.com> >> wrote: >> >>> Hi Chanaka/Godwin, >>> >>> In order to further implement this feature I really appreciate your >>> input on the below concerns. >>> >>> 1. When considering the security perspective, it seems we have two >>> options to specify user roles config either as a registry resource or using >>> the parameter 'allowRoles' in the proxy configuration. IMO implement it as >>> a registry resource would be better when considering the security >>> perspective. WDYT? >>> >>> Also, if we are to implement it as a registry resource then the content >>> of the resource will be <parameter name="allowRoles">admin</parameter>. >>> >>> @Chanaka: Can we have a parameter in the proxy config to define the >>> registry resource for the user roles as we define the security policy >>> (eg: <policy key="conf:repository/policy.xml"/> ) ? >>> >>> @Godwin : If user roles is going to be implemented as a registry >>> resource, will there be a predefined registry location to save it ? If so >>> can you please state it? >>> >>> Really appreciate your response on this. >>> >>> Thanks, >>> Sohani >>> >>> >>> >>> Sohani Weerasinghe >>> Software Engineer >>> WSO2, Inc: http://wso2.com >>> >>> Mobile : +94 716439774 >>> Blog :http://christinetechtips.blogspot.com/ >>> Twitter : https://twitter.com/sohanichristine >>> >>> On Tue, Mar 24, 2015 at 3:52 PM, Sohani Weerasinghe <soh...@wso2.com> >>> wrote: >>> >>>> Hi Chanaka/Godwin, >>>> >>>> Can you please provide an input on the below concerns to further carry >>>> out the implementation from DevS side. >>>> >>>> 1.When considering the usability aspect, I think it's better if we can >>>> create a registry resource for user roles at the time of creating the >>>> policy using the Security Editor Form by getting the User Roles values from >>>> the user rather than asking user to create a new registry resource for User >>>> Roles. >>>> >>>> @Godwin: can you please state the required registry path to deploy the >>>> User Roles configs? >>>> >>>> 2. If the User Roles config saves as a registry resource, how this can >>>> be utilize by the proxy service? Will there be a property in the proxy >>>> service so that we can point the User Role config as pointing the policy >>>> file. >>>> >>>> 3. If we are deploying the policy and User Role configs via CAPP, in a >>>> case where multiple policy files deploying in the same registry location, >>>> in order to match the User Role config with the relevant policy file, how >>>> can we identify the matching User Role config and the policy? Can we have >>>> the same resource name for the policy and the User Role configs? >>>> >>>> @Chanaka: can you please confirm points 2 and 3? >>>> >>>> Thanks, >>>> Sohani >>>> >>>> Sohani Weerasinghe >>>> Software Engineer >>>> WSO2, Inc: http://wso2.com >>>> >>>> Mobile : +94 716439774 >>>> Blog :http://christinetechtips.blogspot.com/ >>>> Twitter : https://twitter.com/sohanichristine >>>> >>>> On Tue, Mar 24, 2015 at 3:42 PM, Chanaka Fernando <chana...@wso2.com> >>>> wrote: >>>> >>>>> Hi Godwin, >>>>> >>>>> That would be good. >>>>> >>>>> Thanks, >>>>> Chanaka >>>>> >>>>> On Tue, Mar 24, 2015 at 3:40 PM, Godwin Amila Shrimal <god...@wso2.com >>>>> > wrote: >>>>> >>>>>> Hi Chanaka, >>>>>> >>>>>> It'll finish within this week. >>>>>> >>>>>> >>>>>> Thanks >>>>>> Godwin >>>>>> >>>>>> >>>>>> On Tue, Mar 24, 2015 at 3:35 PM, Chanaka Fernando <chana...@wso2.com> >>>>>> wrote: >>>>>> >>>>>>> Hi Godwin, >>>>>>> >>>>>>> When will you finish the offsite dev service? >>>>>>> >>>>>>> Thanks, >>>>>>> Chanaka >>>>>>> >>>>>>> On Tue, Mar 24, 2015 at 3:30 PM, Godwin Amila Shrimal < >>>>>>> god...@wso2.com> wrote: >>>>>>> >>>>>>>> Hi Chanaka, >>>>>>>> >>>>>>>> We have basically completed the registry base implementation in >>>>>>>> security mgt component and need to do code refactoring and more >>>>>>>> testing. I >>>>>>>> tested basic scenarios with STS-service and it worked ok. Currently I >>>>>>>> am in >>>>>>>> an offsite DevService and planning to do remaining refactoring and >>>>>>>> testing >>>>>>>> after this. >>>>>>>> >>>>>>>> >>>>>>>> Thanks >>>>>>>> Godwin >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Tue, Mar 24, 2015 at 2:00 PM, Chanaka Fernando < >>>>>>>> chana...@wso2.com> wrote: >>>>>>>> >>>>>>>>> Hi All, >>>>>>>>> >>>>>>>>> I am writing this mail to take the discussions related to $subject >>>>>>>>> in to a single place. With the ESB 4.9.0 release, we are removing the >>>>>>>>> UI >>>>>>>>> capability of applying security policies from the management console. >>>>>>>>> Going >>>>>>>>> forward, users can only apply security policies to ESB proxy services >>>>>>>>> using >>>>>>>>> developer studio. Even though this functionality is already available >>>>>>>>> in >>>>>>>>> the Developer Studio, it has some edge cases when we use that >>>>>>>>> approach. One >>>>>>>>> such limitation is that there is no place to select the users/roles >>>>>>>>> in the >>>>>>>>> developer studio when applying the security policy. Currently, this >>>>>>>>> information is stored in meta files and with the 4.9.0 version, >>>>>>>>> service >>>>>>>>> meta files are removed. Plan is to store this information in registry >>>>>>>>> and >>>>>>>>> access from their. From the Developer Studio also, it will create the >>>>>>>>> registry file when applying security policies. >>>>>>>>> >>>>>>>>> This would be a necessary feature for ESB 4.9.0 release since this >>>>>>>>> will effect the entire security applying process going forward. >>>>>>>>> >>>>>>>>> @Godwin: Please add if I have missed anything and give us some >>>>>>>>> update on the status from the security side. >>>>>>>>> >>>>>>>>> @Sohani/DevS team: Please give us some update on this >>>>>>>>> implementation. >>>>>>>>> >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> Chanaka >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> -- >>>>>>>>> Chanaka Fernando >>>>>>>>> Technical Lead >>>>>>>>> WSO2, Inc.; http://wso2.com >>>>>>>>> lean.enterprise.middleware >>>>>>>>> >>>>>>>>> mobile: +94 773337238 >>>>>>>>> Blog : http://soatutorials.blogspot.com >>>>>>>>> LinkedIn:http://www.linkedin.com/pub/chanaka-fernando/19/a20/5b0 >>>>>>>>> Twitter:https://twitter.com/chanakaudaya >>>>>>>>> Wordpress:http://chanakaudaya.wordpress.com >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> *Godwin Amila Shrimal* >>>>>>>> Senior Software Engineer >>>>>>>> WSO2 Inc.; http://wso2.com >>>>>>>> lean.enterprise.middleware >>>>>>>> >>>>>>>> mobile: *+94772264165* >>>>>>>> linkedin: *http://lnkd.in/KUum6D <http://lnkd.in/KUum6D>* >>>>>>>> twitter: https://twitter.com/godwinamila >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> -- >>>>>>> Chanaka Fernando >>>>>>> Technical Lead >>>>>>> WSO2, Inc.; http://wso2.com >>>>>>> lean.enterprise.middleware >>>>>>> >>>>>>> mobile: +94 773337238 >>>>>>> Blog : http://soatutorials.blogspot.com >>>>>>> LinkedIn:http://www.linkedin.com/pub/chanaka-fernando/19/a20/5b0 >>>>>>> Twitter:https://twitter.com/chanakaudaya >>>>>>> Wordpress:http://chanakaudaya.wordpress.com >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> *Godwin Amila Shrimal* >>>>>> Senior Software Engineer >>>>>> WSO2 Inc.; http://wso2.com >>>>>> lean.enterprise.middleware >>>>>> >>>>>> mobile: *+94772264165* >>>>>> linkedin: *http://lnkd.in/KUum6D <http://lnkd.in/KUum6D>* >>>>>> twitter: https://twitter.com/godwinamila >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> -- >>>>> Chanaka Fernando >>>>> Technical Lead >>>>> WSO2, Inc.; http://wso2.com >>>>> lean.enterprise.middleware >>>>> >>>>> mobile: +94 773337238 >>>>> Blog : http://soatutorials.blogspot.com >>>>> LinkedIn:http://www.linkedin.com/pub/chanaka-fernando/19/a20/5b0 >>>>> Twitter:https://twitter.com/chanakaudaya >>>>> Wordpress:http://chanakaudaya.wordpress.com >>>>> >>>>> >>>>> >>>>> >>>> >>> >> >> >> -- >> *Godwin Amila Shrimal* >> Senior Software Engineer >> WSO2 Inc.; http://wso2.com >> lean.enterprise.middleware >> >> mobile: *+94772264165* >> linkedin: *http://lnkd.in/KUum6D <http://lnkd.in/KUum6D>* >> twitter: https://twitter.com/godwinamila >> > > > > -- > -- > Chanaka Fernando > Technical Lead > WSO2, Inc.; http://wso2.com > lean.enterprise.middleware > > mobile: +94 773337238 > Blog : http://soatutorials.blogspot.com > LinkedIn:http://www.linkedin.com/pub/chanaka-fernando/19/a20/5b0 > Twitter:https://twitter.com/chanakaudaya > Wordpress:http://chanakaudaya.wordpress.com > > > >
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
