Hi Sohani,

What is the additional security you get from having that parameter in registry?

Thanks,
Chanaka

On Thu, Mar 26, 2015 at 2:55 PM, Sohani Weerasinghe <soh...@wso2.com> wrote:

> Hi Chanaka,
>
> Please find my comments inline
>
> Sohani Weerasinghe
> Software Engineer
> WSO2, Inc: http://wso2.com
>
> Mobile : +94 716439774
> Blog : http://christinetechtips.blogspot.com/
> Twitter : https://twitter.com/sohanichristine
>
> On Thu, Mar 26, 2015 at 2:18 PM, Chanaka Fernando <chana...@wso2.com> wrote:
>
>> Hi Godwin,
>>
>> Please see my comments inline.
>>
>> AFAIK, in old model (file-based persistence) roles are not persisting in
>> meta file and it uses AuthorizationManager (JDBCAuthorizationManager) for
>> persistence. We use same model for current implementation as well and roles
>> are not persisting in registry.
>>
>> The problem with that approach is we need to include this information
>> within the CAR file. Otherwise, it is not self-contained. We need to have
>> this user role information within the CAR file.
>>
>> @Sohani: If we can make sure all the security related scenarios (which
>> requires user related information) are working properly with the
>> <parameter name="allowRoles">admin</parameter>, then we can use this
>> parameter instead of a separate registry resource.
>>
>
> When considering the security perspective isn't it better to specify user
> roles information as a registry resource rather than use as a parameter?
> WDYT?
>
>>
>> Thanks,
>> Chanaka
>>
>> On Wed, Mar 25, 2015 at 11:46 PM, Godwin Amila Shrimal <god...@wso2.com> wrote:
>>
>>> Hi Sohani,
>>>
>>> AFAIK, in old model (file-based persistence) roles are not persisting in
>>> meta file and it uses AuthorizationManager (JDBCAuthorizationManager) for
>>> persistence. We use same model for current implementation as well and roles
>>> are not persisting in registry.
>>>
>>> Thanks
>>> Godwin
>>>
>>> On Wed, Mar 25, 2015 at 11:23 AM, Sohani Weerasinghe <soh...@wso2.com> wrote:
>>>
>>>> Hi Chanaka/Godwin,
>>>>
>>>> In order to further implement this feature I really appreciate your
>>>> input on the below concerns.
>>>>
>>>> 1. When considering the security perspective, it seems we have two
>>>> options to specify user roles config either as a registry resource or using
>>>> the parameter 'allowRoles' in the proxy configuration. IMO implementing it as
>>>> a registry resource would be better when considering the security
>>>> perspective. WDYT?
>>>>
>>>> Also, if we are to implement it as a registry resource then the content
>>>> of the resource will be <parameter name="allowRoles">admin</parameter>.
>>>>
>>>> @Chanaka: Can we have a parameter in the proxy config to define the
>>>> registry resource for the user roles as we define the security policy
>>>> (eg: <policy key="conf:repository/policy.xml"/>)?
>>>>
>>>> @Godwin: If user roles is going to be implemented as a registry
>>>> resource, will there be a predefined registry location to save it? If so
>>>> can you please state it?
>>>>
>>>> Really appreciate your response on this.
>>>>
>>>> Thanks,
>>>> Sohani
>>>>
>>>> On Tue, Mar 24, 2015 at 3:52 PM, Sohani Weerasinghe <soh...@wso2.com> wrote:
>>>>
>>>>> Hi Chanaka/Godwin,
>>>>>
>>>>> Can you please provide an input on the below concerns to further carry
>>>>> out the implementation from DevS side.
>>>>>
>>>>> 1. When considering the usability aspect, I think it's better if we can
>>>>> create a registry resource for user roles at the time of creating the
>>>>> policy using the Security Editor Form by getting the User Roles values
>>>>> from the user rather than asking user to create a new registry resource
>>>>> for User Roles.
>>>>>
>>>>> @Godwin: can you please state the required registry path to deploy the
>>>>> User Roles configs?
>>>>>
>>>>> 2. If the User Roles config is saved as a registry resource, how can this
>>>>> be utilized by the proxy service? Will there be a property in the proxy
>>>>> service so that we can point the User Role config as pointing the policy
>>>>> file?
>>>>>
>>>>> 3. If we are deploying the policy and User Role configs via CAPP, in a
>>>>> case where multiple policy files are deployed in the same registry location,
>>>>> in order to match the User Role config with the relevant policy file, how
>>>>> can we identify the matching User Role config and the policy? Can we have
>>>>> the same resource name for the policy and the User Role configs?
>>>>>
>>>>> @Chanaka: can you please confirm points 2 and 3?
>>>>>
>>>>> Thanks,
>>>>> Sohani
>>>>>
>>>>> On Tue, Mar 24, 2015 at 3:42 PM, Chanaka Fernando <chana...@wso2.com> wrote:
>>>>>
>>>>>> Hi Godwin,
>>>>>>
>>>>>> That would be good.
>>>>>>
>>>>>> Thanks,
>>>>>> Chanaka
>>>>>>
>>>>>> On Tue, Mar 24, 2015 at 3:40 PM, Godwin Amila Shrimal <god...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi Chanaka,
>>>>>>>
>>>>>>> It'll finish within this week.
>>>>>>>
>>>>>>> Thanks
>>>>>>> Godwin
>>>>>>>
>>>>>>> On Tue, Mar 24, 2015 at 3:35 PM, Chanaka Fernando <chana...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi Godwin,
>>>>>>>>
>>>>>>>> When will you finish the offsite dev service?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Chanaka
>>>>>>>>
>>>>>>>> On Tue, Mar 24, 2015 at 3:30 PM, Godwin Amila Shrimal <god...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Chanaka,
>>>>>>>>>
>>>>>>>>> We have basically completed the registry-based implementation in
>>>>>>>>> security mgt component and need to do code refactoring and more
>>>>>>>>> testing. I tested basic scenarios with STS-service and it worked ok.
>>>>>>>>> Currently I am in an offsite DevService and planning to do remaining
>>>>>>>>> refactoring and testing after this.
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> Godwin
>>>>>>>>>
>>>>>>>>> On Tue, Mar 24, 2015 at 2:00 PM, Chanaka Fernando <chana...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi All,
>>>>>>>>>>
>>>>>>>>>> I am writing this mail to take the discussions related to
>>>>>>>>>> $subject into a single place. With the ESB 4.9.0 release, we are
>>>>>>>>>> removing the UI capability of applying security policies from the
>>>>>>>>>> management console. Going forward, users can only apply security
>>>>>>>>>> policies to ESB proxy services using developer studio. Even though
>>>>>>>>>> this functionality is already available in the Developer Studio, it
>>>>>>>>>> has some edge cases when we use that approach. One such limitation
>>>>>>>>>> is that there is no place to select the users/roles in the developer
>>>>>>>>>> studio when applying the security policy. Currently, this
>>>>>>>>>> information is stored in meta files and with the 4.9.0 version,
>>>>>>>>>> service meta files are removed. Plan is to store this information
>>>>>>>>>> in registry and access from there.
>>>>>>>>>> From the Developer Studio also, it will create the registry file
>>>>>>>>>> when applying security policies.
>>>>>>>>>>
>>>>>>>>>> This would be a necessary feature for ESB 4.9.0 release since
>>>>>>>>>> this will affect the entire security applying process going forward.
>>>>>>>>>>
>>>>>>>>>> @Godwin: Please add if I have missed anything and give us some
>>>>>>>>>> update on the status from the security side.
>>>>>>>>>>
>>>>>>>>>> @Sohani/DevS team: Please give us some update on this
>>>>>>>>>> implementation.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Chanaka
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Chanaka Fernando
>>>>>>>>>> Technical Lead
>>>>>>>>>> WSO2, Inc.; http://wso2.com
>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>
>>>>>>>>>> mobile: +94 773337238
>>>>>>>>>> Blog : http://soatutorials.blogspot.com
>>>>>>>>>> LinkedIn: http://www.linkedin.com/pub/chanaka-fernando/19/a20/5b0
>>>>>>>>>> Twitter: https://twitter.com/chanakaudaya
>>>>>>>>>> Wordpress: http://chanakaudaya.wordpress.com
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Godwin Amila Shrimal
>>>>>>>>> Senior Software Engineer
>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>
>>>>>>>>> mobile: +94772264165
>>>>>>>>> linkedin: http://lnkd.in/KUum6D
>>>>>>>>> twitter: https://twitter.com/godwinamila
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev