Hi Thanuja, I had a look at the way IS dashboard jaggery app restricts access to features by permissions.
- It uses the "*getUserInfo*" method of the "*LoggedUserInfoAdmin*" admin service to retrieve all the permissions of the logged-in user and put them in the session.
- Since it retrieves all the permissions of the logged-in user only once (at login time) and holds them in the session, it reduces the number of network calls and improves performance.
- It uses the session cookie to invoke admin services.

Hence, I thought of following the same approach because it gives better performance than my previous approach.

In order to call the "*getUserInfo*" method of the "*LoggedUserInfoAdmin*" admin service, the logged-in user should have the "*/permission/admin/login*" permission. Is there any issue with assigning this permission to all the users?

Thanks,
Raj.

On Sun, Jul 17, 2016 at 5:19 AM, Rajkumar Rajaratnam <rajkum...@wso2.com> wrote:

> Thanks Thanuja for the response. Will follow the current approach.
>
> On Fri, Jul 15, 2016 at 7:35 PM, Thanuja Jayasinghe <than...@wso2.com> wrote:
>
>> On Fri, Jul 15, 2016 at 3:56 PM, Rajkumar Rajaratnam <rajkum...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> I have a jaggery app with some pages and have secured them via SAML SSO with WSO2 IS. So the authentication is implemented; now I have to implement the authorization. I need to control access to these jaggery pages by roles/permissions of the logged-in user. Here is the approach I have followed, and I need to validate whether it is okay or whether there are better ways.
>>>
>>> 1. Created custom permissions under my application service provider (one permission per feature in my jaggery app).
>>> 2. When a user accesses a feature in the jaggery app, I am calling the "*isUserAuthorized*" method of the "*RemoteAuthorizationManagerService*" admin service to check whether the logged-in user is authorized to access the page. I think the "isUserAuthorized" method checks whether the given user has any roles with the given permission. So, if it returns true, then I allow the user to access the page.
>>> 3. I am calling the admin service with basic authentication. Are there any issues with this approach? Do I need to obtain a session cookie and call the admin service using the session cookie instead of username/password? What is the recommended approach?
>>>
>>> Any issues with this approach?
>>>
>> Since the "isUserAuthorized" method of "RemoteAuthorizationManagerService" requires the "/permission/admin/configure/security" permission, a user without this permission will not be able to access this service using his session cookie. So your current approach is correct.
>>
>>> Thanks,
>>> Raj.
>>>
>>
>> Thanks,
>>
>> --
>> *Thanuja Lakmal*
>> Senior Software Engineer
>> WSO2 Inc. http://wso2.com/
>> *lean.enterprise.middleware*
>> Mobile: +94715979891 +94758009992
>>

--
Rajkumar Rajaratnam
Committer & PMC Member, Apache Stratos
Senior Software Engineer, WSO2

Mobile : +94777568639
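The pattern Raj describes in the message above (retrieve the user's permissions once at login, keep them in the server-side session, and check the session on every feature access) sketched as plain JavaScript so it runs outside Jaggery. This is an added example, not code from the thread, from the IS dashboard app or from WSO2. It assumes a response shape for getUserInfo (an object with a UIPermissionOfUser array of permission paths), an invented feature-to-permission map, and that a grant on a parent permission path covers its children; none of these are stated in the thread.

```javascript
// Added example, not code from the thread, the IS dashboard app or WSO2.
// Models "fetch permissions once at login, keep them in the session, check
// the session per feature". Runs as plain Node.js; no Jaggery/WSO2 calls.

// ASSUMPTION: getUserInfo() yields an object with a UIPermissionOfUser array
// of permission paths. This sample payload is constructed for the example.
const SAMPLE_USER_INFO = {
  userName: "raj",
  UIPermissionOfUser: [
    "/permission/admin/login",
    "/permission/application/reports/view/",
  ],
};

// ASSUMPTION: one custom permission per feature; names invented here.
const FEATURE_PERMISSIONS = {
  "reports.view": "/permission/application/reports/view",
  "reports.export": "/permission/application/reports/export",
};

const SESSION_KEY = "authz.permissions";

// Collapse repeated and trailing slashes so "/a/b/" and "/a//b" compare equal.
function normalize(p) {
  return "/" + String(p).trim().split("/").filter(Boolean).join("/");
}

// Snapshot the permissions into the server-side session right after SSO login.
// Returns the number of distinct permissions cached.
function cachePermissions(session, userInfo, now = Date.now()) {
  const raw = Array.isArray(userInfo.UIPermissionOfUser) ? userInfo.UIPermissionOfUser : [];
  session[SESSION_KEY] = {
    user: userInfo.userName,
    permissions: new Set(raw.map(normalize)),
    loadedAt: now,
  };
  return session[SESSION_KEY].permissions.size;
}

// ASSUMPTION: permissions form a tree and a grant on a parent path covers its
// children, so "/permission/application/reports" implies ".../reports/export".
// Walk from the required path up towards the root; any hit authorizes.
function isAuthorized(session, permission) {
  const snap = session[SESSION_KEY];
  if (!snap) return false;                       // no snapshot: fail closed
  let path = normalize(permission);
  while (path !== "/") {
    if (snap.permissions.has(path)) return true;
    path = normalize(path.slice(0, path.lastIndexOf("/")));
  }
  return snap.permissions.has("/");              // a grant on the root covers everything
}

function canAccessFeature(session, feature) {
  const required = FEATURE_PERMISSIONS[feature];
  if (!required) return false;                   // unknown feature: fail closed
  return isAuthorized(session, required);
}

// Per-request gate. In Jaggery this would end in response.sendError(...);
// it returns the status here so the decision is testable.
function gate(session, feature) {
  if (!session[SESSION_KEY]) return { status: 401, reason: "no permission snapshot in session" };
  if (canAccessFeature(session, feature)) return { status: 200 };
  return { status: 403, reason: "requires " + (FEATURE_PERMISSIONS[feature] || "an unmapped feature") };
}

// The snapshot is only as fresh as the login that produced it: bound its age
// so a role change is picked up within maxAgeMs instead of at the next login.
function needsRefresh(session, maxAgeMs, now = Date.now()) {
  const snap = session[SESSION_KEY];
  return !snap || now - snap.loadedAt > maxAgeMs;
}

// Drop the snapshot on logout or when the user's roles are known to change.
function invalidate(session) {
  delete session[SESSION_KEY];
}
```

Two caveats worth keeping in mind with this pattern: the snapshot must live in the server-side session only (never in a client-held cookie the user could edit), and because it is taken once at login, a role or permission change is not seen until the snapshot is refreshed or the user logs in again, which is why the example bounds its age and exposes an explicit invalidate.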
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev