Hi Ishara,

We have a concern with giving admin/manager permission to the 'creator' role (to create service providers).

As a business logic in App Manager, a 'creator' shouldn't be able to publish an app. But if we give admin/manage permission, a creator will get the 'publish' permission as well.

Is there a possibility to have fine-grained permission for SP creation in the next component release? e.g. admin/manager/sp/create

Best Regards
Rushmin

On Tue, Aug 9, 2016 at 8:13 AM, Harsha Thirimanna <hars...@wso2.com> wrote:

> Hi All,
>
> Yes, we were trying to solve this problem in a generic manner that can be used across the platform. For that, we have written a component to register authentication handlers and the interceptors to intercept REST calls. For now we have written Basic and OAuth token-based handlers. But anyone can write custom handlers and register them as an OSGi service to be used by the interceptors. As interceptors, we wrote a common Tomcat valve and hope to write a servlet filter and CXF filter.
>
> You also can intercept the request in your own place and authenticate the request using our generic component. It has a manager class to do the authentication. The handler manager will pick the handler based on its canHandle method.
>
> In addition, we have developed another interceptor point to do the authorization, and it is also like the same authentication component. You can write your own handlers, and intercept at any place. We have written another valve as the interceptor, and the authorization handler checks the permission as configured in identity.xml as follows.
>
> <ResourceAccessControl>
>     <Resource context="/api/identity/*" secured="true" http-method="all">
>         <Permissions>/permission/admin/login</Permissions>
>     </Resource>
>     <Resource context="/api/test" secured="true" http-method="put,post">
>         <Permissions>/permission/admin/test</Permissions>
>     </Resource>
> </ResourceAccessControl>
>
> We are going to release 1.0.0 M1 with the next upcoming milestone in 5.3.0. Your ideas are welcome to improve this component in a more generic manner. Please let us know anything related to this.
>
> *Harsha Thirimanna*
> Associate Tech Lead | WSO2
>
> Email: hars...@wso2.com
> Mob: +94715186770
> Blog: http://harshathirimanna.blogspot.com/
> Twitter: http://twitter.com/harshathirimann
> Linked-In: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
>
> On Tue, Aug 9, 2016 at 4:00 AM, Farasath Ahamed <farasa...@wso2.com> wrote:
>
>> Hi Rushmin,
>>
>> On Mon, Aug 8, 2016 at 4:14 PM, Rushmin Fernando <rush...@wso2.com> wrote:
>>
>>> Thanks Ishara!
>>>
>>> Since our products are adopting OAuth-protected REST APIs, is there an OAuth authenticator being developed or planned to be developed?
>>
>> Harsha has worked on developing a generic component that can be used by OAuth-protected REST APIs [1]. Adding Harsha as he can provide more details on this.
>>
>> [1] https://github.com/wso2-extensions/identity-carbon-auth-rest
>>
>>> Regards,
>>> Rushmin
>>>
>>> On Mon, Aug 8, 2016 at 4:04 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>
>>>> Hi Dinusha,
>>>>
>>>> In this case I think the publisher user should be able to create those SPs, XACML policies etc. Since the publisher user is within the publisher role, you can assign the necessary permissions to that role. Once the user logs in (SSO) to the publisher with his credentials he can get a cookie for that, and he can use that cookie to authenticate to the admin services.
>>>>
>>>> @Rushmin,
>>>> We don't have an authenticator for OAuth tokens. Better to get an ID token using OIDC, or after validating the OAuth token, create a carbon authenticator like the SAML carbon authenticator.
>>>>
>>>> Thanks,
>>>> Ishara
>>>>
>>>> On Mon, Aug 8, 2016 at 3:47 PM, Rushmin Fernando <rush...@wso2.com> wrote:
>>>>
>>>>> In addition to creating these entries from the UI, we need to create the same using our REST API as well. And the API is OAuth protected.
>>>>>
>>>>> Is there an authenticator which gives back a cookie for an OAuth token as well?
>>>>>
>>>>> On Mon, Aug 8, 2016 at 3:29 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>>>
>>>>>> Hi Lahiru,
>>>>>>
>>>>>> It's not the admin user. The user trying to do this operation should have enough permission to do this.
>>>>>>
>>>>>> Use
>>>>>>
>>>>>> *entitlement/policy/view*
>>>>>>
>>>>>> Add this permission to the user who is trying to view those policies.
>>>>>>
>>>>>> BR,
>>>>>> Ishara
>>>>>>
>>>>>> On Mon, Aug 8, 2016 at 3:20 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>>>>>
>>>>>>> + [DEV]
>>>>>>>
>>>>>>> On Mon, Aug 8, 2016 at 3:19 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> *Current behaviour:*
>>>>>>>> Currently in AppM, when we are creating XACML policies/Service Providers via IS admin services, we are providing the super tenant admin credentials (where the credentials are stored in a config) to get authenticated. Further, XACML policies/Service providers are only created in the super tenant and marked as a SaaS app to be used in tenants.
>>>>>>>>
>>>>>>>> *Problem:*
>>>>>>>> As we are moving for AppM - Cloud integration, we are trying to deploy these in the relevant tenant spaces. So as a solution we have tried to use *SAML2SSOAuthenticator* [1] (retrieving a cookie by passing the SAML response and using the same in subsequent service calls) but figured that this is not applicable for non-admin users.
>>>>>>>> (*eg:* In the AppM user story, non-admin users should be allowed to create apps with XACML policies)
>>>>>>>>
>>>>>>>> Any suggestions for this would be highly appreciated!
>>>>>>>>
>>>>>>>> [1] https://github.com/wso2/carbon-identity/blob/8cd996c1dc6d9e7c0df491322af6e9ddf1cf3709/components/carbon-authenticators/saml2-sso-authenticator/org.wso2.carbon.identity.authenticator.saml2.sso/src/main/java/org/wso2/carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Lahiru Cooray*
>>>>>>>> Software Engineer
>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>> lean.enterprise.middleware
>>>>>>>>
>>>>>>>> Mobile: +94 715 654154
>>>>>>
>>>>>> --
>>>>>> Ishara Karunarathna
>>>>>> Associate Technical Lead
>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>>
>>>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>>>>>
>>>>> --
>>>>> *Best Regards*
>>>>>
>>>>> *Rushmin Fernando*
>>>>> *Technical Lead*
>>>>>
>>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>>>
>>>>> mobile : +94772891266
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
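As an added example (not code from this thread, nor from the identity-carbon-auth-rest component), the following Python model of the ResourceAccessControl check Harsha describes is run against the permission question Rushmin raises. Everything beyond the quoted identity.xml shape is assumed: the /api/sp and /api/app/publish resources, the permission paths under admin/manager, the subtree semantics in has_permission, and the fail-closed default for unmatched requests.

```python
import fnmatch
import xml.etree.ElementTree as ET
# Constructed identity.xml fragment in the shape quoted in the thread; the
# /api/sp and /api/app/publish resources and their permission paths are hypothetical.
IDENTITY_XML = """
<ResourceAccessControl>
  <Resource context="/api/identity/*" secured="true" http-method="all">
    <Permissions>/permission/admin/login</Permissions>
  </Resource>
  <Resource context="/api/sp" secured="true" http-method="put,post">
    <Permissions>/permission/admin/manager/sp/create</Permissions>
  </Resource>
  <Resource context="/api/app/publish" secured="true" http-method="post">
    <Permissions>/permission/admin/manager/app/publish</Permissions>
  </Resource>
</ResourceAccessControl>
"""

def load_rules(xml_text):
    """Parse each <Resource> into (context, secured, methods, permissions)."""
    rules = []
    for res in ET.fromstring(xml_text.strip()).findall("Resource"):
        methods = res.get("http-method", "all").lower()
        methods = None if methods == "all" else {m.strip() for m in methods.split(",")}
        perms = [p.text.strip() for p in res.findall("Permissions") if p.text]
        rules.append((res.get("context"), res.get("secured", "true") == "true", methods, perms))
    return rules

def has_permission(granted, required):
    """Carbon-style tree semantics (assumed here): a granted path covers its whole subtree."""
    return any(required == g or required.startswith(g.rstrip("/") + "/") for g in granted)

def authorize(rules, granted, path, method):
    """Allow only if every matching secured rule is satisfied. Requests no rule
    covers are denied: a fail-closed choice of this example, not documented behaviour."""
    method = method.lower()
    matched = False
    for context, secured, methods, perms in rules:
        if not fnmatch.fnmatchcase(path, context) or (methods is not None and method not in methods):
            continue
        matched = True
        if secured and not all(has_permission(granted, p) for p in perms):
            return False
    return matched

RULES = load_rules(IDENTITY_XML)
# Rushmin's concern: the whole admin/manager subtree also grants publish; the fine-grained path does not.
BROAD_CREATOR = {"/permission/admin/login", "/permission/admin/manager"}
FINE_CREATOR = {"/permission/admin/login", "/permission/admin/manager/sp/create"}
```

With BROAD_CREATOR a POST to /api/app/publish is allowed alongside the SP creation, while FINE_CREATOR can still create SPs but is refused publish.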