If you have a separate context for each, then you can have a separate permission for each context using the above new API security model with the valve. Does that solve your problem?

*Harsha Thirimanna*
Associate Tech Lead | WSO2

Email: hars...@wso2.com
Mob: +94715186770
Blog: http://harshathirimanna.blogspot.com/
Twitter: http://twitter.com/harshathirimann
Linked-In: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
<http://wso2.com/signature>

On Thu, Aug 11, 2016 at 12:21 PM, Rushmin Fernando <rush...@wso2.com> wrote:

> Hi Ishara,
>
> We have a concern with giving the admin/manager permission to the 'creator' role (to create service providers).
>
> As a business logic in App Manager, a 'creator' shouldn't be able to publish an app. But if we give the admin/manage permission, a creator will get the 'publish' permission as well.
>
> Is there a possibility to have a fine-grained permission for SP creation in the next component release? e.g. admin/manager/sp/create
>
> Best Regards
> Rushmin
>
> On Tue, Aug 9, 2016 at 8:13 AM, Harsha Thirimanna <hars...@wso2.com> wrote:
>
>> Hi All,
>> Yes, we were trying to solve this problem in a generic manner that can be used across the platform. For that, we have written a component to register authentication handlers and the interceptors to intercept REST calls. For now we have written Basic and OAuth token based handlers. But anyone can write custom handlers and register them via OSGi to be used by the interceptors. As interceptors, we wrote a common Tomcat valve and hope to write a servlet filter and a CXF filter.
>>
>> You can also intercept the request in your own place and authenticate the request using our generic component. It has a manager class to do the authentication. The handler will be picked by the handler manager based on its can handle method.
>>
>> In addition, we have developed another interceptor point to do the authorization, and it is also like the authentication component. You can write your own handlers and intercept at any place. We have written another valve as an interceptor, and the authorization handler checks the permission as configured in identity.xml as follows.
>>
>> <ResourceAccessControl>
>>     <Resource context="/api/identity/*" secured="true" http-method="all">
>>         <Permissions>/permission/admin/login</Permissions>
>>     </Resource>
>>     <Resource context="/api/test" secured="true" http-method="put,post">
>>         <Permissions>/permission/admin/test</Permissions>
>>     </Resource>
>> </ResourceAccessControl>
>>
>> We are going to release 1.0.0 M1 with the next upcoming milestone in 5.3.0. Your ideas are welcome to improve this component in a more generic manner. Please let us know anything related to this.
>>
>> On Tue, Aug 9, 2016 at 4:00 AM, Farasath Ahamed <farasa...@wso2.com> wrote:
>>
>>> Hi Rushmin,
>>>
>>> On Mon, Aug 8, 2016 at 4:14 PM, Rushmin Fernando <rush...@wso2.com> wrote:
>>>
>>>> Thanks Ishara!
>>>>
>>>> Since our products are adopting OAuth protected REST APIs, is there an OAuth authenticator being developed or planned to be developed?
>>>>
>>>
>>> Harsha has worked on developing a generic component that can be used by OAuth protected REST APIs [1]. Adding Harsha as he can provide more details on this.
>>>
>>> [1] https://github.com/wso2-extensions/identity-carbon-auth-rest
>>>
>>>> Regards,
>>>> Rushmin
>>>>
>>>> On Mon, Aug 8, 2016 at 4:04 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>>
>>>>> Hi Dinusha,
>>>>>
>>>>> In this case I think the publisher user should be able to create those SPs, XACML policies etc. Since the publisher user is within the publisher role, you can assign the necessary permissions to that role. Once the user logs in (SSO) to the publisher with his credentials, he can get a cookie for that, and he can use that cookie to authenticate to the admin services.
>>>>>
>>>>> @Rushmin,
>>>>> We don't have an authenticator for OAuth tokens. Better to get an ID token using OIDC, or after validating the OAuth token, create a carbon authenticator like the SAML carbon authenticator.
>>>>>
>>>>> Thanks,
>>>>> Ishara
>>>>>
>>>>> On Mon, Aug 8, 2016 at 3:47 PM, Rushmin Fernando <rush...@wso2.com> wrote:
>>>>>
>>>>>> In addition to creating these entries from the UI, we need to create the same using our REST API as well. And the API is OAuth protected.
>>>>>>
>>>>>> Is there an authenticator which gives back a cookie for an OAuth token as well?
>>>>>>
>>>>>> On Mon, Aug 8, 2016 at 3:29 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi Lahiru.
>>>>>>>
>>>>>>> It's not the admin user. The user trying to do this operation should have enough permission to do this.
>>>>>>>
>>>>>>> Use
>>>>>>>
>>>>>>> *entitlement/policy/view*
>>>>>>>
>>>>>>> Add this permission to the user who is trying to view those policies.
>>>>>>>
>>>>>>> BR,
>>>>>>> Ishara
>>>>>>>
>>>>>>> On Mon, Aug 8, 2016 at 3:20 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>>>>>>
>>>>>>>> + [DEV]
>>>>>>>>
>>>>>>>> On Mon, Aug 8, 2016 at 3:19 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> *Current behaviour:*
>>>>>>>>> Currently in AppM, when we are creating XACML policies/Service Providers via IS admin services, we are providing the super tenant admin credentials (where the credentials are stored in a config) to get authenticated. Further, XACML policies/Service providers are only created in the super tenant and marked as a SaaS app to be used in tenants.
>>>>>>>>>
>>>>>>>>> *Problem:*
>>>>>>>>> As we are moving for AppM - Cloud integration, we are trying to deploy these in the relevant tenant spaces. So as a solution we have tried to use *SAML2SSOAuthenticator* [1] (retrieving a cookie by passing the SAML response and using the same in subsequent service calls) but figured that this is not applicable for non-admin users. (*eg:* In the AppM user story, non-admin users should be allowed to create apps with XACML policies.)
>>>>>>>>>
>>>>>>>>> Any suggestions for this would be highly appreciated!
>>>>>>>>>
>>>>>>>>> [1] https://github.com/wso2/carbon-identity/blob/8cd996c1dc6d9e7c0df491322af6e9ddf1cf3709/components/carbon-authenticators/saml2-sso-authenticator/org.wso2.carbon.identity.authenticator.saml2.sso/src/main/java/org/wso2/carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *Lahiru Cooray*
>>>>>>>>> Software Engineer
>>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>
>>>>>>>>> Mobile: +94 715 654154
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Ishara Karunarathna
>>>>>>> Associate Technical Lead
>>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>>>
>>>>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>>>>>>
>>>>>> --
>>>>>> *Best Regards*
>>>>>>
>>>>>> *Rushmin Fernando*
>>>>>> *Technical Lead*
>>>>>>
>>>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>>>>
>>>>>> mobile : +94772891266
>>>>>
>>>>
>>>
>>
>

_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
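The `<ResourceAccessControl>` fragment Harsha quoted maps a request context and HTTP method to a required permission, and Rushmin's concern is that a coarse grant such as `admin/manager` also carries `publish`, whereas a fine-grained `admin/manager/sp/create` would not. The Python below is an added example written for this thread, not code from identity-carbon-auth-rest or WSO2, that evaluates rules of that shape against sample requests and role permission sets. Everything it assumes is labelled in the code: first-match-wins rule ordering, `/*` as a prefix match, `all` matching every method, a granted permission node implying every node beneath it in the permission tree, and deny-by-default for unmatched or misconfigured resources. The `/api/identity/sp/create`, `/api/appm/publish` and `/api/public` rules, the `/permission/admin/manager/publish` path and the two creator permission sets are constructed for illustration and do not appear in the thread.

```python
"""Evaluate <ResourceAccessControl> rules like the identity.xml fragment quoted above.

Added example; not the identity-carbon-auth-rest code. Everything below marked
"assumption" is this example's reading of the config, not documented behaviour:
  - rules are tried in document order and the first match wins;
  - a context ending in "/*" matches every path under that prefix, otherwise exact;
  - http-method="all" matches any method, otherwise a comma-separated list;
  - a granted permission node implies every node beneath it in the permission
    tree (so /permission/admin/manager implies /permission/admin/manager/sp/create);
  - a request matching no rule, or a secured rule with no <Permissions>, is denied.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed identity.xml fragment: the two <Resource> rules from the thread plus
# three hypothetical ones (paths and permissions invented for illustration) so the
# "creator may create an SP but must not publish" case can be evaluated.
IDENTITY_XML = """
<ResourceAccessControl>
    <!-- hypothetical fine-grained rule; listed before the /api/identity/* wildcard
         because first match wins (assumption) -->
    <Resource context="/api/identity/sp/create" secured="true" http-method="post">
        <Permissions>/permission/admin/manager/sp/create</Permissions>
    </Resource>
    <Resource context="/api/identity/*" secured="true" http-method="all">
        <Permissions>/permission/admin/login</Permissions>
    </Resource>
    <Resource context="/api/test" secured="true" http-method="put,post">
        <Permissions>/permission/admin/test</Permissions>
    </Resource>
    <!-- hypothetical publish endpoint and permission path -->
    <Resource context="/api/appm/publish" secured="true" http-method="post">
        <Permissions>/permission/admin/manager/publish</Permissions>
    </Resource>
    <!-- hypothetical unsecured resource -->
    <Resource context="/api/public" secured="false" http-method="all"/>
</ResourceAccessControl>
"""


@dataclass(frozen=True)
class Rule:
    context: str
    secured: bool
    methods: FrozenSet[str]        # lower-cased; {"all"} matches any method
    permissions: Tuple[str, ...]   # required permission paths


def parse_rules(xml_text: str) -> List[Rule]:
    """Parse <ResourceAccessControl> into an ordered list of Rule objects."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "ResourceAccessControl":
        raise ValueError("expected <ResourceAccessControl> root, got <%s>" % root.tag)
    rules = []
    for res in root.findall("Resource"):
        raw_methods = res.get("http-method", "all").split(",")
        methods = frozenset(m.strip().lower() for m in raw_methods if m.strip())
        perms = tuple(p.text.strip() for p in res.findall("Permissions")
                      if p.text and p.text.strip())
        rules.append(Rule(context=res.get("context", ""),
                          secured=res.get("secured", "true").lower() == "true",
                          methods=methods or frozenset({"all"}),
                          permissions=perms))
    return rules


def context_matches(context: str, path: str) -> bool:
    """'/api/identity/*' matches any path under '/api/identity/'; else exact (assumption)."""
    if context.endswith("/*"):
        return path.startswith(context[:-1])   # keep the trailing slash as the prefix
    return path == context


def find_rule(rules: List[Rule], path: str, method: str) -> Optional[Rule]:
    """Return the first rule whose context and method match (assumption: first wins)."""
    method = method.lower()
    for rule in rules:
        if context_matches(rule.context, path) and ("all" in rule.methods or method in rule.methods):
            return rule
    return None


def permission_implies(granted: str, required: str) -> bool:
    """A granted node implies itself and every node beneath it (assumption about the tree)."""
    granted, required = granted.rstrip("/"), required.rstrip("/")
    return required == granted or required.startswith(granted + "/")


def is_authorized(rules: List[Rule], path: str, method: str, user_permissions: Set[str]) -> bool:
    """Decide a request the way the authorization valve described above would, under the assumptions."""
    rule = find_rule(rules, path, method)
    if rule is None:
        return False            # no rule: deny by default (this example's choice)
    if not rule.secured:
        return True             # explicitly unsecured resource
    if not rule.permissions:
        return False            # secured but no permission configured: fail closed
    return any(permission_implies(g, req) for req in rule.permissions for g in user_permissions)


RULES = parse_rules(IDENTITY_XML)

# Constructed permission sets for a 'creator' role: the coarse grant Rushmin worried
# about versus the fine-grained grant he proposed.
COARSE_CREATOR = {"/permission/admin/login", "/permission/admin/manager"}
FINE_CREATOR = {"/permission/admin/login", "/permission/admin/manager/sp/create"}

if __name__ == "__main__":
    for perms, label in ((COARSE_CREATOR, "coarse"), (FINE_CREATOR, "fine")):
        print(label, "create SP:", is_authorized(RULES, "/api/identity/sp/create", "POST", perms),
              "publish:", is_authorized(RULES, "/api/appm/publish", "POST", perms))
```

Run as a script it shows that both creator variants may create an SP, but only the coarse grant also passes the publish rule, which is exactly the over-authorization the thread describes. Because the wildcard `/api/identity/*` rule would also match `/api/identity/sp/create`, the more specific rule has to be listed first under first-match semantics; if the real component resolves overlaps differently, the ordering assumption should be revisited.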