Re: [Dev] Issue in disabling CRL, and OCSP Validators when configuring x509 authenticator

2019-01-27 Thread Indunil Upeksha Rathnayake
>> is not referring to the changes that need to be done in the configuration file and
>> the registry to disable CRL and OCSP as well.
>>
>>
>> [1]
>> https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator
>>
>> Regards,
>> Piraveena


-- 
Indunil Upeksha Rathnayake
Senior Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Unmarshalling with prevention of XML Injection

2018-09-03 Thread Indunil Upeksha Rathnayake
On Mon, Sep 3, 2018 at 11:48 AM, Nadeeshani Pathirennehelage <
nadeesha...@wso2.com> wrote:

> Hi Indunil,
>

[Dev] Unmarshalling with prevention of XML Injection

2018-09-02 Thread Indunil Upeksha Rathnayake
Hi,

This is to identify the best approach for unmarshalling an XML document to
a Java object, with proper prevention of XML injection.

AFAIK, it would be better to use the JAXB unmarshaller to unmarshal XML to
Java. Some other ways of unmarshalling would be as follows.

   - SAX - Involves more code and more complexity than JAXB, and doesn't
   provide random access like JAXB and DOM.
   - DOM - Uses the JAXP DOM approach, which requires more code than any
   JAXB approach, and memory usage is higher.

When unmarshalling an XML document, we need to prevent the XML from being
used for a variety of attacks such as file retrieval, server-side request
forgery, port scanning, or brute forcing. So, in the parser, we need to
prevent common XML injections like XML Bomb and XXE attacks.

   - XML Entity Expansion Injection (XML Bomb) - If the parser uses a DTD,
   an attacker might inject data that adversely affects the XML parser
   during document processing. These adverse effects could include the parser
   crashing or accessing local files.
   - XML External Entity Injection (XXE attack) - This is a specific type
   of Server-Side Request Forgery (SSRF) attack against an application that
   parses XML input, whereby an attacker is able to cause Denial of Service
   (DoS) and access local or remote files and services. This attack occurs
   when untrusted XML input contains a reference to an external entity.

Since a JAXB Unmarshaller does not support any flags for disabling XXE/XML
Bomb, it's imperative to parse the untrusted XML through a configurable
secure parser first, generate a source object as a result, and pass the
source object to the Unmarshaller.

There are several commonly used XML parsers which can be used with the JAXB
unmarshaller. The default setting for most of those Java XML parsers is to
have XXE/XML Bomb enabled. To use these parsers safely, we have to
explicitly disable XXE/XML Bomb in the parser.

Following is an example of unmarshalling the "sampleXml" XML content into
an object of type "A" using SAXParser with JAXB, while enabling the following
preventions at parser level.

   - http://apache.org/xml/features/nonvalidating/load-external-dtd - To
   ignore external DTDs (external entities) completely. Disabling DTDs
   also makes the parser secure against denial of service (DoS) attacks such
   as Billion Laughs.
   - http://xml.org/sax/features/external-parameter-entities - Not to
   include external parameter entities or the external DTD subset.
   - http://xml.org/sax/features/external-general-entities - Not to include
   external general entities.
   - http://javax.xml.XMLConstants/feature/secure-processing - Instructs
   the implementation to process XML securely. This may set limits on XML
   constructs to avoid conditions such as denial of service attacks.


// Constants here is Apache Xerces' org.apache.xerces.impl.Constants; the
// prefix + name pairs build the four feature URIs listed above.
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setNamespaceAware(true);
spf.setXIncludeAware(false);

try {
    spf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
    spf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
    spf.setFeature(Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE, false);
    spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (SAXException | ParserConfigurationException e) {
    // Note: execution continues past this catch, so a feature the parser
    // implementation does not support leaves the parser only partially hardened.
    log.error("Failed to load XML Processor Feature " + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE
            + " or " + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE + " or "
            + Constants.LOAD_EXTERNAL_DTD_FEATURE + " or secure-processing.");
}

JAXBContext jc = JAXBContext.newInstance(A.class);
UnmarshallerHandler unmarshallerHandler = jc.createUnmarshaller().getUnmarshallerHandler();
SAXParser sp = spf.newSAXParser();
XMLReader xr = sp.getXMLReader();
// JAXB builds the object from the SAX events emitted by the hardened reader.
xr.setContentHandler(unmarshallerHandler);

// try-with-resources closes the stream even when parse() throws.
try (ByteArrayInputStream inputStream =
        new ByteArrayInputStream(sampleXml.getBytes(StandardCharsets.UTF_8))) {
    xr.parse(new InputSource(inputStream));
}
return (A) unmarshallerHandler.getResult();



Is there any better approach for unmarshalling while preventing XML
injection?
Other than XML Bomb and XXE attacks, are there any other security measures
that we need to consider?

Appreciate your ideas on this.


Thanks and Regards
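A complete version of the approach the post above describes, added here as an example and not code from the original mail or from WSO2: it hardens the SAX reader with the four features the post lists (plus disallow-doctype-decl, which is an addition beyond the post), fails closed if any feature cannot be set, and shows the reader rejecting constructed XXE and entity-expansion documents while a benign one unmarshals. It assumes JAXB is on the classpath (JDK 8's javax.xml.bind, or the jaxb-api and runtime artifacts on newer JDKs) and a target class A with a single name element.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.UnmarshallerHandler;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public class SafeUnmarshal {

    /** Target type; an assumed shape for the "A" class the post unmarshals into. */
    @XmlRootElement(name = "a")
    public static class A {
        @XmlElement(name = "name")
        public String name;
    }

    /**
     * Builds a SAX reader with the four protections from the post, plus
     * disallow-doctype-decl (an addition beyond the post). Any feature the
     * parser cannot honour propagates as an exception, so the caller never
     * parses with a partially hardened reader.
     */
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setXIncludeAware(false);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Stricter than the post: any DOCTYPE is rejected outright, which also
        // stops internal-entity expansion before any limit has to be reached.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return spf.newSAXParser().getXMLReader();
    }

    /** Parses untrusted XML with the hardened reader and feeds JAXB through an UnmarshallerHandler. */
    static A unmarshal(String untrustedXml)
            throws JAXBException, ParserConfigurationException, SAXException, IOException {
        UnmarshallerHandler handler =
                JAXBContext.newInstance(A.class).createUnmarshaller().getUnmarshallerHandler();
        XMLReader reader = hardenedReader();
        reader.setContentHandler(handler);
        reader.parse(new InputSource(new StringReader(untrustedXml)));
        return (A) handler.getResult();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one benign document and two hostile ones
        // (a file-reading external entity and a small nested-entity expansion).
        String benign = "<a><name>alice</name></a>";
        String xxe = "<!DOCTYPE a [<!ENTITY ext SYSTEM \"file:///nonexistent/placeholder\">]>"
                + "<a><name>&ext;</name></a>";
        String bomb = "<!DOCTYPE a [<!ENTITY l0 \"x\">"
                + "<!ENTITY l1 \"&l0;&l0;&l0;&l0;&l0;&l0;&l0;&l0;&l0;&l0;\">"
                + "<!ENTITY l2 \"&l1;&l1;&l1;&l1;&l1;&l1;&l1;&l1;&l1;&l1;\">]>"
                + "<a><name>&l2;</name></a>";

        System.out.println("benign -> " + unmarshal(benign).name);
        for (String hostile : new String[] {xxe, bomb}) {
            try {
                unmarshal(hostile);
                System.out.println("UNEXPECTED: hostile document accepted");
            } catch (SAXException e) {
                // Expected: the DOCTYPE is refused before any entity is resolved.
                System.out.println("rejected -> " + e.getMessage());
            }
        }
    }
}
```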


Re: [Dev] Writing and calling custom admin services for WSO2IS 5.5.0

2018-06-06 Thread Indunil Upeksha Rathnayake
Hi Shiva,

You can get some information on writing an admin service from [1]. There
are the following ways of invoking admin services; you can refer to [2] for
more information.

   - Invoke with SOAP UI using the WSDLs of the admin services
   - Invoke via CURL
   - Invoke programmatically via the service stubs.

[1]
http://madurangasblogs.blogspot.com/2016/05/adding-custom-admin-service-to-run-ldap.html
[2] https://medium.com/@maheeka/wso2-admin-services-c61b7d856272

Thanks and Regards

On Wed, Jun 6, 2018 at 7:16 PM, Maduranga Siriwardena 
wrote:

> Hi Shiva,
>
> Can you explain the use case you are trying to achieve by writing a custom
> admin service?
>
> Thanks,
>
> On Wed, Jun 6, 2018 at 10:23 AM Chamalee De Silva 
> wrote:
>
>> Hi Shiva,
>>
>> You can refer documentation [1] for calling admin services.
>> There is no such documentation available on how to write admin services,
>> as they are built internally in WSO2 products.
>> You can refer to the WSO2 Identity Server source code on GitHub to see how
>> they have been constructed.
>>
>>
>> [1] https://docs.wso2.com/display/IS550/Calling+Admin+Services
>>
>> On Tue, Jun 5, 2018 at 6:12 PM, Shiva Kumar K R <
>> shiv...@securelyshare.com> wrote:
>>
>>> Hi All,
>>> Are there any sources available on writing, deploying and calling admin
>>> services?
>>>
>>> Thank you,
>>> Shiva
>>>
>
>




Re: [Dev] [Architecture] [IAM] Consent Management with Requested Claims in Authentication Request

2018-03-26 Thread Indunil Upeksha Rathnayake
On Tue, Mar 27, 2018 at 4:32 AM, Isura Karunaratne <is...@wso2.com> wrote:

> Hi Indunil,
>
> On Sun, Mar 25, 2018 at 9:50 PM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> Please find the following information on the current implementation of
>> consent management in IS 5.5.0.
>>
>>    - Claims to populate in the consent page will be retrieved from the
>>    claim mapping configuration in the SP (i.e. claims which are configured as
>>    requested).
>>    - If the claims configured in the SP are marked as mandatory (i.e.
>>    without those claims the application cannot work), consent MUST be given by
>>    the user to proceed.
>>    - When the user has provided consent for the first time, a consent receipt
>>    will be generated for that application and that user. Thereafter, the
>>    consent page will be shown only if there are any more mandatory claims for
>>    which the user has not provided consent to share with the application.
>>    - If there are no SP configurations, consider that a federated scenario
>>    and populate all the authenticated user's attributes as mandatory claims
>>    in the consent.
>>
>> Following is the suggested approach for handling consent management when
>> the requested claims are sent dynamically in the authentication request.
>>
>>    - *Requested/Mandatory claims are only configured in the SP*
>>       - Populate all the claims configured in the SP in the consent page.
>>    - *Requested/Mandatory claims are not configured in the SP and are
>>    requested in the authentication request*
>>       - From the framework, set all the requested attributes on the
>>       authenticated user (i.e. null values for the attributes which are not
>>       available for the user) and set the required property of the claims to
>>       true/false.
>>       - In the consent service, validate the required property and populate
>>       the consent page. Since mandatory is a property which we have introduced
>>       in IS, it won't affect the requested claims in the authentication
>>       request.
>>       - All the requested claims in the authentication request will be
>>       populated in the consent page whether the user has an attribute value
>>       or not.
>>       - We assume that all the user attributes for which user consent is
>>       needed will be sent in the first authentication request. For later
>>       requests, the consent page will not be shown. This is because the
>>       consent page will be populated only for mandatory claims if a consent
>>       receipt is available for the user.
>>
> What is the expected behaviour if an additional claim is requested in later
> requests (not in the first request)? In that case, I think we can pop up
> consent for that claim only.
>

The consent page will pop up only if that additional claim is a mandatory
one. But for the requested claims in the authentication request, we can't
enforce the mandatory property from IS.


>
> Thanks
> Isura.
>
>>
>>       - Filter out and remove the null user attribute values in the framework
>>       before sending to the inbound component, or handle the null values in
>>       the inbound component.
>>       - Federated claims will also be treated the same way as above.
>>    - *Requested/Mandatory claims are configured in the SP and requested in
>>    the authentication request*
>>       - Populate all the claims configured in the SP in the consent page.
>>       - Here we will not be considering the requested claims in the
>>       request when showing the consent page.
>>
>>
>> Appreciate your suggestions and comments on this.
>>
>> Thanks and Regards




[Dev] [Architecture] [IAM] Service Provider Standard Claim Dialects

2018-03-26 Thread Indunil Upeksha Rathnayake
Hi,

Please find the following suggested approach for introducing multiple SP
standard claim dialects in IS.

The following UI changes will be made (i.e. please refer to the following
draft image).

   - With this implementation, in order to configure SP requested claims,
   there will be an option for using a standard claim dialect.
   - If that option is selected, multiple SP standard claim dialects can be
   chosen from the UI.
   - Requested Claims and Subject Claim URI will be populated with all the
   claims configured in all the selected SP standard dialects.

The following database schema change will be made.

   - SP standard dialects will be stored in the SP_APP table in the following
   field as comma-separated values.

SP_DIALECT VARCHAR (1024)

Please find the following scenarios of requested attribute configurations
which are to be considered with this implementation.

   - *WSO2 claim dialect is selected and requested claims are configured*
      - This is as per the current behavior. We will be sending all the
      requested claims in the response.
   - *Other standard dialects are selected and requested claims are configured*
      - All the configured requested claims will be sent in the response.
   - *Other standard dialects are selected and requested claims are not
   configured*
      - This means there are no requested claim configurations in the SP.
      - If claims are requested in the authentication request, the selected
      standard dialects will be used to retrieve the user claims (i.e. by
      mapping to the relevant WSO2 claim URIs).
      - If claims are not requested in the authentication request, all the
      claims configured under all the SP standard dialects will be considered
      as requested claims.

Appreciate your suggestions and comments on the above approach.
Thanks and Regards


[Dev] [Architecture] [IAM] Consent Management with Requested Claims in Authentication Request

2018-03-25 Thread Indunil Upeksha Rathnayake
Hi,

Please find the following information on the current implementation of
consent management in IS 5.5.0.

   - Claims to populate in the consent page will be retrieved from the
   claim mapping configuration in the SP (i.e. claims which are configured as
   requested).
   - If the claims configured in the SP are marked as mandatory (i.e.
   without those claims the application cannot work), consent MUST be given by
   the user to proceed.
   - When the user has provided consent for the first time, a consent receipt
   will be generated for that application and that user. Thereafter, the consent
   page will be shown only if there are any more mandatory claims for which the
   user has not provided consent to share with the application.
   - If there are no SP configurations, consider that a federated scenario
   and populate all the authenticated user's attributes as mandatory claims
   in the consent.

Following is the suggested approach for handling consent management when
the requested claims are sent dynamically in the authentication request.

   - *Requested/Mandatory claims are only configured in the SP*
      - Populate all the claims configured in the SP in the consent page.
   - *Requested/Mandatory claims are not configured in the SP and are requested
   in the authentication request*
      - From the framework, set all the requested attributes on the authenticated
      user (i.e. null values for the attributes which are not available for
      the user) and set the required property of the claims to true/false.
      - In the consent service, validate the required property and populate
      the consent page. Since mandatory is a property which we have introduced
      in IS, it won't affect the requested claims in the authentication request.
      - All the requested claims in the authentication request will be populated
      in the consent page whether the user has an attribute value or not.
      - We assume that all the user attributes for which user consent is
      needed will be sent in the first authentication request. For later
      requests, the consent page will not be shown. This is because the consent
      page will be populated only for mandatory claims if a consent receipt is
      available for the user.
      - Filter out and remove the null user attribute values in the framework
      before sending to the inbound component, or handle the null values in the
      inbound component.
      - Federated claims will also be treated the same way as above.
   - *Requested/Mandatory claims are configured in the SP and requested in
   the authentication request*
      - Populate all the claims configured in the SP in the consent page.
      - Here we will not be considering the requested claims in the
      request when showing the consent page.


Appreciate your suggestions and comments on this.

Thanks and Regards


Re: [Dev] [Architecture] [IAM] eIDAS profile support for SAML

2018-03-20 Thread Indunil Upeksha Rathnayake
Hi,

Thanks for all of your ideas. Please note that with this implementation,
the following extensions in SAML have been introduced, for the following reasons.

EidasExtensionProcessor - Processes the SAML extension and retrieves the
required attribute list.
EidasSAMLAssertionBuilder - Validates whether all the required attributes
are present and sets the name format URI as required.
EidasSPInitSSOAuthnRequestValidator - Validates the authentication request
as per the eIDAS specification (Comparison of RequestedAuthnContext should
be minimum, ForceAuthn MUST be set to true, IsPassive SHOULD be set to
false, NameIDPolicy SHOULD be included, etc.).

As I have mentioned in [1], there is a set of Requirements for Cryptography
in the eIDAS specification. Most of the requirements can be achieved currently;
there were a few to be considered, which are currently being analyzed.

[1] https://docs.google.com/document/d/1uF7qV780SspZHa4hCoiMvaZqjdF9Iapnj8kSNaEUJDU/edit?usp=sharing

On Mon, Mar 12, 2018 at 12:15 PM, Johann Nallathamby <joh...@wso2.com>
wrote:

>
>
> On Mon, Mar 12, 2018 at 10:58 AM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> In order to support the eIDAS profile in IS, as per the 4 eIDAS
>> specifications in [1], there is a set of requirements to be considered,
>> including message format, cryptographic requirements etc. Those
>> requirements have been summarized in [2].
>>
>> This is regarding the handling and inclusion of attributes in exchanged
>> messages in the eIDAS network. As per the eIDAS SAML attribute profile
>> specification, requesting user attributes MUST be carried out dynamically
>> by including them in a . There is a set of mandatory
>> and optional attributes according to the eIDAS minimum data sets for
>> natural and legal persons (i.e. a natural person is one who can be
>> identified, directly or indirectly, in particular by reference to an
>> identifier such as a name [3]. A legal person is any human being, firm, or
>> government agency that is recognized as having legal rights and
>> obligations, such as having the ability to enter into contracts, to sue,
>> and to be sued [4]).
>>
>> The eIDAS attribute profile support has currently been implemented as
>> follows.
>>
>>    1. Include eIDAS attribute profile support in the travelocity sample for
>>    testing purposes.
>>    2. Process the eIDAS attributes in the authentication request and send
>>    the requested attributes to the framework.
>>    3. Introduce a new dialect for "http://eidas.europa.eu/attributes" and
>>    configure it in the SP Claim Configuration as the SP Claim Mapping
>>    Dialect. Include support for multiple SP dialects, considering the support
>>    for multiple SAML attribute profiles such as eIDAS.
>>
> +1 for this. This is something we planned to have in IS 5.3.0, but
> couldn't complete due to time constraints.
>
>>    4. In order to get the user claims which are mapped to the SP
>>    dialect, in the framework filter based on the SP dialect to local
>>    claim mappings, if an SP claim dialect is configured.
>>
>>
> How would you choose which dialect to use at runtime, if one SP can
> have multiple dialects? Remember, in our implementation a claim is not unique;
> dialect + claim is unique. So if we don't have the dialect in the
> authentication request, it might not be straightforward to map claims
> between dialects.
>
>>
>>    5. Process the response retrieved from the framework and send the
>>    response to the eIDAS network in the appropriate format.
>>
>> Appreciate your comments and suggestions on the above approach, and please
>> find the following concerns.
>>
>>    - With the requested attributes in the authentication request, as per
>>    the specification, we may send the AttributeConsumingServiceIndex as well.
>>    Currently we have only the basic attribute profile support in SAML. So when
>>    filtering the requested claims, we need to send both the requested
>>    claims in the SP configuration and the claims in the request, if
>>    AttributeConsumingServiceIndex is retrieved. WDYT?
>>
> I would rather prefer to have it like the following.
> 1. If the configured claim set is null and the service provider is requesting
> attributes, send those attributes.
> 2. If at least one claim has been configured in the service provider, send the
> intersection of configured claims and requested claims.
>
> This will give us a way to control requested claims if needed, but also
> not force the admins to always configure requested claims for each service
> provider. I don't see any pu

Re: [Dev] [Architecture] [IAM] eIDAS profile support for SAML

2018-03-19 Thread Indunil Upeksha Rathnayake
On Thu, Mar 15, 2018 at 6:55 AM, Harsha Thirimanna <hars...@wso2.com> wrote:

>
>
> On Mon, 12 Mar 2018, 13:48 Johann Nallathamby, <joh...@wso2.com> wrote:
>
>> How would you choose which dialect to use at runtime, if one SP can
>> have multiple dialects? Remember, in our implementation a claim is not unique;
>> dialect + claim is unique. So if we don't have the dialect in the
>> authentication request, it might not be straightforward to map claims
>> between dialects.
>>
>
> Yes, this will not be possible, as Johann said.
>
> Because of the internal data structure and the implementation, there can be
> the same claim URI in multiple dialects.
> But theoretically a claim URI is kind of a namespace and a dialect is just a
> grouping of multiple claims. So the namespace should be unique in any
> place. Don't we need to enforce that in our documentation, even if we support
> having the same claims in multiple dialects internally? Is it practical to
> have such a same claim in different dialects?
>

This has been implemented as follows. Multiple SP dialects can be configured
from the UI, so that "http://eidas.europa.eu/attributes/naturalperson" and
"http://eidas.europa.eu/attributes/legalperson" will be considered as two
dialects, and all the eIDAS claims will be shipped by default in the product. So
we will be configuring them as full claim URIs with the claim dialect appended.



Re: [Dev] [Architecture] [IAM] eIDAS profile support for SAML

2018-03-11 Thread Indunil Upeksha Rathnayake
Hi,

In order to support eIDAS profile in IS, as per the 4 eIDAS specifications
in [1], there are a set of requirements to be considered including message
format, cryptographic requirements etc. Those requirements has been
summarized in [2].

This is regarding the handling and inclusion of attributes into exchanged
messages in eIDAS network. As per the eIDAS SAML attribute profile
specification, requesting user attributes MUST be carried out dynamically
by including them in a . There are a set of mandatory
and optional attributes according to the eIDAS minimum data sets for
natural and legal persons (i.e. Natural person is one who can be
identified, directly or indirectly, in particular by reference to an
identifier such as a name [3]. A legal person is any human being, firm, or
government agency that is recognized as having legal rights and
obligations, such as having the ability to enter into contracts, to sue,
and to be sued [4]).

The eIDAS attribute profile support has been currently implemented as
follows.

   1. Include eIDAS attribute profile support in the travelocity sample for
   testing purposes.
   2. Process the eIDAS attributes in the authentication request and send
   the requested attributes to the framework.
   3. Introduced a new dialect for "http://eidas.europa.eu/attributes" and
   configure it in the SP Claim Configuration as the SP Claim mapping Dialect.
   Include support for multiple SP dialects considering the support for
   multiple SAML attribute profiles such as eIDAS.
   4. In order to get the user claims which are mapped to the SP dialect,
   in the framework side filter out based on the SP dialect to local claim
   mappings, if the SP claim dialect is configured.
   5. Process the response retrieved from the framework and send the
   response to the eIDAS network, in the appropriate format.



Appreciate your comments and suggestions on above approach and please find
the following concerns.

   - With the requested attributes in the authentication request, as per
   the specification, we may send the AttributeConsumingServiceIndex as well.
   Currently we have only the basic attribute profile support in SAML. So when
   filtering out the requested claims, we need to send both the requested
   claims in SP configuration and the claims in the request, if
   AttributeConsumingServiceIndex is retrieved. WDYT?


   - As per the current implementation for eIDAS support, first we give
   priority to the SP configured claim set; if it's not available, we consider
   the requested claims in the request. With the oauth request object feature,
   the logic for filtering out the requested claims is somewhat different
   (requested claims should be configured in the SP claims configuration, and
   only the requested claims in the request which are configured in the SP are
   sent). So I think we need to come up with a common solution, if we are
   moving the requested claim filtering to the framework. Shall we use this
   approach as the common one?


Appreciate your ideas on this.

[1] https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS+Profile
[2]
https://docs.google.com/document/d/1uF7qV780SspZHa4hCoiMvaZqjdF9Iapnj8kSNaEUJDU/edit?usp=sharing
[3] https://en.wikipedia.org/wiki/Natural_person
[4] https://en.wikipedia.org/wiki/Legal_person

Thanks and Regards

On Mon, Mar 12, 2018 at 10:30 AM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:

>
>
> On Wed, Feb 28, 2018 at 5:15 PM, Dulanja Liyanage <dula...@wso2.com>
> wrote:
>
>> If extensions are coming in the SAML AuthnRequest from the SP, then,
>> IIRC, that *same extension* will be copied to the AuthnRequest going to
>> the Federated IdP. Is that behaviour acceptable for this scenario? Please
>> validate that.
>>
>
> If that is a federated scenario, where the IDP is not IS, we need to
> disable the eIDAS extension processing and just forward the request as it
> is.
>
>
>>
>> On Wed, Feb 28, 2018 at 7:56 AM, Johann Nallathamby <joh...@wso2.com>
>> wrote:
>>
>>> Hi Indunil,
>>>
>>> On Tue, Feb 27, 2018 at 3:56 PM, Indunil Upeksha Rathnayake <
>>> indu...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> eIDAS (electronic IDentification, Authentication and trust Services) is
>>>> an EU regulation on electronic identification and trust services for
>>>> electronic transactions in the internal market. The eIDAS interoperability
>>>> framework including its national entities (eIDAS-Connector and
>>>> eIDAS-Service) need to exchange messages including personal and technical
>>>> attributes to support cross-border identification and authentication
>>>> processes (Please refer [1] for more information). For the exchange of
>>>> messages, the use of the SAML 2.0 specifications has been agreed and there
>>&

Re: [Dev] [Architecture] [IAM] eIDAS profile support for SAML

2018-03-11 Thread Indunil Upeksha Rathnayake
On Wed, Feb 28, 2018 at 5:15 PM, Dulanja Liyanage <dula...@wso2.com> wrote:

> If extensions are coming in the SAML AuthnRequest from the SP, then, IIRC,
> that *same extension* will be copied to the AuthnRequest going to the
> Federated IdP. Is that behaviour acceptable for this scenario? Please
> validate that.
>

If that is a federated scenario, where the IDP is not IS, we need to
disable the eIDAS extension processing and just forward the request as it
is.


>
> On Wed, Feb 28, 2018 at 7:56 AM, Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>> Hi Indunil,
>>
>> On Tue, Feb 27, 2018 at 3:56 PM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> eIDAS (electronic IDentification, Authentication and trust Services) is
>>> an EU regulation on electronic identification and trust services for
>>> electronic transactions in the internal market. The eIDAS interoperability
>>> framework including its national entities (eIDAS-Connector and
>>> eIDAS-Service) need to exchange messages including personal and technical
>>> attributes to support cross-border identification and authentication
>>> processes (Please refer [1] for more information). For the exchange of
>>> messages, the use of the SAML 2.0 specifications has been agreed and there
>>> is an eIDAS-compliant set of technical specifications in [2], which Member
>>> States of the EU use to develop their own eIDAS-compliant implementations.
>>>
>>>
>>> As per the "eIDAS SAML Message Format" specification, handling and
>>> inclusion of attributes into exchanged messages is defined as follows.
>>>
>>>- Attributes MUST be requested as  and  MUST be included in the
>>> element of the SAML AuthnRequest.
>>>
>>> Ex:
>>>
>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>>> xmlns:eidas="http://eidas.europa.eu/saml-extensions" ...>
>>>   
>>>     public
>>>   
>>>     Name="http://eidas.europa.eu/attributes/legalperson/D-2012-17-EUIdentifier"
>>>     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>>>     isRequired="false" />
>>>     Name="http://eidas.europa.eu/attributes/legalperson/LegalPersonIdentifier"
>>>     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>>>     isRequired="true" />
>>>   
>>>   .
>>>
>>>
>>>
>>>- Apart from the attributes, for indicating whether an
>>>authentication request is made by a private sector or public sector SP,
>>>the defined element  MUST be present either in the
>>> element of SAML metadata or in the  element of a
>>>.
>>>
>>>
>>> As per the SAML Core specification in [3], SAML Extensions is an
>>> optional element in SAML 2.0, allowing arbitrary information to be passed
>>> to the identity provider which are agreed on between the communicating
>>> parties. As mentioned above, eIDAS attributes should be included within
>>> SAML extension element.
>>>
>>>
>>> Currently in IS, *SAML Extensions processing* has not been taken into
>>> consideration. So, in order to have eIDAS profile support for SAML,
>>> that should be considered. Please find the following proposed
>>> implementation.
>>>
>>>1. *Register a set of SAML Extension Processors* - extensible
>>>mechanism where we can include any extension processing
>>>2. *eIDAS Extension Processor* - specifically handles the eIDAS
>>>extension
>>>3. *Invoke the processors when building the SAML assertion*
>>>   - Consider that all the necessary attributes are configured as
>>>   the SP requested claims
>>>   - In the eIDAS processor, filter out the requested attributes
>>>   based on the "RequestedAttributes" elements in the authentication
>>>   request
>>>
>>>
>> +1 for the approach. But make sure we don't have to configure FQCN in
>> files and make only one processor work at a given time. Processors should
>> be picked dynamically based on the request. I think like the other
>> processors we have

[Dev] [Architecture] [IAM] eIDAS profile support for SAML

2018-02-27 Thread Indunil Upeksha Rathnayake
Hi,

eIDAS (electronic IDentification, Authentication and trust Services) is an
EU regulation on electronic identification and trust services for
electronic transactions in the internal market. The eIDAS interoperability
framework including its national entities (eIDAS-Connector and
eIDAS-Service) need to exchange messages including personal and technical
attributes to support cross-border identification and authentication
processes (Please refer [1] for more information). For the exchange of
messages, the use of the SAML 2.0 specifications has been agreed and there
is an eIDAS-compliant set of technical specifications in [2], which Member
States of the EU use to develop their own eIDAS-compliant implementations.


As per the "eIDAS SAML Message Format" specification, handling and
inclusion of attributes into exchanged messages is defined as follows.

   - Attributes MUST be requested as  and  MUST be included in the
   element of the SAML AuthnRequest.

Ex:

xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:eidas="http://eidas.europa.eu/saml-extensions" ...>
  
    public
  
    Name="http://eidas.europa.eu/attributes/legalperson/D-2012-17-EUIdentifier"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    isRequired="false" />
    Name="http://eidas.europa.eu/attributes/legalperson/LegalPersonIdentifier"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    isRequired="true" />
  
  .



   - Apart from the attributes, for indicating whether an authentication
   request is made by a private sector or public sector SP, the defined
   element  MUST be present either in the  element of SAML metadata or
   in the  element of a .


As per the SAML Core specification in [3], SAML Extensions is an optional
element in SAML 2.0, allowing arbitrary information to be passed to the
identity provider which are agreed on between the communicating parties. As
mentioned above, eIDAS attributes should be included within SAML extension
element.


Currently in IS, *SAML Extensions processing* has not been taken into
consideration. So, in order to have eIDAS profile support for SAML,
that should be considered. Please find the following proposed
implementation.

   1. *Register a set of SAML Extension Processors* - extensible mechanism
   where we can include any extension processing
   2. *eIDAS Extension Processor* - specifically handles the eIDAS extension
   3. *Invoke the processors when building the SAML assertion*
      - Consider that all the necessary attributes are configured as the SP
      requested claims
      - In the eIDAS processor, filter out the requested attributes based
      on the "RequestedAttributes" elements in the authentication request


Really appreciate your suggestions and comments.


[1]
https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/How+does+it+work+-+eIDAS+solution
[2]
https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/2016/12/16/eIDAS+Technical+Specifications+v.+1.1
[3] https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

Thanks and Regards

-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
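The proposed design in this thread (a registry of extension processors picked per request, an eIDAS processor that checks for SPType and filters claims by RequestedAttributes) and the claim-priority rule from the 2018-03-11 follow-up (SP-configured claims first, request-driven filtering on top) can be shown end to end in one place. The following is an added example written for this page, not WSO2 IS code: the `SamlExtensionProcessor` interface, the `EidasExtensionProcessor` class and the sample AuthnRequest are all constructed here. The element names `SPType`, `RequestedAttributes` and `RequestedAttribute` are the eIDAS SAML extension elements the thread refers to; the namespaces and attribute URIs are the ones quoted in the thread. The DOM parser is configured with DOCTYPE and external entities disabled, which is the safe default for any inbound SAML XML.

```java
import java.io.StringReader;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example, not WSO2 IS code: request-driven selection of a SAML extension processor. */
public class EidasExtensionExample {

    static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String EIDAS_NS = "http://eidas.europa.eu/saml-extensions";

    /** Hypothetical contract for the proposed "set of SAML extension processors". */
    interface SamlExtensionProcessor {
        /** Decided by inspecting the request, so no FQCN has to be configured in a file. */
        boolean canHandle(Element extensions);
        /** Claims to release: requested by the SP in the request and configured for that SP. */
        Set<String> filterClaims(Element extensions, Set<String> spConfiguredClaims);
    }

    /** eIDAS processor: SPType must be present; RequestedAttributes drive the claim filter. */
    static class EidasExtensionProcessor implements SamlExtensionProcessor {
        public boolean canHandle(Element ext) {
            return ext.getElementsByTagNameNS(EIDAS_NS, "RequestedAttributes").getLength() > 0;
        }

        public Set<String> filterClaims(Element ext, Set<String> spConfiguredClaims) {
            if (ext.getElementsByTagNameNS(EIDAS_NS, "SPType").getLength() != 1) {
                throw new IllegalArgumentException("eIDAS AuthnRequest must carry exactly one SPType");
            }
            Map<String, Boolean> requested = new LinkedHashMap<>(); // attribute name -> isRequired
            NodeList attrs = ext.getElementsByTagNameNS(EIDAS_NS, "RequestedAttribute");
            for (int i = 0; i < attrs.getLength(); i++) {
                Element a = (Element) attrs.item(i);
                requested.put(a.getAttribute("Name"), Boolean.parseBoolean(a.getAttribute("isRequired")));
            }
            // SP-configured claims take priority: release only what is both configured and requested,
            // and fail early when a mandatory (isRequired="true") attribute is not configured at all.
            Set<String> released = new LinkedHashSet<>();
            for (Map.Entry<String, Boolean> e : requested.entrySet()) {
                if (spConfiguredClaims.contains(e.getKey())) {
                    released.add(e.getKey());
                } else if (e.getValue()) {
                    throw new IllegalStateException("required eIDAS attribute not configured for SP: " + e.getKey());
                }
            }
            return released;
        }
    }

    /** Hardened DOM parse: namespace-aware, DOCTYPE and external entities disabled. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed AuthnRequest fragment in the eIDAS message format quoted in the thread.
        String authnRequest =
              "<saml2p:AuthnRequest xmlns:saml2p=\"" + SAMLP_NS + "\" xmlns:eidas=\"" + EIDAS_NS + "\" ID=\"_c1\">"
            + "<saml2p:Extensions>"
            + "<eidas:SPType>public</eidas:SPType>"
            + "<eidas:RequestedAttributes>"
            + "<eidas:RequestedAttribute Name=\"http://eidas.europa.eu/attributes/legalperson/D-2012-17-EUIdentifier\""
            + " NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" isRequired=\"false\"/>"
            + "<eidas:RequestedAttribute Name=\"http://eidas.europa.eu/attributes/legalperson/LegalPersonIdentifier\""
            + " NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" isRequired=\"true\"/>"
            + "</eidas:RequestedAttributes>"
            + "</saml2p:Extensions>"
            + "</saml2p:AuthnRequest>";
        // Constructed SP claim configuration: only LegalPersonIdentifier is mapped for this SP.
        Set<String> spClaims = new LinkedHashSet<>(Arrays.asList(
                "http://eidas.europa.eu/attributes/legalperson/LegalPersonIdentifier"));

        NodeList extList = parse(authnRequest).getElementsByTagNameNS(SAMLP_NS, "Extensions");
        List<SamlExtensionProcessor> registry = Arrays.<SamlExtensionProcessor>asList(new EidasExtensionProcessor());
        if (extList.getLength() == 0) {
            System.out.println("no Extensions: release SP-configured claims " + spClaims);
            return;
        }
        Element extensions = (Element) extList.item(0);
        for (SamlExtensionProcessor p : registry) {
            if (p.canHandle(extensions)) {
                System.out.println("eIDAS claims to release: " + p.filterClaims(extensions, spClaims));
                return;
            }
        }
        // No processor matched (the federated case raised in the thread): forward Extensions unchanged.
        System.out.println("unknown extension: forwarded as-is");
    }
}
```

With the constructed input, the optional EUIdentifier attribute is dropped because the SP has not configured it, LegalPersonIdentifier is released, and a request that asked for a required attribute the SP does not map would be rejected before any assertion is built. Adding a processor for another profile means adding one class to the registry; nothing else changes.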


Re: [Dev] Need of importing the CA certificate to JVM trust store in mutual SSL with X509 authenticator

2018-02-02 Thread Indunil Upeksha Rathnayake
Hi,

I have tested and verified that it is not needed to add the trusted
certificates to the JVM trust store for the X509 authenticator, if we have
properly configured the trust store in catalina-server.xml. It is not
correct to add those certificates to the JVM trust store, since that affects
all WSO2 and non-WSO2 products globally. We should correct the WSO2
documentation; I have created a doc JIRA in [1].

[1] https://wso2.org/jira/browse/DOCUMENTATION-7697

Thanks and Regards

On Wed, Jan 24, 2018 at 9:33 AM, Shakila Sasikaran <shak...@wso2.com> wrote:

> Hi,
>
> As I understand, if we want to make an SSL connection and the certificate
> issued by the CA is not listed in the Java trust store, the connection will
> fail even if the root certificate is recognised by the browser, because
> when the SSL connection is made, the runtime validates the server's
> identity against the CA certificate which is included in the local database.
>
> Therefore, IMO we have to add it to the JVM.
>
> Thanks
>
> On Wed, Jan 24, 2018 at 8:46 AM, Samisa Abeysinghe <sam...@wso2.com>
> wrote:
>
>> My message got blocked due to customer name and got that removed.
>>
>> You have copied internal groups with the dev mails. (dev@org with
>> iam-group) This is asking for trouble. Either keep it public or private.
>>
>> Thanks,
>> Samisa...
>>
>>
>> Samisa Abeysinghe
>>
>> Chief Engineering and Delivery Officer
>>
>> WSO2 Inc.
>> http://wso2.com
>>
>>
>> On Wed, Jan 24, 2018 at 8:34 AM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi Samisa,
>>>
>>> This mail was sent to dev@wso2.org before the support ticket was
>>> raised. Please note that Rajas is the person who worked on the X509
>>> authenticator, so I added his personal email, since this is a discussion in
>>> dev.
>>>
>>> Thanks and Regards
>>>
>>> On Wed, Jan 24, 2018 at 8:21 AM, Samisa Abeysinghe <sam...@wso2.com>
>>> wrote:
>>>
>>>> Who is hmrajas1...@gmail.com and why have we copied that email address
>>>> in a private company discussion that is security related???
>>>>
>>>> Also, is this related to support.wso2.com/jira/browse/NGTDEV-5?
>>>>
>>>> If yes, we need to get back to support ticket and respond within today!
>>>>
>>>> Thanks,
>>>> Samisa...
>>>>
>>>>
>>>> Samisa Abeysinghe
>>>>
>>>> Chief Engineering and Delivery Officer
>>>>
>>>> WSO2 Inc.
>>>> http://wso2.com
>>>>
>>>>
>>>> On Fri, Jan 19, 2018 at 10:02 AM, Indunil Upeksha Rathnayake <
>>>> indu...@wso2.com> wrote:
>>>>
>>>>> Adding rajas and connector team members
>>>>>
>>>>> On Thu, Jan 18, 2018 at 5:58 PM, Indunil Upeksha Rathnayake <
>>>>> indu...@wso2.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> As per the documentation in [1], the certificate of CA, which issued
>>>>>> the client certificate, should be added into the JVM trust store. Please
>>>>>> find the following concerns regarding this.
>>>>>>
>>>>>>- We should add the CA certificate which issued the client
>>>>>>certificate, as a certificate authority in the browser. So that will 
>>>>>> be
>>>>>>added to the root certificate store in browser.
>>>>>>
>>>>>> The CA certificates in root certificate store, will determine which
>>>>>> endpoints we will be allowed to communicate with, in this case it will
>>>>>> allow the client to connect to whichever server presents a certificate
>>>>>> which was signed by one of the certificate authorities.
>>>>>>
>>>>>>- During the mutual SSL with X509 authenticator, there is no need
>>>>>>to consider JVM trust store in client side, since this is a direct 
>>>>>> call
>>>>>>from browser to the server.
>>>>>>
>>>>>>
>>>>>>- During the mutual SSL with X509 authenticator, there is no need
>>>>>>to consider JVM trust store in server side, since in server side, we 
>>>>>> have a
>>>>>>configured trust store. The JVM trust store is needed only if the server
>&

Re: [Dev] Define tomcat connector as first in the order in catalina-server.xml for mutual SSL with X509 authenticator

2018-01-18 Thread Indunil Upeksha Rathnayake
Adding rajas and connector team members

On Thu, Jan 18, 2018 at 4:55 PM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:

> Hi,
>
> Each of the  elements in catalina-server.xml defines one port
> number on which tomcat will listen for requests. AFAIK, the trust store file
> used to validate client certificates of the connections for a particular
> port should be the one defined in the connector configuration. This will
> essentially tell tomcat to use the specified trust store instead of the
> default cacerts trust store which tomcat loads.
>
> For mutual SSL with X509 authenticator, we can configure a new tomcat http
> connector, as follows in catalina-server.xml. This supports the HTTP/1.1
> protocol and listens on a specific TCP port (8443) for connections.
>
> <Connector protocol="HTTP/1.1"
>     port="8443" maxThreads="200"
>     scheme="https" secure="true" SSLEnabled="true"
>     keystoreFile="/path/to/keystore.jks" keystorePass="keystorepwd"
>     truststoreFile="/path/to/truststore.jks" truststorePass="truststorespassword"
>     clientAuth="want" sslProtocol="TLS"/>
>
> Noted that, with X509 authenticator, during the authentication, the client
> certificate in the browser will be considered as trusted and sent to the IS
> server *if and only if the tomcat connector defined for port "8443" is
> configured first in the order*.
>
> Otherwise, when mutual SSL happens, the already existing connector (9443)
> will be picked up and the certificate will not be retrieved correctly. If so,
> the certificate of the CA which issued the client certificate should be added
> into the server client-truststore.jks.
>
> Noticed that, when we configure the connector for 8443 first in the order,
> the wso2 carbon console will be hosted on both port 8443
> ("https://localhost:8443/carbon/") and 9443.
>
> Is this an expected behavior? Anyone knows the reason for this behavior in
> tomcat level? Appreciate your help on this.
>
> If this is an expected behavior, we need to mention that in the
> documentation [1].
>
>
> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-ConfiguringtheX509Certificatefortheapp
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Emailindu...@wso2.com
> Mobile   0772182255
>



-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255


Re: [Dev] Need of importing the CA certificate to JVM trust store in mutual SSL with X509 authenticator

2018-01-18 Thread Indunil Upeksha Rathnayake
Adding rajas and connector team members

On Thu, Jan 18, 2018 at 5:58 PM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:

> Hi,
>
> As per the documentation in [1], the certificate of CA, which issued the
> client certificate, should be added into the JVM trust store. Please find
> the following concerns regarding this.
>
>- We should add the CA certificate which issued the client
>certificate, as a certificate authority in the browser. So that will be
>added to the root certificate store in browser.
>
> The CA certificates in root certificate store, will determine which
> endpoints we will be allowed to communicate with, in this case it will
> allow the client to connect to whichever server presents a certificate
> which was signed by one of the certificate authorities.
>
>- During the mutual SSL with X509 authenticator, there is no need to
>consider JVM trust store in client side, since this is a direct call from
>browser to the server.
>
>
>- During the mutual SSL with X509 authenticator, there is no need to
>consider JVM trust store in server side, since in server side, we have a
>configured trust store. The JVM trust store is needed only if the server
>configured trust store is not loaded into the SSLContext.
>
>
> So that, AFAIU, it is not needed to add CA certificate into JVM trust
> store either in client or server side. WDYT?
>
> Appreciate your ideas on this.
>
> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-Workingwithcertificates
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Emailindu...@wso2.com
> Mobile   0772182255
>



-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255


[Dev] Need of importing the CA certificate to JVM trust store in mutual SSL with X509 authenticator

2018-01-18 Thread Indunil Upeksha Rathnayake
Hi,

As per the documentation in [1], the certificate of CA, which issued the
client certificate, should be added into the JVM trust store. Please find
the following concerns regarding this.

   - We should add the CA certificate which issued the client certificate,
   as a certificate authority in the browser. So that will be added to the
   root certificate store in browser.

The CA certificates in root certificate store, will determine which
endpoints we will be allowed to communicate with, in this case it will
allow the client to connect to whichever server presents a certificate
which was signed by one of the certificate authorities.

   - During the mutual SSL with X509 authenticator, there is no need to
   consider JVM trust store in client side, since this is a direct call from
   browser to the server.


   - During the mutual SSL with X509 authenticator, there is no need to
   consider the JVM trust store on the server side, since on the server side we
   have a configured trust store. The JVM trust store is needed only if the
   server configured trust store is not loaded into the SSLContext.


So, AFAIU, it is not needed to add the CA certificate to the JVM trust store
on either the client or the server side. WDYT?

Appreciate your ideas on this.

[1]
https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-Workingwithcertificates

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255


[Dev] Define tomcat connector as first in the order in catalina-server.xml for mutual SSL with X509 authenticator

2018-01-18 Thread Indunil Upeksha Rathnayake
Hi,

Each of the  elements in catalina-server.xml defines one port
number on which tomcat will listen for requests. AFAIK, the trust store file
used to validate client certificates of the connections for a particular
port should be the one defined in the connector configuration. This will
essentially tell tomcat to use the specified trust store instead of the
default cacerts trust store which tomcat loads.

For mutual SSL with X509 authenticator, we can configure a new tomcat http
connector, as follows in catalina-server.xml. This supports the HTTP/1.1
protocol and listens on a specific TCP port (8443) for connections.

<Connector protocol="HTTP/1.1"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/path/to/keystore.jks" keystorePass="keystorepwd"
    truststoreFile="/path/to/truststore.jks" truststorePass="truststorespassword"
    clientAuth="want" sslProtocol="TLS"/>

Noted that, with X509 authenticator, during the authentication, the client
certificate in the browser will be considered as trusted and sent to the IS
server *if and only if the tomcat connector defined for port "8443" is
configured first in the order*.

Otherwise, when mutual SSL happens, the already existing connector (9443)
will be picked up and the certificate will not be retrieved correctly. If so,
the certificate of the CA which issued the client certificate should be added
into the server client-truststore.jks.

Noticed that, when we configure the connector for 8443 first in the order,
the wso2 carbon console will be hosted on both port 8443
("https://localhost:8443/carbon/") and 9443.

Is this an expected behavior? Anyone knows the reason for this behavior in
tomcat level? Appreciate your help on this.

If this is an expected behavior, we need to mention that in the
documentation [1].


[1]
https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-ConfiguringtheX509Certificatefortheapp

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
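Both the connector thread above and the "Need of importing the CA certificate to JVM trust store" thread turn on the same point: the CAs a client certificate may chain to are exactly the contents of whichever trust store the server's SSLContext was initialised with, so the connector's truststoreFile is consulted and the JVM's cacerts is not. The following added example (written for this page, not WSO2 or Tomcat code) makes that visible with the JSSE API that Tomcat's JSSE connector uses underneath. The class and method names are constructed; the in-memory store stands in for a dedicated client-truststore.jks, and the `/path/to/client-truststore.jks` path and `changeit` password in the final comment are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example, not WSO2 code: the CAs a server-side SSLContext accepts client certificates from. */
public class TrustStoreScopeExample {

    /** Trust manager backed by one store; ks == null selects the JVM default (cacerts or javax.net.ssl.trustStore). */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    /** Load a JKS file such as the connector's truststoreFile; path and password come from the caller. */
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Server-side context: client chains are validated only against trustStore, never against cacerts. */
    static SSLContext serverContext(KeyStore trustStore) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Key managers (the server's own keystore) are omitted; this example is only about the trust side.
        ctx.init(null, new TrustManager[] { trustManagerFor(trustStore) }, null);
        return ctx;
    }

    /** Number of CA certificates a client certificate may chain to under the given store. */
    static int acceptedIssuerCount(KeyStore ks) throws Exception {
        return trustManagerFor(ks).getAcceptedIssuers().length;
    }

    public static void main(String[] args) throws Exception {
        // Constructed: an empty in-memory store stands in for a dedicated client-truststore.jks.
        KeyStore dedicated = KeyStore.getInstance("JKS");
        dedicated.load(null, null);

        X509Certificate[] jvmCas = trustManagerFor(null).getAcceptedIssuers();
        System.out.println("CAs trusted through the JVM default store: " + jvmCas.length);
        System.out.println("CAs trusted through the dedicated store:   " + acceptedIssuerCount(dedicated));

        // Importing a CA into the dedicated store (what keytool -importcert does against
        // client-truststore.jks) is what widens its trust; once this store is the one in the
        // SSLContext, the JVM store plays no part in validating client certificates.
        if (jvmCas.length > 0) {
            dedicated.setCertificateEntry("imported-ca", jvmCas[0]);
        }
        System.out.println("dedicated store after importing one CA:    " + acceptedIssuerCount(dedicated));
        SSLContext ctx = serverContext(dedicated);
        System.out.println("SSLContext initialised with protocol " + ctx.getProtocol());

        // Real usage (placeholder path and password):
        // serverContext(loadJks("/path/to/client-truststore.jks", "changeit".toCharArray()));
    }
}
```

The run prints a non-zero count for the JVM default, zero for the empty dedicated store, and one after a single import, which is the whole argument of the thread: a CA added to cacerts is trusted by every Java process on the host, while a CA added to the connector's truststoreFile is trusted by that connector only.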


Re: [Dev] [IAM] Access Token revocation in OAuthAdminService

2018-01-17 Thread Indunil Upeksha Rathnayake
Hi,

Please find the in line comments.

On Wed, Jan 17, 2018 at 10:50 AM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi All,
>
> In the method [1] which is used to revoke access tokens by resource
> owners, it iterates all ACTIVE or EXPIRED access tokens for the particular
> client authorized by the user.
>
> // retrieve all ACTIVE or EXPIRED access tokens for particular client authorized by this user
> Set<AccessTokenDO> accessTokenDOs = OAuthTokenPersistenceFactory.getInstance()
>         .getAccessTokenDAO().getAccessTokens(appDTO.getOauthConsumerKey(), user, userStoreDomain, true);
>
> Inside the foreach, the auth cache is cleared one by one for the tokens
> fetched from the accessTokenDOs.
>
> for (AccessTokenDO accessTokenDO : accessTokenDOs) {
>     ...
>     OAuthUtil.clearOAuthCache(accessTokenDO.getAccessToken());
>
>     // retrieve latest access token for particular client, user and scope combination if its ACTIVE or EXPIRED
>     scopedToken = OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO()
>             .getLatestAccessToken(appDTO.getOauthConsumerKey(), user, userStoreDomain,
>                     OAuth2Util.buildScopeString(accessTokenDO.getScope()), true);
>     // Revoking token from database
>     OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO()
>             .revokeAccessTokens(new String[]{scopedToken.getAccessToken()});
>     ...
> }
>
> Then inside the for each itself, it retrieves the latest access token for
> the particular client, user and scope, if the token is ACTIVE or EXPIRED.
> This token is revoked from the db inside the for each.
>
> I have two questions here.
>
> 1. We clear the auth cache based on the access token fetched from
> accessTokensDo and revoke the scopedToken from the db, which can be
> different.
>
> 2. As there are multiple db calls happening here, can't we move the
> logic of revoking tokens from the db outside of the for each, as the DAO
> method supports batch operations?
>

No need to get all the access tokens to do cache clean up for the entries
against consumer key + authorized user, which can be done as follows.
*OAuthUtil.clearOAuthCache(appDTO.getOauthConsumerKey(), user);*


Since we remove all the AccessTokenDO entries stored in cache, against all
the access tokens as follows, I think we need to retrieve all ACTIVE or
EXPIRED access tokens for particular client authorized by the user.
*OAuthUtil.clearOAuthCache(accessTokenDO.getAccessToken());*


If there are multiple access tokens available in the database for
particular client, user and scope combination, actually here we are not
revoking the latest access token (ACTIVE or EXPIRED), but revoking multiple
entries while iterating through all the access tokens. In order to revoke
the latest access token for particular client, user and scope combination,
we can use following approach.

   - Get the scopes for the particular client authorized by the user
   - Iterate through the scopes and revoke the latest access token issued
   for the client, user and scope combination using a database batch operation
   - Remove the corresponding entries in the cache for consumer key + authorized
   user + scope as follows.

*OAuthUtil.clearOAuthCache(appDTO.getOauthConsumerKey(), user, scope);*



>
> Highly appreciate your feedback on this.
>
> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminService.java#L627
>
> Thanks.
>
> --
>
> Hasanthi Dissanayake
>
> Senior Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com <http://wso2.com/>
>



-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
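The three-step approach in the reply (collect the scopes authorized for the client and user, pick the latest ACTIVE or EXPIRED token per scope, revoke them in one batch and then clear the consumer key + user + scope cache entries) is easier to judge as code than as prose. The block below is an added example for this page, not OAuthAdminService or DAO code: `TokenStore` is a constructed in-memory stand-in for the access token DAO plus the OAuth cache, and the token rows, cache keys and names (`revokeAuthorizedTokens`, `latestActiveOrExpired`) are all made up here. The `revokeAccessTokens(String[])` and `clearOAuthCache` shapes mirror the calls quoted in the thread.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/** Added example, not OAuthAdminService code: latest ACTIVE/EXPIRED token per scope, revoked in one batch. */
public class ScopedRevocationExample {

    /** Minimal stand-in for AccessTokenDO. */
    static final class AccessTokenDO {
        final String token, consumerKey, user, scope;
        final long issuedAt;
        String state;            // ACTIVE, EXPIRED or REVOKED
        AccessTokenDO(String token, String consumerKey, String user, String scope, String state, long issuedAt) {
            this.token = token; this.consumerKey = consumerKey; this.user = user;
            this.scope = scope; this.state = state; this.issuedAt = issuedAt;
        }
    }

    /** Constructed in-memory stand-in for the access token DAO and the OAuth cache. */
    static final class TokenStore {
        final List<AccessTokenDO> rows = new ArrayList<>();
        final Set<String> cacheKeys = new HashSet<>();   // "consumerKey|user|scope" and "token:<value>" entries
        int batchRevokeCalls = 0;

        Set<String> authorizedScopes(String consumerKey, String user) {
            Set<String> scopes = new LinkedHashSet<>();
            for (AccessTokenDO t : rows) {
                if (t.consumerKey.equals(consumerKey) && t.user.equals(user) && !t.state.equals("REVOKED")) {
                    scopes.add(t.scope);
                }
            }
            return scopes;
        }

        /** Mirrors getLatestAccessToken(..., includeExpired = true): the newest ACTIVE or EXPIRED row. */
        AccessTokenDO latestActiveOrExpired(String consumerKey, String user, String scope) {
            AccessTokenDO latest = null;
            for (AccessTokenDO t : rows) {
                boolean match = t.consumerKey.equals(consumerKey) && t.user.equals(user) && t.scope.equals(scope)
                        && (t.state.equals("ACTIVE") || t.state.equals("EXPIRED"));
                if (match && (latest == null || t.issuedAt > latest.issuedAt)) {
                    latest = t;
                }
            }
            return latest;
        }

        /** Batch operation, as the DAO supports: one call for any number of tokens. */
        void revokeAccessTokens(String[] tokens) {
            batchRevokeCalls++;
            Set<String> set = new HashSet<>(Arrays.asList(tokens));
            for (AccessTokenDO t : rows) {
                if (set.contains(t.token)) {
                    t.state = "REVOKED";
                }
            }
        }
    }

    /** Per scope, pick the latest token; revoke all in one batch; then clear the cache entries. */
    static List<String> revokeAuthorizedTokens(TokenStore store, String consumerKey, String user) {
        List<String> toRevoke = new ArrayList<>();
        Set<String> scopes = store.authorizedScopes(consumerKey, user);
        for (String scope : scopes) {
            AccessTokenDO latest = store.latestActiveOrExpired(consumerKey, user, scope);
            if (latest != null) {
                toRevoke.add(latest.token);
            }
        }
        store.revokeAccessTokens(toRevoke.toArray(new String[0]));   // one DB round trip, not one per token
        for (String scope : scopes) {                                 // consumerKey + user + scope entries
            store.cacheKeys.remove(consumerKey + "|" + user + "|" + scope);
        }
        for (String token : toRevoke) {                               // AccessTokenDO entries keyed by token
            store.cacheKeys.remove("token:" + token);
        }
        return toRevoke;
    }

    public static void main(String[] args) {
        TokenStore store = new TokenStore();   // constructed rows: older tokens for a scope are already EXPIRED
        store.rows.add(new AccessTokenDO("t1", "clientA", "alice", "openid", "EXPIRED", 100));
        store.rows.add(new AccessTokenDO("t2", "clientA", "alice", "openid", "ACTIVE", 200));
        store.rows.add(new AccessTokenDO("t3", "clientA", "alice", "openid email", "ACTIVE", 150));
        store.rows.add(new AccessTokenDO("t4", "clientA", "bob", "openid", "ACTIVE", 300));   // other user, untouched
        store.cacheKeys.addAll(Arrays.asList("clientA|alice|openid", "clientA|alice|openid email", "token:t2", "token:t4"));

        List<String> revoked = revokeAuthorizedTokens(store, "clientA", "alice");
        System.out.println("revoked " + revoked + " in " + store.batchRevokeCalls + " batch call(s)");
        System.out.println("cache keys left: " + store.cacheKeys);
    }
}
```

With the constructed rows, t2 and t3 are revoked in a single batch call, bob's token and alice's older EXPIRED token are left alone, and only `token:t4` survives in the cache. Compared with the loop quoted above, the token whose cache entry is cleared is always the same token that is revoked, which removes the mismatch raised in question 1.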


[Dev] Illegal Characters for Registry Resource Path

2018-01-12 Thread Indunil Upeksha Rathnayake
Hi,

For a registry resource path, we have considered following characters as
illegal characters (Refer [1]).

*~!@#;%^*()+={}|\\<>\"\',*

Anyone knows why we have considered that as a limitation in registry?
Appreciate your help on this.

[1]
https://github.com/wso2/carbon-kernel/blob/4.4.x/core/org.wso2.carbon.registry.core/src/main/java/org/wso2/carbon/registry/core/jdbc/Repository.java#L261


Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255


Re: [Dev] [IS] Usage of "kid" JWT header parameter

2017-08-29 Thread Indunil Upeksha Rathnayake
Hi,

On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana <ga...@wso2.com> wrote:

>
>
> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> In IS, when signing the ID token, we are passing the "kid" header
>> parameter in the response.
>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L122
>>
>> As per the specification (Refer [1]) :
>>
>>> *The kid value is a key identifier used in identifying the key to be
>>> used to verify the signature. If the kid value is unknown to the RP, it
>>> needs to retrieve the contents of the OP's JWK Set again to obtain the OP's
>>> current set of keys.*
>>>
>>
>> We have hard coded this "kid" value in the implementation level. What
>> happens if the signing key is a different one than the default one?
>>
>> Seems like this "kid" is like a hint to identify which specific key to be
>> used to validate the signature, when there are multiple keys. Is it a valid
>> use case in IS, since there cannot be multiple certs available in resident
>> IDP? And also is it correct to use a hard coded value from back-end?
>>
> Having hard coded value is not correct. "kid" value should be generated
> based on certificate "thumbprint". Hard coded value would work for super
> tenant default keystore.
>

Thanks. I have created a public JIRA in [1] to handle this.

[1] https://wso2.org/jira/browse/IDENTITY-6311


>
>>
>>
>>
>> This is hard coded in JwksEndpoint as well.
>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java#L54
>>
>> But in JWTTokenGenerator, we are not setting the "kid" parameter.
>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.java#L293
>>
>> In which scenarios, this "kid" header parameter should be sent and should
>> not be sent? Recently we have implemented to sign the user info JWT
>> response and need to verify whether "kid" parameter should be sent there as
>> well.
>>
>>
>>
>> Appreciate your ideas on above concerns.
>>
>> [1] http://openid.net/specs/openid-connect-core-1_0.html
>>
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Emailindu...@wso2.com
>> Mobile   0772182255
>>
>
>
>
> --
> Gayan Gunawardana
> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: ga...@wso2.com
> Mobile: +94 (71) 8020933
>



-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255


[Dev] [IS] Usage of "kid" JWT header parameter

2017-08-28 Thread Indunil Upeksha Rathnayake
Hi,

In IS, when signing the ID token, we are passing the "kid" header parameter
in the response.
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L122

As per the specification (Refer [1]) :

> *The kid value is a key identifier used in identifying the key to be used
> to verify the signature. If the kid value is unknown to the RP, it needs to
> retrieve the contents of the OP's JWK Set again to obtain the OP's current
> set of keys.*
>

We have hard-coded this "kid" value at the implementation level. What
happens if the signing key is a different one from the default one?

Seems like this "kid" is a hint to identify which specific key should be
used to validate the signature when there are multiple keys. Is it a valid
use case in IS, since there cannot be multiple certs available in the resident
IDP? And also, is it correct to use a hard-coded value from the back-end?



This is hard coded in JwksEndpoint as well.
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java#L54

But in JWTTokenGenerator, we are not setting the "kid" parameter.
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.java#L293

In which scenarios should this "kid" header parameter be sent, and in which
should it not? Recently we implemented signing of the user info JWT
response and need to verify whether the "kid" parameter should be sent there as
well.



Appreciate your ideas on above concerns.

[1] http://openid.net/specs/openid-connect-core-1_0.html


Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
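As an added example (not code from the post above or from WSO2 IS), this is the RP-side behaviour the quoted spec text describes: the "kid" header is only a hint used to pick one key out of the OP's JWK Set, an unknown kid triggers one refresh of the set, and a kid that is still unknown after the refresh is rejected rather than tried against every key. It uses HS256 "oct" JWKs so it runs on the Python standard library alone; with RS256 keys the kid lookup and refresh logic is identical and only the signature check changes. The function names, the "key-2017"/"key-2018" kids and the secrets are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional

Jwk = Dict[str, str]
Jwks = Dict[str, list]


class KidUnknown(Exception):
    """Raised when no single key in the (refreshed) JWK Set matches the token's kid."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(payload: dict, key: Jwk, include_kid: bool = True) -> str:
    """Compact JWS (HS256) over payload; the kid header is copied from the key."""
    header = {"alg": "HS256", "typ": "JWT"}
    if include_kid:
        header["kid"] = key["kid"]
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(b64url_decode(key["k"]), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def select_key(jwks: Jwks, header: dict) -> Optional[Jwk]:
    """Pick the verification key: with a kid, exactly one key must carry it;
    without a kid, selection is only unambiguous when the set holds one key."""
    keys = jwks.get("keys", [])
    kid = header.get("kid")
    if kid is None:
        return keys[0] if len(keys) == 1 else None
    matches = [k for k in keys if k.get("kid") == kid]
    return matches[0] if len(matches) == 1 else None


def verify_jws(token: str, cached_jwks: Jwks, fetch_jwks: Callable[[], Jwks]) -> dict:
    """Verify against the RP's cached JWK Set; on an unknown kid refetch the set
    once (key rotation at the OP) and reject if the kid is still unknown."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: the token's own alg header must never choose the check.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    key = select_key(cached_jwks, header)
    if key is None:
        key = select_key(fetch_jwks(), header)
        if key is None:
            raise KidUnknown(header.get("kid"))
    expected = hmac.new(
        b64url_decode(key["k"]), (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(parts[1]))


def demo() -> Dict[str, str]:
    """Constructed rotation scenario: the RP cached the set before the OP added a key."""
    old_key = {"kty": "oct", "kid": "key-2017", "k": b64url_encode(b"constructed-old-secret-0000000001")}
    new_key = {"kty": "oct", "kid": "key-2018", "k": b64url_encode(b"constructed-new-secret-0000000002")}
    cached = {"keys": [old_key]}            # what the RP fetched earlier
    current = {"keys": [old_key, new_key]}  # what the OP publishes now
    fetch = lambda: current

    out = {}
    out["old"] = verify_jws(sign_jws({"sub": "alice"}, old_key), cached, fetch)["sub"]
    # kid key-2018 is not in the cache: one refresh, then verification succeeds.
    out["rotated"] = verify_jws(sign_jws({"sub": "bob"}, new_key), cached, fetch)["sub"]
    # A kid the OP never published stays unknown after the refresh.
    unpublished = {"kty": "oct", "kid": "key-9999", "k": b64url_encode(b"constructed-unpublished-secret-03")}
    try:
        verify_jws(sign_jws({"sub": "carol"}, unpublished), cached, fetch)
        out["unknown"] = "accepted"
    except KidUnknown:
        out["unknown"] = "rejected"
    # No kid at all against a multi-key set is ambiguous, so it is rejected too.
    try:
        verify_jws(sign_jws({"sub": "dave"}, new_key, include_kid=False), current, fetch)
        out["nokid"] = "accepted"
    except KidUnknown:
        out["nokid"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The point for the thread's question: once the OP publishes more than one key (for example during rotation), an RP without a kid has no safe way to choose, so emitting the kid that matches the JWKS entry used for signing is what keeps the user info and ID token responses verifiable; a hard-coded kid only works as long as it really is the kid of the key that signed.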


Re: [Dev] [IS] Need to get the consent page back in SSO flow

2017-08-18 Thread Indunil Upeksha Rathnayake
Hi,
On Fri, Aug 18, 2017 at 3:12 PM, Naduni Pamudika <nad...@wso2.com> wrote:

> Hi All,
>
> In the SSO flow, first the login page appears and then the consent page where
> the scopes are being approved by the user. I have put "Approve Always" for
> the scopes showing in the consent page and then the consent page does not
> appear in the login flow.
>
> I want to get the normal flow back, i.e. I want to go through the consent
> page and see the scopes.
>
> I tried deleting the application from the IS side and it did not work.
> Even after deleting and creating a new application, "Approve Always" is
> still enabled.
>

There was an issue where, when removing an authorized app, the consent was not
removed from the IDN_OPENID_USER_RPS table; it was fixed with [1]. To
remove the authorized app, did you use "Remove Application" in the "Authorized
Apps" gadget [2]? If so, it should remove the consent for that application.

[1] https://wso2.org/jira/browse/IDENTITY-4832
[2]
https://docs.wso2.com/display/IS530/Using+the+End+User+Dashboard#UsingtheEndUserDashboard-Workingwithyourauthorizedapplications


>
> How can I get it disabled?
>
> Thank you,
> Naduni
>
> --
> *Naduni Pamudika*
> Software Engineer | WSO2
> Mobile: +94 719 143658 <+94%2071%20914%203658>
> [image: http://wso2.com/signature] <http://wso2.com/signature>
>



-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] Need to get the consent page back in SSO flow

2017-08-18 Thread Indunil Upeksha Rathnayake
Hi Naduni,

This was an improvement for IS 5.2.0 (refer to [1] for more information). As
Isura mentioned, you can use
"updateApproveAlwaysForAppConsentByResourceOwner" in OAuthAdminService to
revoke the "Approve Always" consent for OAuth apps.

Please refer to the IDN_OPENID_USER_RPS table in IS. When users log in to OAuth
applications, the consent details are stored in this table. There, the
TRUSTED_ALWAYS column contains the value "TRUE" or "FALSE", which
indicates whether the user has selected the "Approve Always" or the "Approve"
option.

We set the TRUSTED_ALWAYS column to the value provided for "state"
when invoking the "updateApproveAlwaysForAppConsentByResourceOwner" service
method. So in order to revoke the "Approve Always" consent, you need to
provide "state" as "FALSE".

[1] https://wso2.org/jira/browse/IDENTITY-4832

On Fri, Aug 18, 2017 at 5:34 PM, Naduni Pamudika <nad...@wso2.com> wrote:

> Hi Isura,
>
> On Fri, Aug 18, 2017 at 4:17 PM, Isura Karunaratne <is...@wso2.com> wrote:
>
>> Hi Nipuni,
>>
>> You can use updateApproveAlwaysForAppConsentByResourceOwner method in
>> oauthAdminSevice to revoke the approve always consent.
>>
>>  http://schemas.
> xmlsoap.org/soap/envelope/
> <http://www.google.com/url?q=http%3A%2F%2Fschemas.xmlsoap.org%2Fsoap%2Fenvelope%2F=D=1=AFQjCNGNF5DdaQ9wHKRy5fjl5UBgSE9-HA>"
> xmlns:xsd="http://org.apache.axis2/xsd
> <http://www.google.com/url?q=http%3A%2F%2Forg.apache.axis2%2Fxsd=D=1=AFQjCNEQeayJxS4-8ESpde7Zv4MukwYQ-g>
> ">
>   
>   
>  
> 
> ?
> 
> ?
>  
>   
> 
>
> What do we need to put as "state" here?
>
> For the "appName", is it okay to put the Service Provider ID.
>
>
>
> Thanks,
> Naduni
>
> Thanks
>> Isura
>>
>> On Fri, Aug 18, 2017 at 3:24 PM Farasath Ahamed <farasa...@wso2.com>
>> wrote:
>>
>>> + Indunil
>>>
>>> Farasath Ahamed
>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>> Mobile: +94777603866
>>> Blog: blog.farazath.com
>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>> <http://wso2.com/signature>
>>>
>>>
>>>
>>> On Fri, Aug 18, 2017 at 3:12 PM, Naduni Pamudika <nad...@wso2.com>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> In the SSO flow, first the login page appears and then the consent page 
>>>> where
>>>> the scopes are being approved by the user. I have put "Approve Always" for
>>>> the scopes showing in the consent page and then the consent page does
>>>> not appear in the login flow.
>>>>
>>>> I want to get the normal flow back, i.e. I want to go through the consent
>>>> page and see the scopes.
>>>>
>>>> I tried deleting the application from the IS side and it did not work.
>>>> Even after deleting and creating a new application, "Approve Always" is
>>>> still enabled.
>>>>
>>>> How can I get it disabled?
>>>>
>>>> Thank you,
>>>> Naduni
>>>>
>>>> --
>>>> *Naduni Pamudika*
>>>> Software Engineer | WSO2
>>>> Mobile: +94 719 143658 <+94%2071%20914%203658>
>>>> [image: http://wso2.com/signature] <http://wso2.com/signature>
>>>>
>>>
>>> ___
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Associate Technical Lead | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>
>
> --
> *Naduni Pamudika*
> Software Engineer | WSO2
> Mobile: +94 719 143658 <+94%2071%20914%203658>
> [image: http://wso2.com/signature] <http://wso2.com/signature>
>



-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] Admin/Tenant Admin Users cannot be filtered to get the SCIM ID

2017-07-21 Thread Indunil Upeksha Rathnayake
Hi,



On Fri, Jul 21, 2017 at 2:29 PM, Gayan Gunawardana <ga...@wso2.com> wrote:

> Whatever the implementation behavior should be identical among user list
> command and user filter command. With new implementation if admin user has
> SCIM ID it will be returned from both list and filter.
>

Yes. I have created a JIRA to handle this issue.

[1] https://wso2.org/jira/browse/IDENTITY-6177


> On Fri, Jul 21, 2017 at 2:17 PM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi Indunil,
>>
>> Please refer following mail in Architecture [1]. Seems Sathya is going to
>> provide SCIM support for admin users by generating admin users' SCIM
>> userId. After this implementation it seems this issue will be fixed.
>>
>> [1] mail : [Architecture] [IS] SCIM Support for Admin Users
>>
>> Thanks,
>>
>> Hasanthi Dissanayake
>>
>> Software Engineer | WSO2
>>
>> E: hasan...@wso2.com
>> M :0718407133| http://wso2.com <http://wso2.com/>
>>
>> On Fri, Jul 21, 2017 at 2:11 PM, Gayan Gunawardana <ga...@wso2.com>
>> wrote:
>>
>>>
>>>
>>> On Fri, Jul 21, 2017 at 2:06 PM, Indunil Upeksha Rathnayake <
>>> indu...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have checked followings with IS 5.3.0 WUM updated pack.
>>>>
>>>> 1) List users
>>>> curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Users
>>>> Result: *{"Errors":[{"description":"Users not found in the user
>>>> store.","code":"404"}]}*
>>>>
>>>> 2) Filter admin user
>>>> curl -v -k --user admin:admin https://localhost:9443/wso2/sc
>>>> im/Users?filter=userName+Eq+%22admin%22
>>>> Result:
>>>> *{"schemas":["urn:scim:schemas:core:1.0"],"totalResults":1,"Resources":[{"userName":"admin"}]}*
>>>>
>>>> Seems like there is a contradiction here. When listing all the users,
>>>> the admin user's details are not retrieved, but they are retrieved with filtering. Since
>>>> the admin user doesn't have a SCIM ID, it shouldn't be retrieved in any scenario.
>>>> WDT?
>>>>
>>> Yes so filter command should not return admin user if it doesn't have
>>> SCIM ID.
>>>
>>>>
>>>> Thanks and Regards
>>>>
>>>>
>>>> On Fri, Nov 6, 2015 at 9:33 AM, Nadeesha Meegoda <nadees...@wso2.com>
>>>> wrote:
>>>>
>>>>> Thanks Chamila. Understood!
>>>>>
>>>>> On Thu, Nov 5, 2015 at 9:48 PM, Chamila Wijayarathna <cham...@wso2.com
>>>>> > wrote:
>>>>>
>>>>>> Hi Nadeesha,
>>>>>>
>>>>>> As I mentioned in my previous mail, super admin and tenant admin are
>>>>>> not created with a SCIM ID, so you can't retrieve them using SCIM GET.
>>>>>>
>>>>>> I was suggesting above request to get other users of tenant, if you
>>>>>> are interested, since the command you were using previously for 
>>>>>> retrieving
>>>>>> tenant users were wrong.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> On Thu, Nov 5, 2015 at 5:03 PM, Nadeesha Meegoda <nadees...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> So I requested to get the SCIM ID as what Chamila mentioned by the
>>>>>>> following command
>>>>>>> curl -v -k --user ten...@new.com:123456
>>>>>>> https://localhost:9443/wso2/scim/Users?filter=userNameEqtenant
>>>>>>>
>>>>>>> But still this doesn't give any result, only an HTTP 404 error. So
>>>>>>> are tenant admins also considered for the special flow?
>>>>>>>
>>>>>>> On Thu, Nov 5, 2015 at 3:41 PM, Gayan Gunawardana <ga...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Nov 5, 2015 at 3:13 PM, Darshana Gunawardana <
>>>>>>>> darsh...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Nov 5, 2015 

Re: [Dev] [IS] Admin/Tenant Admin Users cannot be filtered to get the SCIM ID

2017-07-21 Thread Indunil Upeksha Rathnayake
>>>>>>>>>
>>>>>>>>> Hi Nadeesha,
>>>>>>>>>
>>>>>>>>> What is the value of SCIMEnabled configuration in your
>>>>>>>>> user-mgt.xml?
>>>>>>>>>
>>>>>>>>> Are you using LDAP or JDBC user store manager?
>>>>>>>>>
>>>>>>>> @Chamila
>>>>>>
>>>>>> The admin user is added at the very first server startup by calling
>>>>>> "addInitialAdminData" in AbstractUserStoreManager. In the embedded LDAP
>>>>>> scenario, the concrete "doAddUser" method will be invoked in
>>>>>> ReadWriteLDAPUserStoreManager, so the user will be directly added to the user
>>>>>> store without going through the SCIM listener (without going through any listener).
>>>>>> Since there is no SCIM listener engagement, the SCIM ID will not be added to the
>>>>>> user store.
>>>>>>
>>>>>> I am not sure whether we are not getting the SCIM ID just because the admin
>>>>>> user is a special user, or because of the kind of implementation we have right now.
>>>>>>
>>>>>
>>>>> Chamila checked with me on this and he meant admin user is special due
>>>>> to the same reason you explained above. Basically admin user is created
>>>>> through special flow compared to normal users.
>>>>>
>>>> If we generate a SCIM ID even in that special flow, is that correct?
>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>>>
>>>>>> Adding Johann.
>>>>>>
>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>> On Wed, Nov 4, 2015 at 6:20 PM, Nadeesha Meegoda <
>>>>>>>>> nadees...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi IS Team,
>>>>>>>>>>
>>>>>>>>>> I was trying to filter and get admin users SCIM ID and failed,
>>>>>>>>>> even tried for tenant admin and still I couldn't filter and get the 
>>>>>>>>>> SCIM ID
>>>>>>>>>>
>>>>>>>>>> Command used :
>>>>>>>>>> curl -v -k --user admin:admin https://localhost:9443/wso2/
>>>>>>>>>> scim/Users?filter=userNameEqadmin
>>>>>>>>>> curl -v -k --user admin:admin https://localhost:9443/wso2/
>>>>>>>>>> scim/Users?filter=usernameeqten...@hello.com
>>>>>>>>>>
>>>>>>>>>> Searching through the jira found out that in the past, listing
>>>>>>>>>> admin users as scim users were removed as per [1]
>>>>>>>>>>
>>>>>>>>>> How can we filter and get the admin/tenant admin SCIM ID?
>>>>>>>>>>
>>>>>>>>>> [1] - https://wso2.org/jira/browse/IDENTITY-503
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> *Nadeesha Meegoda*
>>>>>>>>>> Software Engineer - QA
>>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>> email : nadees...@wso2.com
>>>>>>>>>> mobile: +94783639540
>>>>>>>>>> <%2B94%2077%202273555>
>>>>>>>>>>
>>>>>>>>>> ___
>>>>>>>>>> Dev mailing list
>>>>>>>>>> Dev@wso2.org
>>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *Chamila Dilshan Wijayarathna,*
>>>>>>>>> Software Engineer
>>>>>>>>> Mobile:(+94)788193620
>>>>>>>>> WSO2 Inc., http://wso2.com/
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Nadeesha Meegoda*
>>>>>>>> Software Engineer - QA
>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>> lean.enterprise.middleware
>>>>>>>> email : nadees...@wso2.com
>>>>>>>> mobile: +94783639540
>>>>>>>> <%2B94%2077%202273555>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> *Chamila Dilshan Wijayarathna,*
>>>>>>> Software Engineer
>>>>>>> Mobile:(+94)788193620
>>>>>>> WSO2 Inc., http://wso2.com/
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Gayan Gunawardana
>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>>> Email: ga...@wso2.com
>>>>>> Mobile: +94 (71) 8020933
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Regards,
>>>>>
>>>>>
>>>>> *Darshana Gunawardana*Senior Software Engineer
>>>>> WSO2 Inc.; http://wso2.com
>>>>>
>>>>> *E-mail: darsh...@wso2.com <darsh...@wso2.com>*
>>>>> *Mobile: +94718566859 <%2B94718566859>*Lean . Enterprise . Middleware
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Gayan Gunawardana
>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>> Email: ga...@wso2.com
>>>> Mobile: +94 (71) 8020933
>>>>
>>>
>>>
>>>
>>> --
>>> *Nadeesha Meegoda*
>>> Software Engineer - QA
>>> WSO2 Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>> email : nadees...@wso2.com
>>> mobile: +94783639540
>>> <%2B94%2077%202273555>
>>>
>>
>>
>>
>> --
>> *Chamila Dilshan Wijayarathna,*
>> Software Engineer
>> Mobile:(+94)788193620
>> WSO2 Inc., http://wso2.com/
>>
>
>
>
> --
> *Nadeesha Meegoda*
> Software Engineer - QA
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
> email : nadees...@wso2.com
> mobile: +94783639540
> <%2B94%2077%202273555>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
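As an added example (not IS code, not from the thread), the consistency point Gayan raises above, that list and filter must treat the admin user identically, is easiest to guarantee when the filter endpoint is built on top of the same visibility rule as the list endpoint. The snippet below is a small SCIM 1.0 filter evaluator over a constructed user-store snapshot in which the admin user has no SCIM id (as created by the bootstrap path described in the thread); it also rejects the squashed filter form "userNameEqadmin" from the older messages, since the SCIM filter grammar requires whitespace between attribute, operator and value. Names such as USERS, scimId, list_users and filter_users are assumptions of the example.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed user-store snapshot: the admin user was created by the bootstrap
# path and carries no SCIM id (scimId is None); the others went through the
# SCIM listener and got one.
USERS: List[Dict[str, Optional[str]]] = [
    {"userName": "admin", "scimId": None},
    {"userName": "alice", "scimId": "11111111-constructed-uuid-0001"},
    {"userName": "bob", "scimId": "22222222-constructed-uuid-0002"},
]

# SCIM 1.0 simple filter: attribute SP operator [SP "value"]; 'pr' takes no value.
_FILTER_RE = re.compile(
    r'^\s*([A-Za-z][\w.]*)\s+(eq|co|sw|pr)(?:\s+"([^"]*)")?\s*$', re.IGNORECASE
)


def parse_filter(raw: str) -> Tuple[str, str, Optional[str]]:
    """Decode the query-string form (userName+Eq+%22admin%22) and parse it.

    Raises ValueError for malformed input, including the squashed form
    'userNameEqadmin', which has no separating whitespace.
    """
    expr = unquote_plus(raw)
    m = _FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"malformed SCIM filter: {expr!r}")
    attr, op, value = m.group(1), m.group(2).lower(), m.group(3)
    if (op == "pr") != (value is None):
        raise ValueError("'pr' takes no value; other operators require one")
    return attr, op, value


def matches(user: Dict[str, Optional[str]], attr: str, op: str, value: Optional[str]) -> bool:
    actual = user.get(attr)
    if op == "pr":
        return actual is not None
    if actual is None:
        return False
    # userName is not caseExact, so compare case-insensitively.
    a, v = str(actual).lower(), (value or "").lower()
    return {"eq": a == v, "co": v in a, "sw": a.startswith(v)}[op]


def scim_visible(user: Dict[str, Optional[str]]) -> bool:
    """The single rule both endpoints share: no SCIM id, no SCIM resource."""
    return user.get("scimId") is not None


def list_users(users: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    return [u for u in users if scim_visible(u)]


def filter_users(users: List[Dict[str, Optional[str]]], raw_filter: str) -> List[Dict[str, Optional[str]]]:
    """Filter is applied to the listable set, so it can never expose a user that
    the list endpoint hides (the contradiction reported in the thread)."""
    attr, op, value = parse_filter(raw_filter)
    return [u for u in list_users(users) if matches(u, attr, op, value)]


def demo() -> Dict[str, object]:
    out: Dict[str, object] = {}
    out["list"] = [u["userName"] for u in list_users(USERS)]
    out["filter_admin"] = [u["userName"] for u in filter_users(USERS, "userName+Eq+%22admin%22")]
    out["filter_alice"] = [u["userName"] for u in filter_users(USERS, "userName+Eq+%22alice%22")]
    out["present"] = [u["userName"] for u in filter_users(USERS, "scimId+pr")]
    try:
        filter_users(USERS, "userNameEqadmin")
        out["squashed"] = "accepted"
    except ValueError:
        out["squashed"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

With the new implementation mentioned in the thread (admin users get a SCIM id), the same code returns admin from both endpoints without any change, because the visibility rule is evaluated in one place.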


Re: [Dev] [IS] xml based IdP configuration within a tenant

2017-07-13 Thread Indunil Upeksha Rathnayake
Hi,

To make a file-based IDP visible across tenants and in the SP registration
UI as a federated IDP, you can add the prefix "SHARED_" before the IDP name
in the element.
SHARED_identityProvider1

But then that IDP will be shared by all the SPs in all the tenants. AFAIK,
we can't configure a file-based IDP to make it visible in only one tenant.

Thanks and Regards



On Thu, Jul 13, 2017 at 6:15 PM, Hanen Ben Rhouma <hanen...@gmail.com>
wrote:

> Yes this is not an issue, all we're trying to achieve is a specific IdP
> config residing within a tenant attached to a SaaS based SP config residing
> within the super tenant. Is such scenario possible for a federation case?
>
>
>
>
> Regards,
> Hanen
>
> On Thu, Jul 13, 2017 at 12:56 PM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi Hanen,
>>
>> In the current IS release version, file based SP and IDPs will not be
>> visible in the management console.
>>
>> Thanks and Regards
>>
>> On Thu, Jul 13, 2017 at 3:53 PM, Hanen Ben Rhouma <hanen...@gmail.com>
>> wrote:
>>
>>> Hello Guys,
>>>
>>> Is it possible to create an IdP via xml file and make it visible only to
>>> a specific tenant?
>>>
>>>
>>> Regards,
>>> Hanen
>>>
>>> ___
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Emailindu...@wso2.com
>> Mobile   0772182255 <07%2072%2018%2022%2055>
>>
>
>


-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] xml based IdP configuration within a tenant

2017-07-13 Thread Indunil Upeksha Rathnayake
Hi Hanen,

In the current IS release version, file based SP and IDPs will not be
visible in the management console.

Thanks and Regards

On Thu, Jul 13, 2017 at 3:53 PM, Hanen Ben Rhouma <hanen...@gmail.com>
wrote:

> Hello Guys,
>
> Is it possible to create an IdP via xml file and make it visible only to a
> specific tenant?
>
>
> Regards,
> Hanen
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [Swagger] swagger2cxf-maven-plugin to generate server stub for CXF

2017-07-05 Thread Indunil Upeksha Rathnayake
Hi,

I have used the Swagger Codegen to generate the server stubs from a
Swagger definition of a REST API for IS 5.4.0.

In there I have added the following plugin to generate server stub for CXF.


> org.wso2.maven.plugins
> swagger2cxf-maven-plugin
> 1.0-SNAPSHOT
> 
>
> ${project.basedir}/src/main/resources/api.identity.oauth2.scope.endpoint.yaml
> 
> 
>


Also add the following maven build helper plugin.


> org.codehaus.mojo
> build-helper-maven-plugin
> 
> 
> add-source
> generate-sources
> 
> add-source
> 
> 
> 
> src/gen/java
> 
> 
> 
> 
> 
>

Then use the "mvn swagger2cxf:generate" command to generate the server stubs;
in the src/gen/java folder a set of factories is generated, and in the main/Java
folder a set of impl files is generated.

I have following concerns regarding server stubs generation from Swagger.

   - Can this be automated in the component build? Or is this normally
   the way it should be handled, with all the generated files committed to git
   as well?


   - If we are committing the generated files to git, is it recommended to
   add class comments in those?


Thanks and Regards

-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Please increase the TOKEN_SCOPE column length in IDN_OAUTH2_ACCESS_TOKEN_SCOPE table

2017-06-22 Thread Indunil Upeksha Rathnayake
Hi,

Created a JIRA for this in [1], will be fixed in 5.4.0-m2.

[1] https://wso2.org/jira/browse/IDENTITY-6093

Thanks and Regards

On Thu, Jun 22, 2017 at 11:54 AM, Naduni Pamudika <nad...@wso2.com> wrote:

> Hi IS Team,
>
> I am working on the SSO Login feature in APIM, and there I need to have a
> bit longer scopes list. When I was trying to send the access token request
> it gave an error saying "Value too long for column "TOKEN_SCOPE
> VARCHAR(60) NOT NULL"".
>
> Noticed that you have size 2048 for the scopes in other places [1,2]. Can
> you please increase this [3] as well?
>
> [1] https://github.com/wso2/carbon-identity-framework/
> blob/master/features/identity-core/org.wso2.carbon.identity.
> core.server.feature/resources/dbscripts/mysql.sql#L31
> [2] https://github.com/wso2/carbon-identity-framework/
> blob/master/features/identity-core/org.wso2.carbon.identity.
> core.server.feature/resources/dbscripts/mysql.sql#L86
> [3] https://github.com/wso2/carbon-identity-framework/
> blob/master/features/identity-core/org.wso2.carbon.identity.
> core.server.feature/resources/dbscripts/mysql.sql#L105
>
> Thank you.
> Naduni
>
> --
> *Naduni Pamudika*
> Software Engineer | WSO2
> Mobile: +94 719 143658 <+94%2071%20914%203658>
> [image: http://wso2.com/signature] <http://wso2.com/signature>
>



-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Regarding SCIM Extension

2017-06-15 Thread Indunil Upeksha Rathnayake
Hi Supun,

This is reproducible in the default IS 5.3.0 pack. I have created a public
JIRA for this in [1] and will be targeting to get it fixed in the next
release.

[1] https://wso2.org/jira/browse/IDENTITY-6079

Thanks and Regards

On Wed, Jun 7, 2017 at 8:21 AM, Omindu Rathnaweera <omi...@wso2.com> wrote:

> Hi Supun,
>
> Can you have a look at the blog post [1]. The post has explained
> configuring the scim extension in detail.
>
> [1] - https://medium.com/@Dilshani/scim-extension-in-wso2-is-d30e8b0e8bc6
>
> Thanks,
> Omindu.
>
> On Mon, Jun 5, 2017 at 3:46 PM, Supun Madushanka <supun...@cse.mrt.ac.lk>
> wrote:
>
>>
>>
>> Hi All,
>>
>> I am working with WSO2 IS (5.3.0) for one of my projects. I  can
>> successfully register a user using SCIM. But there are some attributes that
>> I need which are not provided by SCIM by default. After a bit of search I
>> found SCIM extension feature provided .So I configured IS according to
>> following instructions.
>>
>> https://docs.wso2.com/display/IS530/Extensible+SCIM+User+Sch
>> emas+With+WSO2+Identity+Server.
>>
>> When I send the registration request with a custom attribute (in this
>> case "organization" ), in the immediate response I can find that attribute.
>>
>> request:
>>
>> curl -v -k --user admin:admin --data 
>> '{"schemas":[],"userName":"SureshAtt","password":"Wso2@123","wso2Extension":{"organization":"WSO2Org"}}'
>>  --header "Content-Type:application/json" 
>> https://localhost:9446/wso2/scim/Users
>>
>> response:
>> {"wso2Extension":{"organization":"WSO2Org"},"meta":{"created":"2017-06-05T05:39:17","location":"https://localhost:9443/wso2/scim/Users/0a034368-abe5-4e36-a20f-21e37eb9935a","lastModified":"2017-06-05T05:39:17"},"schemas":["urn:scim:schemas:core:1.0","urn:scim:schemas:extension:wso2:1.0"],"id":"0a034368-abe5-4e36-a20f-21e37eb9935a","userName":"SureshAtt"}
>>
>>
>>
>> But when I try to get the user details by user Id using a separate
>> request, I do not get the custom attribute in the response.
>>
>> request:
>> curl -v -k --user admin:admin 
>> https://localhost:9446/wso2/scim/Users/0a034368-abe5-4e36-a20f-21e37eb9935a
>>
>> response:
>> {"meta":{"created":"2017-06-05T05:39:17","location":"https://localhost:9443/wso2/scim/Users/0a034368-abe5-4e36-a20f-21e37eb9935a","lastModified":"2017-06-05T05:39:17"},"schemas":["urn:scim:schemas:core:1.0"],"id":"0a034368-abe5-4e36-a20f-21e37eb9935a","userName":"SureshAtt"}
>>
>>
>> What could be the possible cause ? please be kind enough to assist.
>>
>> Thank
>> --
>> Best Regards,
>> *Supun Madushanka*
>> [Undergraduate]
>> University of Moratuwa. http://www.mrt.ac.lk
>> Department of Computer Science and Engineering. http://cse.mrt.ac.lk
>> Mobile: +94 71 1135012 <%2B94%280%29%20711135012>
>> E-mail: supun...@cse.mrt.ac.lk
>>
>>
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Omindu Rathnaweera
> Senior Software Engineer, WSO2 Inc.
> Mobile: +94 771 197 211 <+94%2077%20119%207211>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Ask password cannot be configured from management console when using identity REST API

2017-06-15 Thread Indunil Upeksha Rathnayake
a:37)
>>>>>>  at 
>>>>>> org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>>>>>>  at 
>>>>>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>>>>>>  at 
>>>>>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
>>>>>>  at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>>  at 
>>>>>> org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>>>>>>  at 
>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>>>  at 
>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>  at 
>>>>>> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>  at 
>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>  at 
>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>  at 
>>>>>> org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120)
>>>>>>  at 
>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>  at 
>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>  at 
>>>>>> org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
>>>>>>  at 
>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>  at 
>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>  at 
>>>>>> org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120)
>>>>>>  at 
>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>  at 
>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>  at 
>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
>>>>>>  at 
>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>>>>>  at 
>>>>>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>>>>>>  at 
>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>>>>>  at 
>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>>>  at 
>>>>>> org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:72)
>>>>>>  at 
>>>>>> org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
>>>>>>  at 
>>>>>> org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
>>>>>>  at 
>>>>>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>>>>>>  at 
>>>>>> org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>>>>  at 
>>>>>> org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>>>>>>  at 
>>>>>> org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>>>>  at 
>>>>>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>>>>>>  at 
>>>>>> org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>>>>  at 
>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:958)
>>>>>>  at 
>>>>>> org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>>>>  at 
>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>>  at 
>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452)
>>>>>>  at 
>>>>>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
>>>>>>  at 
>>>>>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>>>>>>  at 
>>>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1756)
>>>>>>  at 
>>>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1715)
>>>>>>  at 
>>>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>  at 
>>>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>  at 
>>>>>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>  at java.lang.Thread.run(Thread.java:745)
>>>>>>
>>>>>>
>>>>>>
>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-6025
>>>>>>
>>>>>> Thanks & Regards
>>>>>> Danushka Fernando
>>>>>> Associate Tech Lead
>>>>>> WSO2 inc. http://wso2.com/
>>>>>> Mobile : +94716332729 <+94%2071%20633%202729>
>>>>>>
>>>>> --
>>>>>
>>>>> *Isura Dilhara Karunaratne*
>>>>> Senior Software Engineer | WSO2
>>>>> Email: is...@wso2.com
>>>>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>>>>> Blog : http://isurad.blogspot.com/
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ___
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Thanks & Regards,
>>>>
>>>> *Johann Dilantha Nallathamby*
>>>> Senior Technical Lead - WSO2 Identity Server
>>>> Governance Technologies Team
>>>> WSO2, Inc.
>>>> lean.enterprise.middleware
>>>>
>>>> Mobile - *+9476950*
>>>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>>>>
>>>
>>> --
>>
>> *Isura Dilhara Karunaratne*
>> Senior Software Engineer | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [Architecture] [IS] Features to be included in IS 5.4.0 which required for APIM 3.0

2017-06-14 Thread Indunil Upeksha Rathnayake
Adding Lakmal and Sanjeewa

On Wed, Jun 14, 2017 at 7:28 PM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:

> Hi,
>
> Thanks for all of your valuable feedback. Currently we are implementing the
> following REST endpoints. We have modeled the REST API using Swagger,
> and you can find the swagger definition attached as well. We really appreciate
> your comments and suggestions on the specified endpoints; please mention if
> there are other required endpoints.
>
>
> Endpoint: /scopes
>   POST   - Create Scopes
>            Request:  [{"key": "openid", "name": "openid", "description": "openid scope", "bindings": ["role1", "role2"]}]
>            Response: "HTTP/1.1 201 Created"
>   DELETE - Delete Scopes
>            Request:  ["key1", "key2"]
>            Response: "HTTP/1.1 201 Deleted"
>   PUT    - Update Scopes
>            Request:  [{"key": "openid", "name": "openid", "description": "openid scope", "bindings": ["role3"]}]
>            Response: "HTTP/1.1 201 Updated"
>
> Endpoint: /scopes?filter=maxResults+Eq+100
>   GET    - Get all available Scopes
>            Response: [{"key": "openid", "name": "openid", "description": "openid scope", "bindings": []}]
>
> Endpoint: /scopes/by-bindings
>   GET    - Get Scopes by Binding/s
>            Request:  {"bindings": ["role1", "role2"]}
>            Response: [{"key": "openid", "name": "openid", "description": "openid scope", "bindings": ["role1", "role2"]}]
>
> Endpoint: /scopes/keys
>   GET    - Get all the available Scope Keys
>            Response: ["key1", "key2"]
>
> Endpoint: /scopes/keys/by-bindings
>   GET    - Get Scope keys by Binding/s
>            Request:  {"bindings": ["role1", "role2"]}
>            Response: ["key1", "key2"]
>
> Endpoint: /scopes/{scope_key}
>   GET    - Get a Scope by Scope Key
>            Response: {"key": "openid", "name": "openid", "description": "openid scope", "bindings": []}
>   DELETE - Delete a Scope by Scope Key
>            Response: "HTTP/1.1 201 Deleted"
>   PUT    - Update a Scope by Scope Key
>            Request:  {"key": "openid", "name": "openid", "description": "openid scope", "bindings": ["role3", "role4"]}
>            Response: "HTTP/1.1 201 Updated"
>
>
> @Nuwan: We have a suggestion to modify the database schema as follows to
> properly store bindings (considering the performance issues in using
> comma-separated values, and renaming the "ROLES" field to a generic name),
> but we need to discuss this and finalize it.
>
>
> Appreciate your comments and suggestions and I will arrange a meeting
> tomorrow to have a further discussion on this.
>
> Thanks and Regards
>
>
> On Mon, Jun 12, 2017 at 2:53 AM, Nuwan Dias <nuw...@wso2.com> wrote:
>
>>
>> On Fri, Jun 9, 2017 at 5:46 AM Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> We are currently working on implementing following features which are
>>> needed for APIM 3.0. You can find the initial discussion details in [1].
>>>
>>>1. Sign UserInfo JWT response
>>>2. Scope registration and Scope binding
>>>3. DCRM
>>>
>>>
>>> *Sign UserInfo JWT response:*
>>> JWT user info response signing implementation is in [1].
>>>
>>> Currently in APIM, there is a key manager global wise configuration to
>>> configure needed claims which needed to be send in user info response. We
>>> need to consider, when no SP wise requested claims are configured as in
>>> APIM, whether we need to send all the claims bound for a specific scope in
>>> oidc-scope-config.xml.
>>> Currently in IS, we are sending only those claims which are common in
>>> both OIDC scope config and SP claim configuration (ie. intersection of
>>> claim in both these configs).
>>>
>>> *Shall we send all the bounded claims if requested claims are not
>>> defined?*
>>>
>>> *Scope registration and Scope binding:*
>>> New endpoints will be exposed in IS 5.4.0 to handle Scope register,
>>> bind, update, delete, list etc.
>>>
>>> As per the current implementation of APIM and IoT, following things can
>>> be noticed and have following concerns.
>>>
>>>- Scope can be bound with roles or permissions - Uses scope to role
>>>binding in APIM and uses scope to permission binding in IoT.
&

Re: [Dev] [Architecture] [IS] Features to be included in IS 5.4.0 which required for APIM 3.0

2017-06-14 Thread Indunil Upeksha Rathnayake
Hi,

Thanks for all of your valuable feedback. Currently we are implementing the
following REST endpoints. We have modeled the REST API using Swagger, and
you can find the attached Swagger definition as well. I would really
appreciate your comments and suggestions on the specified endpoints; please
mention if there are other required endpoints.


Endpoint | Method | Usage | Request Body | Response
/scopes | POST | Create Scopes | [{"key": "openid", "name": "openid", "description": "openid scope", "bindings": ["role1", "role2"]}] | "HTTP/1.1 201 Created"
/scopes | DELETE | Delete Scopes | ["key1", "key2"] | "HTTP/1.1 201 Deleted"
/scopes | PUT | Update Scopes | [{"key": "openid", "name": "openid", "description": "openid scope", "bindings": ["role3"]}] | "HTTP/1.1 201 Updated"
/scopes?filter=maxResults+Eq+100 | GET | Get all available Scopes | - | [{"key": "openid", "name": "openid", "description": "openid scope", "bindings": []}]
/scopes/by-bindings | GET | Get Scopes by Binding/s | {"bindings": ["role1", "role2"]} | [{"key": "openid", "name": "openid", "description": "openid scope", "bindings": ["role1", "role2"]}]
/scopes/keys | GET | Get all the available Scope Keys | - | ["key1", "key2"]
/scopes/keys/by-bindings | GET | Get Scope keys by Binding/s | {"bindings": ["role1", "role2"]} | ["key1", "key2"]
/scopes/{scope_key} | GET | Get a Scope by Scope Key | - | {"key": "openid", "name": "openid", "description": "openid scope", "bindings": []}
/scopes/{scope_key} | DELETE | Delete a Scope by Scope Key | - | "HTTP/1.1 201 Deleted"
/scopes/{scope_key} | PUT | Update a Scope by Scope Key | {"key": "openid", "name": "openid", "description": "openid scope", "bindings": ["role3", "role4"]} | "HTTP/1.1 201 Updated"

@Nuwan: We have a suggestion to modify the database schema as follows to
properly store bindings (considering the performance issues in using
comma-separated values, and renaming the "ROLES" field to a generic name),
but we need to discuss this and finalize it.

Appreciate your comments and suggestions and I will arrange a meeting
tomorrow to have a further discussion on this.

Thanks and Regards


On Mon, Jun 12, 2017 at 2:53 AM, Nuwan Dias <nuw...@wso2.com> wrote:

>
> On Fri, Jun 9, 2017 at 5:46 AM Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> We are currently working on implementing following features which are
>> needed for APIM 3.0. You can find the initial discussion details in [1].
>>
>>1. Sign UserInfo JWT response
>>2. Scope registration and Scope binding
>>3. DCRM
>>
>>
>> *Sign UserInfo JWT response:*
>> JWT user info response signing implementation is in [1].
>>
>> Currently in APIM, there is a key manager global wise configuration to
>> configure needed claims which needed to be send in user info response. We
>> need to consider, when no SP wise requested claims are configured as in
>> APIM, whether we need to send all the claims bound for a specific scope in
>> oidc-scope-config.xml.
>> Currently in IS, we are sending only those claims which are common in
>> both OIDC scope config and SP claim configuration (ie. intersection of
>> claim in both these configs).
>>
>> *Shall we send all the bounded claims if requested claims are not
>> defined?*
>>
>> *Scope registration and Scope binding:*
>> New endpoints will be exposed in IS 5.4.0 to handle Scope register, bind,
>> update, delete, list etc.
>>
>> As per the current implementation of APIM and IoT, following things can
>> be noticed and have following concerns.
>>
>>- Scope can be bound with roles or permissions - Uses scope to role
>>binding in APIM and uses scope to permission binding in IoT.
>>
>>
>>- Both of the above bindings are stored in "IDN_OAUTH2_SCOPE" table
>>where roles and permissions both are stored as a comma separated string in
>>same column named "ROLES". AFAIU, there is no indication with a prefix in
>>scope registration, where to separate the two bindings. *There can be
>>other bindings which will be added in future, isn't it better to renamed
>>the field as "BINDINGS"? There can be a situation where both set of roles
>>and 

[Dev] [Architecture] [IS] Features to be included in IS 5.4.0 which required for APIM 3.0

2017-06-09 Thread Indunil Upeksha Rathnayake
Hi,

We are currently working on implementing the following features which are
needed for APIM 3.0. You can find the initial discussion details in [1].

   1. Sign UserInfo JWT response
   2. Scope registration and Scope binding
   3. DCRM


*Sign UserInfo JWT response:*
JWT user info response signing implementation is in [1].

Currently in APIM, there is a key-manager-wide (global) configuration to
configure the claims which need to be sent in the user info response. We
need to consider, when no SP-wise requested claims are configured, as in
APIM, whether we need to send all the claims bound to a specific scope in
oidc-scope-config.xml.
Currently in IS, we send only those claims which are common to both the
OIDC scope config and the SP claim configuration (i.e. the intersection of
the claims in both these configs).

*Shall we send all the bound claims if requested claims are not defined?*

*Scope registration and Scope binding:*
New endpoints will be exposed in IS 5.4.0 to handle scope register, bind,
update, delete, list, etc.

As per the current implementation of APIM and IoT, the following things can
be noticed, and we have the following concerns.

   - Scopes can be bound to roles or permissions - APIM uses scope-to-role
   binding and IoT uses scope-to-permission binding.

   - Both of the above bindings are stored in the "IDN_OAUTH2_SCOPE" table,
   where roles and permissions are both stored as a comma-separated string in
   the same column named "ROLES". AFAIU, there is no indication with a prefix in
   scope registration of where to separate the two bindings.
   *There can be other bindings which will be added in future; isn't it better
   to rename the field as "BINDINGS"? There can be a situation where both a set
   of roles and a set of permissions are bound to a scope?*

   - In scope validation, currently there are validators for role-based and
   permission-based scopes. The corresponding validator is selected based on the
   prefix (e.g. the permission-based scope validator only validates scopes which
   have "perm" as the prefix), and if the scope prefix is not defined, those go
   directly to the default role-based scope validator. *How does this prefix
   have to be considered and validated in scope registration with the bindings?*

   - In scope registration, AFAIU, scope key and name are the essential
   details to be included. *What is the difference between these, and where
   will these values be used? Is the scope key the unique value which needs to
   be considered in scope binding?*


1.  Scope Register and Bind
There are the following scenarios in which a scope can be registered and bound.
CreateScope - scope key, scope name, roles
CreateScope - scope key, scope name, permissions
CreateScope - scope key, scope name

So we have implemented the "/api/identity/oauth2/scope/v0.9/registerScope"
endpoint to register a set of scopes with their bindings. "key" and "name"
cannot be null, and bindings (added as a generic property rather than adding
two properties for roles and permissions) will be stored as comma-separated
values in the IDN_OAUTH2_SCOPE table.

> {"scope": [{"key": "openid", "name": "openid", "description": "openid
> scope", "bindings": ["role1", "role2"]}]}
>

2.  Scope Update
The "/updateScope" endpoint updates a set of scopes with the bindings which
need to be added and deleted.

> {"scope": [{"key": "openid", "addedBindings": ["role3"],
> "deletedBindings": ["role2"]}]}
>

3.  Scope Delete
"/deleteScope" endpoint to delete a set of scopes.

> {"scope": ["scope_key_1", "scope_key_2"]}
>

4.  Scope List
Endpoints for the following scenarios.
1. Get scope by key
2. Get scope key list by role/s - given a role or role list, return the
list of scope keys that include all of those roles
3. Get scope key list by permission/s - given a permission or permission
list, return the list of scope keys that include all of those permissions
4. Get scopes by role/s - for a given role or role list, return the list of
scopes that include all of those roles, with all the details
5. Get scopes by permission/s - for a given permission or permission list,
return the list of scopes that include all of those permissions, with all
the details
6. Get all the available scope keys
7. Get all the available scopes with their description and allocated
roles/permissions

Appreciate your comments and suggestions on this.


*DCRM:*
Abilashini is working on this as a GSoC project, and the discussion is in [3].


[1] Discussion on features which required for APIM to be incl... @ Tue May
30, 2017 10:30am - 12pm (IST) (WSO2 Engineering Group)
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/385
[3] [Dev] GSOC : OAuth 2.0 Dynamic Client Registration Management Protocol
Support

Thanks and Regards

-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email    indu...@wso2.com
Mobile   0772182255

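For the scope-registration and validation design discussed in the message above, here is an added example (Python, not WSO2 code and not part of this thread). It models a scope registry whose bindings are kept as one comma-separated column, as the message describes for IDN_OAUTH2_SCOPE, together with a validator dispatch that sends "perm"-prefixed scopes to a permission check and everything else to the default role check. Scope keys, roles and permission strings are constructed sample values; the rule that a bound scope is granted when the user holds at least one of its bindings, and that an unbound scope is granted to anyone, are assumptions of the example rather than documented IS behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# From the thread: the permission-based validator only handles scopes whose
# key carries the "perm" prefix; every other scope goes to the role validator.
PERMISSION_PREFIX = "perm"


@dataclass
class Scope:
    key: str
    name: str
    description: str = ""
    bindings: List[str] = field(default_factory=list)   # roles or permissions


class ScopeRegistry:
    """In-memory stand-in for the IDN_OAUTH2_SCOPE table.

    Bindings are stored as one comma-separated string per row, mirroring the
    single column described in the thread, and split again on every read."""

    def __init__(self) -> None:
        self._rows: Dict[str, Dict[str, str]] = {}

    @staticmethod
    def _row(scope: Scope) -> Dict[str, str]:
        for b in scope.bindings:
            if "," in b:       # a comma inside a binding would corrupt the column
                raise ValueError(f"binding {b!r} may not contain ','")
        return {"name": scope.name, "description": scope.description,
                "bindings": ",".join(scope.bindings)}

    def register(self, scopes: Iterable[Scope]) -> None:
        for s in scopes:
            if not s.key or not s.name:          # key and name are mandatory
                raise ValueError("scope key and name are mandatory")
            if s.key in self._rows:
                raise ValueError(f"scope {s.key!r} already registered")
            self._rows[s.key] = self._row(s)

    def get(self, key: str) -> Scope:
        row = self._rows[key]                    # KeyError for an unknown scope
        bindings = [b for b in row["bindings"].split(",") if b]
        return Scope(key, row["name"], row["description"], bindings)

    def update_bindings(self, key: str, added: Iterable[str] = (),
                        deleted: Iterable[str] = ()) -> Scope:
        scope = self.get(key)
        drop = set(deleted)
        kept = [b for b in scope.bindings if b not in drop]
        scope.bindings = kept + [b for b in added if b not in kept]
        self._rows[key] = self._row(scope)
        return scope

    def delete(self, keys: Iterable[str]) -> None:
        for k in keys:
            self._rows.pop(k, None)

    def keys_by_bindings(self, bindings: Iterable[str]) -> List[str]:
        """Scope keys whose bindings include all of the given bindings."""
        wanted = set(bindings)
        return sorted(k for k in self._rows if wanted <= set(self.get(k).bindings))


def validate_scopes(registry: ScopeRegistry, requested: Iterable[str],
                    user_roles: Set[str], user_permissions: Set[str]) -> List[str]:
    """Return the requested scopes the user is entitled to, in request order.

    Assumptions of this example: an unregistered scope is not granted, a
    registered scope with no bindings is granted to anyone, and a bound scope
    is granted when the user holds at least one of its bindings."""
    granted: List[str] = []
    for key in requested:
        try:
            scope = registry.get(key)
        except KeyError:
            continue
        if not scope.bindings:
            granted.append(key)
            continue
        # prefix dispatch: permission validator or the default role validator
        holder = user_permissions if key.startswith(PERMISSION_PREFIX) else user_roles
        if holder & set(scope.bindings):
            granted.append(key)
    return granted


def demo_registry() -> ScopeRegistry:
    """Constructed sample scopes; not taken from any real deployment."""
    reg = ScopeRegistry()
    reg.register([
        Scope("openid", "openid", "openid scope"),
        Scope("api:read", "api:read", "read access to APIs", ["role1", "role2"]),
        Scope("perm:device:view", "device view", "IoT device view",
              ["/permission/device/view"]),
    ])
    return reg


if __name__ == "__main__":
    reg = demo_registry()
    print(validate_scopes(reg, ["openid", "api:read", "perm:device:view", "nope"],
                          user_roles={"role1"}, user_permissions={"/permission/admin"}))
```

The comma check in _row is the practical reason behind the message's worry about comma-separated storage: once bindings live in one string column, a binding value containing the separator silently changes what the scope means, so either the value must be rejected on write (as here) or the bindings need their own table.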

Re: [Dev] [IS] When engaging a workflow, invoke axis2 service from servlet transport rather than local transport

2017-05-07 Thread Indunil Upeksha Rathnayake
Adding Dev

On Sun, May 7, 2017 at 3:17 PM, Indunil Upeksha Rathnayake <indu...@wso2.com
> wrote:

> Hi,
>
> I have configured a workflow named "workflow1" in a tenant "tenant1.com"
> to enable an approval process for user creation in IS 5.3.0. When creating
> the workflow, an axis2 service named "workflow1TaskService" is deployed. *In
> the process of engaging the workflow in user creation, when the axis2
> service is invoked, it always calls the axis2 service through the local
> transport ("local://axis2services/workflow1Service"), not through the servlet
> transport ("https://localhost:9443/services/t/tenant1.com/workflow1TaskService").*
> Is there a way we can change it to invoke the axis2 service with an https
> request? It seems this can't be achieved by changing the ServerUrl in
> carbon.xml.
>
>
> As per the implementation, AFAIU, the workflow engagement request flow is as
> follows.
>
>- From a workflow RequestExecutor we call an axis2 ServiceClient
>- ServiceClient passes the request to the AxisEngine
>- AxisEngine calls the MultitenantMessageReceiver to locate the
>tenant-specific axis configuration
>- MultitenantMessageReceiver processes the request message and invokes
>the axis2 service
>
> When going through the flow, I found that *MultitenantMessageReceiver
> changes the EndpointReference to use the local transport
> ("local://axis2services") and, based on the property named "doingREST" which
> is available in the message context, invokes the axis2 service through SOAP
> or REST* ([1], [2]).
>
> When going through the axis2 implementation, I found that the doingREST
> property is set in either of the following ways.
> 1) When initializing the message context, based on the content type, it
> sets doingREST to "true" (if the content type is "text/xml", doingREST =
> false, etc.) [3]
> 2) If there is a property named "enableREST" in the axis2 message context,
> it sets doingREST to "true" [4]
>
> As per the workflow implementation, when we invoke the corresponding
> axis2 service from the workflow request executor through an axis2
> ServiceClient, we set the content type as "text/xml" [5] and the endpoint
> reference as https://localhost:9443/services/t/tenant1.com/workflow1TaskService [6].
> Even though we put the https endpoint in the request from the
> ServiceClient, the axis2 engine does not invoke this https endpoint.
>
> *Can we change this "doingREST" property from a configuration, or does it
> have to be sent request-wise? Can this property be used to invoke the axis2
> service through the https transport? Is there any other way?*
>
> Appreciate your help on this.
>
> [2] https://github.com/wso2/carbon-kernel/blob/4.4.x/core/org.wso2.carbon.core/src/main/java/org/wso2/carbon/core/multitenancy/MultitenantMessageReceiver.java#L232
> [3] https://github.com/wso2/carbon-kernel/blob/4.4.x/core/org.wso2.carbon.core/src/main/java/org/wso2/carbon/core/multitenancy/MultitenantMessageReceiver.java#L260
> [4] https://github.com/wso2/wso2-axis2/blob/master/modules/transport/http/src/org/apache/axis2/transport/http/HTTPTransportUtils.java#L225
> [5] https://github.com/wso2/wso2-axis2/blob/master/modules/kernel/src/org/apache/axis2/transport/TransportUtils.java#L668
> [6] https://github.com/wso2-extensions/identity-workflow-impl-bps/blob/master/components/org.wso2.carbon.identity.workflow.impl/src/main/java/org/wso2/carbon/identity/workflow/impl/RequestExecutor.java#L143
> [7] https://github.com/wso2-extensions/identity-workflow-impl-bps/blob/master/components/org.wso2.carbon.identity.workflow.impl/src/main/java/org/wso2/carbon/identity/workflow/impl/RequestExecutor.java#L136
>
> Thanks and Regards
>
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Email    indu...@wso2.com
> Mobile   0772182255
>



-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email    indu...@wso2.com
Mobile   0772182255


[Dev] [DEV] [IS] Improvements for scope awareness in consent management and token revocation in IS

2017-05-05 Thread Indunil Upeksha Rathnayake
Hi,

Currently, both consent management and token revocation in IS lack scope
awareness. Please find the concerns below; it would be better if we include
at least some of these improvements in the next IS 5.4.0 release. Note that
some of them are actual customer requirements.


*User Consent Management*

1) We store the user consent for applications in the IDN_OPENID_USER_RPS
table [1]. Currently, the stored consent is based on user name, tenant and
application. *We are not considering the scope when we store consents in
IDN_OPENID_USER_RPS*, but I think it should differ scope-wise, so I have
added a JIRA in [2].

2) We haven't considered *consent expiration*. Currently we have to
invoke updateApproveAlwaysForAppConsentByResourceOwner of OAuthAdminService
and change the state of the consent [3]. Isn't it better to include a
*global/application-wise configuration* to specify the expiration time of a
consent? Or provide a way for a *user to change the expiration of a consent
in the UI*?

3) Currently we can update the consent of a particular application for a
particular user in a particular tenant using OAuthAdminService. So if the
user has selected the consent as "approve always", we can change it, and
then the client will have to ask for the consent again.
Shall we also provide ways to:

   - *revoke all consents given for a particular scope/ particular
   application/ particular user?*
   - *get a list of user consents for a particular scope/ particular
   application/ particular user?*
   - *get a list of the current OAuth consents with scope and expiration
   date?*


*Token Revocation*

1) Currently in IS, access tokens can be revoked for a particular client,
user and scope combination if they are ACTIVE or EXPIRED. This can be done
using the revokeAuthzForAppsByResoureOwner method of OAuthAdminService [4].
When we revoke the tokens, it will revoke the consents for the particular
client, user and tenant combination.
Isn't it better to consider the following scenarios as well?

   - *Revoke access token/refresh token based on the consent (Revoke tokens
   with the consent "approve always")*
   - *Revoke access token/refresh token for given client and a scope*


I appreciate your ideas on this. And please add if I have missed any other
scenarios in consent management and token revocation where the scope should
be taken into account.
[1]
https://github.com/wso2/carbon-identity-framework/blob/master/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-5.7.sql#L146
[2] https://wso2.org/jira/browse/IDENTITY-5899
[3]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminService.java#L679
[4]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminService.java#L570

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email    indu...@wso2.com
Mobile   0772182255

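A scope-aware consent store and the two token-revocation cases from the message above, as an added example (Python, not WSO2 code and not part of this thread). Consent is keyed by user, tenant, application and scope set, with an optional expiry taken from a store-wide default (the global configuration the message proposes), so a request for a scope the user never approved, or one made after expiry, re-prompts; revocation can be filtered by user, application or scope. The class and function names, the token record layout and the sample data are constructed for the example and do not describe the IDN_OPENID_USER_RPS schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set

NOW = datetime(2017, 5, 5, tzinfo=timezone.utc)   # constructed reference time
DAY = timedelta(days=1)


@dataclass
class Consent:
    """One consent record; the scope set is part of the key, which is what the
    message says the current IDN_OPENID_USER_RPS row lacks."""
    user: str
    tenant: str
    app: str
    scopes: frozenset
    granted_at: datetime
    expires_at: Optional[datetime]          # None: never expires


def _matches(c: Consent, user, tenant, app, scope) -> bool:
    """A None filter means 'any'; a scope filter matches records that cover it."""
    return ((user is None or c.user == user) and (tenant is None or c.tenant == tenant)
            and (app is None or c.app == app) and (scope is None or scope in c.scopes))


class ConsentStore:
    def __init__(self, default_ttl: Optional[timedelta] = None) -> None:
        self.default_ttl = default_ttl      # global expiry setting (assumed)
        self._records: List[Consent] = []

    def record(self, user: str, tenant: str, app: str, scopes: Iterable[str],
               now: datetime, ttl: Optional[timedelta] = None) -> Consent:
        ttl = self.default_ttl if ttl is None else ttl
        c = Consent(user, tenant, app, frozenset(scopes), now, now + ttl if ttl else None)
        self._records.append(c)
        return c

    def _active(self, now: datetime) -> List[Consent]:
        return [c for c in self._records if c.expires_at is None or c.expires_at > now]

    def needs_prompt(self, user, tenant, app, requested: Iterable[str], now) -> Set[str]:
        """Scopes the client still has to ask consent for: requested minus approved."""
        approved: Set[str] = set()
        for c in self._active(now):
            if (c.user, c.tenant, c.app) == (user, tenant, app):
                approved |= c.scopes
        return set(requested) - approved

    def list(self, user=None, tenant=None, app=None, scope=None, now=None) -> List[Consent]:
        pool = self._records if now is None else self._active(now)
        return [c for c in pool if _matches(c, user, tenant, app, scope)]

    def revoke(self, user=None, tenant=None, app=None, scope=None) -> int:
        """Drop every record matching the filters. A record covering a revoked
        scope is dropped whole, so the client re-prompts for all of its scopes."""
        doomed = [c for c in self._records if _matches(c, user, tenant, app, scope)]
        self._records = [c for c in self._records if c not in doomed]
        return len(doomed)


def revoke_tokens(tokens: List[Dict], client_id: Optional[str] = None,
                  scope: Optional[str] = None) -> List[Dict]:
    """Revoke ACTIVE/EXPIRED tokens of a client and/or carrying a scope (the
    client-plus-scope case in the message). Returns the tokens that changed."""
    hit: List[Dict] = []
    for t in tokens:
        if t["state"] not in ("ACTIVE", "EXPIRED"):
            continue
        if client_id is not None and t["client_id"] != client_id:
            continue
        if scope is not None and scope not in t["scopes"]:
            continue
        t["state"] = "REVOKED"
        hit.append(t)
    return hit


def sample_tokens() -> List[Dict]:
    """Constructed token records (the layout is not the IS token table)."""
    return [
        {"token": "t1", "client_id": "app1", "user": "alice",
         "scopes": ["openid", "email"], "state": "ACTIVE"},
        {"token": "t2", "client_id": "app1", "user": "bob",
         "scopes": ["openid"], "state": "EXPIRED"},
        {"token": "t3", "client_id": "app2", "user": "alice",
         "scopes": ["openid", "email"], "state": "REVOKED"},
    ]
```

Because needs_prompt unions the scopes of all live records for the same user, tenant and application, a later grant of an extra scope does not require rewriting the earlier record; the expiry still applies per record, which is what lets a global TTL and a per-consent override coexist.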

Re: [Dev] [IS] Issue while trying to call oauth2 userinfo

2017-03-27 Thread Indunil Upeksha Rathnayake
Hi Hanen,

In order to get a set of user claims, you can configure the claims as
requested claims in the Service Provider configuration.

And from IS 5.2.0 onwards we have introduced OpenID Connect claim scopes.
When you request an OIDC token, you can specify a scope value that is bound
to a set of claims; in your case you have specified the "openid" scope. And
with OpenID Connect claim scopes in IS 5.2.0, when you invoke the user info
endpoint with that OIDC token, only the claims which are common to both the
OIDC scope configuration and the SP configuration will be returned.
If you need, you can add any claim as a supported claim for a scope in
oidc-scope-config.xml (or you can configure this using the 'oidc' file found
in the registry at /_system/config/oidc) and configure that in the SP
requested claims, in order to retrieve that claim when invoking the user info
endpoint.

Thanks and Regards

On Mon, Mar 27, 2017 at 1:26 PM, Hanen Ben Rhouma <hanen...@gmail.com>
wrote:

> Thanks Farasath,
>
> That returned the sub attribute, how can I retrieve more information about
> the user knowing that I'm using client_credentials as a grant type?
>
> Regards,
> Hanen
>
> On Fri, Mar 24, 2017 at 8:17 PM, Farasath Ahamed <farasa...@wso2.com>
> wrote:
>
>> Hi Hanen,
>>
>> This error usually means that in the initially, you have obtained an
>> access token that does not contain 'openid' scope and used it on the
>> userinfo endpoint. Here, 'openid' is not related to the OpenID protocol.
>>
>> Can you try adding 'openid' as a scope in your initial OAuth2 token
>> request and use that token to invoke the https://host:9443/oauth2/u
>> serinfo endpoint?
>>
>> For example,
>> If you are using password grant type,
>>
>> curl -k -v --user *:* -d
>> "grant_type=password=**=**=scope1
>> openid" https://localhost:9443/oauth2/token
>>
>> And then do a get on the user info endpoint
>>
>> curl -k -H "Authorization: Bearer* *"
>> https://localhost:9443/oauth2/userinfo?schema=openid
>>
>>
>> Thanks,
>> Farasath.
>>
>>
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>> <http://wso2.com/signature>
>>
>>
>>
>> On Fri, Mar 24, 2017 at 10:05 PM, Hanen Ben Rhouma <hanen...@gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Do I need extra params to invoke the userinfo endpoint (
>>> https://host:9443/oauth2/userinfo) ?
>>>
>>> I'm getting
>>>   "error_description": "Access token does not have the openid scope",
>>>   "error": "insufficient_scope"
>>>
>>> Even though I'm using OAuth2 without OpenID
>>>
>>> Regards,
>>> Hanen
>>>
>>>
>>>
>>
>
>
>


-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email    indu...@wso2.com
Mobile   0772182255

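The claim-selection rule Indunil describes in the reply above (only claims common to the OIDC scope configuration and the SP's requested claims are returned) together with the open question from the 2017-06-09 proposal earlier on this page (whether to return every scope-bound claim when the SP configures no requested claims), as an added Python example that is not WSO2 code. The scope-to-claims map is a constructed stand-in for oidc-scope-config.xml, the rule that "sub" is always returned is an assumption of the example, and the insufficient_scope response mirrors the error quoted in the thread.

```python
from typing import Dict, Iterable, List, Set

# Constructed stand-in for oidc-scope-config.xml: the claims each scope binds.
OIDC_SCOPE_CONFIG: Dict[str, List[str]] = {
    "openid": ["sub"],
    "profile": ["given_name", "family_name", "nickname"],
    "email": ["email", "email_verified"],
}

# Assumption of the example: the subject identifier is returned regardless of
# the SP's requested-claims configuration.
ALWAYS_RETURNED = {"sub"}

# Constructed user attributes for the demonstration.
SAMPLE_USER: Dict[str, object] = {
    "sub": "alice", "given_name": "Alice", "family_name": "Doe",
    "email": "alice@example.com", "email_verified": True, "nickname": "al",
}


class InsufficientScope(Exception):
    """Raised when the token lacks 'openid'; maps to the error in the thread."""


def claims_for_userinfo(token_scopes: Iterable[str], sp_requested_claims: Set[str],
                        scope_config: Dict[str, List[str]] = OIDC_SCOPE_CONFIG,
                        fallback_to_scope_claims: bool = False) -> List[str]:
    """Claims the userinfo endpoint may return for this token.

    IS 5.2+ rule from the thread: intersection of the claims bound to the
    token's scopes and the SP's requested claims. fallback_to_scope_claims
    models the proposal's open question: with no SP requested claims configured,
    return every scope-bound claim instead of only the always-returned ones."""
    scopes = list(token_scopes)
    if "openid" not in scopes:
        raise InsufficientScope("Access token does not have the openid scope")
    scope_bound: List[str] = []
    for s in scopes:
        for c in scope_config.get(s, []):
            if c not in scope_bound:          # keep config order, drop duplicates
                scope_bound.append(c)
    if not sp_requested_claims and fallback_to_scope_claims:
        return scope_bound
    return [c for c in scope_bound if c in sp_requested_claims or c in ALWAYS_RETURNED]


def userinfo_response(token: Dict, sp_requested_claims: Set[str],
                      user_attributes: Dict[str, object],
                      fallback_to_scope_claims: bool = False) -> Dict[str, object]:
    """Build the JSON body: either the filtered claims or the OAuth error object."""
    try:
        allowed = claims_for_userinfo(token["scopes"], sp_requested_claims,
                                      fallback_to_scope_claims=fallback_to_scope_claims)
    except InsufficientScope as exc:
        return {"error": "insufficient_scope", "error_description": str(exc)}
    return {c: user_attributes[c] for c in allowed if c in user_attributes}


if __name__ == "__main__":
    print(userinfo_response({"scopes": ["openid", "email"]}, {"email"}, SAMPLE_USER))
    print(userinfo_response({"scopes": ["scope1"]}, {"email"}, SAMPLE_USER))
```

The intersection is the least-privilege reading of both configurations: the scope bounds what the token may see and the SP configuration bounds what the application asked to see, so a claim leaks only if both agree. The fallback flag widens the second bound to "everything the scope allows", which is exactly the trade-off the proposal asks the list to decide.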

Re: [Dev] [IS 6.0.0] [SCIM 2.0] Extend SCIM2.0 meta data in the SCIM response to include User Life cycle State

2017-03-24 Thread Indunil Upeksha Rathnayake
Hi,

I have implemented this by adding a "state" attribute from a SCIM extension
and adding it to the response separately. I will send a PR and get it
merged. There is an RM issue to track this in [1]. When I was upgrading the
identity.mgt.version in the scim2 repository [2], I found several issues in
the SCIM response codes and created a JIRA for that in [3], but I still
couldn't work on fixing those.

[1] https://redmine.wso2.com/issues/5815
[2] https://github.com/wso2-extensions/identity-inbound-provisioning-scim2
[3] https://wso2.org/jira/browse/IDENTITY-5817

Thanks and Regards

On Fri, Mar 24, 2017 at 12:16 PM, Sagara Gunathunga <sag...@wso2.com> wrote:

>
>
> On Wed, Mar 1, 2017 at 1:58 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>>
>>
>> On Wed, Mar 1, 2017 at 1:38 PM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> In IS 6.0.0 with SCIM 2.0 support, we are planning to Extend SCIM2.0
>>> meta data in the SCIM response to include User Life cycle State. Currently,
>>> in database level, "state" parameter is getting saved in the "IDM_USER"
>>> table (Refer [1]).
>>>
>>> As per the SCIM2 Core specification(Refer [2]), there are specifically
>>> defined sub attributes for the "meta" attribute. So that, I think it's
>>> invalid to include "state" inside the meta attributes in the response as
>>> below.
>>>
>>> "meta":{*"state":"CREATED"*, "created":"2017-02-28T11:50:12Z","location"
>>> :"http://localhost:9292/scim/v2/Users/1.945a6def-d139-4abc-9090-
>>> e4dd10217580","lastModified":"2017-02-28T11:50:12Z","resourceType":
>>> "User"}
>>>
>>> "state" is not defined as a core attribute in the specification, so that
>>> it need to be considered as an extended attribute and need to be added from
>>> a SCIM extension. If so, "state" can't be added for the list of meta
>>> attributes since, extended attributes are kept in their own sub-attribute
>>> namespace identified by the schema extension URI [2].
>>>
>> Meta attributes are common set of attributes shared across all entities
>> such as User, Group ...etc. IMO we shouldn't and we can't include "state"
>> attribute under meta attributes.
>>
>>>
>>> Is it appropriate to add "state" attribute from a SCIM extension and add
>>> it to the response separately as below?
>>>
>>
>>> {"meta":{"created":"2017-02-28T11:50:12Z","location":"http:/
>>> /localhost:9292/scim/v2/Users/1.945a6def-d139-4abc-9090-e4dd10217580",
>>> "lastModified":"2017-02-28T11:50:12Z","resourceType":"User"},"schemas":[
>>> "urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:
>>> scim:schemas:extension:enterprise:2.0:User"],"name":{"familyName":
>>> "user1"},"id":"1.945a6def-d139-4abc-9090-e4dd10217580","userName":"user
>>> 1", *"EnterpriseUser"**:{"state":"CREATED"}*}
>>>
>>> +1 to have enterprise user extension for "state" attribute. What are the
>> available values for "state" attribute and also check "active" attribute in
>> standard schema.
>>
>
> +1  As we use SCIM 2.0 schema and protocol as IS user mgt remote API we
> have to extend the schema/protocol based on our remote API requirements.
> BTW in this specific case for 'state' we can't predefine all possible
> values because we are getting those state values from SCXML file and user
> can define new state values in addition to default values we ship.
>
> Have we done this improvement ? do we have a RM to track the progress ?
>
> Thanks !
>
>> Appreciate your ideas.
>>>
>>> [1] https://github.com/wso2/carbon-identity-mgt/blob/master/
>>> feature/org.wso2.carbon.identity.mgt.feature/resources/
>>> dbscripts/identity-mgt/h2.sql#L29
>>> [2] https://tools.ietf.org/html/rfc7643#section-3.1
>>>
>>> Thanks and Regards
>>> --
>>> Indunil Upeksha Rathnayake
>>> Software Engineer | WSO2 Inc
>>> Email    indu...@wso2.com
>>> Mobile   0772182255
>>>
>>
>>
>>
>> --
>> Gayan Gunawardana
>> Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>
>
>
> --
> Sagara Gunathunga
>
> Associate Director / Architect; WSO2, Inc.;  http://wso2.com
> V.P Apache Web Services;http://ws.apache.org/
> Linkedin; http://www.linkedin.com/in/ssagara
> Blog ;  http://ssagara.blogspot.com
>
>


-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email    indu...@wso2.com
Mobile   0772182255


[Dev] [IS 6.0.0] [SCIM 2.0] SCIM meta attributes directly get connected to User object

2017-03-01 Thread Indunil Upeksha Rathnayake
Hi,

As per the SCIM 2.0 Core specification (refer to [1]), there are *resource
meta attributes such as resourceType, created, lastModified, location and
version* which are common attributes for all resources.
As the specification states: "*Each SCIM resource (Users, Groups, etc.)
includes the following common attributes.  With the exception of the
"ServiceProviderConfig" and "ResourceType" server discovery endpoints and
their associated resources, these attributes MUST be defined for all
resources, including any extended resource types.*"

Currently the SCIM meta attributes of a user are saved in the
"UM_USER_ATTRIBUTES" table with the other user attributes. We are planning
to move all the SCIM meta attributes to the "IDM_USER" table ([2]) and make
them part of User; basically this is to have performance improvements when
querying for list users (in list users we only need to return meta data
unless the client specifically asks for other attributes), etc.

But is it correct to move the meta attributes to the "IDM_USER" table, since
those are common attributes which are not directly related to the "User"
Resource Schema?

I appreciate your ideas on this.

[1] https://tools.ietf.org/html/rfc7643#section-3.1
[2]
https://github.com/wso2/carbon-identity-mgt/blob/master/feature/org.wso2.carbon.identity.mgt.feature/resources/dbscripts/identity-mgt/h2.sql#L21

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email    indu...@wso2.com
Mobile   0772182255


[Dev] [IS 6.0.0] [SCIM 2.0] Extend SCIM2.0 meta data in the SCIM response to include User Life cycle State

2017-03-01 Thread Indunil Upeksha Rathnayake
Hi,

In IS 6.0.0 with SCIM 2.0 support, we are planning to extend the SCIM 2.0
meta data in the SCIM response to include the user life cycle state.
Currently, at the database level, the "state" parameter is saved in the
"IDM_USER" table (refer to [1]).

As per the SCIM 2 Core specification (refer to [2]), there are specifically
defined sub-attributes for the "meta" attribute. So I think it's invalid to
include "state" inside the meta attributes in the response, as below.

"meta": {
  "state": "CREATED",
  "created": "2017-02-28T11:50:12Z",
  "location": "http://localhost:9292/scim/v2/Users/1.945a6def-d139-4abc-9090-e4dd10217580",
  "lastModified": "2017-02-28T11:50:12Z",
  "resourceType": "User"
}

"state" is not defined as a core attribute in the specification, so it needs
to be considered as an extended attribute and needs to be added from a SCIM
extension. If so, "state" can't be added to the list of meta attributes,
since extended attributes are kept in their own sub-attribute namespace
identified by the schema extension URI [2].

Is it appropriate to add the "state" attribute from a SCIM extension and add
it to the response separately, as below?

{
  "meta": {
    "created": "2017-02-28T11:50:12Z",
    "location": "http://localhost:9292/scim/v2/Users/1.945a6def-d139-4abc-9090-e4dd10217580",
    "lastModified": "2017-02-28T11:50:12Z",
    "resourceType": "User"
  },
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "name": {"familyName": "user1"},
  "id": "1.945a6def-d139-4abc-9090-e4dd10217580",
  "userName": "user1",
  "EnterpriseUser": {"state": "CREATED"}
}

Appreciate your ideas.

[1]
https://github.com/wso2/carbon-identity-mgt/blob/master/feature/org.wso2.carbon.identity.mgt.feature/resources/dbscripts/identity-mgt/h2.sql#L29
[2] https://tools.ietf.org/html/rfc7643#section-3.1

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email    indu...@wso2.com
Mobile   0772182255

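How a life-cycle state can ride in a SCIM 2.0 user response under an extension schema, as an added example (Python, not WSO2 or Charon code and not part of this thread; it serves both this message and the reply to it earlier on the page). build_user_response keeps "meta" to its defined sub-attributes and puts the extension attribute under its schema URI, listing that URI in "schemas" as RFC 7643 requires for extension namespaces; validate_response flags a "state" sub-attribute inside meta and any top-level key that is neither a core User attribute nor a schema URI listed in "schemas", which includes a shorthand label such as "EnterpriseUser" when it is not itself a URI. The function names and the base URL are example values; the id and timestamps are reused from the sample in the message.

```python
from typing import Any, Dict, List, Optional

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# RFC 7643 section 3.1: the sub-attributes "meta" may carry.
META_SUB_ATTRIBUTES = {"resourceType", "created", "lastModified", "location", "version"}

# RFC 7643 sections 3.1 and 4.1: common attributes plus the core User attributes.
CORE_USER_ATTRIBUTES = {
    "schemas", "id", "externalId", "meta", "userName", "name", "displayName",
    "nickName", "profileUrl", "title", "userType", "preferredLanguage", "locale",
    "timezone", "active", "password", "emails", "phoneNumbers", "ims", "photos",
    "addresses", "groups", "entitlements", "roles", "x509Certificates",
}


def build_user_response(user_id: str, user_name: str, created: str, last_modified: str,
                        base_url: str, state: Optional[str] = None,
                        extension_urn: str = ENTERPRISE_USER) -> Dict[str, Any]:
    """Assemble a User representation; 'state' goes under the extension URI."""
    resp: Dict[str, Any] = {
        "schemas": [CORE_USER],
        "id": user_id,
        "userName": user_name,
        "meta": {
            "resourceType": "User",
            "created": created,
            "lastModified": last_modified,
            "location": f"{base_url}/Users/{user_id}",
        },
    }
    if state is not None:
        resp["schemas"].append(extension_urn)      # announce the extension
        resp[extension_urn] = {"state": state}     # attributes live under the URI
    return resp


def read_state(resp: Dict[str, Any], extension_urn: str = ENTERPRISE_USER) -> Optional[str]:
    """Client-side read of the extension attribute, or None when absent."""
    return resp.get(extension_urn, {}).get("state")


def validate_response(resp: Dict[str, Any]) -> List[str]:
    """Return a list of RFC 7643 structural problems; empty means well-formed."""
    problems: List[str] = []
    schemas = resp.get("schemas", [])
    if CORE_USER not in schemas:
        problems.append("schemas must list the core User schema")
    for key in resp.get("meta", {}):
        if key not in META_SUB_ATTRIBUTES:
            problems.append(f"meta.{key} is not a defined meta sub-attribute")
    for key in resp:
        if key in CORE_USER_ATTRIBUTES:
            continue
        if key in schemas and key != CORE_USER:
            continue                                # properly namespaced extension
        problems.append(f"top-level attribute {key!r} is neither a core attribute "
                        f"nor a schema URI listed in 'schemas'")
    return problems


if __name__ == "__main__":
    r = build_user_response("1.945a6def-d139-4abc-9090-e4dd10217580", "user1",
                            "2017-02-28T11:50:12Z", "2017-02-28T11:50:12Z",
                            "http://localhost:9292/scim/v2", state="CREATED")
    print(validate_response(r), read_state(r))
```

Keying the extension by its URI rather than a friendly label is what lets a generic SCIM client discover the attribute: it can walk "schemas", look up each non-core URI as a top-level key, and never needs product-specific knowledge of where "state" was put.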

[Dev] Security Considerations in Carbon UUF Framework

2017-02-01 Thread Indunil Upeksha Rathnayake
Hi,

In the process of implementing C5-based products, we need to follow secure
coding patterns, especially HTML encoding to prevent Cross-Site Scripting
(XSS), etc. Since C5-based products use the UUF framework, I think it's
better to enforce most of the UI security best practices from the framework
side.

Is that support currently available in the framework? If so, what are the
security considerations? If it is available, I think it's better if you can
document it for reference.

If you haven't considered it yet, you can refer to [1] and follow the
applicable guidelines when implementing. And you can also update [1] with
the practices supported in UUF.

[1]
https://docs.google.com/document/d/1vhKMFRygUJwJ3cx-Bat3qVYRfTv-_ZyxaLXCLMGFDLY/edit#

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email    indu...@wso2.com
Mobile   0772182255

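Output encoding of the kind the message above asks the framework to enforce, as an added Python example (not UUF code and not part of this thread): an auto-escaping placeholder fill for HTML text and attribute values, plus a JSON-based encoder for values injected into a script block, the situation the next thread on this page (sendToClient() and boolean values) runs into. Encoding through JSON keeps a boolean a JavaScript boolean instead of the string "true", and escaping <, > and & in the serialised text means the value can never close the enclosing script element. send_to_client, render and injected_value are assumed names modelled on the API discussed in that thread, and the sample claims are constructed.

```python
import html
import json
import re
from typing import Any, Dict

_PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def encode_html(value: Any) -> str:
    """Output encoding for HTML text content and quoted attribute values."""
    return html.escape(str(value), quote=True)


def encode_js_value(value: Any) -> str:
    """Serialise a server-side value for use inside a <script> block.

    json.dumps keeps types (True -> true, None -> null) and quotes strings; the
    extra escapes guarantee the text contains no '<', '>' or '&', so it can
    neither terminate the script element nor open an HTML comment."""
    text = json.dumps(value, ensure_ascii=True)
    return text.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def send_to_client(name: str, value: Any) -> str:
    """Assumed framework-side shape of sendToClient(): assign a global JS variable."""
    if not name.isidentifier():
        raise ValueError(f"{name!r} is not a valid JavaScript identifier")
    return f"<script>var {name} = {encode_js_value(value)};</script>"


def injected_value(script: str, name: str) -> Any:
    """Parse the value back out of a send_to_client() snippet (round-trip check)."""
    prefix, suffix = f"<script>var {name} = ", ";</script>"
    if not (script.startswith(prefix) and script.endswith(suffix)):
        raise ValueError("not a send_to_client snippet")
    return json.loads(script[len(prefix):-len(suffix)])


def render(template: str, context: Dict[str, Any]) -> str:
    """Fill {{name}} placeholders with HTML-encoded values; nothing reaches the page raw."""
    return _PLACEHOLDER.sub(lambda m: encode_html(context[m.group(1)]), template)


# Constructed sample: claim metadata as the sign-up page thread passes it, with a
# label that contains markup and a boolean flag that must survive as a boolean.
SAMPLE_CLAIMS = [
    {"claimUri": "http://wso2.org/claims/givenname", "label": "First name", "required": True},
    {"claimUri": "http://wso2.org/claims/nick", "label": "</script><b>x</b> & y",
     "required": False},
]


if __name__ == "__main__":
    print(send_to_client("signupClaims", SAMPLE_CLAIMS))
    print(render("<label title=\"{{label}}\">{{label}}</label>", {"label": "a < b"}))
```

The two encoders are deliberately separate because the safe representation depends on where the value lands: HTML entity encoding is right for text and attribute content but wrong inside a script, where a JSON literal with its own escapes is needed. A framework that picks the encoder by template context, as Handlebars does for {{expr}} output in HTML, is what makes the practice enforceable rather than left to each page.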

Re: [Dev] [UUF] Boolean values are not get stored properly in injected js variable from sendToClient()

2017-01-20 Thread Indunil Upeksha Rathnayake
Hi Manuranga,

Thanks for your response.

1) Yeah, we can do it like that as well if we only use the existing
attributes in the object retrieved from the service. But here we are
passing some values which are not directly exposed from the service (ex:
claimLabel - from the OSGi service we get the claim URI, but here we are
passing the URI without the claim dialect). Since UUF still does not support
custom helpers, it's not possible to write a function helper and handle it
on the hbs side, right? Or is there some other way to handle it?

2) We are getting the set of claims that need to be shown in the UI by
calling an OSGi service (claims which relate to a specific claim profile). So
those are not already defined in hbs. Every field's labels/validations
(required fields/regex patterns/read-only fields, etc.) in the UI will be
populated from those claims. So all the claims should be sent to the
front-end JS.

Thanks and Regards

On Fri, Jan 20, 2017 at 3:04 PM, Manuranga Perera <m...@wso2.com> wrote:

> @Indunil
> 1. Without the for loop can we just do sendToClient("signupClaims",
> claimProfile.claims); will that work?
> 2. Why do need to send all the claims to front-end JS anyway? aren't those
> already used in HBS?
>
> @Sajith
> 1. I keep seeing people trying to manually convert java to json. Can we
> give a better option? maybe have callOSGiServiceAsJson?
>
>
>
> On Fri, Jan 20, 2017 at 7:17 AM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> Thanks all for your responses.  Yes in my case it doesn't need to convert
>> boolean to string. But if needed, as sajith mentioned, seems like have to
>> import that class in the script with Java.type Nashorn extension.
>>
>> Thanks and Regards
>>
>> On Fri, Jan 20, 2017 at 10:52 AM, SajithAR Ariyarathna <sajit...@wso2.com
>> > wrote:
>>
>>> Hi Indunil,
>>>
>>> Seems like the problem is in your script.
>>>
>>> Boolean.toString(claimForProfile[i].getRequired())
>>>
>>>  I believe your intention here is to call java.lang.Boolean#toString(boolean
>>> b) method, right? But Nashorn doesn't know that, because you haven't
>>> imported java.lang.Boolean class in your script. In order to use a Java
>>> class in your script, first you have to import that class in your script
>>> with Java.type Nashorn extension [1]. (see 'call Java class' sample in
>>> the features-app sample)
>>> Since you haven't imported java.lang.Boolean class, Nashorn thinks
>>> Boolean.toString is a JS function, thus it is serialized to "function
>>> Boolean() { [native code] }".
>>>
>>> Anyway, You don't need to convert boolean values to strings here. So
>>> let's remove Boolean.toString
>>>
>>> [1] https://docs.oracle.com/javase/8/docs/technotes/guides/s
>>> cripting/prog_guide/javascript.html#A1147187
>>>
>>> Thanks.
>>>
>>> On Fri, Jan 20, 2017 at 10:13 AM, SajithAR Ariyarathna <
>>> sajit...@wso2.com> wrote:
>>>
>>>> Hi Indunil,
>>>>>
>>>>> claimProfileMap["required"] = Boolean.toString(claimForProfile[i].
>>>>> getRequired());
>>>>>
>>>> I don't see a particular reason to convert boolean to string. You can
>>>> just use the boolean value directly.
>>>>
>>>> Anyhow, we will fix this.
>>>> Thanks.
>>>>
>>>> On Fri, Jan 20, 2017 at 7:47 AM, Indunil Upeksha Rathnayake <
>>>> indu...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> The code segment I have used as follows.
>>>>>
>>>>> function getProfile() {
>>>>> var claimProfile;
>>>>> try {
>>>>> // Get Claim Profile
>>>>> claimProfile = 
>>>>> callOSGiService("org.wso2.is.portal.user.client.api.ProfileMgtClientService",
>>>>> "getProfile", ["self-signUp"]);
>>>>> } catch(e) {
>>>>> return {errorMessage: "Failed to retrieve the claim profile."};
>>>>> }
>>>>> var claimForProfile = claimProfile.claims;
>>>>>
>>>>> var claimProfileArray = [];
>>>>>
>>>>> for (var i = 0; i < claimForProfile.length; i++) {
>>>>> var claimProfileMap = {};
>>>>> claimProfileMap["displayName"] = 
>

Re: [Dev] [UUF] Boolean values are not get stored properly in injected js variable from sendToClient()

2017-01-19 Thread Indunil Upeksha Rathnayake
Hi,

Thanks all for your responses. Yes, in my case there is no need to convert a
boolean to a string. But if needed, as Sajith mentioned, it seems we have to
import that class into the script with the Java.type Nashorn extension.

Thanks and Regards

On Fri, Jan 20, 2017 at 10:52 AM, SajithAR Ariyarathna <sajit...@wso2.com>
wrote:

> Hi Indunil,
>
> Seems like the problem is in your script.
>
> Boolean.toString(claimForProfile[i].getRequired())
>
>  I believe your intention here is to call java.lang.Boolean#toString(boolean
> b) method, right? But Nashorn doesn't know that, because you haven't
> imported java.lang.Boolean class in your script. In order to use a Java
> class in your script, first you have to import that class in your script
> with Java.type Nashorn extension [1]. (see 'call Java class' sample in
> the features-app sample)
> Since you haven't imported java.lang.Boolean class, Nashorn thinks
> Boolean.toString is a JS function, thus it is serialized to "function
> Boolean() { [native code] }".
>
> Anyway, You don't need to convert boolean values to strings here. So let's
> remove Boolean.toString
>
> [1] https://docs.oracle.com/javase/8/docs/technotes/
> guides/scripting/prog_guide/javascript.html#A1147187
>
> Thanks.
>
> On Fri, Jan 20, 2017 at 10:13 AM, SajithAR Ariyarathna <sajit...@wso2.com>
> wrote:
>
>> Hi Indunil,
>>>
>>> claimProfileMap["required"] = Boolean.toString(claimForProfile[i].
>>> getRequired());
>>>
>> I don't see a particular reason to convert boolean to string. You can
>> just use the boolean value directly.
>>
>> Anyhow, we will fix this.
>> Thanks.
>>
>> On Fri, Jan 20, 2017 at 7:47 AM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> The code segment I have used as follows.
>>>
>>> function getProfile() {
>>> var claimProfile;
>>> try {
>>> // Get Claim Profile
>>> claimProfile = 
>>> callOSGiService("org.wso2.is.portal.user.client.api.ProfileMgtClientService",
>>> "getProfile", ["self-signUp"]);
>>> } catch(e) {
>>> return {errorMessage: "Failed to retrieve the claim profile."};
>>> }
>>> var claimForProfile = claimProfile.claims;
>>>
>>> var claimProfileArray = [];
>>>
>>> for (var i = 0; i < claimForProfile.length; i++) {
>>> var claimProfileMap = {};
>>> claimProfileMap["displayName"] = 
>>> claimForProfile[i].getDisplayName();
>>> claimProfileMap["claimURI"] = claimForProfile[i].getClaimURI();
>>> if (claimForProfile[i].getDefaultValue()) {
>>> claimProfileMap["defaultValue"] = 
>>> claimForProfile[i].getDefaultValue();
>>> }
>>> claimProfileMap["claimLabel"] = 
>>> claimForProfile[i].getClaimURI().replace("http://wso2.org/claims/", "");
>>> claimProfileMap["required"] = 
>>> Boolean.toString(claimForProfile[i].getRequired());
>>> claimProfileMap["regex"] = claimForProfile[i].getRegex();
>>> claimProfileMap["readonly"] = 
>>> Boolean.toString(claimForProfile[i].getReadonly());
>>> claimProfileMap["dataType"] = claimForProfile[i].getDataType();
>>> claimProfileArray[i] = claimProfileMap;
>>> }
>>> sendToClient("signupClaims", claimProfileArray);
>>> return {
>>> "signupClaims": claimProfileArray
>>> };
>>> }
>>>
>>>
>>> Thanks and Regards
>>>
>>>
>>> On Thu, Jan 19, 2017 at 10:03 PM, Manuranga Perera <m...@wso2.com>
>>> wrote:
>>>
>>>> when sending boolean value as a string(converting boolean to string
>>>>> using "Boolean.toString()"
>>>>
>>>> Not very clear what you are saying here. Can you please show the code.
>>>>
>>>> On Thu, Jan 19, 2017 at 4:23 PM, Danushka Fernando <danush...@wso2.com>
>>>> wrote:
>>>>
>>>>> HI
>>>>> Seems its calling [1] and [2] is something its getting called. When we
>>>>> have a boolean as a string probably that happens. But not sure that's
>>>>> expected.
>>>>>
>>>>> [1] https://github.com/google/gson/blob/0

Re: [Dev] [UUF] Boolean values are not get stored properly in injected js variable from sendToClient()

2017-01-19 Thread Indunil Upeksha Rathnayake
Hi,

The code segment I have used as follows.

function getProfile() {
    var claimProfile;
    try {
        // Get Claim Profile
        claimProfile = callOSGiService("org.wso2.is.portal.user.client.api.ProfileMgtClientService",
                                       "getProfile", ["self-signUp"]);
    } catch (e) {
        return {errorMessage: "Failed to retrieve the claim profile."};
    }
    var claimForProfile = claimProfile.claims;

    var claimProfileArray = [];

    for (var i = 0; i < claimForProfile.length; i++) {
        var claimProfileMap = {};
        claimProfileMap["displayName"] = claimForProfile[i].getDisplayName();
        claimProfileMap["claimURI"] = claimForProfile[i].getClaimURI();
        if (claimForProfile[i].getDefaultValue()) {
            claimProfileMap["defaultValue"] = claimForProfile[i].getDefaultValue();
        }
        claimProfileMap["claimLabel"] = claimForProfile[i].getClaimURI().replace("http://wso2.org/claims/", "");
        // Boolean.toString here resolves to the JS function, not java.lang.Boolean#toString
        // (this is the line the replies identify as the cause of the symptom)
        claimProfileMap["required"] = Boolean.toString(claimForProfile[i].getRequired());
        claimProfileMap["regex"] = claimForProfile[i].getRegex();
        claimProfileMap["readonly"] = Boolean.toString(claimForProfile[i].getReadonly());
        claimProfileMap["dataType"] = claimForProfile[i].getDataType();
        claimProfileArray[i] = claimProfileMap;
    }
    sendToClient("signupClaims", claimProfileArray);
    return {
        "signupClaims": claimProfileArray
    };
}

Thanks and Regards


On Thu, Jan 19, 2017 at 10:03 PM, Manuranga Perera <m...@wso2.com> wrote:

> when sending boolean value as a string(converting boolean to string using
>> "Boolean.toString()"
>
> Not very clear what you are saying here. Can you please show the code.
>
> On Thu, Jan 19, 2017 at 4:23 PM, Danushka Fernando <danush...@wso2.com>
> wrote:
>
>> HI
>> Seems its calling [1] and [2] is something its getting called. When we
>> have a boolean as a string probably that happens. But not sure that's
>> expected.
>>
>> [1] https://github.com/google/gson/blob/0636635cbffa08157bdb
>> d558b1212e4d806474eb/gson/src/main/java/com/google/gson/Gson.java#L580
>> [2] https://developer.mozilla.org/en-US/docs/Web/JavaScript/
>> Reference/Global_Objects/Object/toSource
>>
>> Thanks & Regards
>> Danushka Fernando
>> Senior Software Engineer
>> WSO2 inc. http://wso2.com/
>> Mobile : +94716332729 <+94%2071%20633%202729>
>>
>> On Thu, Jan 19, 2017 at 7:43 PM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> It's returning {"signupClaims": claimProfileArray} from the onRequest()
>>> method. claimProfileArray is an array with several map objects. I have
>>> just tested and found that this error comes when sending boolean value as a
>>> string(converting boolean to string using "Boolean.toString()").
>>> As an example like this.
>>> [{"claimURI":"http://wso2.org/claims/givenname","required":"true"},
>>> {"claimURI":"http://wso2.org/claims/lastname","required":"true"}].
>>>
>>> But passing as a boolean value it works. Is that an acceptable behavior?
>>>
>>> Thanks and Regards
>>>
>>> On Thu, Jan 19, 2017 at 7:08 PM, Kishanthan Thangarajah <
>>> kishant...@wso2.com> wrote:
>>>
>>>> We are using gson to serialize the json sent to client [1]. But we need
>>>> the sample data used here to test what could be the issue.
>>>>
>>>> [1] https://github.com/wso2/carbon-uuf/blob/master/component
>>>> s/uuf-renderablecreator-hbs/src/main/java/org/wso2/carbon/uu
>>>> f/renderablecreator/hbs/impl/js/JsFunctionsImpl.java#L152
>>>>
>>>> On Thu, Jan 19, 2017 at 7:04 PM, Manuranga Perera <m...@wso2.com>
>>>> wrote:
>>>>
>>>>> I think it's a java object. I think we need to use something like gson
>>>>> here
>>>>>
>>>>> On Thu, Jan 19, 2017 at 1:30 PM, Kishanthan Thangarajah <
>>>>> kishant...@wso2.com> wrote:
>>>>>
>>>>>> Can we have the json object to investigate this?
>>>>>>
>>>>>> On Thu, Jan 19, 2017 at 6:22 PM, SajithAR Ariyarathna <
>>>>>> sajit...@wso2.com> wrote:
>>>>>>
>>>>>>> +{UUF Team]
>>>>>>>
>>>>>>> On Thu, Jan 19, 2017 at 

Re: [Dev] [UUF] Boolean values are not get stored properly in injected js variable from sendToClient()

2017-01-19 Thread Indunil Upeksha Rathnayake
Hi,

It's returning {"signupClaims": claimProfileArray} from the onRequest()
method. claimProfileArray is an array with several map objects. I have just
tested and found that this error comes when sending a boolean value as a
string (converting boolean to string using "Boolean.toString()").
As an example, like this:
[{"claimURI":"http://wso2.org/claims/givenname","required":"true"},
{"claimURI":"http://wso2.org/claims/lastname","required":"true"}].

But passing it as a boolean value works. Is that an acceptable behavior?

Thanks and Regards

On Thu, Jan 19, 2017 at 7:08 PM, Kishanthan Thangarajah <kishant...@wso2.com
> wrote:

> We are using gson to serialize the json sent to client [1]. But we need
> the sample data used here to test what could be the issue.
>
> [1] https://github.com/wso2/carbon-uuf/blob/master/components/uuf-
> renderablecreator-hbs/src/main/java/org/wso2/carbon/uuf/
> renderablecreator/hbs/impl/js/JsFunctionsImpl.java#L152
>
> On Thu, Jan 19, 2017 at 7:04 PM, Manuranga Perera <m...@wso2.com> wrote:
>
>> I think it's a java object. I think we need to use something like gson
>> here
>>
>> On Thu, Jan 19, 2017 at 1:30 PM, Kishanthan Thangarajah <
>> kishant...@wso2.com> wrote:
>>
>>> Can we have the json object to investigate this?
>>>
>>> On Thu, Jan 19, 2017 at 6:22 PM, SajithAR Ariyarathna <sajit...@wso2.com
>>> > wrote:
>>>
>>>> +{UUF Team]
>>>>
>>>> On Thu, Jan 19, 2017 at 5:34 PM, Indunil Upeksha Rathnayake <
>>>> indu...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Having some problem when using sendToClient() method in the UUF Server
>>>>> Side JS API. I am trying to send an array with a set of map elements as in
>>>>> [1] including some boolean values. When we are sending this value to 
>>>>> client
>>>>> side using the sendToClient(), it's injecting the variables to the
>>>>> "js" placeholder in the layout. But when evaluating the variable, boolean
>>>>> values are not stored as it is but as follows.
>>>>> *function Boolean() { [native code] }*
>>>>>
>>>>> Seems like in there, it's getting the value of
>>>>> "booleanVaribale.constructor". I'm using uuf version "1.0.0-m9". Is
>>>>> this expectable or an issue?
>>>>>
>>>>> [1] [{"claimURI":"http://wso2.org/claims/givenname","required":"function Boolean() { [native code] }"},
>>>>> {"claimURI":"http://wso2.org/claims/lastname","required":"function Boolean() { [native code] }"}]
>>>>>
>>>>> Thanks and Regards
>>>>> --
>>>>> Indunil Upeksha Rathnayake
>>>>> Software Engineer | WSO2 Inc
>>>>> Email indu...@wso2.com
>>>>> Mobile   0772182255
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Sajith Janaprasad Ariyarathna
>>>> Software Engineer; WSO2, Inc.;  http://wso2.com/
>>>> <https://wso2.com/signature>
>>>>
>>>
>>>
>>>
>>> --
>>> *Kishanthan Thangarajah*
>>> Technical Lead,
>>> Platform Technologies Team,
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile - +94773426635 <+94%2077%20342%206635>
>>> Blog - *http://kishanthan.wordpress.com
>>> <http://kishanthan.wordpress.com>*
>>> Twitter - *http://twitter.com/kishanthan
>>> <http://twitter.com/kishanthan>*
>>>
>>> ___
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> With regards,
>> *Manu*ranga Perera.
>>
>> phone : 071 7 70 20 50
>> mail : m...@wso2.com
>>
>
>
>
> --
> *Kishanthan Thangarajah*
> Technical Lead,
> Platform Technologies Team,
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - +94773426635 <+94%2077%20342%206635>
> Blog - *http://kishanthan.wordpress.com <http://kishanthan.wordpress.com>*
> Twitter - *http://twitter.com/kishanthan <http://twitter.com/kishanthan>*
>



-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
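The thread above traces the `function Boolean() { [native code] }` output to `Boolean.toString` being resolved as a JavaScript function rather than `java.lang.Boolean#toString`. The block below is an added example, written for this page and not taken from carbon-uuf; it reproduces that symptom in plain JavaScript and then shows the other thing a practitioner should care about when a server-side array is injected into the layout's "js" placeholder: JSON is not safe to drop into a `<script>` element as-is, because a string value containing `</script>` ends the element. The `sendToClient` here is a model that returns the script text (the real UUF function injects it), and `toScriptJson`, `CLAIMS`, `injectedScript` and `roundTrip` are names invented for the example.

```javascript
// Added example, not carbon-uuf code. `sendToClient` is modelled as a function that
// returns the <script> text a layout's "js" placeholder would receive.

// Serialise for a <script> body. JSON.stringify alone is not script-safe: a string value
// containing "</script>" terminates the element, and U+2028/U+2029 are line terminators
// in older script parsers. The \uXXXX forms are still valid JSON, so the browser-side
// value is unchanged.
function toScriptJson(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The variable name is part of the emitted script, so it is validated as an identifier
// rather than concatenated blindly.
function sendToClient(name, value) {
  if (!/^[A-Za-z_$][\w$]*$/.test(name)) {
    throw new Error("invalid JS identifier: " + name);
  }
  return "<script>var " + name + " = " + toScriptJson(value) + ";</script>";
}

// The thread's symptom, reproduced: Boolean.toString is Function.prototype.toString
// applied to the Boolean constructor, and the argument is ignored.
function brokenRequired(flag) {
  return Boolean.toString(flag);
}

// What the replies recommend: pass the boolean through unchanged.
function fixedRequired(flag) {
  return Boolean(flag);
}

// Constructed sample: one claim carries a script-breakout payload in its display name.
const CLAIMS = [
  { claimURI: "http://wso2.org/claims/givenname",
    displayName: "First </script><script>alert(1)</script>", required: true },
  { claimURI: "http://wso2.org/claims/lastname", displayName: "Last", required: false }
];

function injectedScript() {
  return sendToClient("signupClaims", CLAIMS);
}

// What the browser evaluates must equal what the server sent.
function roundTrip(value) {
  return JSON.parse(toScriptJson(value));
}
```

Escaping `<`, `>` and `&` inside the JSON is enough for the script context; HTML entity encoding would be wrong here, since `&lt;` inside a JavaScript string literal is just those four characters. Gson can be configured to produce the same `\u003c` escapes, which is the property worth checking in whichever serializer sits behind the real `sendToClient`.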


[Dev] [UUF] [IS] Support for refresh fragments in a page

2017-01-19 Thread Indunil Upeksha Rathnayake
Hi,

In the IS user portal, we are including fragments in a page which has a
tab menu (content for each tab gets populated through a fragment). So when
we render the page, all the fragments get loaded. But there is a problem
when we select tabs. Error/success messages previously shown in a tab are
not automatically closed when we move between tabs in the tab menu.

I think that should be implemented on the UUF side, to refresh fragments each
time or to provide a refresh time interval. Appreciate your ideas on this.

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [UUF] Boolean values are not get stored properly in injected js variable from sendToClient()

2017-01-19 Thread Indunil Upeksha Rathnayake
Hi,

I am having a problem when using the sendToClient() method in the UUF Server Side
JS API. I am trying to send an array with a set of map elements as in [1],
including some boolean values. When we send this value to the client
side using sendToClient(), it injects the variables into the "js"
placeholder in the layout. But when evaluating the variable, boolean values
are not stored as they are, but as follows.
*function Boolean() { [native code] }*

Seems like in there, it's getting the value of
"booleanVariable.constructor". I'm using uuf version "1.0.0-m9". Is this
expected or an issue?

[1] [{"claimURI":"http://wso2.org/claims/givenname","required":"function Boolean() { [native code] }"},
{"claimURI":"http://wso2.org/claims/lastname","required":"function Boolean() { [native code] }"}]

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [IS 6.0.0] [User Portal] Challenge Questions in Self sign-up page of user portal

2017-01-18 Thread Indunil Upeksha Rathnayake
Hi,

Currently we are working on implementing the C5 user portal in IS. Appreciate
your suggestions/ideas on the following concerns regarding challenge
questions.

*1)  Is it necessary to include challenge questions in IS 6.0.0 as a
recovery option?*
Seems like secret questions are neither secure nor reliable enough to be
used as an account recovery mechanism. And also most vendors, including
Google, have completely removed support for security questions. In C5,
security question sets will somewhat strengthen recovery and make it
harder to guess the questions. But it seems we need to consider whether it
needs to be implemented or not.

*2)  Is it necessary to include security questions in the user self sign-up
page? If needed, is the following way appropriate?*
As we have planned, in C5, the admin can create several security question sets
and can configure the minimum number of questions that need to be answered
by a user. So in the self sign-up UI, when populating security questions for
a user,

   - security questions need to be categorized according to the security
   question sets
   - all the sets need to be populated for the user
   - the user can select any number of security questions from different sets,
   not from the same set
   - need to validate whether the user has answered the minimum number
   of questions
Appreciate your ideas on this.

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [UUF] Document onRequest() method in the UUF developer's guide

2017-01-11 Thread Indunil Upeksha Rathnayake
Hi UUF team,

I think it's better to give some description about the "onRequest()" method
and how it works in [1], since for a beginner, it might be somewhat
difficult to understand.

[1]
https://docs.google.com/document/d/10UDdArHV1eYEfiONu8saqPnnJyUjH3vxOrv0k0rK5hc/edit

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [Architecture] [IS] [C5] Self sign-up in C5 User Portal

2017-01-08 Thread Indunil Upeksha Rathnayake
Hi,

I have the following concerns regarding the claim profile, user store domain
and credentials related to self sign-up.

*1) Selecting a claim profile for loading claims related to user self
sign-up*

   - Use the default claim profile
   - Only a single profile called "self sign-up"
   - There can be several claim profiles based on the service provider/user
   store domain
   - Have a default claim profile for self sign-up as "self-signUp-default"
   and for each service provider we can define claim profiles with the prefix
   "self-signUp" (ex: "self-signUp-serviceProvider1").

*2) User store domain where users get added in self sign-up*

   - In the UI, it's not appropriate to expose all the user store domains
   which support self sign-up, so the user has to add the user name with
   the user store domain (ex: "US1/user1")
   - Admin has to configure the user store domains that support self
   sign-up. And in each SP, it can be configured where the users get added.

*3) Suitable field in the UI to add credentials*

   - There can be multiple options for adding credentials; all should be
   included in the UI by default.
   - Configure credential profiles for self sign-up etc.

Appreciate your ideas on selecting appropriate ways of handling the above
mentioned scenarios.

Thanks and Regards

On Sun, Jan 8, 2017 at 11:20 AM, Gayan Gunawardana <ga...@wso2.com> wrote:

>
>
> On Fri, Jan 6, 2017 at 5:12 PM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> Thanks for all of your ideas and suggestions. As I have mentioned,
>> currently for M1, we are planning to cover user self sign-up without any
>> email notification(user will be registered and automatically get logged
>> in).  But I think, including your ideas following things would be good
>> improvements to have in future releases.
>>
>> *1)  Configurable option to enable/disable email confirmation*
>>
>>- Admin should be having flexibility to configure self sign-up with
>>email verification and uncontrolled sign up for user store domains
>>
>> *2)  Self sign-up configured in user store level*
>>
>>- Allow anyone to sign up(no restrictions) or restrict users to
>>specific domains
>>- Should be able to configure a particular user store where self sign
>>up users should go, since there can be multiple user store domains and 
>> some
>>are read only etc
>>
>>  As I understood both of above configurations are user store level
> configurations. In user store level there should be a configurations to say
> Enable/Disable self sign-up. If self sign-up enabled then next
> configuration is to enable email verification or uncontrolled sign up.
> Also does end-user need to know user store domain they are going to
> sign-up or all self sign-up users are gone to single user store based on
> admin configuration ?
>
>> *3) Administrators should receive en email when a new account is created*
>>
>> Need to discuss further about these and make user stories if needed.
>>
>> Thanks and Regards
>>
>> On Fri, Jan 6, 2017 at 5:08 PM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi Nuwan,
>>>
>>> Thanks for your reply. For M1, we are planning to cover user self
>>> sign-up without any email notification(user will be registered and
>>> automatically get logged in). For future releases captcha should be
>>> included and that need to be covered in the user stories.
>>>
>>> Thanks and Regards
>>>
>>> On Wed, Jan 4, 2017 at 9:41 AM, Nuwan Dias <nuw...@wso2.com> wrote:
>>>
>>>> Having a captcha should be supported OOTB in the default portal. I
>>>> assume we've considered that to be so in C5?
>>>>
>>>> On Wed, Jan 4, 2017 at 9:22 AM, Dimuthu Leelarathne <dimut...@wso2.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Tue, Jan 3, 2017 at 1:00 PM, Ishara Karunarathna <isha...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Jan 3, 2017 at 12:52 PM, Johann Nallathamby <joh...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> What are the new user stories we are trying to implement that are
>>>>>>> not already there in IS 5.3.0? Can we come up with a list of new
>>>>>>> requirements? Isn't most of the above user stories already there in IS
>>>>>>> 5.3.0?
>>>>>>>
>>>>

Re: [Dev] [Architecture] [IS] [C5] Self sign-up in C5 User Portal

2017-01-06 Thread Indunil Upeksha Rathnayake
Hi,

Thanks for all of your ideas and suggestions. As I have mentioned,
currently for M1, we are planning to cover user self sign-up without any
email notification (the user will be registered and automatically get logged
in). But I think, incorporating your ideas, the following things would be good
improvements to have in future releases.

*1)  Configurable option to enable/disable email confirmation*

   - Admin should have the flexibility to configure self sign-up with
   email verification and uncontrolled sign up for user store domains

*2)  Self sign-up configured at user store level*

   - Allow anyone to sign up (no restrictions) or restrict users to specific
   domains
   - Should be able to configure a particular user store where self sign up
   users should go, since there can be multiple user store domains and some
   are read only etc

*3) Administrators should receive an email when a new account is created*

Need to discuss further about these and make user stories if needed.

Thanks and Regards

On Fri, Jan 6, 2017 at 5:08 PM, Indunil Upeksha Rathnayake <indu...@wso2.com
> wrote:

> Hi Nuwan,
>
> Thanks for your reply. For M1, we are planning to cover user self sign-up
> without any email notification(user will be registered and automatically
> get logged in). For future releases captcha should be included and that
> need to be covered in the user stories.
>
> Thanks and Regards
>
> On Wed, Jan 4, 2017 at 9:41 AM, Nuwan Dias <nuw...@wso2.com> wrote:
>
>> Having a captcha should be supported OOTB in the default portal. I assume
>> we've considered that to be so in C5?
>>
>> On Wed, Jan 4, 2017 at 9:22 AM, Dimuthu Leelarathne <dimut...@wso2.com>
>> wrote:
>>
>>>
>>>
>>> On Tue, Jan 3, 2017 at 1:00 PM, Ishara Karunarathna <isha...@wso2.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Tue, Jan 3, 2017 at 12:52 PM, Johann Nallathamby <joh...@wso2.com>
>>>> wrote:
>>>>
>>>>> What are the new user stories we are trying to implement that are not
>>>>> already there in IS 5.3.0? Can we come up with a list of new requirements?
>>>>> Isn't most of the above user stories already there in IS 5.3.0?
>>>>>
>>>> Yes in 5.3.0 we have almost complete user store. But when it comes to
>>>> C5 implementation we can't cover it with a single milestone release,So we
>>>> need to start with a simple user story and use different version of that
>>>> adding other use cases associated with that.
>>>>
>>>>
>>> First we need to envision what we are going to achieve in the long run.
>>> Then we need to start with the simplest case. For C5 are we trying to
>>> achieve something different to what we already have?
>>>
>>> thanks,
>>> Dimuthu
>>>
>>> -Ishara
>>>>
>>>>
>>>>> On Tue, Jan 3, 2017 at 10:30 AM, Ishara Karunarathna <isha...@wso2.com
>>>>> > wrote:
>>>>>
>>>>>> Hi Indunil,
>>>>>>
>>>>>> When we think about self sign up.
>>>>>> basic use case is User comes to self sign up page and add his user
>>>>>> informations, system will create a account and let user to login.
>>>>>>
>>>>>> But there are lot of associated use cases with this. For example.
>>>>>> 1. Once user self signed up need to send a verification mail.
>>>>>> 2. self sign up should go through a approval process.
>>>>>> 3. User should be assign to a particular roles.
>>>>>>
>>>>>> To cater those requirements we need additional features.  And we may
>>>>>> need several version of this user story to complete this feature.
>>>>>> For the 1st implementation better to implement the simple case. where
>>>>>> use self sign up and login (with login permission only )
>>>>>>
>>>>>> Thanks,
>>>>>> -Ishara
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Jan 3, 2017 at 9:54 AM, Indunil Upeksha Rathnayake <
>>>>>> indu...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> In IS C5, we are currently implementing self sign-up in the User
>>>>>>> Portal and having following considerations regarding the self sign-up
>>>>>>> functionality.
>>>>>>>
>>>>>>> what wou

Re: [Dev] [Architecture] [IS] [C5] Self sign-up in C5 User Portal

2017-01-06 Thread Indunil Upeksha Rathnayake
Hi Nuwan,

Thanks for your reply. For M1, we are planning to cover user self sign-up
without any email notification (the user will be registered and automatically
get logged in). For future releases a captcha should be included, and that
needs to be covered in the user stories.

Thanks and Regards

On Wed, Jan 4, 2017 at 9:41 AM, Nuwan Dias <nuw...@wso2.com> wrote:

> Having a captcha should be supported OOTB in the default portal. I assume
> we've considered that to be so in C5?
>
> On Wed, Jan 4, 2017 at 9:22 AM, Dimuthu Leelarathne <dimut...@wso2.com>
> wrote:
>
>>
>>
>> On Tue, Jan 3, 2017 at 1:00 PM, Ishara Karunarathna <isha...@wso2.com>
>> wrote:
>>
>>>
>>>
>>> On Tue, Jan 3, 2017 at 12:52 PM, Johann Nallathamby <joh...@wso2.com>
>>> wrote:
>>>
>>>> What are the new user stories we are trying to implement that are not
>>>> already there in IS 5.3.0? Can we come up with a list of new requirements?
>>>> Isn't most of the above user stories already there in IS 5.3.0?
>>>>
>>> Yes in 5.3.0 we have almost complete user store. But when it comes to C5
>>> implementation we can't cover it with a single milestone release,So we need
>>> to start with a simple user story and use different version of that adding
>>> other use cases associated with that.
>>>
>>>
>> First we need to envision what we are going to achieve in the long run.
>> Then we need to start with the simplest case. For C5 are we trying to
>> achieve something different to what we already have?
>>
>> thanks,
>> Dimuthu
>>
>> -Ishara
>>>
>>>
>>>> On Tue, Jan 3, 2017 at 10:30 AM, Ishara Karunarathna <isha...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Indunil,
>>>>>
>>>>> When we think about self sign up.
>>>>> basic use case is User comes to self sign up page and add his user
>>>>> informations, system will create a account and let user to login.
>>>>>
>>>>> But there are lot of associated use cases with this. For example.
>>>>> 1. Once user self signed up need to send a verification mail.
>>>>> 2. self sign up should go through a approval process.
>>>>> 3. User should be assign to a particular roles.
>>>>>
>>>>> To cater those requirements we need additional features.  And we may
>>>>> need several version of this user story to complete this feature.
>>>>> For the 1st implementation better to implement the simple case. where
>>>>> use self sign up and login (with login permission only )
>>>>>
>>>>> Thanks,
>>>>> -Ishara
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Jan 3, 2017 at 9:54 AM, Indunil Upeksha Rathnayake <
>>>>> indu...@wso2.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> In IS C5, we are currently implementing self sign-up in the User
>>>>>> Portal and have the following considerations regarding the self sign-up
>>>>>> functionality.
>>>>>>
>>>>>> What would be the correct way of achieving self sign-up? I would also
>>>>>> like to know how it has been implemented in other C5 based products.
>>>>>> If self sign up is enabled, *should users be able to create their own
>>>>>> user accounts and log in immediately?* Or should there be an
>>>>>> *account confirmation through email* which helps to confirm an actual
>>>>>> user? Or should there be configurations to enable/disable both
>>>>>> registration and account confirmation?
>>>>>>
>>>>>> And when it comes to self sign-up, especially if there is no account
>>>>>> confirmation, in C5 I think it's better to include improvements such as
>>>>>> a way to *allow anyone to sign up (no restrictions) or restrict users
>>>>>> to specific domains* and also a way to choose whether *administrators
>>>>>> should receive an email when a new account is created*.
>>>>>>
>>>>>> I would appreciate your ideas/suggestions on this.
>>>>>>
>>>>>> Thanks and Regards
>>>>>> --
>>>>>> Indunil Upeksha Rathnayake
>>>>>> Software Engineer | 

Re: [Dev] [Architecture] [IS] [C5] Self sign-up in C5 User Portal

2017-01-06 Thread Indunil Upeksha Rathnayake
Hi Dimuthu,

For M1, we are planning to cover user self sign-up without any email
notification (the user will be registered and automatically logged in). We
need to discuss how it will be handled in the long run; we haven't
covered all the user stories yet. Currently (IS 5.3.0) the self sign-up
process creates the user and locks the user account until the user
confirmation is received, and an email is sent to the user. We need to
discuss whether this will be the same in IS 6.0.0 (C5) as well.

Thanks and Regards

On Wed, Jan 4, 2017 at 9:22 AM, Dimuthu Leelarathne <dimut...@wso2.com>
wrote:

>
>
> On Tue, Jan 3, 2017 at 1:00 PM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>>
>>
>> On Tue, Jan 3, 2017 at 12:52 PM, Johann Nallathamby <joh...@wso2.com>
>> wrote:
>>
>>> What are the new user stories we are trying to implement that are not
>>> already there in IS 5.3.0? Can we come up with a list of new requirements?
>>> Isn't most of the above user stories already there in IS 5.3.0?
>>>
>> Yes, in 5.3.0 we have an almost complete user store. But when it comes to
>> the C5 implementation we can't cover it with a single milestone release, so
>> we need to start with a simple user story and use different versions of
>> that, adding the other use cases associated with it.
>>
>>
> First we need to envision what we are going to achieve in the long run.
> Then we need to start with the simplest case. For C5 are we trying to
> achieve something different to what we already have?
>
> thanks,
> Dimuthu
>
> -Ishara
>>
>>
>>> On Tue, Jan 3, 2017 at 10:30 AM, Ishara Karunarathna <isha...@wso2.com>
>>> wrote:
>>>
>>>> Hi Indunil,
>>>>
>>>> When we think about self sign up, the basic use case is: a user comes
>>>> to the self sign up page and adds his user information, the system
>>>> creates an account and lets the user log in.
>>>>
>>>> But there are a lot of associated use cases with this. For example:
>>>> 1. Once a user has self signed up, a verification mail needs to be sent.
>>>> 2. Self sign up should go through an approval process.
>>>> 3. The user should be assigned to particular roles.
>>>>
>>>> To cater for those requirements we need additional features, and we may
>>>> need several versions of this user story to complete this feature.
>>>> For the 1st implementation it is better to implement the simple case,
>>>> where the user self signs up and logs in (with login permission only).
>>>>
>>>> Thanks,
>>>> -Ishara
>>>>
>>>>
>>>>
>>>> On Tue, Jan 3, 2017 at 9:54 AM, Indunil Upeksha Rathnayake <
>>>> indu...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> In IS C5, we are currently implementing self sign-up in the User
>>>>> Portal and have the following considerations regarding the self sign-up
>>>>> functionality.
>>>>>
>>>>> What would be the correct way of achieving self sign-up? I would also
>>>>> like to know how it has been implemented in other C5 based products.
>>>>> If self sign up is enabled, *should users be able to create their own
>>>>> user accounts and log in immediately?* Or should there be an
>>>>> *account confirmation through email* which helps to confirm an actual
>>>>> user? Or should there be configurations to enable/disable both
>>>>> registration and account confirmation?
>>>>>
>>>>> And when it comes to self sign-up, especially if there is no account
>>>>> confirmation, in C5 I think it's better to include improvements such as
>>>>> a way to *allow anyone to sign up (no restrictions) or restrict users
>>>>> to specific domains* and also a way to choose whether *administrators
>>>>> should receive an email when a new account is created*.
>>>>>
>>>>> I would appreciate your ideas/suggestions on this.
>>>>>
>>>>> Thanks and Regards
>>>>> --
>>>>> Indunil Upeksha Rathnayake
>>>>> Software Engineer | WSO2 Inc
>>>>> Emailindu...@wso2.com
>>>>> Mobile   0772182255
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Ishara Karunarathna
>>>> Associate Technical Lead
>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>

Re: [Dev] [UUF] [IS] Invoke an OSGI service from a client side JS

2017-01-05 Thread Indunil Upeksha Rathnayake
Hi Sajith,

Thanks for your reply. That caters for the requirement.

Best Regards

On Thu, Jan 5, 2017 at 10:07 AM, SajithAR Ariyarathna <sajit...@wso2.com>
wrote:

> Hi Indunil,
>
> Can you explain your exact requirement? It seems that what you want to do
> is save some data (obtained in an HTML form) using an OSGi service in a form
> POST submit.
>
> If so, then you can do this in the onRequest function. Don't specify any
> 'action' for your HTML form, so when you submit it the POST request goes to
> the same page (URL). In the onRequest function of your page, you can
> check whether the request is a POST or not with the env.request.method ==
> "POST" condition. If that condition is true, then you can extract the POST
> parameters from the request and call the desired OSGi service.
>
> e.g.
>
> function onRequest(env) {
>     if (env.request.method == "POST") {
>         // this is a POST request, so let's call the OSGi service
>         callOSGiService("org.wso2.Foo", "barMethod", ["some", "parameters"]);
>         // more stuff you want to do ...
>     }
> }
>
> Please refer to the file upload sample [1][2] in the "Feature App" sample
> (URL https://localhost:9292/Features-app/file-upload).
>
> [1] https://github.com/wso2/carbon-uuf/blob/v1.0.0-m7/samples/apps/org.wso2.carbon.uuf.sample.features-app/src/main/pages/file-upload.js
> [2] https://github.com/wso2/carbon-uuf/blob/v1.0.0-m7/samples/apps/org.wso2.carbon.uuf.sample.features-app/src/main/pages/file-upload.hbs
>
> Thanks.
>
>
> On Thu, Jan 5, 2017 at 9:41 AM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> As mentioned in the Web App Developer’s Guide for Unified UI Framework
>> [1], "callOSGiService" is a function call of a server side JS API. So
>> AFAIK it can't be called from JS files in the public folder, where the
>> client side logic resides.
>> I have a requirement to call an OSGI service from a client side JS. Is
>> there a way to do that using UUF?
>>
>> Following are the steps of the exact requirement.
>>
>>1. Invoke an OSGI service in onRequest() and fill the content of .hbs
>>from the value returned in onRequest().
>>2. Have a "submit" button in .hbs, where the onClick function is
>>implemented in a JS that resides in the "public" folder.
>>3. Inside the onClick function, we need to call another OSGI service.
>>
>> Without implementing the onClick function in the "public" folder, is there
>> any other way to achieve that and call the OSGI service?
>>
>>
>> And I would like to know how the "module" function works. Does that cater
>> for our requirement? Is the included module executed before the onRequest()
>> method or after? Please share if there are any samples using the module
>> function.
>>
>> [1] https://docs.google.com/document/d/10UDdArHV1eYEfiONu8saqPnnJyUjH3vxOrv0k0rK5hc/edit#
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Emailindu...@wso2.com
>> Mobile   0772182255
>>
>
>
>
> --
> Sajith Janaprasad Ariyarathna
> Software Engineer; WSO2, Inc.;  http://wso2.com/
>



-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [UUF] [IS] Invoke an OSGI service from a client side JS

2017-01-04 Thread Indunil Upeksha Rathnayake
Hi,

As mentioned in the Web App Developer’s Guide for Unified UI Framework [1],
"callOSGiService" is a function call of a server side JS API. So AFAIK
it can't be called from JS files in the public folder, where the
client side logic resides.
I have a requirement to call an OSGI service from a client side JS. Is there
a way to do that using UUF?

Following are the steps of the exact requirement.

   1. Invoke an OSGI service in onRequest() and fill the content of .hbs
   from the value returned in onRequest().
   2. Have a "submit" button in .hbs, where the onClick function is
   implemented in a JS that resides in the "public" folder.
   3. Inside the onClick function, we need to call another OSGI service.

Without implementing the onClick function in the "public" folder, is there any
other way to achieve that and call the OSGI service?


And I would like to know how the "module" function works. Does that cater
for our requirement? Is the included module executed before the onRequest()
method or after? Please share if there are any samples using the module
function.

[1]
https://docs.google.com/document/d/10UDdArHV1eYEfiONu8saqPnnJyUjH3vxOrv0k0rK5hc/edit#

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255


[Dev] [IS] [C5] Self sign-up in C5 User Portal

2017-01-02 Thread Indunil Upeksha Rathnayake
Hi,

In IS C5, we are currently implementing self sign-up in the User Portal and
have the following considerations regarding the self sign-up functionality.

What would be the correct way of achieving self sign-up? I would also like
to know how it has been implemented in other C5 based products.
If self sign up is enabled, *should users be able to create their own user
accounts and log in immediately?* Or should there be an *account
confirmation through email* which helps to confirm an actual user? Or
should there be configurations to enable/disable both registration and
account confirmation?

And when it comes to self sign-up, especially if there is no account
confirmation, in C5 I think it's better to include improvements such as a
way to *allow anyone to sign up (no restrictions) or restrict users to
specific domains* and also a way to choose whether *administrators should
receive an email when a new account is created*.

I would appreciate your ideas/suggestions on this.

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255


[Dev] [IS] [C5] Notification sending in C5

2017-01-02 Thread Indunil Upeksha Rathnayake
Hi,

In the IS C5 implementation, we have a requirement for sending email
notifications in several scenarios like self sign-up, account recovery etc.
AFAIK C5 based products currently do not support any notification
sending functionality. Is there a *way to achieve notification sending at
carbon platform level*, since most of the products have requirements for
sending several notifications including email, SMS etc? If not, isn't it
better to include a feature for notification sending at platform level?

Appreciate your ideas/suggestions on this.

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255


[Dev] [DS] Best Jquery / Javascript charting library to use in a gadget

2016-09-28 Thread Indunil Upeksha Rathnayake
Hi,

I am working on including several graphs in a gadget of an internal
dashboard. Appreciate your help in identifying the most suitable
jQuery/JavaScript charting library which can be used for internal
purposes, which provides a more user friendly environment and is also easy
to use. I have found several options as follows.

   - CanvasJS: Open source and follows a simple "royalty-free" licensing
   model based on the number of developers, which allows integrating &
   distributing CanvasJS in SaaS and internal applications without any
   royalties.
   - FusionCharts
   - D3.js: Open source and released under the BSD license
   - Chart.js: Open source and available under the MIT license
   - VizGrammar: Open source JavaScript library based on d3.js

Thanks and Regards

-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255


Re: [Dev] Concerns regarding the Permission Refactoring

2016-09-14 Thread Indunil Upeksha Rathnayake
Hi guys,

I have some concerns regarding the permission refactoring that we have
worked on. I think the following things need to be taken into consideration.
You can refer to the changes I have done in the user-mgt component with [1].

1) Added all the permissions in component.xml of both the service and UI
components

Consider a scenario where someone installed only the user-mgt UI feature.
In that case all the permissions related to user-mgt and role-mgt should be
there in the permission tree. And likewise, if someone only installed the
user-mgt server feature, all the permissions should have been created, in
order to invoke the services.

2) Add a reference for identityCoreInitializedEventService in both the UI
and service components

Currently we have added the new permission levels for the idp-mgt and
application-mgt components. But there we have included the permissions and
the reference for identityCoreInitializedEventService only in the UI
components.

Do we need to consider the above scenarios? What is the correct way of
doing this?

[1] https://github.com/wso2/carbon-identity-framework/pull/588/files

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255


Re: [Dev] [VOTE] Release WSO2 Identity Server 5.2.0- RC1

2016-09-12 Thread Indunil Upeksha Rathnayake
Hi,

Tested the following scenarios and didn't find any blocking issues.

1) User Management Scenarios
2) Identity Management Scenarios with UserStore Based Identity
DataStore/JDBC Identity DataStore
3) OAuth/OpenID Connect with requested claims/sub claim/custom claim
mappings for password, client-credentials, implicit and authorization grant
types.

[+] Stable - go ahead and release

Thanks and Regards

On Mon, Sep 12, 2016 at 5:08 PM, Chamila Wijayarathna <
cdwijayarat...@gmail.com> wrote:

> Hi all,
>
> I tested the following functionality in the RC pack on Windows 10 with Java 8.
>
>- Dashboard Operations (Login to dashboard, Self Sign Up, Update
>Profile, Change Password, Update Challenge Questions, Associate two local
>accounts, Switch between local accounts)
>- Workflow feature with embedded BPS (Create workflow, Create
>association, Apply if condition with associations, approve event, reject
>event, delete event, dashboard gadget)
>
> No blocking issues found. Only minor issues were found, and I created
> jiras [1][2] for them.
>
>  [+] Stable - go ahead and release
>
>1. https://wso2.org/jira/browse/IDENTITY-5120
>2. https://wso2.org/jira/browse/IDENTITY-5121
>
>
> On Sat, Sep 10, 2016 at 12:18 PM, Kasun Bandara <kas...@wso2.com> wrote:
>
>> Hi All,
>>
>> This is the 1st Release Candidate of WSO2 Identity Server 5.2.0
>>
>> Please download, test the product and vote. The vote will be open for 72
>> hours or as needed.
>>
>> This release fixes the following issues:
>> https://wso2.org/jira/issues/?filter=13329
>>
>> Source and distribution
>>
>> Run-time   : https://github.com/wso2/product-is/releases/tag/v5.2.0-rc1
>> Analytics   : https://github.com/wso2/analytics-is/releases/tag/v5.2.0-rc1
>>
>> Please vote as follows.
>> [+] Stable - go ahead and release
>> [-] Broken - do not release (explain why)
>>
>> Thanks,
>> - WSO2 Identity Server Team -
>>
>> --
>> Kasun Bandara
>> *Software Engineer*
>> Mobile : +94 (0) 718 338 360
>> kas...@wso2.com
>>
>>
>>
>
>
> --
> Chamila Dilshan Wijayarathna,
> PhD Research Student
> The University of New South Wales (UNSW Canberra)
> Australian Centre of Cyber Security
> Australian Defence Force Academy
> PO Box 7916, Canberra BA ACT 2610
> Australia
> Mobile:(+61)416895795
>
>
>
>


-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255


Re: [Dev] [Architecture] [IS] [Analytics] Improvement to use Siddhi streams to send notifications

2016-08-11 Thread Indunil Upeksha Rathnayake
Hi Suhothayan,

You can refer to [1] for the current approach we have taken on the IS side
when improving notification sending with siddhi streams. As per the
discussion we had previously, this approach has been taken in order to avoid
the performance degradation due to the redundant loading of the email
template in IS and analytics. The main reason for the redundant loading is
that the user claims, which are needed for filling out the placeholders in
the email template, can only be loaded on the IS side.

As per the current implementation you have, we can provide the registry
path and let the email template get loaded on the analytics side. For that
there has to be some improvement on the analytics side to get the user
claims from the user store and fill out the template with those claim
values, so that the template can be filled on the analytics side without
loading it on the IS side.

So the suggested improvements are as follows.
*IS side:*
1) Modified the publisher definition to include the registry path of the
email template, specifying the notification type and locale as placeholders
2) When an email notification needs to be sent, an arbitrary map (including
the data needed to load the email template from the registry) will be
published to the stream
*Analytics side:*
1) Load the email template from the registry (using the arbitrary data
values we have provided)
2) Extract the placeholders in the email template
3) Get the user claims from the user store and fill out the placeholders in
the template with the necessary claim values

We have used two prefixes in the placeholders of email templates,
"user.claim.identity" and "user.claim", in order to specify that the
placeholder has to be filled with an identity claim or another wso2 claim
respectively. The claim URIs which we use when retrieving the necessary
user claims for the email templates are generated by appending the
necessary prefix to "http://wso2.org/claims/". As an example, if the
placeholder is "user.claim.givenname", the claim URI should be
"http://wso2.org/claims/givenname", so that placeholder has to be filled
with the user claim value corresponding to the above mentioned claim URI.
You can refer to [2] for the implementation done on the IS side; we can
move that logic to the analytics side.

[1]
https://github.com/wso2-extensions/identity-event-handler-notification/pull/26/files
[2]
https://github.com/wso2-extensions/identity-event-handler-notification/pull/26/files#diff-2200b351eeef81ebbb5ea7f0d1f1ecb7R119

Thanks and Regards

On Tue, Aug 9, 2016 at 9:50 PM, Sriskandarajah Suhothayan <s...@wso2.com>
wrote:

> Based on the chat with Johann he suggested to support claims at event
> publisher.
> @Indunil, can you get the full requirements and update the thread.
>
> Regards
> Suho
>
> On Mon, Aug 1, 2016 at 11:24 PM, Mohanadarshan Vivekanandalingam <
> mo...@wso2.com> wrote:
>
>>
>>
>> On Mon, Aug 1, 2016 at 8:38 PM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi Suhothayan,
>>>
>>> Hi Indunil,
>>
>> I would like to add some comments on this. Please find them below.
>>
>>
>>> There was an issue in EventPublisherServiceDS where the
>>> setConfigurationContextService() method gets invoked after the bundle
>>> gets activated. Due to that, when we try to invoke
>>> deployEventPublisherConfiguration() of EventPublisherService from the
>>> activate method of an osgi bundle on the IS side, it receives a null
>>> pointer (since it refers to the ConfigurationContextService object in
>>> EventPublisherServiceValueHolder). I think you can resolve it by
>>> changing the osgi reference cardinality in [1] to "1..1" (Mandatory), if
>>> there is no specific reason for making it optional.
>>>
>>
>> There is a valid reason for this.
>> I believe, as you know, we cannot guarantee the OSGI bundle loading order in
>> the carbon environment. In this case, there is a possibility that axis2
>> deployment starts before the bundle activation of an OSGI component. To avoid
>> this we follow a similar approach to the one below,
>>
>> 
>>
>>org.wso2.carbon.event.publisher.core.EventPublisherService
>>
>> 
>>
>> Here, we are adding a reference to the corresponding OSGI service which
>> is exposed by the relevant OSGI module. If you want to use the above approach
>> (Axis2RequiredServices), we cannot have a 1..1 mapping for
>> ConfigurationContextService since it causes a cyclic dependency and affects
>> bundle loading.
>>
>> In IS side we were able to get rid of the null pointer by adding an osgi
>>> reference for ConfigurationContextService in the service component and
>>> invoked the deployEventPublisherC

Re: [Dev] [Architecture] [IS] [Analytics] Improvement to use Siddhi streams to send notifications

2016-08-01 Thread Indunil Upeksha Rathnayake
Hi Suhothayan,

There was an issue in EventPublisherServiceDS where the
setConfigurationContextService() method gets invoked after the bundle gets
activated. Due to that, when we try to invoke
deployEventPublisherConfiguration() of EventPublisherService from the
activate method of an osgi bundle on the IS side, it receives a null
pointer (since it refers to the ConfigurationContextService object in
EventPublisherServiceValueHolder). I think you can resolve it by changing
the osgi reference cardinality in [1] to "1..1" (Mandatory), if there is no
specific reason for making it optional.
On the IS side we were able to get rid of the null pointer by adding an osgi
reference for ConfigurationContextService in the service component and
invoking deployEventPublisherConfiguration() in the activate() method.

And also there was an issue in filling out the dynamic properties of an
output adapter from the arbitrary data values, and I have sent a PR for that.
Please review and merge the PR in [2].

[1]
https://github.com/wso2/carbon-analytics-common/blob/master/components/event-publisher/org.wso2.carbon.event.publisher.core/src/main/java/org/wso2/carbon/event/publisher/core/internal/ds/EventPublisherServiceDS.java#L56
[2] https://github.com/wso2/carbon-analytics-common/pull/306/files

Thanks and Regards

On Mon, Aug 1, 2016 at 3:06 PM, Sriskandarajah Suhothayan <s...@wso2.com>
wrote:

> HI Indunil
>
> Any update on this? Was the provided solution working?
>
> We released CEP 4.2-RC1. If we need new features/improvements for this
> effort, we can incorporate them in the next component release.
>
> Regards
> Suho
>
> On Fri, Jul 22, 2016 at 3:10 PM, Sriskandarajah Suhothayan <s...@wso2.com>
> wrote:
>
>>
>>
>> On Fri, Jul 22, 2016 at 3:00 PM, Johann Nallathamby <joh...@wso2.com>
>> wrote:
>>
>>>
>>>
>>> On Fri, Jul 22, 2016 at 8:33 AM, Indunil Upeksha Rathnayake <
>>> indu...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Fri, Jul 22, 2016 at 12:28 PM, Sriskandarajah Suhothayan <
>>>> s...@wso2.com> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Fri, Jul 22, 2016 at 12:00 PM, Indunil Upeksha Rathnayake <
>>>>> indu...@wso2.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Please find the meeting notes in [1]. I have the following
>>>>>> considerations regarding the improvements we have discussed.
>>>>>>
>>>>>> (1) Even though we have configured to load the email template from the
>>>>>> EventPublisher (analytics side), the placeholder values have to be sent
>>>>>> as meta data/correlation data/payload data/arbitrary data, since on the
>>>>>> analytics side the user claim values are not obtained from the user
>>>>>> store.
>>>>>> In order to send the placeholder values from the IS side, anyway we have
>>>>>> to load the email template and retrieve the placeholders. So as I have
>>>>>> understood, for email notifications, it's not needed to use the email
>>>>>> template loading part in analytics, since it'll be a redundant task.
>>>>>> (Refer [2])
>>>>>>
>>>>>
>>>>> Here we can set the claim values as arbitrary data, and the
>>>>> notification specific details as the meta, correlation & payload data.
>>>>> Then we can use the template loading only at the analytics side.
>>>>>
>>>> In this case, from the IS side, instead of parsing only the user claims
>>>> needed for a particular email template (i.e. the user claim values for the
>>>> placeholders in the email template), we have to pass all the user claims
>>>> as arbitrary data values. In that case there's no need for loading the
>>>> template from the registry on the IS side, so that on the analytics side
>>>> all the values needed for filling out the template will be there. Will
>>>> check on that.
>>>>
>>>
>>> I don't think it will be a good solution. There can be sensitive
>>> information in the claims which we can't send. So for this release it's OK
>>> if we read the template on both sides - security is more important than
>>> performance; or read it only on the IS side - but additionally send all
>>> those claims as arbitrary data as well, so if someone wants they can use
>>> them on the CEP side in their output adaptors.
>>>
>>
>> I think then we can have a common configuration in IS side to specify
>> what are the

Re: [Dev] [IS] EC2 Performance Analysis : Sudden TPS drop in User Add in 500 concurrency with 10million users

2016-07-29 Thread Indunil Upeksha Rathnayake
Hi,

I have attached the JMeter script file which we use for adding users [1].
Maybe we need to do some modifications to the script. Appreciate your
comments.
@Ishara: I'll send those results.

[1]
https://drive.google.com/a/wso2.com/folderview?id=0Bz_EQkE2mOgBMmFDNzFpNk5CTFE=sharing

On Fri, Jul 29, 2016 at 3:05 PM, Ishara Karunarathna <isha...@wso2.com>
wrote:

> Hi Indunil,
>
> Can we get the distribution of the throughput? Then we can figure out how
> it's coming down, and it would be better if we can get the resource
> utilization of the servers.
>
> Thanks,
> Ishara
>
> On Fri, Jul 29, 2016 at 2:57 PM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> We are currently engaged in a performance analysis where we are
>> analyzing performance for User Add, Update and Authentication operations.
>> The testing has been carried out in the following environment with 500
>> concurrency and users up to 10 million.
>>
>> *Environment :*
>>
>> m3.2xlarge ( 8 core, 30GB, SSD 2x80 GB) 3 instances.
>> MySQL 5.7
>> Ubuntu 14.04
>> Openldap-2.4.31
>> IS 5.1.0
>>
>> In order to optimize the MySQL server, the following server parameters have
>> been tuned accordingly. We have referred to the MySQL documentation [1] as
>> well as performed analysis using several MySQL tuners in [2].
>>
>> (1) *max_connections : 1000* (The maximum permitted number of
>> simultaneous client connections.)
>>
>> (2) *join_buffer_size : 259968* (The minimum size of the buffer that is
>> used for plain index scans, range index scans, and joins that do not use
>> indexes and thus perform full table scans.)
>>
>> (3) *innodb_buffer_pool_size : 5207959552* (size of the
>> memory area where InnoDB caches table and index data)
>>
>> (4) *innodb_log_buffer_size : 16777216* (size of the buffer for
>> transactions that have not been committed yet)
>>
>> (5) *innodb_buffer_pool_instances : 1* (The number of buffer pool
>> instances. According to the mysql documentation [1], on systems with a large
>> amount of memory, we can improve concurrency by dividing the buffer pool
>> into multiple buffer pool instances. But we couldn't change it since it's a
>> read only variable)
>>
>> (6) *key_buffer_size : 38400* (size of the buffer used for index
>> blocks)
>>
>> (7) *table_open_cache : 4000* (The number of open tables for all
>> threads)
>>
>> (8) *sort_buffer_size : 400* (Each session that must perform a sort
>> allocates a buffer of this size)
>>
>> (9) *read_buffer_size : 100* (Each thread that does a sequential
>> scan for a table allocates a buffer of this size for each table it scans.
>> If we do many sequential scans, we might want to increase this value)
>>
>> (10) *query_cache_type : 0 *
>>
>> (11) *query_cache_limit : 1048576* (Do not cache results that are larger
>> than this number of bytes)
>>
>> (12) *query_cache_size : 1048576* (The amount of memory allocated for
>> caching query results)
>>
>> (13) *thread_stack : 262144* (The stack size for each thread)
>>
>> (14) *net_buffer_length : 16384* (Each client thread is associated with
>> a connection buffer and result buffer. Both begin with a size given by
>> net_buffer_length but are dynamically enlarged up to max_allowed_packet
>> bytes as needed)
>>
>> (15) *max_allowed_packet : 4194304* (The maximum size of one packet or
>> any generated/intermediate string)
>>
>> (16) *thread_cache_size : 30* (no of threads the server should cache for
>> reuse)
>>
>>
>>
>> IS has been configured as follows to optimize the performance.
>>
>> (1) JVM Heap Settings (-Xms -Xmx) changed as follows:
>>
>> *Xms : 2g *
>>
>> *Xmx : 2g *
>>
>> (2) Removed the following entry from
>> /repository/conf/tomcat/catalina-server.xml to disable http access
>> logs.
>>
>> <Valve className="org.apache.catalina.valves.AccessLogValve"
>> directory="${carbon.home}/repository/logs" prefix="http_access_"
>> suffix=".log" pattern="combined" />
>>
>> (3) Tuned the following parameters in the axis2client.xml file.
>>
>> 1000
>>
>> 3
>>
>> (4) Added the following additional parameters to optimize the database
>> connection pool.
>>
>> 6
>>
>> 600
>>
>> 20
>>
>> (5) Tuning Tomcat parameters in
>> /repository/conf/tomcat/catalina-server.xml.
>>
>> *acceptorThreadCount = 8 *
>>
>> *maxThreads="750" *
>>
>> *minSpareThreads

[Dev] [IS] EC2 Performance Analysis : Sudden TPS drop in User Add in 500 concurrency with 10million users

2016-07-29 Thread Indunil Upeksha Rathnayake
Hi,

We are currently engaged in a performance analysis where we are analyzing
performance for User Add, Update and Authentication operations. The testing
has been carried out in the following environment with 500 concurrency and
users up to 10 million.

*Environment :*

m3.2xlarge ( 8 core, 30GB, SSD 2x80 GB) 3 instances.
MySQL 5.7
Ubuntu 14.04
Openldap-2.4.31
IS 5.1.0

In order to optimize the MySQL server, the following server parameters have
been tuned accordingly. We have referred to the MySQL documentation [1] as
well as performed analysis using several MySQL tuners in [2].

(1) *max_connections : 1000* (The maximum permitted number of simultaneous
client connections.)

(2) *join_buffer_size : 259968* (The minimum size of the buffer that is
used for plain index scans, range index scans, and joins that do not use
indexes and thus perform full table scans.)

(3) *innodb_buffer_pool_size : 5207959552* (size of the memory area where
InnoDB caches table and index data)

(4) *innodb_log_buffer_size : 16777216* (size of the buffer for
transactions that have not been committed yet)

(5) *innodb_buffer_pool_instances : 1* (The number of buffer pool
instances. According to the mysql documentation [1], on systems with a large
amount of memory, we can improve concurrency by dividing the buffer pool
into multiple buffer pool instances. But we couldn't change it since it's a
read only variable)

(6) *key_buffer_size : 38400* (size of the buffer used for index
blocks)

(7) *table_open_cache : 4000* (The number of open tables for all threads)

(8) *sort_buffer_size : 400* (Each session that must perform a sort
allocates a buffer of this size)

(9) *read_buffer_size : 100* (Each thread that does a sequential scan
for a table allocates a buffer of this size for each table it scans. If we
do many sequential scans, we might want to increase this value)

(10) *query_cache_type : 0 *

(11) *query_cache_limit : 1048576* (Do not cache results that are larger
than this number of bytes)

(12) *query_cache_size : 1048576* (The amount of memory allocated for
caching query results)

(13) *thread_stack : 262144* (The stack size for each thread)

(14) *net_buffer_length : 16384* (Each client thread is associated with a
connection buffer and result buffer. Both begin with a size given by
net_buffer_length but are dynamically enlarged up to max_allowed_packet
bytes as needed)

(15) *max_allowed_packet : 4194304* (The maximum size of one packet or any
generated/intermediate string)

(16) *thread_cache_size : 30* (number of threads the server should cache for
reuse)



IS has been configured as follows to optimize the performance.

(1) JVM Heap Settings (-Xms -Xmx) changed as follows:

*Xms : 2g *

*Xmx : 2g *

(2) Removed following entry from
/repository/conf/tomcat/catalina-server.xml to disable http access
logs.



(3) Tuned following parameters in axis2client.xml file.

1000

3

(4) Added following additional parameters to optimize database connection
pool.

6

600

20

(5) Tuning Tomcat parameters in
/repository/conf/tomcat/catalina-server.xml.

*acceptorThreadCount = 8 *

*maxThreads="750" *

*minSpareThreads="150" *

*maxKeepAliveRequests="600" *

*acceptCount="600"*



JMeter has been configured as follows to optimize the performance.

(1) JVM Heap Settings (-Xms -Xmx) changed as follows:

*Xms : 1g *

*Xmx : 1g *


We were able to optimize the environment up to some level. But *currently
the TPS is dropping from the initial TPS 1139.5/s to 198.1/s at around the
610 user count (User Add).*

Appreciate your help in figuring out whether we need to make any
modifications to the optimizations in the MYSQL, IS and JMeter servers, or in
identifying the exact cause of this sudden TPS drop.

[1] http://dev.mysql.com/doc/refman/5.7/en/optimizing-server.html

[2] http://www.askapache.com/mysql/mysql-performance-tuning.html


Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [Architecture] [IS] [Analytics] Improvement to use Siddhi streams to send notifications

2016-07-22 Thread Indunil Upeksha Rathnayake
Hi,

On Fri, Jul 22, 2016 at 12:28 PM, Sriskandarajah Suhothayan <s...@wso2.com>
wrote:

>
>
> On Fri, Jul 22, 2016 at 12:00 PM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> Please find the meeting notes in [1].  I have following considerations
>> regarding the improvements we have discussed.
>>
>> (1) Even though we have configured to load the email template from
>> EventPublisher(analytics side), the placeholder values has to be sent as
>> meta data/correlation data/payload data/arbitrary data, since in analytics
>> side, the user claim values are not getting from the user store.
>> In order to send the placeholder values from IS side, anyway we have to
>> load the email template and retrieve the placeholders. So as I have
>> understood, for email notifications, it's not needed to use the email
>> template loading part in analytics, since it'll be a redundant task. (Refer
>> [2])
>>
>
> Here we can set the claim values as arbitrary data, and the notification
> specific details as the meta, correlation & payload data.
> Then we can use the template loading only at the analytics side.
>
In this case, from the IS side, instead of picking out only the user claims
needed for a particular email template (i.e. the user claim values for the
placeholders in the email template), we have to pass all the user claims as
arbitrary data values. In that case there's no need to load the template from
the registry on the IS side, so that on the analytics side all the values
needed for filling out the template will be there. Will check on that.

>
>
>> (2) The email templates has to be changed as follows.
>> i) if the value will be provided in an arbitrary data map, the
>> placeholder should be with a prefix "arbitrary_"
>> (ex:{{arbitrary_givenname}})
>>
> ii) if the value will be provided in an meta data map, the placeholder
>> should be changed as {{...}} (ex:{{givenname}})
>>
>> No we should not use "arbitrary_" for any cases, its internal information
> and the names should not have "arbitrary_" even if its in arbitrary data
> map or otherwise.
>
> (3) Only Text OutputMapping Content can be filled from a value in an
>> arbitrary data map using prefix "arbitrary_" .  It's not possible to use a
>> value of an arbitrary data map, in a Dynamic adapter properties, only a
>> value from a meta data/correlation data/payload data map can be used. I
>> think that need to be extended to use even an arbitrary value as a dynamic
>> adapter property.(Refer [3])
>>
>
> @Gobi can you please fix this if that's the case.
>
>
>>
>> (4) The default stream definitions and publisher definitions has to be
>> deployed on super tenant as well as other tenants as well. And when a new
>> tenant is added, those streams and publishers has to be deployed for that
>> particular tenant as well.
>>
>> We can have a tenant creation handler to do this copying during that
> tenant creation time. WDYT?
>
> Really appreciate your ideas/suggestions regarding the above mentioned
>> concerns.
>>
>> [1] Invitation: [Architecture] [Discussion] Improvement to use Siddhi
>> str... @ Wed Jul 20, 2016 4:30pm - 5:30pm (IST) (indu...@wso2.com)
>>
>> [2]
>> https://github.com/wso2/carbon-analytics-common/blob/master/components/event-publisher/org.wso2.carbon.event.publisher.core/src/main/java/org/wso2/carbon/event/publisher/core/internal/type/text/TextOutputMapper.java#L108
>>
>> [3]
>> https://github.com/wso2/carbon-analytics-common/blob/master/components/event-publisher/org.wso2.carbon.event.publisher.core/src/main/java/org/wso2/carbon/event/publisher/core/internal/EventPublisher.java#L311
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Emailindu...@wso2.com
>> Mobile   0772182255
>>
>>
>>
>
>
> --
>
> *S. Suhothayan*
> Associate Director / Architect & Team Lead of WSO2 Complex Event Processor
> *WSO2 Inc. *http://wso2.com
> * <http://wso2.com/>*
> lean . enterprise . middleware
>
>
> *cell: (+94) 779 756 757 <%28%2B94%29%20779%20756%20757> | blog:
> http://suhothayan.blogspot.com/ <http://suhothayan.blogspot.com/>twitter:
> http://twitter.com/suhothayan <http://twitter.com/suhothayan> | linked-in:
> http://lk.linkedin.com/in/suhothayan <http://lk.linkedin.com/in/suhothayan>*
>



-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
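As an added example (not code from this thread, nor from the carbon-analytics-common TextOutputMapper), the following Python sketch shows the two pieces discussed in the message above: collecting the placeholder names a template needs, so the IS side knows which claims to send along with the event, and resolving `{{name}}` placeholders against the meta, correlation, payload and arbitrary maps with the same placeholder name whichever map the value lives in (no `arbitrary_` prefix). The lookup order, the map names and the sample values are assumptions made for the example. One behaviour worth noting: values are inserted in a single pass and never re-scanned, so a user claim whose value happens to contain `{{...}}` cannot pull another attribute into the message.

```python
import re
from typing import Dict, Mapping, Optional, Set

# {{name}}: letters, digits, underscore and dots (a claim name or URI suffix)
PLACEHOLDER = re.compile(r"\{\{([A-Za-z0-9_.]+)\}\}")


def required_placeholders(template: str) -> Set[str]:
    """Names the publishing side must supply before the event is sent."""
    return set(PLACEHOLDER.findall(template))


def render_template(template: str,
                    meta: Optional[Mapping[str, object]] = None,
                    correlation: Optional[Mapping[str, object]] = None,
                    payload: Optional[Mapping[str, object]] = None,
                    arbitrary: Optional[Mapping[str, object]] = None,
                    strict: bool = True) -> str:
    """Fill {{name}} placeholders from the event's data maps.

    Assumed lookup order: meta, correlation, payload, then arbitrary, so a
    notification-specific attribute wins over a same-named user claim.
    With strict=True an unresolved placeholder raises instead of leaking
    a literal "{{name}}" (or an empty string) into the outgoing message.
    """
    maps = [m for m in (meta, correlation, payload, arbitrary) if m is not None]

    def lookup(name: str) -> Optional[str]:
        for m in maps:
            if name in m:
                return str(m[name])
        return None

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        value = lookup(name)
        if value is None:
            if strict:
                raise KeyError("unresolved placeholder: " + name)
            return match.group(0)
        # re.sub makes one pass over the template: the value is inserted
        # verbatim and never re-scanned, so "{{" inside a claim is inert.
        return value

    return PLACEHOLDER.sub(substitute, template)


def build_email(subject_template: str, body_template: str, **maps) -> Dict[str, str]:
    """Render subject and body from the same event maps (constructed helper)."""
    return {"subject": render_template(subject_template, **maps),
            "body": render_template(body_template, **maps)}
```

Calling `required_placeholders` on the registry template is what lets the IS side send only the claims a template actually uses; `render_template` is the part that would run on whichever side holds the template and the maps.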


Re: [Dev] [Architecture] [IS] [Analytics] Improvement to use Siddhi streams to send notifications

2016-07-19 Thread Indunil Upeksha Rathnayake
Hi,

Thanks for the response. I have arranged a meeting from 4.30pm - 5.30pm
today(20/7/2016).

Best Regards


On Tue, Jul 19, 2016 at 11:58 AM, Sriskandarajah Suhothayan <s...@wso2.com>
wrote:

> Since Option 2 is now possible I think you can move to it now. The
> advantage is, with this approach you are not restricted to emails and you
> can now use SOAP, REST and other adopters to trigger some actions based on
> notifications, which will make IS much more powerful than just sending
> emails.
>
> I'm available from 2.30 pm at PG.
>
> Regards
> Suho
>
> On Tue, Jul 19, 2016 at 11:17 AM, Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>> Hi Suho,
>>
>> On Mon, Jul 18, 2016 at 11:44 PM, Sriskandarajah Suhothayan <
>> s...@wso2.com> wrote:
>>
>>> Hi
>>>
>>> Based on the request of IS team we have recently added support for
>>> loading template files from the registry.
>>> I think with this feature we can do the mapping at Event Publisher side,
>>> then IS can send only the core data for the notification. I think building
>>> the whole message at IS is too much customization for emails.
>>>
>>
>> As discussed previously both methods should work.
>>
>> Replacing placeholder with data in the arbitrary data map was in the
>> master at the time and now it should have been release AFAIU. This is what
>> Indunil was trying.
>>
>> And also you guys have added the support to pick registry templates based
>> on some place holder values in the registry path. What we discussed was to
>> send the 'locale' value as a stream attribute for our use case. If this
>> approach works this is also fine for us.
>>
>> We tried with option1 just to get something working quickly.
>>
>>
>>>
>>> Please set up a meeting so we can discuss the possible ways to
>>> implementing this.
>>>
>>> Regards
>>> Suho
>>>
>>> On Mon, Jul 18, 2016 at 5:52 PM, Indunil Upeksha Rathnayake <
>>> indu...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> We are trying to do some improvements to the notification sending
>>>> module where we have integrated analytics common features in IS, in order
>>>> to send several notifications (ex:Email, SMS).
>>>>
>>>> Current implementation is in [1], there only the email notification was
>>>> focused where we are directly publishing to the EmailEventAdapter.
>>>>
>>>> Now we are trying to send notifications via publishing an event to the
>>>> Event stream without directly calling an Output Adapter. The approach we
>>>> have taken is as follows.
>>>>
>>>> 1) On server start-up the following will be created.
>>>> i) A stream for each and every notification type including the necessary
>>>> attributes. Ex: Email Notification - a Stream with the subject, body and
>>>> footer as attributes
>>>> ii) Event Publishers, registered for each and every stream in the required
>>>> Output event adapter type. Ex: Email Notification - event Publisher in
>>>> email output event adapter type.
>>>> 2) Publishing an event to EventStreamService, which includes an arbitrary
>>>> data map with the necessary data needed for the specific notification
>>>> type. Ex: Email Notification - Please find the code segments in [2] for
>>>> having a better understanding.
>>>>
>>>> There on the IS side, we are selecting a specific email template and
>>>> filling out the placeholders before sending the subject, body and footer
>>>> as arbitrary map attributes.
>>>>
>>>> But even though we passed an arbitrary data map, when we are sending an
>>>> email from the EmailEventAdapter, it won't filter out the subject, body or
>>>> header from that arbitrary data map.
>>>> As I have understood, if someone passes an event with an arbitrary data
>>>> map, the email body will be set as [3] (refer [4]); it won't filter out the
>>>> content (refer [5]).
>>>> Should this work if we provide *output mappings* for the event
>>>> publisher as *{{subject}{body}{footer}}* to convert the event to the
>>>> supported format?
>>>>
>>>> I have gone through the code [6], where the event data will be passed
>>>> through EventStreamProducer, but ther

Re: [Dev] [Architecture] [IS] [Analytics] Improvement to use Siddhi streams to send notifications

2016-07-18 Thread Indunil Upeksha Rathnayake
Hi,

Thanks for the response. As you suggested, it's better to discuss and find
a possible way of implementing this. Shall I arrange a meeting
tomorrow (19/7/2016)? If possible, please let me know an available time slot.

Thanks and Regards

On Mon, Jul 18, 2016 at 11:44 PM, Sriskandarajah Suhothayan <s...@wso2.com>
wrote:

> Hi
>
> Based on the request of IS team we have recently added support for loading
> template files from the registry.
> I think with this feature we can do the mapping at Event Publisher side,
> then IS can send only the core data for the notification. I think building
> the whole message at IS is too much customization for emails.
>
> Please set up a meeting so we can discuss the possible ways to
> implementing this.
>
> Regards
> Suho
>
> On Mon, Jul 18, 2016 at 5:52 PM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> We are trying to do some improvements to the notification sending module
>> where we have integrated analytics common features in IS, in order to send
>> several notifications (ex:Email, SMS).
>>
>> Current implementation is in [1], there only the email notification was
>> focused where we are directly publishing to the EmailEventAdapter.
>>
>> Now we are trying to send notifications via publishing an event to the
>> Event stream without directly calling an Output Adapter. The approach we
>> have taken is as follows.
>>
>> 1) On server start-up the following will be created.
>> i) A stream for each and every notification type including the necessary
>> attributes. Ex: Email Notification - a Stream with the subject, body and
>> footer as attributes
>> ii) Event Publishers, registered for each and every stream in the required
>> Output event adapter type. Ex: Email Notification - event Publisher in
>> email output event adapter type.
>> 2) Publishing an event to EventStreamService, which includes an arbitrary
>> data map with the necessary data needed for the specific notification
>> type. Ex: Email Notification - Please find the code segments in [2] for
>> having a better understanding.
>>
>> There on the IS side, we are selecting a specific email template and
>> filling out the placeholders before sending the subject, body and footer as
>> arbitrary map attributes.
>>
>> But even though we passed an arbitrary data map, when we are sending an
>> email from the EmailEventAdapter, it won't filter out the subject, body or
>> header from that arbitrary data map.
>> As I have understood, if someone passes an event with an arbitrary data
>> map, the email body will be set as [3] (refer [4]); it won't filter out the
>> content (refer [5]).
>> Should this work if we provide *output mappings* for the event
>> publisher as *{{subject}{body}{footer}}* to convert the event to the
>> supported format?
>>
>> I have gone through the code [6], where the event data will be passed
>> through EventStreamProducer, but there also seems like it's not possible
>> to send an email in required format(subject, body and footer).
>>
>> Really appreciate your comments/suggestions to understand the correct
>> approach to be taken.
>>
>> [1]
>> https://github.com/wso2-extensions/identity-event-handler-email/blob/master/components/event-handler-email/org.wso2.carbon.identity.event.handler.email/src/main/java/org.wso2.carbon.identity.event.handler.email/handler/EmailEventHandler.java#L164
>> [2]
>> https://drive.google.com/a/wso2.com/file/d/0Bz_EQkE2mOgBY00yYVpGelZJNms/view?usp=sharing
>> [3]
>> https://drive.google.com/a/wso2.com/file/d/0Bz_EQkE2mOgBNEMtYjJvSFB2emM/view?usp=sharing
>> [4]
>> https://github.com/wso2/carbon-analytics-common/blob/master/components/event-publisher/org.wso2.carbon.event.publisher.core/src/main/java/org/wso2/carbon/event/publisher/core/internal/type/text/TextOutputMapper.java#L139
>> [5]
>> https://github.com/wso2/carbon-analytics-common/blob/master/components/event-publisher/event-output-adapters/org.wso2.carbon.event.output.adapter.email/src/main/java/org/wso2/carbon/event/output/adapter/email/EmailEventAdapter.java#L233
>> [6]
>> https://github.com/wso2/carbon-event-processing/blob/master/components/event-simulator/org.wso2.carbon.event.simulator.core/src/main/java/org/wso2/carbon/event/simulator/core/internal/CarbonEventSimulator.java#L183
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Emailindu...@wso2.com
>> Mobile   0772182255
>>
>
>
>
> --
>
> *S. Suhothayan

[Dev] [Architecture] [IS] [Analytics] Improvement to use Siddhi streams to send notifications

2016-07-18 Thread Indunil Upeksha Rathnayake
Hi,

We are trying to do some improvements to the notification sending module
where we have integrated analytics common features in IS, in order to send
several notifications (ex:Email, SMS).

Current implementation is in [1], there only the email notification was
focused where we are directly publishing to the EmailEventAdapter.

Now we are trying to send notifications via publishing an event to the
Event stream without directly calling an Output Adapter. The approach we
have taken is as follows.

1) On server start-up the following will be created.
i) A stream for each and every notification type including the necessary
attributes. Ex: Email Notification - a Stream with the subject, body and
footer as attributes
ii) Event Publishers, registered for each and every stream in the required
Output event adapter type. Ex: Email Notification - event Publisher in
email output event adapter type.
2) Publishing an event to EventStreamService, which includes an arbitrary
data map with the necessary data needed for the specific notification
type. Ex: Email Notification - Please find the code segments in [2] for
having a better understanding.

There on the IS side, we are selecting a specific email template and
filling out the placeholders before sending the subject, body and footer as
arbitrary map attributes.

But even though we passed an arbitrary data map, when we are sending an
email from the EmailEventAdapter, it won't filter out the subject, body or
header from that arbitrary data map.
As I have understood, if someone passes an event with an arbitrary data map,
the email body will be set as [3] (refer [4]); it won't filter out the
content (refer [5]).
Should this work if we provide *output mappings* for the event
publisher as *{{subject}{body}{footer}}* to convert the event to the
supported format?

I have gone through the code [6], where the event data will be passed
through EventStreamProducer, but there also seems like it's not possible to
send an email in required format(subject, body and footer).

Really appreciate your comments/suggestions to understand the correct
approach to be taken.

[1]
https://github.com/wso2-extensions/identity-event-handler-email/blob/master/components/event-handler-email/org.wso2.carbon.identity.event.handler.email/src/main/java/org.wso2.carbon.identity.event.handler.email/handler/EmailEventHandler.java#L164
[2]
https://drive.google.com/a/wso2.com/file/d/0Bz_EQkE2mOgBY00yYVpGelZJNms/view?usp=sharing
[3]
https://drive.google.com/a/wso2.com/file/d/0Bz_EQkE2mOgBNEMtYjJvSFB2emM/view?usp=sharing
[4]
https://github.com/wso2/carbon-analytics-common/blob/master/components/event-publisher/org.wso2.carbon.event.publisher.core/src/main/java/org/wso2/carbon/event/publisher/core/internal/type/text/TextOutputMapper.java#L139
[5]
https://github.com/wso2/carbon-analytics-common/blob/master/components/event-publisher/event-output-adapters/org.wso2.carbon.event.output.adapter.email/src/main/java/org/wso2/carbon/event/output/adapter/email/EmailEventAdapter.java#L233
[6]
https://github.com/wso2/carbon-event-processing/blob/master/components/event-simulator/org.wso2.carbon.event.simulator.core/src/main/java/org/wso2/carbon/event/simulator/core/internal/CarbonEventSimulator.java#L183

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS Authenticator] Issue in logout from mailchimp authenticator

2016-02-18 Thread Indunil Upeksha Rathnayake
Hi Hariprasath,

This error occurs when the session has already expired by the time the logout
request is sent. Please try the same scenario after enabling session
persistence and configuring a higher value for the SSO session timeout as
follows (default: 15 min).

You can enable session persistence using following property in identity.xml
file.

* true*
After WSO2IS 5.1.0, it has been enabled by default.


You can configure the SSO session timeout as follows.
If you are using WSO2IS 5.1.0, you can configure it using the following
property in the repository/conf/identity/identity.xml file

* 15*

If you are using WSO2IS 5.0.0, you can configure it using following
property in repository/conf/tomcat/carbon/WEB-INF/web.xml file


* 15 *

Please refer [1] for more details.

Thanks and Regards

On Thu, Feb 18, 2016 at 11:24 AM, Malithi Edirisinghe <malit...@wso2.com>
wrote:

> Hi Haripasath,
>
> When analyzing the trace that you have attached I noted that the IdP
> hostname has been changed from localhost -> 127.0.0.1 -> localhost. IS
> maintains the logged in session via a cookie set to the IdP Url. These
> cookies are set against the hostname in the browser.
>
> So in your case, after the successful authentication 'samlssoTokenId' is
> set against 127.0.0.1 hostname. But the login request is sent under
> 'localhost' hostname. So the cookie is not sent back to the server there.
> So the server cannot find the session with regard to this logout request.
>
> Please make sure that you use the same hostname along the full flow either
> localhost or 127.0.0.1
>
> Thanks,
> Malithi.
>
> On Thu, Feb 18, 2016 at 12:45 AM, Hariprasath Thanarajah <
> haripras...@wso2.com> wrote:
>
>> Hi All,
>>
>> I couldn't find the reason behind this why is this happening. Can anyone
>> have any idea ?
>>
>> On Fri, Feb 5, 2016 at 12:56 PM, Hariprasath Thanarajah <
>> haripras...@wso2.com> wrote:
>>
>>> Hi Philips,
>>>
>>> Any update on this?
>>>
>>> On Tue, Feb 2, 2016 at 2:57 PM, Hariprasath Thanarajah <
>>> haripras...@wso2.com> wrote:
>>>
>>>> Hi Philips,
>>>>
>>>> You can find the SSO tracer in the following attachment.
>>>>
>>>>
>>>>
>>>> On Tue, Feb 2, 2016 at 2:22 PM, Chamara Philips <chama...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Hariprasath,
>>>>> It is because the sessionID is null. It will be helpfull, if you can
>>>>> attach the SSO tracer.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> On Tue, Feb 2, 2016 at 11:58 AM, Hariprasath Thanarajah <
>>>>> haripras...@wso2.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I have implemented mailChimp Authenticator for IS. When I logout from
>>>>>> sample webapp(travelocity.com) i got the below error,
>>>>>>
>>>>>> [2016-02-02 11:41:01,907] ERROR
>>>>>> {org.wso2.carbon.identity.sso.saml.processors.SPInitLogoutRequestProcessor}
>>>>>> -  ssoTokenId cookie not found in the logout request
>>>>>>
>>>>>>
>>>>>> Any suggestions?
>>>>>>
>>>>>> --
>>>>>>
>>>>>>
>>>>>> *Thank you and Regards**Hariprasath Thanarajah*
>>>>>> Associate Software Engineer | WSO2
>>>>>> E: haripras...@wso2.com
>>>>>> M: +94752806528
>>>>>>
>>>>>>
>>>>>> ___
>>>>>> Dev mailing list
>>>>>> Dev@wso2.org
>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Hareendra Chamara Philips
>>>>> *Software  Engineer*
>>>>> Mobile : +94 (0) 767 184161 <%2B94%20%280%29%20773%20451194>
>>>>> chama...@wso2.com <thili...@wso2.com>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>>
>>>> *Thank you and Regards**Hariprasath Thanarajah*
>>>> Associate Software Engineer | WSO2
>>>> E: haripras...@wso2.com
>>>> M: +94752806528
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>>
>>> *Thank you and Regards**Hariprasath Thanarajah*
>>> Associate Software Engineer | WSO2
>>> E: haripras...@wso2.com
>>> M: +94752806528
>>>
>>>
>>
>>
>> --
>>
>>
>> *Thank you and Regards**Hariprasath Thanarajah*
>> Associate Software Engineer | WSO2
>> E: haripras...@wso2.com
>> M: +94752806528
>>
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
>
> *Malithi Edirisinghe*
> Senior Software Engineer
> WSO2 Inc.
>
> Mobile : +94 (0) 718176807
> malit...@wso2.com
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [VOTE] Release WSO2 Identity Server 5.1.0 RC2

2015-12-22 Thread Indunil Upeksha Rathnayake
Hi All,

I have tested following functionalities in both super tenant and tenant
mode with email user name enabled/disabled.

1. SCIM (GET/PUT/PATCH operations, SCIM Extensions, with Basic and OAuth
authentication)
2. Provisioning - SCIM
3. Provisioning - Salesforce
4. OAuth/OpenID Connect Federation
5. IdP's default authenticator changes in SP, IDP multi-step authentication

No issues found.
[x] - Stable - Go ahead and release.


On Wed, Dec 23, 2015 at 12:09 PM, Pulasthi Mahawithana <pulast...@wso2.com>
wrote:

> Hi All,
>
> Found no issues with IWA Application and carbon authenticators.
>
> [x] - Stable - Go ahead and release.
>
>
> On Wed, Dec 23, 2015 at 12:04 PM, Kavitha Subramaniyam <kavi...@wso2.com>
> wrote:
>
>> Hi All,
>>
>> QA has done a smoke test on the RC pack and no blocking issues were
>> found. The minor severity issues found have been reported in JIRA.
>>
>>
>> Thanks,
>> Kavitha.
>>
>> On Wed, Dec 23, 2015 at 11:46 AM, Gayan Gunawardana <ga...@wso2.com>
>> wrote:
>>
>>> Hi All,
>>>
>>> I have tested following functionalities.
>>>
>>> 1. Passive STS federation for tenant and super tenant
>>> 2. ID token for implicit grant type
>>> 3. SCIM patch operation for groups with all basic SCIM operations
>>>
>>> No issues found.
>>>
>>> [x] - Stable - Go ahead and release.
>>>
>>> Thanks,
>>> Gayan
>>>
>>> On Mon, Dec 21, 2015 at 6:29 PM, Hasintha Indrajee <hasin...@wso2.com>
>>> wrote:
>>>
>>>> Hi Devs,
>>>>
>>>> This is the second release candidate of WSO2 Identity Server 5.1.0.
>>>>
>>>> This release fixes the following issues:
>>>> https://wso2.org/jira/issues/?filter=12586
>>>>
>>>> Please download, test and vote.
>>>>
>>>> Source & binary distribution files:
>>>> https://github.com/wso2/product-is/releases/tag/v5.1.0-rc2
>>>>
>>>> Maven staging repo:
>>>> http://maven.wso2.org/nexus/content/repositories/orgwso2is-218/
>>>>
>>>> The tag to be voted upon:
>>>> https://github.com/wso2/product-is/tree/v5.1.0-rc2
>>>>
>>>>
>>>> [ ]  Stable - go ahead and release
>>>> [ ]  Broken - do not release (explain why)
>>>>
>>>> Thanks and Regards,
>>>> WSO2 Identity Server Team.
>>>>
>>>> --
>>>> Hasintha Indrajee
>>>> Software Engineer
>>>> WSO2, Inc.
>>>> Mobile:+94 771892453
>>>>
>>>>
>>>> ___
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>>
>>>
>>> --
>>> Gayan Gunawardana
>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: ga...@wso2.com
>>> Mobile: +94 (71) 8020933
>>>
>>> ___
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> Kavitha.S
>> *Software Engineer -QA*
>> Mobile : +94 (0) 771538811 <%2B94%20%280%29%20773%20451194>
>> kavi...@wso2.com <thili...@wso2.com>
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> *Pulasthi Mahawithana*
> Software Engineer
> WSO2 Inc., http://wso2.com/
> Mobile: +94-71-5179022
> Blog: http://blog.pulasthi.org
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [IS] Identifying the Back-channel request format in Spring Security SAML Single Logout

2015-11-04 Thread Indunil Upeksha Rathnayake
Hi,

I am working on the *SP initiated single logout* in identity server,
when *Spring
Security SAML extension* is involved.

In this scenario, a *back-channel request* has to be sent to Spring
Security SAML Single Logout endpoint from the identity server.

The issue is in identifying the necessary format of the back-channel logout
request that needs to be sent from the IS to the Spring Security SAML
application. I've tried sending requests in the following formats [1] and [2],
but received failed single logout responses with status codes [3] and [4]
respectively.

I've herewith attached the requests which have been tested in IS. Really
appreciate any help in identifying the proper format.

[1]   SAML :

..


[2]  SAML SOAP binding :
http://schemas.xmlsoap.org/soap/envelope/
">


..




[3]  Response : Moved Temporarily, Status Code : 302

[4]  Response : Internal Server Error, Status Code : 500

Reference :

http://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-quick-start.html

https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf


Thanks and Regards

-- 

Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com


soap_request
Description: Binary data


saml_request
Description: Binary data
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
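The two request shapes above were stripped from the archive, so as an added example (not the attachments from this message, nor WSO2 or Spring Security SAML code) here is a Python sketch of what the SOAP-binding back-channel exchange looks like: a `samlp:LogoutRequest` built per SAML 2.0 Core and wrapped in a SOAP 1.1 envelope, plus a parser that pulls the `StatusCode` out of the SP's `LogoutResponse`. The issuer, destination and NameID values are constructed for the example, as are the two sample responses. The request is deliberately left unsigned, which is an assumption to keep the block short: the SP normally requires an XML Signature on back-channel logout requests, so a rejection from an unsigned one is expected.

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET
from typing import Dict

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1, as in [2] above
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

for _prefix, _uri in (("samlp", NS_SAMLP), ("saml", NS_SAML), ("soapenv", NS_SOAP)):
    ET.register_namespace(_prefix, _uri)


def build_logout_request(issuer: str, destination: str, name_id: str,
                         session_index: str, request_id: str = None,
                         issue_instant: str = None) -> ET.Element:
    """Unsigned samlp:LogoutRequest (SAML 2.0 Core, section 3.7.1)."""
    req = ET.Element("{%s}LogoutRequest" % NS_SAMLP, {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant
        or dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        # Destination must equal the SP's SOAP SingleLogoutService location
        "Destination": destination,
    })
    ET.SubElement(req, "{%s}Issuer" % NS_SAML).text = issuer
    ET.SubElement(req, "{%s}NameID" % NS_SAML, {"Format": NAMEID_UNSPECIFIED}).text = name_id
    ET.SubElement(req, "{%s}SessionIndex" % NS_SAMLP).text = session_index
    return req


def wrap_in_soap(message: ET.Element) -> str:
    """SOAP binding: the SAML message is the sole child of soapenv:Body."""
    env = ET.Element("{%s}Envelope" % NS_SOAP)
    ET.SubElement(env, "{%s}Body" % NS_SOAP).append(message)
    return ET.tostring(env, encoding="unicode")


def describe_logout_request(soap_xml: str) -> Dict[str, str]:
    """Read back the fields an SP would check (used for verification here)."""
    root = ET.fromstring(soap_xml)
    req = root.find(".//{%s}LogoutRequest" % NS_SAMLP)
    if req is None:
        raise ValueError("no samlp:LogoutRequest in SOAP body")
    return {"id": req.get("ID"),
            "destination": req.get("Destination"),
            "issuer": req.findtext("{%s}Issuer" % NS_SAML),
            "name_id": req.findtext("{%s}NameID" % NS_SAML),
            "session_index": req.findtext("{%s}SessionIndex" % NS_SAMLP)}


def logout_response_status(soap_xml: str) -> str:
    """Top-level StatusCode Value of the LogoutResponse inside the SOAP body."""
    root = ET.fromstring(soap_xml)
    resp = root.find(".//{%s}LogoutResponse" % NS_SAMLP)
    if resp is None:
        raise ValueError("no samlp:LogoutResponse in SOAP body")
    code = resp.find("{%s}Status/{%s}StatusCode" % (NS_SAMLP, NS_SAMLP))
    if code is None or not code.get("Value"):
        raise ValueError("LogoutResponse without a StatusCode")
    return code.get("Value")


def logout_succeeded(soap_xml: str) -> bool:
    return logout_response_status(soap_xml) == STATUS_SUCCESS


# Constructed sample responses, not captured from any real SP.
SAMPLE_RESPONSE_OK = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Body><samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"'
    ' IssueInstant="2015-11-04T10:00:01Z" InResponseTo="_req1">'
    '<saml:Issuer>https://sp.example/saml/metadata</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:LogoutResponse></soapenv:Body></soapenv:Envelope>')
SAMPLE_RESPONSE_FAILED = SAMPLE_RESPONSE_OK.replace(
    "urn:oasis:names:tc:SAML:2.0:status:Success", "urn:oasis:names:tc:SAML:2.0:status:Requester")
```

In practice the envelope is POSTed with `Content-Type: text/xml` to the SP's SOAP-binding `SingleLogoutService` location from its metadata; on the IdP side, treat anything other than a `Success` status (or a non-SOAP reply such as a redirect) as a failed logout for that SP and log it, rather than assuming the session was terminated.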


Re: [Dev] [DEV] [IS] [user-mgt] Secondary user store domain name case sensitive for scim PATCH operation

2015-10-23 Thread Indunil Upeksha Rathnayake
Hi Kavitha,

Thanks for reporting this issue. Created the JIRA [1] for this and will be
looking into it.

[1] https://wso2.org/jira/browse/IDENTITY-3928

Thanks and Regards
--
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [Vote] Release WSO2 Carbon Kernel 4.4.2 RC1

2015-10-04 Thread Indunil Upeksha Rathnayake
Hi,

As per my understanding of the non-durable subscription flow in MB, when
adding a subscription for a topic (ex: topic1), it will create an internal
role if topic1 does not exist. After adding an internal role, it'll add
permissions to the role such as publish, subscribe etc. This will update
the UM_PERMISSION and UM_ROLE_PERMISSION tables. In the UM_PERMISSION table it
will add a resourceId per topic. And the role created for a topic will be
deleted, along with the permissions available to it, when all the subscriptions
for the same topic are disconnected. So the row-level changes in
UM_PERMISSION will occur when adding and deleting a topic.

When adding a topic, an INSERT statement in the UM_PERMISSION table will place
an exclusive lock on rows until it has been committed (or rolled back).
There, a SELECT might be blocked, since in the meantime this
subscription in another node will be accessing permissions for the same
topic in the UM_PERMISSION table, considering that the permissions are
available since the role is created for the topic. But the deadlock occurs
in the "addAuthorizationForRole" method in the JDBCAuthorizationManager class,
where it adds permissions for the role. Two nodes can't be adding and
giving permissions to the same topic, so this can't be row-level
locking and has to be table-level locking. When deleting a topic,
another subscription for the same topic can't exist, so in that scenario
also row-level locking can't occur due to a SELECT, but table-level
locking can exist.

This may be the reason that this works for Oracle but not for MSSQL, and can
be because of the Lock Escalation available in SQL Server or, as in [1],
because some versions of SQL Server don't support row-level locking. Please
refer to [1] for the difference in locking mechanisms between Oracle and SQL
Server.

If the reason behind this is lock escalation, it can be avoided by
introducing a proper indexing mechanism. And "WITH (NOLOCK)" or "WITH
(READPAST)" can also be useful in MSSQL to avoid deadlocks, but they'll lead
to invalid results or dirty reads. So as Tharindu mentioned, the best way
to avoid this may be removing the changes done to the UM_PERMISSION table.

[1]
https://docs.oracle.com/cd/E10405_01/appdev.120/e10379/ss_oracle_compared.htm#i1038519

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [Vote] Release WSO2 Carbon Kernel 4.4.2 RC1

2015-09-28 Thread Indunil Upeksha Rathnayake
Hi Manuri,

The fix is done; it works for Oracle and is currently being tested for MSSQL.
Soon after testing for MSSQL finishes, I will commit the changes to the master
and 4.4.x branches.

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [Vote] Release WSO2 Carbon Kernel 4.4.2 RC1

2015-09-24 Thread Indunil Upeksha Rathnayake
Hi,

The deadlock issue (https://wso2.org/jira/browse/MB-1326) comes up in Oracle
and MSSQL in clearResourceAuthorizations, where permissions are deleted in the
UM_ROLE_PERMISSIONS, UM_USER_PERMISSIONS and UM_PERMISSION tables in
one transaction. The fix would be to use cascade delete for the above tables.

But I think another issue (foreign key constraint violation) may come up
in addAuthorizationForRole, as in the following example scenario. Ex: Node1 may
retrieve the permission entry in the UM_PERMISSION table (in
addAuthorizationForRole()), and just after that node2 may delete the entry
(in clearResourceAuthorizations()); after that, when node1 tries to
delete & add permissions in UM_ROLE_PERMISSIONS (in
addAuthorizationForRole()), it will return the above exception since the entry
in UM_PERMISSION is already deleted.
I think the fix needs to be: if the UM_ROLE_PERMISSIONS and UM_PERMISSION tables
are going to be updated, first lock both tables until all the required
operations are finished. Then meanwhile another node can't delete any
entries.

Please provide your opinions regarding this.

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
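The interleaving described in the message above, and the lock-escalation discussion in the reply further up, as an added T-SQL illustration that is not code from the thread or from the Carbon kernel. Table names follow the thread; the column names (UM_ID, UM_RESOURCE_ID, UM_ACTION, UM_PERMISSION_ID, UM_ROLE_NAME, UM_IS_ALLOWED), the foreign key and the sample values are assumed. The last part shows a row-level alternative to locking both tables whole: holding the parent row with UPDLOCK/HOLDLOCK until the transaction ends.

```sql
-- Added illustration (assumed column names, assumed FK from
-- UM_ROLE_PERMISSIONS.UM_PERMISSION_ID to UM_PERMISSION.UM_ID).

-- Session A: node1 in addAuthorizationForRole()
BEGIN TRANSACTION;
-- (1) Look up the permission row for the topic resource.
SELECT UM_ID
  FROM UM_PERMISSION
 WHERE UM_RESOURCE_ID = 'topic/orders' AND UM_ACTION = 'subscribe';
-- assume this returns UM_ID = 42 (constructed sample value)

-- Session B: node2 in clearResourceAuthorizations(), interleaves here.
-- (With cascade delete, only the last DELETE would be issued.)
BEGIN TRANSACTION;
DELETE FROM UM_ROLE_PERMISSIONS WHERE UM_PERMISSION_ID = 42;
DELETE FROM UM_USER_PERMISSIONS WHERE UM_PERMISSION_ID = 42;
DELETE FROM UM_PERMISSION       WHERE UM_ID = 42;
COMMIT;

-- Session A continues with the now-stale id 42:
DELETE FROM UM_ROLE_PERMISSIONS
 WHERE UM_PERMISSION_ID = 42 AND UM_ROLE_NAME = 'subscriber';
INSERT INTO UM_ROLE_PERMISSIONS (UM_PERMISSION_ID, UM_ROLE_NAME, UM_IS_ALLOWED)
VALUES (42, 'subscriber', 1);  -- fails: FK to UM_PERMISSION(UM_ID) violated
COMMIT;

-- Row-level alternative to a whole-table lock: keep an update lock on the
-- parent row (and a range lock, so a missing row is covered too) until this
-- transaction ends. A concurrent DELETE then waits instead of racing ahead,
-- and no dirty read is involved, unlike NOLOCK / READPAST.
BEGIN TRANSACTION;
SELECT UM_ID
  FROM UM_PERMISSION WITH (UPDLOCK, HOLDLOCK)
 WHERE UM_RESOURCE_ID = 'topic/orders' AND UM_ACTION = 'subscribe';
-- Session B's "DELETE FROM UM_PERMISSION WHERE UM_ID = 42" now blocks here
-- until this transaction commits, so the child insert sees a live parent.
DELETE FROM UM_ROLE_PERMISSIONS
 WHERE UM_PERMISSION_ID = 42 AND UM_ROLE_NAME = 'subscriber';
INSERT INTO UM_ROLE_PERMISSIONS (UM_PERMISSION_ID, UM_ROLE_NAME, UM_IS_ALLOWED)
VALUES (42, 'subscriber', 1);
COMMIT;
```

Because every writer takes the parent-row lock first in the same order, two nodes authorizing the same topic queue up rather than deadlock; the lock escalation the later reply describes is still possible if the SELECT is unindexed and touches many rows.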


Re: [Dev] [Vote] Release WSO2 Carbon Kernel 4.4.2 RC1

2015-09-22 Thread Indunil Upeksha Rathnayake
Hi Kasun,

I'll work on the issue and provide a fix ASAP. The ETA for the fix is as
follows.
Best Case Estimate: 24/09/2015
Most Likely Estimate: 25/09/2015
Worst Case Estimate: 26/09/2015

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com


[Dev] Please review and merge PR for IDENTITY-3423

2015-08-16 Thread Indunil Upeksha Rathnayake
Hi,

Please review and merge the PR [1] as the fix for the public JIRA [2] that
relates to [3].

[1] https://github.com/wso2/carbon4-kernel/pull/386
[2] https://wso2.org/jira/browse/IDENTITY-3423
[3] https://wso2.org/jira/browse/MB-1128

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com


[Dev] Please review and merge PR for IDENTITY-3042

2015-08-11 Thread Indunil Upeksha Rathnayake
Hi,

Please review and merge the PRs [1] and [2] as the fix for the public JIRA
[3].

[1] https://github.com/wso2/carbon4-kernel/pull/378
[2] https://github.com/wso2/carbon-identity/pull/791
[3] https://wso2.org/jira/browse/IDENTITY-3042

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com


[Dev] Please review and merge PR for IDENTITY-3102

2015-08-11 Thread Indunil Upeksha Rathnayake
Hi,

Please review and merge the PR [1] as the fix for the public JIRA [2].

[1] https://github.com/wso2/carbon-identity/pull/780
[2] https://wso2.org/jira/browse/IDENTITY-3102

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com


[Dev] Please review and merge PR for IDENTITY-2781

2015-08-11 Thread Indunil Upeksha Rathnayake
Hi,

Please review and merge the PR [1] as the fix for the public JIRA [2].

[1] https://github.com/wso2/carbon-identity/pull/776
[2] https://wso2.org/jira/browse/IDENTITY-2781

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com


[Dev] Please review and merge PR for IDENTITY-3488

2015-08-06 Thread Indunil Upeksha Rathnayake
Hi,

Please $subject. The PR [1] is the fix for the public JIRA [2].

[1] https://github.com/wso2/carbon-identity/pull/751
[2] https://wso2.org/jira/browse/IDENTITY-3488

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com


[Dev] Please review and merge PR for IDENTITY-3380

2015-07-18 Thread Indunil Upeksha Rathnayake
Hi,

Please $subject. The PR [1] is the fix for the public JIRA [2].

[1] https://github.com/wso2/carbon-identity/pull/639
[2] https://wso2.org/jira/browse/IDENTITY-3380

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com


[Dev] Please review and merge PR for IDENTITY-3395

2015-07-14 Thread Indunil Upeksha Rathnayake
Hi,

Please $subject. The PR [1] is the fix for the public JIRA [2].

[1] https://github.com/wso2/balana/pull/16
[2] https://wso2.org/jira/browse/IDENTITY-3395

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com


[Dev] Please review and merge PR for IDENTITY-2827

2015-07-09 Thread Indunil Upeksha Rathnayake
Hi,

Please $subject. The PR [1] is the fix for the public JIRA [2].

[1] https://github.com/wso2/carbon-identity/pull/589
[2] https://wso2.org/jira/browse/IDENTITY-2827

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com


[Dev] Please review and merge PR for IDENTITY-3095

2015-07-06 Thread Indunil Upeksha Rathnayake
Hi,
Please $subject. The PR [1] is the fix for the public JIRA [2].

[1] https://github.com/wso2/carbon-identity/pull/570
[2] https://wso2.org/jira/browse/IDENTITY-3095

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com


Re: [Dev] Please review and merge the PR for IDENTITY-2900

2015-07-05 Thread Indunil Upeksha Rathnayake
Hi,
Please $subject. The PR [1] is the fix for the Google, Yahoo and Windows Live
authenticators in the public JIRA [2].

[1] https://github.com/wso2/carbon-identity/pull/556
[2] https://wso2.org/jira/browse/IDENTITY-2900

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com


Re: [Dev] Please review and merge the PR for IDENTITY-2900

2015-07-05 Thread Indunil Upeksha Rathnayake
Hi Johann,
I'll look into those and resolve the merge conflicts.

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com


[Dev] Please review and merge the PR for IDENTITY-2900

2015-07-04 Thread Indunil Upeksha Rathnayake
Hi,
Please $subject. The PR [1] is the fix for the public JIRA [2].

[1] https://github.com/wso2/carbon-identity/pull/552
[2] https://wso2.org/jira/browse/IDENTITY-2900

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com


Re: [Dev] WSO2 Committers += Pumudu Ruhunage

2015-06-29 Thread Indunil Upeksha Rathnayake
Hi,
Congratz Pumudu. :)

Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile  +94713695179


Re: [Dev] Fwd: Creating the carbon UI component

2015-06-29 Thread Indunil Upeksha Rathnayake
Hi Jane,
The folder where component.xml resides in the UI component has to be
renamed to META-INF. And please check whether the name of the parent-menu
is valid or not.

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile  +94713695179


Re: [Dev] WSO2 Committers += Maheeka Jayasuriya

2015-06-29 Thread Indunil Upeksha Rathnayake
Hi Maheeka,
Congratzz.. :)

Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile  +94713695179


Re: [Dev] error in running ESB sample 153

2015-06-29 Thread Indunil Upeksha Rathnayake
Hi Rukshan,
If you are using Java 1.7, use the unlimited strength policy files in [1].

[1]
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile  +94713695179


Re: [Dev] WSO2 Committers += Dinithi De Silva

2015-05-28 Thread Indunil Upeksha Rathnayake
Hi Dinithi,

Congratzzz.. :D
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile  +94713695179


Re: [Dev] WSO2 Committers += Himasha Guruge

2015-05-27 Thread Indunil Upeksha Rathnayake
Congratz Himasha.!!!

-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile  +94713695179


Re: [Dev] WSO2 Committers += Vinuri Perera

2015-04-27 Thread Indunil Upeksha Rathnayake
Congratulations Vinuri !!

Best Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile  +94713695179


Re: [Dev] [IS] Error in building IS from the source

2015-04-21 Thread Indunil Upeksha Rathnayake
Hi Malithi,

The maven version I am using is 3.0.5. Hope that is not the issue.

Best Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile  +94713695179


[Dev] [IS] Error in building IS from the source

2015-04-20 Thread Indunil Upeksha Rathnayake
Hi all,

The following error occurs when trying to build IS from the source. I have
built chunk11 by getting the source from [1], and also tried to build it
after building orbit and all the kernel patches, but I still get the same
error. Please help me to fix this.

[ERROR] Failed to execute goal
org.wso2.maven:carbon-p2-plugin:1.5.3:p2-profile-gen
(3-p2-profile-generation) on project identity-profile-gen: P2 publisher
return code was 13 - [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute
goal org.wso2.maven:carbon-p2-plugin:1.5.3:p2-profile-gen
(3-p2-profile-generation) on project identity-profile-gen: P2 publisher
return code was 13

[1]
https://svn.wso2.com/wso2/custom/projects/projects/carbon/turing/platform/trunk/

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile  +94713695179


Re: [Dev] WSO2 Committers += Malithi Edirisinghe

2015-03-28 Thread Indunil Upeksha Rathnayake
Congratz Malithi!!! :)

Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile  +94713695179


Re: [Dev] WSO2 Committers += Amila Godwin Shrimal

2015-03-28 Thread Indunil Upeksha Rathnayake
Congratz Godwin!

Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile  +94713695179


Re: [Dev] WSO2 Committers += Hemika Kodikara

2015-03-22 Thread Indunil Upeksha Rathnayake
Congratz Hemika!!! :)

Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile  +94713695179

