Re: Authorisation with Syncope 2.x

2016-07-12 Thread Adrian Gonzalez
Hi Fabio,
I was thinking about creating my own apps (let's say PhotoGalleryApp).
With a service like:

    @PreAuthorize("hasRole('photo.read')")
    public Photo find(Long id) {
        ..bla
    }

    @PreAuthorize("hasRole('photo.update')")
    public Photo update(Photo photo) {
        ..bla
    }
}

This is really a basic sample (it won't be CRUDs only). How can I customize 
Syncope in order to have photo.read and photo.update, for instance?
Moreover, I'm not at ease if customisation requires code modification for each 
new entitlement since I'm gonna have a lot of apps.
Thanks for your insights,
Adrian

From: Fabio Martelli
To: user@syncope.apache.org
Sent: Tuesday 12 July 2016 12:03
Subject: Re: Authorisation with Syncope 2.x
   

Re: Authorisation with Syncope 2.x

2016-07-12 Thread Fabio Martelli

On 11/07/2016 16:27, Adrian Gonzalez wrote:

Hello, Sorry once more :(

Hi Adrian, do not apologize.
Thank you, instead. Reporting and interaction in public ML is always 
welcome.

See below for my comments.

Best regards,
F.



I would like to use Syncope in my app (using Spring Security) for user 
authentication and authorisation.


I would like to know if mapping GrantedAuthority to Syncope's role is 
the way to go?

I'm a bit lost, since there's also the notion of entitlements and groups.

In fact, when I look into Syncope's code, I see:

    @PreAuthorize("hasRole('" + StandardEntitlement.ROLE_CREATE + "')")
    public RoleTO create(final RoleTO roleTO) {

So I would say I should use entitlements and not roles.


You have to use the entitlements.
You can assign entitlements to a user by assigning them to a role and a 
role to the user: the user owning that role will own those entitlements.


This is the standard for Apache Syncope.
Therefore you can think of adding your own authorization method for some 
customizations. Please, if you do it this way, do it carefully.


But entitlements appear to be fixed (in the StandardEntitlement class) and 
for Syncope 'internal' use [1] and [2] (aka checking if the user has the right 
to perform an action on Syncope - and not checking if the user has the right 
to perform an action on whatever application).


Exactly! BTW you can perform some customization in order to extend the 
set of entitlements in order to use them to authorize access to some 
custom REST methods provided for your specific aims.


This customization is not simple but feasible if strongly required.



Thanks,
Adrian

P.S. Using Syncope 2.0.0-M2

[1] 
http://syncope-user.1051894.n5.nabble.com/Entitlements-how-do-we-create-change-these-tp5707009p5707010.html
entitlements are not meant to be extended: their primary 
purpose is to define security constraints on RESTful methods.


[2] 
https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization



--
Fabio Martelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

Apache Syncope PMC
http://people.apache.org/~fmartelli/
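
To make the model in Fabio's reply concrete, here is an added example in plain Java; it is not code from this thread and not Syncope's own code. A user is assigned roles, each role carries a set of entitlements, and the user ends up owning the union of them; each service method is then guarded by an exact match on an entitlement name such as photo.read, which is the decision a hasRole('photo.read')-style annotation delegates to (whether a framework prefixes authority names before comparing is a configuration matter not covered here, so plain-string comparison is an assumption). The role names, the entitlement catalogue and the users are constructed sample data, and the entitlements are data entries rather than StandardEntitlement constants, so a new one is a new entry, not a code change.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added illustration (not Syncope code): user -> roles -> entitlements, then an
// entitlement check in front of each service method.
public class EntitlementAuthorization {

    // Role name -> entitlements it grants. Constructed sample data; in a real
    // deployment this comes from the identity store, not from hard-coded constants.
    static final Map<String, Set<String>> ROLE_ENTITLEMENTS = Map.of(
            "photo-viewer", Set.of("photo.read"),
            "photo-editor", Set.of("photo.read", "photo.update"),
            "album-admin", Set.of("album.create", "album.delete"));

    // Username -> roles assigned to that user. Constructed sample data.
    static final Map<String, List<String>> USER_ROLES = Map.of(
            "alice", List.of("photo-editor"),
            "bob", List.of("photo-viewer", "album-admin"),
            "carol", List.of());

    // The user owns the union of the entitlements of every role assigned to it.
    // Unknown users and unknown roles contribute nothing: deny by default.
    static Set<String> grantedAuthorities(String username) {
        Set<String> authorities = new TreeSet<>();
        for (String role : USER_ROLES.getOrDefault(username, List.of())) {
            authorities.addAll(ROLE_ENTITLEMENTS.getOrDefault(role, Set.of()));
        }
        return Collections.unmodifiableSet(authorities);
    }

    // Exact-match check on the entitlement name (assumed plain-string comparison).
    static boolean hasEntitlement(String username, String entitlement) {
        return grantedAuthorities(username).contains(entitlement);
    }

    // Guarded service methods standing in for the PhotoGalleryApp service.
    static String findPhoto(String caller, long id) {
        require(caller, "photo.read");
        return "photo#" + id;
    }

    static String updatePhoto(String caller, long id) {
        require(caller, "photo.update");
        return "updated photo#" + id;
    }

    private static void require(String caller, String entitlement) {
        if (!hasEntitlement(caller, entitlement)) {
            throw new SecurityException(caller + " lacks entitlement " + entitlement);
        }
    }

    public static void main(String[] args) {
        // "mallory" is not in the store at all and therefore gets no entitlement.
        for (String user : List.of("alice", "bob", "carol", "mallory")) {
            System.out.println(user + " -> " + grantedAuthorities(user));
        }
        System.out.println(findPhoto("bob", 7));      // bob holds photo.read via photo-viewer
        System.out.println(updatePhoto("alice", 7));  // alice holds photo.update via photo-editor
        try {
            updatePhoto("bob", 7);                    // bob holds no photo.update
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The point the example makes is the one Fabio states: the authority a caller presents is the entitlement, not the role, so the guard on each method names the entitlement it needs and nothing else; roles are only the grouping through which entitlements reach a user. Keeping the catalogue as data is what removes the per-entitlement code change Adrian is worried about.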



Re: Custom attributes for roles in syncope 2.x

2016-07-12 Thread Fabio Martelli

On 11/07/2016 15:52, Adrian Gonzalez wrote:

Hello,

I would like to know if there's a way to define custom attributes for 
roles (such as for User and Groups).


I'm using syncope 2.0.0.M2.

Thanks,
Adrian


Hi Adrian, unfortunately there is no way to add attributes to roles.
Kind regards,
F.

--
Fabio Martelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

Apache Syncope PMC
http://people.apache.org/~fmartelli/



Re: Realm Provisioning

2016-07-12 Thread Jonas Israelsson



On 12/07/16 07:24, Fabio Martelli wrote:

Hi Jonas, I'm happy to see you have solved your issues.
International characters should be supported by templates. If you have 
some trouble using them please open a new issue on jira.
I was more thinking about the realm names. If trying to create a realm 
with a name outside "A-Z 0-9" (such as custo-mer or räksmörgås) it 
complains about

malformed path.

Is this limitation intentional? It's not really a big issue. I was 
thinking of placing each customer in a realm, but that name can by all 
means be mapped to overcome this issue.
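
Jonas mentions mapping customer names onto names the realm validator accepts. As an added example, not from the thread and not Syncope code, the Java snippet below does that mapping: it strips diacritics, keeps only the characters the thread reports as accepted (A-Z and 0-9; the exact validator rule is not on the page, so treating that as the allowed set is an assumption) and appends a short SHA-256-derived suffix so that two customers whose names differ only in rejected characters, such as custo-mer and custo_mer, do not collapse into the same realm. The customer names are constructed samples.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.text.Normalizer;
import java.util.Locale;
import java.util.regex.Pattern;

// Added illustration (not Syncope code): derive a realm-safe name from an
// arbitrary customer name. Allowed charset A-Z 0-9 is taken from the thread
// and is an assumption about the actual validator.
public class RealmNameMapper {

    private static final Pattern ALLOWED = Pattern.compile("[A-Z0-9]+");
    private static final Pattern DISALLOWED = Pattern.compile("[^A-Z0-9]");
    private static final Pattern COMBINING_MARKS = Pattern.compile("\\p{M}+");

    // Pre-flight check mirroring the constraint the thread describes.
    static boolean isAllowedRealmName(String name) {
        return ALLOWED.matcher(name).matches();
    }

    // "räksmörgås" -> "RAKSMORGAS" + 8 hex chars; "custo-mer" -> "CUSTOMER" + 8 hex chars.
    static String toRealmName(String customerName) {
        // 1. Decompose accented letters (ä -> a + combining diaeresis) and drop the marks.
        String decomposed = Normalizer.normalize(customerName, Normalizer.Form.NFD);
        String ascii = COMBINING_MARKS.matcher(decomposed).replaceAll("");
        // 2. Upper-case with a fixed locale and remove every remaining disallowed character.
        String base = DISALLOWED.matcher(ascii.toUpperCase(Locale.ROOT)).replaceAll("");
        if (base.isEmpty()) {
            base = "CUSTOMER"; // nothing survived (e.g. a name in a non-Latin script)
        }
        // 3. Suffix derived from the original name so distinct inputs stay distinct.
        return base + shortHash(customerName);
    }

    // First four bytes of SHA-256 over the original name, as upper-case hex.
    private static String shortHash(String input) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < 4; i++) {
                hex.append(String.format("%02X", digest[i] & 0xFF));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every Java runtime", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample customer names, including the two from the thread.
        for (String name : new String[] {"custo-mer", "custo_mer", "räksmörgås", "Acme AB", "日本"}) {
            String realm = toRealmName(name);
            System.out.println(name + " -> " + realm + " (allowed: " + isAllowedRealmName(realm) + ")");
        }
    }
}
```

The mapping is deterministic, so the same customer always lands in the same realm, and the suffix is what makes it safe to strip characters: without it, the stripping step alone would silently merge customers whose names differ only in punctuation or accents.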