On 17/04/2012 12:28, Fabio Martelli wrote:
> On 17/apr/2012, at 11:58, Colm O hEigeartaigh wrote:
>
>> Hi all,
>>
>> A "resource" in Syncope is a remote directory of some sort where you
>> can propagate/synchronize attributes to/from.
>>
>> I'd like to consider an alternative definition of a "resource" in the
>> context of web services and if it's feasible or desirable to support
>> it.
>>
>> One can currently use Syncope to authenticate a web service request
>> (e.g. is the client's username/password valid) or for authorization,
>> where you can retrieve the authenticated client's roles, and check to
>> see whether one of these roles is allowed to access the local "resource"
>> the client is attempting to access.
>>
>> In other words, the application server must maintain a map of role
>> names to resources, where the resource could be a combination of WSDL
>> target namespace, service name and operation, or a URI. There may also
>> be a permission associated with this mapping such as "read", "write"
>> or "execute", etc. Many IDM solutions can accept a resource as a
>> String or URI, so the question is whether this is something we should
>> add to the roadmap for Syncope or not?
>>
>> The advantage of adding this kind of functionality to Syncope is that
>> all identity and access management is done with the same product,
>> instead of having to use Syncope for authentication/retrieving-roles,
>> and use something else to find out whether the authenticated user has
>> the correct permissions to access the local resource.
>>
>> Thoughts? How would this kind of functionality work with Syncope?
>
> Hi Colm, if I understood well, you are suggesting to equip Syncope with some
> Access Management functionalities, right?
> IMO this is a good idea and, looking at your proposal, probably not so
> complicated to implement.
>
> Actually Syncope is still too far away from acting as a complete Access Manager
> but, for certain scenarios, what you described above could be sufficient.
> For example, I was thinking of a web resource protected by something like an
> agent that interacts with Syncope to allow or deny access to its contents.
>
> I agree with you, I'd like to extend the roadmap by adding this kind of AM
> features.

Colm (and Fabio), this sounds like a very nice idea: nowadays the boundaries
between pure IdM and pure AM don't make much sense anymore.
Why don't we empower something we have "in house" like Apache Shiro as a
starting base for providing upcoming Syncope AM features?

Regards.

--
Francesco Chicchiriccò

Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/
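As an added illustration (not Syncope's or Shiro's code) of the role-to-resource check Colm describes: resources are modelled either as a WSDL target namespace/service/operation or as a URI, grants carry "read"/"write"/"execute" permissions, and the decision is deny by default. The policy table, the namespace and the '*'/prefix matching grammar are constructed here (loosely modelled on Shiro-style wildcard permissions); the role list is assumed to come from the IdM side after authentication.

```python
from typing import Dict, FrozenSet, Iterable, List, Tuple

# A resource is an ordered tuple of parts:
#   ("ws", target_namespace, service, operation)  for a SOAP operation
#   ("uri", "/reports/daily")                     for a URI
Resource = Tuple[str, ...]
# A grant pairs a resource pattern with the permissions it allows.
# In a pattern, '*' matches any single part, and a pattern shorter than
# the resource matches whatever trailing parts the resource has.
Grant = Tuple[Resource, FrozenSet[str]]
Policy = Dict[str, List[Grant]]  # role name -> grants


def soap_operation(target_namespace: str, service: str, operation: str) -> Resource:
    return ("ws", target_namespace, service, operation)


def uri_resource(uri: str) -> Resource:
    return ("uri", uri)


def pattern_matches(pattern: Resource, resource: Resource) -> bool:
    """Part-by-part comparison; extra resource parts are implied by a shorter pattern."""
    if len(pattern) > len(resource):
        return False
    return all(p == "*" or p == r for p, r in zip(pattern, resource))


def is_authorized(policy: Policy, roles: Iterable[str], resource: Resource, permission: str) -> bool:
    """Deny by default: allow only if some held role grants `permission` on a matching pattern."""
    for role in roles:
        for pattern, perms in policy.get(role, []):  # unknown roles grant nothing
            if pattern_matches(pattern, resource) and permission in perms:
                return True
    return False


# Constructed sample policy (hypothetical namespace, services and roles).
NS = "http://example.org/accounts"
POLICY: Policy = {
    "teller": [
        (soap_operation(NS, "AccountService", "getBalance"), frozenset({"execute"})),
        (uri_resource("/reports/daily"), frozenset({"read"})),
    ],
    "admin": [
        (("ws", NS, "AccountService"), frozenset({"execute"})),  # any operation of the service
        (("uri",), frozenset({"read", "write"})),                 # any URI
    ],
}
```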
