On 17 Apr 2012, at 12:47, Colm O hEigeartaigh wrote:

> Hi all,
>
>> you are suggesting to equip Syncope with some Access Management
>> functionalities, right?
>
> Yep exactly.
>
>> Why don't we empower something we have "in house" like Apache Shiro
>> as a starting base for providing upcoming Syncope AM features?
>
> Sounds good to me.
Great! Would you like to update the roadmap wiki page?

F.

> Colm.
>
> 2012/4/17 Francesco Chicchiriccò <[email protected]>:
>> On 17/04/2012 12:28, Fabio Martelli wrote:
>>> On 17 Apr 2012, at 11:58, Colm O hEigeartaigh wrote:
>>>
>>>> Hi all,
>>>>
>>>> A "resource" in Syncope is a remote directory of some sort where you
>>>> can propagate/synchronize attributes to/from.
>>>>
>>>> I'd like to consider an alternative definition of a "resource" in the
>>>> context of web services and if it's feasible or desirable to support
>>>> it.
>>>>
>>>> One can currently use Syncope to authenticate a web service request
>>>> (e.g. is the client's username/password valid) or for authorization,
>>>> where you can retrieve the authenticated client's roles, and check to
>>>> see whether one of these roles is allowed to access the local "resource"
>>>> the client is attempting to access.
>>>>
>>>> In other words, the application server must maintain a map of role
>>>> names to resources, where the resource could be a combination of WSDL
>>>> target namespace, service name and operation, or a URI. There may also
>>>> be a permission associated with this mapping such as "read", "write"
>>>> or "execute", etc. Many IDM solutions can accept a resource as a
>>>> String or URI, so the question is whether this is something we should
>>>> add to the roadmap for Syncope or not?
>>>>
>>>> The advantage of adding this kind of functionality to Syncope is that
>>>> all identity and access management is done with the same product,
>>>> instead of having to use Syncope for authentication/retrieving-roles,
>>>> and use something else to find out whether the authenticated user has
>>>> the correct permissions to access the local resource.
>>>>
>>>> Thoughts? How would this kind of functionality work with Syncope?
>>> Hi Colm, if I understood correctly, you are suggesting to equip Syncope with
>>> some Access Management functionalities, right?
>>> IMO this is a good idea and, looking at your proposal, probably not so
>>> complicated to implement.
>>>
>>> Actually Syncope is still too far away to act as a complete Access
>>> Manager but, for certain scenarios, what you described above could be
>>> sufficient.
>>> For example, I was thinking of a web resource protected by something like
>>> an agent that interacts with Syncope to allow or deny access to its contents.
>>>
>>> I agree with you, I'd like to extend the roadmap by adding this kind of AM
>>> features.
>>
>> Colm (and Fabio),
>> this sounds like a very nice idea: nowadays the boundaries between pure
>> IdM and pure AM don't make much sense anymore.
>>
>> Why don't we empower something we have "in house" like Apache Shiro
>> as a starting base for providing upcoming Syncope AM features?
>>
>> Regards.
>>
>> --
>> Francesco Chicchiriccò
>>
>> Apache Cocoon PMC and Apache Syncope PPMC Member
>> http://people.apache.org/~ilgrosso/
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
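
The role-to-resource map described in the first message of this thread, sketched as an added example: it is not part of the thread and is not Syncope or Shiro code. Class, role and resource names and the sample grants are hypothetical; exact-match lookup with default deny is an assumption, and Java 16 or later is assumed for records.

```java
import java.util.*;

// Added illustration: the map an application server would consult after the
// client has been authenticated and its roles retrieved.
// All names and sample values below are hypothetical.
public class RoleResourceMap {

    enum Permission { READ, WRITE, EXECUTE }

    // A resource is either a URI or a WSDL target namespace + service name +
    // operation, normalised to a single string key.
    record Resource(String key) {
        static Resource uri(String uri) { return new Resource("uri:" + uri); }
        static Resource wsOperation(String ns, String service, String op) {
            return new Resource("ws:{" + ns + "}" + service + "#" + op);
        }
    }

    // role name -> resource -> permissions granted on that resource
    private final Map<String, Map<Resource, Set<Permission>>> grants = new HashMap<>();

    void grant(String role, Resource res, Permission... perms) {
        grants.computeIfAbsent(role, r -> new HashMap<>())
              .computeIfAbsent(res, r -> EnumSet.noneOf(Permission.class))
              .addAll(Arrays.asList(perms));
    }

    // Default deny: access is allowed only when a role held by the client has
    // an explicit grant for this exact resource and permission.
    boolean isAllowed(Collection<String> roles, Resource res, Permission perm) {
        for (String role : roles) {
            Set<Permission> perms = grants.getOrDefault(role, Map.of()).get(res);
            if (perms != null && perms.contains(perm)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        RoleResourceMap acl = new RoleResourceMap();
        Resource getQuote = Resource.wsOperation(
                "http://example.org/stock", "StockService", "getQuote"); // constructed
        Resource admin = Resource.uri("/services/admin");                // constructed
        acl.grant("employee", getQuote, Permission.EXECUTE);
        acl.grant("manager", admin, Permission.READ, Permission.WRITE);

        List<String> roles = List.of("employee"); // roles retrieved for the client
        System.out.println("getQuote/EXECUTE: " + acl.isAllowed(roles, getQuote, Permission.EXECUTE));
        System.out.println("admin/READ:       " + acl.isAllowed(roles, admin, Permission.READ));
        System.out.println("no roles:         " + acl.isAllowed(List.of(), getQuote, Permission.EXECUTE));
    }
}
```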
