directory-fortress mailing list archives

From Shawn McKinney <smckin...@apache.org>
Subject Re: [Bulk] Apache Fortress REST API
Date Mon, 20 Apr 2015 14:03:29 GMT

> On Apr 20, 2015, at 8:01 AM, Oleksandr Bodriagov (Polystar) <oleksandr.bodriagov@polystar.com> wrote:
> 
> I have a question concerning Fortress' REST API. The only example I have
> found is "EmTest.java" in directory-fortress-enmasse.
> Our use case is as follows. We have a few RESTful web services to which we
> would like to control access using Fortress + LDAP with users/groups and
> our own OAuth2.0 token provider/access control server. Our permissions in
> this case would be something like:
>  - read data from https://server1.com/whatever
>  - modify report at https://server2.com/profile/whatever
>  - read report at https://server2.com/profile/whatever
> 
> So, we have operations {read, modify, delete, …} and objects
> {https://server1.com/whatever, https://server2.com/profile/whatever, …}.
> Our token provider receives a request for the OAuth token that represents
> permissions of the requesting user. To answer this question, the token
> provider, using a fortress-rest-user account, should authenticate the
> requesting user (using this user's username/password) against Fortress and
> then get user permissions from Fortress using REST API.
> How can it be done? I have found HttpIds.PERM_READ and HttpIds.USER_READ. Am
> I on the right track?
> AccessMgrRestImpl seems to be doing what we need, but what do the corresponding
> HTTP requests look like?
> I would be really grateful for any help.

Hello Oleksandr,

To get all permissions for a particular user call sessionPermissions.  This returns a collection
of all permissions for the user’s activated role set.

To check a single permission for a particular user call checkAccess.  This simply returns
true or false.

Both require sending the session object document that was returned on createSession.  

I can anticipate the need to enhance this interaction by allowing the rest server to hold
onto the user’s rbac session for a configurable amount of time.  This would make things
easier on the client at the expense of requiring the server to be stateful.  Will speed things
up on throughput while making the server-side heavier with memory.  WDYT?

Shawn
smckinney@apache.org
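The three-call flow Shawn describes (createSession, then sessionPermissions or checkAccess with the session document sent back each time), sketched as an added example that is not part of this thread and not Apache Fortress code. The `FortressStandIn` class is a constructed in-memory imitation with made-up users, roles and grants; a real token provider would instead POST to the Fortress REST endpoints. Signing the session document with an HMAC is my assumption about how a stateless server can trust a document the client hands back, not a description of how Fortress encodes its session.

```python
"""Token-provider flow over an RBAC session (constructed example, not Fortress)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    obj_name: str   # e.g. https://server2.com/profile/whatever
    op_name: str    # e.g. read / modify / delete


class FortressStandIn:
    """Constructed stand-in: users with passwords and roles, role -> permission grants."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)      # key used to sign session documents
        # constructed sample data: user -> (password, assigned roles)
        self._users = {"alice": ("s3cret", {"analyst", "editor"}),
                       "bob": ("hunter2", {"analyst"})}
        # constructed sample data: role -> granted (object, operation) pairs
        self._grants = {
            "analyst": {Permission("https://server1.com/whatever", "read"),
                        Permission("https://server2.com/profile/whatever", "read")},
            "editor": {Permission("https://server2.com/profile/whatever", "modify")},
        }

    def create_session(self, user_id, password):
        """Authenticate the user, activate all assigned roles, return a session document."""
        stored_pw, roles = self._users.get(user_id, (None, set()))
        if stored_pw is None or not hmac.compare_digest(stored_pw, password):
            raise PermissionError("authentication failed")
        body = {"userId": user_id, "activatedRoles": sorted(roles)}
        payload = json.dumps(body, sort_keys=True).encode()
        mac = hmac.new(self._secret, payload, hashlib.sha256).hexdigest()
        # The client must send this whole document back on every later call.
        return {"payload": body, "mac": mac}

    def _verify(self, session):
        """Reject a session document that was altered or issued by someone else."""
        payload = json.dumps(session["payload"], sort_keys=True).encode()
        expected = hmac.new(self._secret, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, session["mac"]):
            raise PermissionError("tampered or foreign session document")
        return session["payload"]["activatedRoles"]

    def session_permissions(self, session):
        """All permissions granted to the session's activated role set."""
        perms = set()
        for role in self._verify(session):
            perms |= self._grants.get(role, set())
        return sorted(perms, key=lambda p: (p.obj_name, p.op_name))

    def check_access(self, session, obj_name, op_name):
        """True iff some activated role grants (obj_name, op_name)."""
        return Permission(obj_name, op_name) in self.session_permissions(session)


def scopes_for_user(server, user_id, password):
    """Token-provider step: authenticate, then fold permissions into OAuth-style scopes."""
    session = server.create_session(user_id, password)
    return [f"{p.op_name}:{p.obj_name}" for p in server.session_permissions(session)]


if __name__ == "__main__":
    server = FortressStandIn()
    print(scopes_for_user(server, "alice", "s3cret"))
    sess = server.create_session("bob", "hunter2")
    print(server.check_access(sess, "https://server2.com/profile/whatever", "modify"))
```

The point the stand-in makes concrete is the one in the reply: with a stateless server the session document is the only state, so the client must carry it on each call and the server must be able to trust it without a lookup. Holding the session server-side for a configurable time, as Shawn proposes, removes that round-trip payload at the cost of per-session memory on the server.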

