directory-fortress mailing list archives

From "Oleksandr Bodriagov (Polystar)" <oleksandr.bodria...@polystar.com>
Subject Re: [Bulk] Apache Fortress REST API
Date Mon, 20 Apr 2015 14:57:02 GMT
Hi Shawn,

Thank you very much for your answer! I think I get it now more or less.
Please correct me if I am wrong.
1) I make a POST request to URL =
"http://<server>:<port>/fortress-rest-1.0-RC40-SNAPSHOT/rbacCreate" with
"createSession.xml" that looks like
<FortRequest>
    <contextId>HOME</contextId>
    <entity xsi:type="user"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <userId>someuser</userId>
        <password>userpwd</password>
    </entity>
</FortRequest>

As a response I get the session object document that describes a session
for the user defined in "createSession.xml" if and only if this user was
successfully authenticated.

2) Using the session object document, I make another POST request to URL =
"http://<server>:<port>/fortress-rest-1.0-RC40-SNAPSHOT/rbacPerms" and get
back a document describing all permissions for the user.

After getting all permissions for the user from Fortress, the OAuth2.0 token
provider creates a self-contained, digitally signed JSON Web Token that
describes all the user's permissions and that is valid for some period of
time. This token is returned to the client, and the client can use it (until
it expires) to access different resource servers.

I think, in this case, we do not really have trouble with throughput
because the client will ask for a new token only after the current token
expires. It would be different if we were doing steps (1)+(2) every time a
client requested some resource from a resource server. By the way, how
many (1)+(2) requests can Fortress handle at the same time?

Is it possible to have the definitions of users & groups on one LDAP server and
the definitions of roles/permissions/objects on another LDAP server?

/Oleksandr

On 20/4/2015 16:03 , "Shawn McKinney" <smckinney@apache.org> wrote:

>
>> On Apr 20, 2015, at 8:01 AM, Oleksandr Bodriagov (Polystar)
>> <oleksandr.bodriagov@polystar.com> wrote:
>> 
>> I have a question concerning Fortress' REST API. The only example I have
>> found is "EmTest.java" in directory-fortress-enmasse.
>> Our use case is as follows. We have a few RESTful web services to which we
>> would like to control access using Fortress + LDAP with users/groups and
>> our own OAuth2.0 token provider/access control server. Our permissions in
>> this case would be something like:
>>  - read data from https://server1.com/whateever
>>  - modify report at https://server2.com/profile/whatever
>>  - read report at https://server2.com/profile/whatever
>> 
>> So, we have operations {read, modify, delete, …} and objects
>> {https://server1.com/whateever, https://server2.com/profile/whatever, …}.
>> Our token provider receives a request for the OAuth token that represents
>> the permissions of the requesting user. To answer this question, the token
>> provider, using a fortress-rest-user account, should authenticate the
>> requesting user (using this user's username/password) against Fortress and
>> then get user permissions from Fortress using the REST API.
>> How can it be done? I have found HttpIds.PERM_READ, HttpIds.USER_READ. Am
>> I on the right track?
>> AccessMgrRestImpl seems to be doing what we need, but what do the
>> corresponding HTTP requests look like?
>> I would be really grateful for any help.
>
>Hello Oleksandr,
>
>To get all permissions for a particular user call sessionPermissions.
>This returns a collection of all permissions for the user's activated
>role set.
>
>To check a single permission for a particular user call checkAccess.
>This simply returns true or false.
>
>Both require sending the session object document that was returned on
>createSession.
>
>I can anticipate the need to enhance this interaction by allowing the
>rest server to hold onto the user's rbac session for a configurable
>amount of time.  This would make things easier on the client at the
>expense of requiring the server to be stateful.  Will speed things up on
>throughput while making the server-side heavier with memory.  WDYT?
>
>Shawn
>smckinney@apache.org
>
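Added example, not code from this thread or from the Fortress project: the client-side flow the message above lays out, in Python 3 standard library only. It builds the createSession FortRequest document from step (1), packs the permission list that step (2) would return into a self-contained signed token with an expiry, and shows a resource server verifying that token and evaluating one permission without going back to Fortress. The HTTP transport to rbacCreate/rbacPerms is left out so the example runs offline. Assumptions not on the page: the permission shape `{"objName", "opName"}`, the HS256 compact-JWS token format, and the demo key.

```python
"""Fortress session request + self-contained permission token (added example)."""
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("xsi", XSI)


def build_create_session_request(context_id: str, user_id: str, password: str) -> str:
    """Step (1): the createSession FortRequest body quoted in the thread.
    Building it with ElementTree instead of string concatenation means a
    password containing '<', '&' or a stray tag is escaped rather than
    changing the structure of the document sent to Fortress."""
    req = ET.Element("FortRequest")
    ET.SubElement(req, "contextId").text = context_id
    entity = ET.SubElement(req, "entity", {"{%s}type" % XSI: "user"})
    ET.SubElement(entity, "userId").text = user_id
    ET.SubElement(entity, "password").text = password
    return ET.tostring(req, encoding="unicode")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_permission_token(user_id: str, permissions: list, key: bytes,
                          now: int, ttl_seconds: int) -> str:
    """Token provider side: the permission list returned by step (2) goes
    into a compact JWS (HS256, an assumption of this example) with issued-at
    and expiry, so resource servers need no call to Fortress until it expires."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "iat": now, "exp": now + ttl_seconds,
              "perms": permissions}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_permission_token(token: str, key: bytes, now: int) -> dict:
    """Resource server side. The algorithm is pinned (never trusted from the
    header), the MAC is compared in constant time, and an expired token is
    rejected so the client has to go back through steps (1)+(2)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h + "." + c).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def is_permitted(claims: dict, obj_name: str, op_name: str) -> bool:
    """Authorisation decision at the resource server from the token alone."""
    return any(p["objName"] == obj_name and p["opName"] == op_name
               for p in claims["perms"])


if __name__ == "__main__":
    # Constructed sample data, not real credentials or a real Fortress response.
    print(build_create_session_request("HOME", "someuser", "p<ss&word"))
    perms = [{"objName": "https://server2.com/profile/whatever", "opName": "read"}]
    key = b"constructed-demo-key"
    tok = mint_permission_token("someuser", perms, key, now=1000, ttl_seconds=300)
    claims = verify_permission_token(tok, key, now=1100)
    print(is_permitted(claims, "https://server2.com/profile/whatever", "modify"))  # False
```

HS256 is used only because the standard library has no asymmetric signing; with several resource servers, as in the use case above, an asymmetric JWS algorithm is the better fit, since each resource server then holds only the public key and a compromised resource server cannot mint tokens. The expiry check is what makes the throughput argument hold: a client is forced back through steps (1)+(2) exactly once per token lifetime, so the token lifetime is the knob that trades Fortress load against how long a revoked permission stays usable.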