directory-fortress mailing list archives

From "Oleksandr Bodriagov (Polystar)" <>
Subject Re: [Bulk] [Bulk] Apache Fortress REST API
Date Mon, 20 Apr 2015 15:15:57 GMT
Thank you very much Shawn for your fast feedback :)


On 20/4/2015 17:07 , "Shawn McKinney" <> wrote:

>> On Apr 20, 2015, at 9:57 AM, Oleksandr Bodriagov (Polystar)
>><> wrote:
>> Hi Shawn,
>> Thank you very much for your answer! I think I get it now more or less.
>> Please correct me if I am wrong.
>> 1) I make a POST request to URL =
>> "http://<server>:<port>/fortress-rest-1.0-RC40-SNAPSHOT/rbacCreate" with
>> "createSession.xml" that looks like
>> <FortRequest>
>>    <contextId>HOME</contextId>
>>    <entity xsi:type="user"
>> xmlns:xsi="">
>>    <userId>someuser</userId>
>>    <password>userpwd</password>
>>    </entity>
>>   </FortRequest>
>> As a response I get the session object document that describes a session
>> for the user defined in "createSession.xml" if and only if this user was
>> successfully authenticated.
>Correct.  Failure will return something like this:
>HTTP/1.1 200 OK
>Server: Apache-Coyote/1.1
>Date: Mon, 20 Apr 2015 14:53:40 GMT
>Content-Type: application/xml
>Content-Length: 435
><?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>   <FortResponse>
>      <errorCode>1005</errorCode>
>      <errorMessage>getUser userId [jutsuser1] not found, Fortress
>      <entity xmlns:xsi=""
>      <isAuthorized xmlns:xsi=""
>      <session xmlns:xsi=""
>   </FortResponse
>> On Apr 20, 2015, at 9:57 AM, Oleksandr Bodriagov (Polystar)
>><> wrote:
>> 2) Using the session object document, I make another POST request to URL =
>> "http://<server>:<port>/fortress-rest-1.0-RC40-SNAPSHOT/rbacPerms" and
>> back a document describing all permissions for the user.
>> After getting all permissions for the user from Fortress, OAuth2.0 token
>> provider creates a self-contained digitally signed JSON Web token that
>> describes all user's permissions and that is valid for some period of
>> time. This token is returned to the client, and client can use it (until
>> it expires) to access different resource servers.
>> I think, in this case, we do not really have troubles with throughput
>> because the client will ask for a new token only after the current token
>> expires. It would be different if we were doing steps (1)+(2) every time a
>> client requested some resource from a resource server. By the way, how
>> many (1)+(2) requests can Fortress handle at the same time?
>Theoretically unlimited but in practice you will be bound by the HTTP
>server's (tomcat) ability to process concurrent threads, and of course
>the server's ability to do the xml serialization/deserialization.  I
>doubt we will come close to maxing the ldap server.  What is the max
>number of concurrent connections to Tomcat?  I'd think that number quite
>It would be a good idea to benchmark this.  I have the jmeter test cases,
>just need to run them.  I'll try to get around that in the next week or
>> On Apr 20, 2015, at 9:57 AM, Oleksandr Bodriagov (Polystar)
>><> wrote:
>> Is it possible to have definitions of users&groups on one LDAP server
>> definition of roles/permissions/objects on another LDAP server?
>Today, no.  Tomorrow anything is possible.  This isn't the first time I
>have been asked a question like this so it is worth considering adding as
>future enhancement.
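
Added example, not part of the original messages and not Fortress code: the failure response quoted in the thread arrives as "HTTP/1.1 200 OK", so a token provider has to decide on `errorCode`, not on the HTTP status, before it signs anything. The names `extract_session` and `FortressAuthError` are hypothetical, the sample bodies are constructed, and treating `errorCode` 0 as success is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample bodies; element names follow the FortResponse shown in the thread.
SUCCESS_BODY = (
    "<FortResponse><errorCode>0</errorCode>"
    "<session><userId>someuser</userId></session></FortResponse>"
)
FAILURE_BODY = (
    "<FortResponse><errorCode>1005</errorCode>"
    "<errorMessage>user not found (constructed text)</errorMessage>"
    "<session/></FortResponse>"
)


class FortressAuthError(Exception):
    """The response does not prove that createSession succeeded."""


def extract_session(http_status: int, body: str) -> ET.Element:
    """Return the <session> element only when authentication clearly succeeded.

    Fails closed: every ambiguous case raises, so the caller never mints a
    token from a response it could not positively verify.
    """
    if http_status != 200:
        raise FortressAuthError(f"unexpected HTTP status {http_status}")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise FortressAuthError("response is not well-formed XML") from exc
    if root.tag != "FortResponse":
        raise FortressAuthError(f"unexpected root element {root.tag!r}")

    code_text = (root.findtext("errorCode") or "").strip()
    # Assumption: 0 means success. A missing, non-numeric or non-zero code is a failure.
    if not code_text.isdigit() or int(code_text) != 0:
        message = (root.findtext("errorMessage") or "").strip()
        raise FortressAuthError(f"errorCode={code_text or 'missing'} {message}")

    session = root.find("session")
    # An empty <session/> can accompany an error, so require real content.
    if session is None or len(session) == 0:
        raise FortressAuthError("errorCode 0 but no session content")
    return session
```

Only the element returned here should be passed on to the rbacPerms request and, after that, to the step that signs the JSON Web token.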
