[Registry-dev] Authorization model of the registry

Paul Fremantle paul at wso2.com
Wed Jan 2 04:01:37 PST 2008 

Deepal

Do we have a simple way of configuring whether the registry is available 
on HTTP and HTTPS or just HTTPS?

Paul

Deepal Jayasinghe wrote:
> Hi all,
> 
> In our APP implementation does not have authorization  support and we
> need to implement that before the next release as well. So today we
> (Sanjiva , Chathura and I ) discussed about this can came up with the
> following general approach for the authorization.
> 
> Web app  (/web)
> ==============
>   - When we use this user is supposed to login in the registry and once
> the user login in the registry we create a secure registry. If the user
> does not login  in to the system then we treat the user as a the
> "anonymous" user. No matter what when we use the web application we will
> have the session object associate with the user and depending on the
> user role and role authorization  we can  control the user action. (For
> example if the user tries to perform an action which is not authorized
> to him then will throw an exception)
> 
> Accessing resource content (/resource/a/ab/c)
> ================================
>   - Here there are two approaches , first user tries to access a
> resource while he is having a valid session (meaning that he has login
> in the system using the web app). Then once he type the URL in the
> browser then if the user is authorized to access the resource then he
> will be able to access the resource , else he will get HTTP 401
>  - Second  when user try to browse the resource without login , then the
> content will be shown if the user is authorized to do so , else he will
> be giving a HTTP 401 with the challenge (asking to give the username and
> the password). If he does then at the server (servlet) will create a
> secure registry for that and handle the request.
>  
> APP (/atom)
> ============
> In this case if the user want to make the communication secure , (s)he
> can turn on the HTTPS in the serer side and provide the relevant data to
> the registry to send the user credential.
> 
> Second we can send the username and the password in the request as the
> authentication headers and retrieve that from the server side and 
> create a secure registry for the user. To implement this I looked in to
> abdera and found that we can send a header called "Authorization" and
> access that at the server side. However abdera does not have a way to
> give or retrieve the cookies, therefore we can not completely rely on
> abdera session management support. As a result of that we need to send
> this authorization header in each requests. I will implement the APP
> authorization support based on this approach and commit the code so that
> we can comment on that.
> 
> -Deepal
> 
> 
> _______________________________________________
> Registry-dev mailing list
> Registry-dev at wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/registry-dev
> 

-- 
Paul Fremantle
Co-Founder and VP of Technical Sales, WSO2
OASIS WS-RX TC Co-chair

Office: +1 646 290 8050
Cell: +44 798 447 4618

blog: http://pzf.fremantle.org
paul at wso2.com

"Oxygenating the Web Service Platform", www.wso2.com

More information about the Registry-dev mailing list