[Registry-dev] Authorization model of the registry

Sanjiva Weerawarana sanjiva at wso2.com
Wed Jan 2 18:13:32 PST 2008 

The thing I like about this approach is that we've figured out a way to 
cleanly marry basic auth (which is critical for programmatic HTTP access) 
and auth via a form, which is important for nice UI access. Very cool.

Deepal- can you send a note to abdera-dev about the lack of HTTP session 
support and ask whether they have plans to implement it? Its really simple 
to do it .. so if they're not doing it we can do it and give a patch. 
Let's go ahead by implementing it with by sending the Authorization header 
each time, but that's expensive on the server side as we'll have to 
re-authenticate every single time.

Sanjiva.

Deepal Jayasinghe wrote:
> Hi all,
> 
> In our APP implementation does not have authorization  support and we
> need to implement that before the next release as well. So today we
> (Sanjiva , Chathura and I ) discussed about this can came up with the
> following general approach for the authorization.
> 
> Web app  (/web)
> ==============
>   - When we use this user is supposed to login in the registry and once
> the user login in the registry we create a secure registry. If the user
> does not login  in to the system then we treat the user as a the
> "anonymous" user. No matter what when we use the web application we will
> have the session object associate with the user and depending on the
> user role and role authorization  we can  control the user action. (For
> example if the user tries to perform an action which is not authorized
> to him then will throw an exception)
> 
> Accessing resource content (/resource/a/ab/c)
> ================================
>   - Here there are two approaches , first user tries to access a
> resource while he is having a valid session (meaning that he has login
> in the system using the web app). Then once he type the URL in the
> browser then if the user is authorized to access the resource then he
> will be able to access the resource , else he will get HTTP 401
>  - Second  when user try to browse the resource without login , then the
> content will be shown if the user is authorized to do so , else he will
> be giving a HTTP 401 with the challenge (asking to give the username and
> the password). If he does then at the server (servlet) will create a
> secure registry for that and handle the request.
>  
> APP (/atom)
> ============
> In this case if the user want to make the communication secure , (s)he
> can turn on the HTTPS in the serer side and provide the relevant data to
> the registry to send the user credential.
> 
> Second we can send the username and the password in the request as the
> authentication headers and retrieve that from the server side and 
> create a secure registry for the user. To implement this I looked in to
> abdera and found that we can send a header called "Authorization" and
> access that at the server side. However abdera does not have a way to
> give or retrieve the cookies, therefore we can not completely rely on
> abdera session management support. As a result of that we need to send
> this authorization header in each requests. I will implement the APP
> authorization support based on this approach and commit the code so that
> we can comment on that.
> 
> -Deepal
> 
> 
> _______________________________________________
> Registry-dev mailing list
> Registry-dev at wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/registry-dev
> 

-- 
Sanjiva Weerawarana, Ph.D.
Founder, Chairman & CEO; WSO2, Inc.; http://www.wso2.com/
email: sanjiva at wso2.com; cell: +1 650 265 8311 | +94 77 787 6880

"Oxygenating the Web Service Platform."

More information about the Registry-dev mailing list