[Registry-dev] Authorization model of the registry

Sanjiva Weerawarana sanjiva at wso2.com
Wed Jan 2 18:16:40 PST 2008


We do have one other choice: we can force the login form to be done over 
HTTPS. However, I don't think we should do that, as that'll mean people 
can't try the reg simply by dropping it into a stock Tomcat (right?).

For the remote API, we just need to document that if you want your 
password to be encrypted on the wire (who wouldn't?) then you must talk to 
the registry over HTTPS.

We need to spend some time on designing the docs structure for the registry.

Sanjiva.

Paul Fremantle wrote:
> I understand.
> 
> We need to start a documentation page or wiki about security, where we 
> explain to users that they MUST configure HTTPS to make this secure.
> 
> Paul
> 
> Deepal Jayasinghe wrote:
>>> Deepal
>>>
>>> Do we have a simple way of configuring whether the registry is
>>> available on HTTP and HTTPS or just HTTPS?
>>>
>> Nope, however if you enable HTTPS in the application server then you
>> will automatically get HTTPS support. Not only that, I do not see a
>> way to configure HTTPS inside the registry.
>>
>> -Deepal
>>> Paul
>>>
>>> Deepal Jayasinghe wrote:
>>>> Hi all,
>>>>
>>>> Our APP implementation does not have authorization support, and we
>>>> need to implement that before the next release as well. So today we
>>>> (Sanjiva, Chathura and I) discussed this and came up with the
>>>> following general approach for authorization.
>>>>
>>>> Web app  (/web)
>>>> ==============
>>>>   - When we use this, the user is supposed to log in to the registry, and
>>>> once the user logs in we create a secure registry. If the user does not
>>>> log in to the system, then we treat the user as the "anonymous" user.
>>>> No matter what, when we use the web application we will have the session
>>>> object associated with the user, and depending on the user role and role
>>>> authorization we can control the user's actions. (For example, if the
>>>> user tries to perform an action which he is not authorized to perform,
>>>> then we will throw an exception.)
>>>>
>>>> Accessing resource content (/resource/a/ab/c)
>>>> ================================
>>>>   - Here there are two approaches. First, the user tries to access a
>>>> resource while having a valid session (meaning that he has logged in to
>>>> the system using the web app). Then, once he types the URL in the
>>>> browser, if the user is authorized to access the resource he will be
>>>> able to access it, else he will get HTTP 401.
>>>>  - Second, when the user tries to browse the resource without logging
>>>> in, the content will be shown if the user is authorized to do so, else
>>>> he will be given an HTTP 401 with the challenge (asking for the username
>>>> and the password). If he provides them, then the server (servlet) will
>>>> create a secure registry for that and handle the request.
>>>>  
>>>> APP (/atom)
>>>> ============
>>>> In this case, if the user wants to make the communication secure, (s)he
>>>> can turn on HTTPS on the server side and provide the relevant data to
>>>> the registry to send the user credentials.
>>>>
>>>> Second, we can send the username and the password in the request as the
>>>> authentication headers, retrieve that on the server side and create a
>>>> secure registry for the user. To implement this I looked into Abdera
>>>> and found that we can send a header called "Authorization" and access
>>>> that on the server side. However, Abdera does not have a way to give or
>>>> retrieve cookies, therefore we cannot completely rely on Abdera's
>>>> session management support. As a result, we need to send this
>>>> authorization header in each request. I will implement the APP
>>>> authorization support based on this approach and commit the code so
>>>> that we can comment on it.
>>>>
>>>> -Deepal
>>>>
>>>>
>>>> _______________________________________________
>>>> Registry-dev mailing list
>>>> Registry-dev at wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/registry-dev
>>>>
>>
>>
>>
>>
> 

-- 
Sanjiva Weerawarana, Ph.D.
Founder, Chairman & CEO; WSO2, Inc.; http://www.wso2.com/
email: sanjiva at wso2.com; cell: +1 650 265 8311 | +94 77 787 6880

"Oxygenating the Web Service Platform."
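The thread settles on two mechanisms: a per-request "Authorization" header for the Atom/APP endpoint (because the Abdera client cannot carry cookies), and a 401 challenge for unauthenticated access to /resource paths, with HTTPS left to the application server. The block below is an added example, not code from the thread or from the WSO2 Registry; it models that server-side decision in Python with a constructed user table, role table and per-path permission table (all hypothetical, as is the `REALM` string). It shows the three points the discussion turns on: the anonymous fallback when no header is present, the `WWW-Authenticate` challenge on a 401, and the fact that Basic credentials are merely base64-encoded, so the handler refuses them on a plain-HTTP connection unless the deployer explicitly opts in.

```python
import base64
import binascii
import hashlib
import hmac

REALM = "WSO2 Registry"          # hypothetical realm name for the challenge
ANONYMOUS = "anonymous"

# Constructed user store: username -> (salt, PBKDF2-SHA256 digest).
# The real registry would consult its user manager; this table is made up.
_SALT = b"constructed-fixed-salt"


def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {"admin": (_SALT, _digest(_SALT, "admin-secret"))}

# Constructed roles and path permissions: path -> method -> roles allowed.
ROLES = {"admin": {"admin"}, ANONYMOUS: {"everyone"}}
PERMISSIONS = {
    "/resource/a/ab/c": {"GET": {"everyone"}, "PUT": {"admin"}},
    "/atom/private": {"GET": {"admin"}, "PUT": {"admin"}},
}


def build_basic_header(username: str, password: str) -> str:
    """Client side: the header an Abdera-style client must attach to every
    request, since it has no cookie jar to hold a session."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header):
    """Return (username, password) from a Basic header, or None if the header is
    absent or malformed. Note that this is plain decoding, not decryption: anyone
    who sees the header on an HTTP connection can recover the password this way."""
    if not header:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, pwd = raw.partition(":")   # password may itself contain ':'
    return user, pwd


def authenticate(creds):
    """Map parsed credentials to a principal: ANONYMOUS when none were sent,
    the username when they verify, None when they fail."""
    if creds is None:
        return ANONYMOUS
    user, pwd = creds
    record = USERS.get(user)
    if record is None:
        _digest(_SALT, pwd)            # keep timing similar for unknown users
        return None
    salt, digest = record
    return user if hmac.compare_digest(_digest(salt, pwd), digest) else None


def handle(method, path, headers, is_https, allow_credentials_over_http=False):
    """Server side for /resource and /atom requests. Returns (status, headers, body)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = headers.get("Authorization")
    if auth and not is_https and not allow_credentials_over_http:
        # Base64 is not encryption; do not accept a password sent in the clear.
        return 403, {}, "credentials must be sent over HTTPS"
    creds = parse_basic_header(auth)
    if auth and creds is None:
        return 400, {}, "malformed Authorization header"
    principal = authenticate(creds)
    if principal is None:
        return 401, challenge, "bad credentials"
    allowed = PERMISSIONS.get(path, {}).get(method, set())
    if ROLES.get(principal, set()) & allowed:
        return 200, {}, f"{method} {path} as {principal}"
    if principal == ANONYMOUS:
        return 401, challenge, "authentication required"   # ask for credentials
    return 403, {}, "forbidden"     # authenticated, but the role does not permit it
```

One deliberate departure from the thread's description: an authenticated user who lacks the role gets 403 rather than 401, since re-challenging a client that has already proved who it is only invites it to resend the same credentials. The `allow_credentials_over_http` flag is where the "try it on a stock Tomcat" convenience lives; the secure default is to leave it off and document, as Paul suggests, that HTTPS is required.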


