[Pki-devel] [PATCH]136 - initial framework for restful interfaces for managing profiles

[Ade Lee]

Great find on the Session variable.

Agreed on all of the below.  I will fix in separate subsequent patches.
Pushing the current patch to master now.

Ade
On Mon, 2013-07-22 at 08:30 -0500, Endi Sukma Dewata wrote:
> On 7/19/2013 8:44 AM, Ade Lee wrote:
> > GET /profiles and then in the method itself determine whether or not I
> > have already logged in (I will have a principal) and return different
> > results accordingly.
> >
> > Right now, that is not working.  The only way that I can guarantee that
> > client auth takes place and the credential is provided is by putting in
> > a security constraint that requires /profiles/* to use client
> > authentication.  But then, I cannot do GET /profiles without
> > authentication.  It seems clientAuth=want is not working.
> 
> Some comments:
> 
> 1. It looks like the current clientAuth setting is fine, but the SSL 
> authenticator needs to be configured to use session. See the 
> alwaysUseSession parameter in this page: 
> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html. I posted 
> patch #278 to add this parameter.
> 
> Then the security constraint can be configured without <auth-constraint> 
> to allow anonymous access:
> 
>      <security-constraint>
>          <web-resource-collection>
>              <web-resource-name>Profiles</web-resource-name>
>              <url-pattern>/rest/profiles/*</url-pattern>
>          </web-resource-collection>
>          <user-data-constraint>
>              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>          </user-data-constraint>
>      </security-constraint>
> 
> I've tested this with profile-find, it will return different number of 
> results depending on the authentication. This way we won't need to use 
> separate agent/admin interface.
> 
> 2. For the profile-find output, I think it would be useful to show some 
> basic info such as profile name and description in addition to the ID 
> and URL.
> 
> 3. The profile-show command stores the entire profile into an output 
> file, it doesn't show anything to the screen. I think it would be useful 
> and more consistent to show the profile summary such as id, name, 
> description, input and output attribute names, URL. Then people can 
> optionally specify --output download the entire file.
> 
> 4. Does the profile subsystem support renaming a profile? The 
> profile-mod may need to take 2 parameters: the old profile name and an 
> input file containing the new profile name and the new attributes.
> 
> 5. Some methods in ProfileService would catch and swallow the exception. 
> It might be better for now to throw a generic exception or just don't 
> catch at all. This way the client will know if there's an error. In the 
> future we can revisit the code to throw more specific errors.
>