[Pki-devel] [PATCH]136 - initial framework for restful interfaces for managing profiles
Ade Lee
alee at redhat.com
Mon Jul 22 15:12:01 UTC 2013
Great find on the Session variable.
Agreed on all of the below. I will fix in separate subsequent patches.
Pushing the current patch to master now.
Ade
On Mon, 2013-07-22 at 08:30 -0500, Endi Sukma Dewata wrote:
> On 7/19/2013 8:44 AM, Ade Lee wrote:
> > GET /profiles and then in the method itself determine whether or not I
> > have already logged in (I will have a principal) and return different
> > results accordingly.
> >
> > Right now, that is not working. The only way that I can guarantee that
> > client auth takes place and the credential is provided is by putting in
> > a security constraint that requires /profiles/* to use client
> > authentication. But then, I cannot do GET /profiles without
> > authentication. It seems clientAuth=want is not working.
>
> Some comments:
>
> 1. It looks like the current clientAuth setting is fine, but the SSL
> authenticator needs to be configured to use session. See the
> alwaysUseSession parameter in this page:
> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html. I posted
> patch #278 to add this parameter.
>
> Then the security constraint can be configured without <auth-constraint>
> to allow anonymous access:
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Profiles</web-resource-name>
> <url-pattern>/rest/profiles/*</url-pattern>
> </web-resource-collection>
> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
>
> I've tested this with profile-find, it will return different number of
> results depending on the authentication. This way we won't need to use
> separate agent/admin interface.
>
> 2. For the profile-find output, I think it would be useful to show some
> basic info such as profile name and description in addition to the ID
> and URL.
>
> 3. The profile-show command stores the entire profile into an output
> file, it doesn't show anything to the screen. I think it would be useful
> and more consistent to show the profile summary such as id, name,
> description, input and output attribute names, URL. Then people can
> optionally specify --output download the entire file.
>
> 4. Does the profile subsystem support renaming a profile? The
> profile-mod may need to take 2 parameters: the old profile name and an
> input file containing the new profile name and the new attributes.
>
> 5. Some methods in ProfileService would catch and swallow the exception.
> It might be better for now to throw a generic exception or just don't
> catch at all. This way the client will know if there's an error. In the
> future we can revisit the code to throw more specific errors.
>
More information about the Pki-devel
mailing list