Hi Javier,

You'll get your certificate by Monday, sorry for the delay.

I'll first reply to the 2nd question: technically, you can use the same certificate for all proxies. This is fine at least for demo/prototyping. From a security perspective, in a real-world scenario I would strongly recommend using different keys (and therefore different certificates), especially if the proxies are on different hosts/platforms, for various reasons: lower risk/impact if one key is compromised, more fine-grained and reliable identification/authorization/accounting, etc.

For the 1st question (I will give you the "domainId" to be replaced in the URL paths below when I give you the signed certificate later):

· Example for first solution using CURL:

    POST /authzforce/domains/{domainId}/pdp HTTP/1.1
    Content-Type: application/xml; charset=UTF-8
    Accept: application/xml
    ...(other common headers)...

    <?xml version='1.0' encoding='UTF-8' standalone='yes'?>
    <Request xmlns='urn:oasis:names:tc:xacml:2.0:context:schema:os'>
      <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute AttributeId="urn:thalesgroup:xacml:oauth:token" DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>eyJhbGciOiJIUzI1NiJ9.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._GHiRmq1g7vp8MgetsjHWRfUOPJfW47-K_QZCiGzKbw</AttributeValue>
        </Attribute>
      </Subject>
      <Resource>
        <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:resource:resource-id' DataType='http://www.w3.org/2001/XMLSchema#string'>
          <AttributeValue>http://mymagnificentapp/new_issue/</AttributeValue>
        </Attribute>
      </Resource>
      <Action>
        <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:action:action-id' DataType='http://www.w3.org/2001/XMLSchema#string'>
          <AttributeValue>POST</AttributeValue>
        </Attribute>
      </Action>
      <Environment />
    </Request>

· Example for second solution using CURL (the 'subject-id' attribute is not required but may be useful information for accounting purposes on the PDP side):

    POST /authzforce/domains/{domainId}/pdp HTTP/1.1
    Content-Type: application/xml; charset=UTF-8
    Accept: application/xml
    ...(other common headers)...

    <?xml version='1.0' encoding='UTF-8' standalone='yes'?>
    <Request xmlns='urn:oasis:names:tc:xacml:2.0:context:schema:os'>
      <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:subject:subject-id' DataType='http://www.w3.org/2001/XMLSchema#string'>
          <AttributeValue>joe</AttributeValue>
        </Attribute>
        <Attribute AttributeId='urn:oasis:names:tc:xacml:2.0:subject:role' DataType='http://www.w3.org/2001/XMLSchema#string'>
          <AttributeValue>TicketIssuer</AttributeValue>
          <AttributeValue>TeamManager</AttributeValue>
        </Attribute>
      </Subject>
      <Resource>
        <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:resource:resource-id' DataType='http://www.w3.org/2001/XMLSchema#string'>
          <AttributeValue>http://mymagnificentapp/new_issue/</AttributeValue>
        </Attribute>
      </Resource>
      <Action>
        <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:action:action-id' DataType='http://www.w3.org/2001/XMLSchema#string'>
          <AttributeValue>POST</AttributeValue>
        </Attribute>
      </Action>
      <Environment />
    </Request>

--
Cyril DANGERVILLE, Thales Services
FI-WARE WP8 Security Chapter
Access Control GE Owner
Thales R&T
Campus Polytechnique
1, avenue Augustin Fresnel
91767 Palaiseau cedex
France
Office: +33 (0)1 69 41 59 66
Fax: +33 (0)1 69 41 55 63

From: fiware-api-cross-bounces at lists.fi-ware.eu [mailto:fiware-api-cross-bounces at lists.fi-ware.eu] On behalf of javier cerviño
Sent: Wednesday 24 July 2013 13:13
To: Fiware-api-cross at lists.fi-ware.eu
Subject: [Fiware-api-cross] Question about

Hi Cyril,

As I told you in a separate email, we're finishing the development of the security Proxy at UPM. The last step is to make requests to the Access Control GE, but we have some questions:

- Regarding Juanjo's email, we can develop two different solutions. In the first one we can send you the OAuth token and you'll validate it against the IDM and then check the corresponding permissions. In the second one we can validate the OAuth token against the IDM and then send the user info (mainly roles) to the Access Control GE. Can you send us examples of both types of request? (one sends the OAuth token and the other the user roles)

- The other question is related to the certificates we have to use. We are implementing a centralized proxy that makes requests to the Access Control GE, but we're concerned about scalability, so we're thinking of installing one proxy per application. Could we use the same certificate for all the proxies we will use? If not, the best solution would be to use the centralized proxy.

Thank you!

Cheers,
Javier.
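The two request shapes discussed in the thread (OAuth token forwarded to the PDP, or roles resolved at the proxy and sent as subject attributes), together with parsing of the PDP's XACML 2.0 Response on the proxy side, as an added Python example. This is not code from the mail or from the AuthzForce project: only the attribute identifiers, resource and action values come from the examples above; the token value, the sample Responses and every function name are assumptions made here. The decision handling fails closed, which is the check a proxy author most often gets wrong: anything other than exactly one Result carrying Permit blocks the proxied call.

```python
"""XACML 2.0 request building and response parsing for an authorization proxy
talking to a PDP. Added example, not code from the original mail or from
AuthzForce. Attribute identifiers and the resource/action values are taken
from the mail's examples; the token, sample Responses and function names are
assumptions."""
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ATTR_TOKEN = "urn:thalesgroup:xacml:oauth:token"
ATTR_SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ATTR_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
ATTR_RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ATTR_ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Serialise with the XACML context namespace as the default namespace, as in
# the mail's examples, instead of an auto-generated ns0: prefix.
ET.register_namespace("", XACML_CTX)


def _q(local):
    """Qualified tag name in the XACML 2.0 context namespace."""
    return "{%s}%s" % (XACML_CTX, local)


def _attribute(parent, attr_id, values):
    """Append one <Attribute> with one <AttributeValue> per value. Values are
    set through the XML library, so a token or URL containing '<' or '&'
    cannot inject markup into the request (string templating would allow it)."""
    attr = ET.SubElement(parent, _q("Attribute"),
                         {"AttributeId": attr_id, "DataType": XS_STRING})
    for value in values:
        ET.SubElement(attr, _q("AttributeValue")).text = value


def _request(subject_attrs, resource_id, action_id):
    """subject_attrs: list of (attribute-id, [values]) for the access subject."""
    req = ET.Element(_q("Request"))
    subject = ET.SubElement(req, _q("Subject"), {"SubjectCategory": ACCESS_SUBJECT})
    for attr_id, values in subject_attrs:
        _attribute(subject, attr_id, values)
    _attribute(ET.SubElement(req, _q("Resource")), ATTR_RESOURCE_ID, [resource_id])
    _attribute(ET.SubElement(req, _q("Action")), ATTR_ACTION_ID, [action_id])
    ET.SubElement(req, _q("Environment"))
    return ET.tostring(req, encoding="unicode")


def build_token_request(oauth_token, resource_id, action_id):
    """First solution: the proxy forwards the raw OAuth token and the PDP
    validates it against the IdM itself."""
    return _request([(ATTR_TOKEN, [oauth_token])], resource_id, action_id)


def build_role_request(subject_id, roles, resource_id, action_id):
    """Second solution: the proxy has already validated the token and sends
    the resolved roles, plus the optional subject-id for accounting."""
    return _request([(ATTR_SUBJECT_ID, [subject_id]), (ATTR_ROLE, list(roles))],
                    resource_id, action_id)


def parse_decision(response_xml):
    """Return the PDP's Decision string, or 'Indeterminate' for anything that is
    not a <Response> with exactly one <Result> carrying a <Decision>. A
    single-resource request yields a single Result; anything else is an error."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return "Indeterminate"
    results = root.findall(_q("Result"))
    if root.tag != _q("Response") or len(results) != 1:
        return "Indeterminate"
    decision = results[0].find(_q("Decision"))
    if decision is None or not decision.text:
        return "Indeterminate"
    return decision.text.strip()


def is_permitted(response_xml):
    """Fail closed: only an explicit Permit authorises the proxied call.
    Deny, NotApplicable, Indeterminate and malformed responses all block it."""
    return parse_decision(response_xml) == "Permit"


# Constructed sample Responses in the XACML 2.0 context schema (not real PDP
# output), so the parser can be exercised offline.
SAMPLE_PERMIT = (
    '<Response xmlns="%s"><Result><Decision>Permit</Decision>'
    '<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>'
    '</Result></Response>' % XACML_CTX
)
SAMPLE_DENY = SAMPLE_PERMIT.replace("Permit", "Deny")

if __name__ == "__main__":
    print(build_role_request("joe", ["TicketIssuer", "TeamManager"],
                             "http://mymagnificentapp/new_issue/", "POST"))
    print(parse_decision(SAMPLE_PERMIT), is_permitted(SAMPLE_DENY))
```

The serialised request is what goes in the body of the POST to /authzforce/domains/{domainId}/pdp shown above; the proxy should treat the HTTP transport (the per-proxy client certificate discussed in the reply) and the Decision check as two separate gates, and deny when either fails.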