[Fiware-api-cross] Question about

javier cerviño jcervino at dit.upm.es
Fri Jul 26 14:35:45 CEST 2013


That's great! Thank you for the detailed info!


On 26 July 2013 14:27, DANGERVILLE Cyril
<cyril.dangerville at thalesgroup.com> wrote:

> Hi Javier,
>
> You’ll get your certificate by Monday, sorry for the delay.
>
> I’ll first reply to the 2nd question:
>
> Technically, you can use the same certificate for all proxies. This is
> fine at least for demo/prototyping. From a security perspective in a
> real-world scenario, I would strongly recommend using different keys (and
> therefore different certificates), especially if the proxies are on
> different hosts/platforms, for various reasons: lower risk/impact if one
> key is compromised, more fine-grained and reliable
> identification/authorization/accounting, etc.
>
> For the 1st question (I will give you the “domainId” to be replaced in
> URL paths below when I give you the signed certificate later):
>
> - Example for first solution using CURL:
>
> POST /authzforce/domains/{domainId}/pdp HTTP/1.1
> Content-Type: application/xml; charset=UTF-8
> Accept: application/xml
> …(other common headers)…
>
> <?xml version='1.0' encoding='UTF-8' standalone='yes'?>
> <Request xmlns='urn:oasis:names:tc:xacml:2.0:context:schema:os'>
>     <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
>         <Attribute AttributeId="urn:thalesgroup:xacml:oauth:token" DataType="http://www.w3.org/2001/XMLSchema#string">
>             <AttributeValue>eyJhbGciOiJIUzI1NiJ9.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._GHiRmq1g7vp8MgetsjHWRfUOPJfW47-K_QZCiGzKbw</AttributeValue>
>         </Attribute>
>     </Subject>
>     <Resource>
>         <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:resource:resource-id' DataType='http://www.w3.org/2001/XMLSchema#string'>
>             <AttributeValue>http://mymagnificentapp/new_issue/</AttributeValue>
>         </Attribute>
>     </Resource>
>     <Action>
>         <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:action:action-id' DataType='http://www.w3.org/2001/XMLSchema#string'>
>             <AttributeValue>POST</AttributeValue>
>         </Attribute>
>     </Action>
>     <Environment />
> </Request>
>
> - Example for second solution using CURL (the ‘subject-id’ attribute is
> not required but may be useful information for accounting purposes on
> the PDP side):
>
> POST /authzforce/domains/{domainId}/pdp HTTP/1.1
> Content-Type: application/xml; charset=UTF-8
> Accept: application/xml
> …(other common headers)…
>
> <?xml version='1.0' encoding='UTF-8' standalone='yes'?>
> <Request xmlns='urn:oasis:names:tc:xacml:2.0:context:schema:os'>
>     <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
>         <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:subject:subject-id' DataType='http://www.w3.org/2001/XMLSchema#string'>
>             <AttributeValue>joe</AttributeValue>
>         </Attribute>
>         <Attribute AttributeId='urn:oasis:names:tc:xacml:2.0:subject:role' DataType='http://www.w3.org/2001/XMLSchema#string'>
>             <AttributeValue>TicketIssuer</AttributeValue>
>             <AttributeValue>TeamManager</AttributeValue>
>         </Attribute>
>     </Subject>
>     <Resource>
>         <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:resource:resource-id' DataType='http://www.w3.org/2001/XMLSchema#string'>
>             <AttributeValue>http://mymagnificentapp/new_issue/</AttributeValue>
>         </Attribute>
>     </Resource>
>     <Action>
>         <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:action:action-id' DataType='http://www.w3.org/2001/XMLSchema#string'>
>             <AttributeValue>POST</AttributeValue>
>         </Attribute>
>     </Action>
>     <Environment />
> </Request>
>
> --
> Cyril DANGERVILLE, Thales Services
> FI-WARE WP8 Security Chapter
> Access Control GE Owner
>
> Thales R&T
> Campus Polytechnique
> 1, avenue Augustin Fresnel
> 91767 Palaiseau cedex
> France
> Office:     +33 (0)1 69 41 59 66
> Fax:        +33 (0)1 69 41 55 63
>
> From: fiware-api-cross-bounces at lists.fi-ware.eu
> [mailto:fiware-api-cross-bounces at lists.fi-ware.eu]
> On behalf of javier cerviño
> Sent: Wednesday 24 July 2013 13:13
> To: Fiware-api-cross at lists.fi-ware.eu
> Subject: [Fiware-api-cross] Question about
>
> Hi Cyril,
>
> As I told you in a separate email we're finishing the development of the
> security Proxy at UPM. The last step is to make requests to the Access
> Control GE, but we have some questions:
>
> - Regarding Juanjo's email, we can develop two different solutions. In the
> first one we can send you the OAuth token and you'll validate it against
> the IDM and then check the corresponding permissions. In the second one we
> can validate the OAuth token against the IDM and then send the user info
> (mainly roles) to the Access Control GE. Can you send us examples of both
> types of request? (one sends the OAuth token and the other the user roles).
>
> - The other question is related to the certificates we have to use. We are
> implementing a centralized proxy that makes requests to the Access Control
> GE, but we're concerned with scalability so we're thinking of installing
> one proxy per application. Could we use the same certificate for all
> proxies we will use? If not, the best solution would be to use the
> centralized proxy.
>
> Thank you!
>
> Cheers,
> Javier.
>
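
The two request shapes described in the thread (solution 1: the OAuth token as a subject attribute; solution 2: subject-id plus one role attribute with several values), built and posted from the proxy side with the proxy's own client certificate, as an added Python example that is neither part of this thread nor the Access Control GE's own code. The PDP host, the `{domainId}` value, the certificate paths and the sample response are placeholders; the response parsing follows the XACML 2.0 Response schema (Result/Decision), which the thread does not show.

```python
import http.client
import ssl
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ATTR_TOKEN = "urn:thalesgroup:xacml:oauth:token"         # solution 1: forward the OAuth token
ATTR_SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ATTR_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"  # solution 2: forward validated roles
ATTR_RESOURCE = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ATTR_ACTION = "urn:oasis:names:tc:xacml:1.0:action:action-id"

def q(tag):  # qualify a tag with the XACML 2.0 context namespace
    return "{%s}%s" % (XACML_CTX, tag)

def _attr(parent, attr_id, values):
    a = ET.SubElement(parent, q("Attribute"), AttributeId=attr_id, DataType=XSD_STRING)
    for v in values:  # several AttributeValues under one Attribute, as in the roles example
        ET.SubElement(a, q("AttributeValue")).text = v

def build_request(resource, action, token=None, subject_id=None, roles=()):
    """Solution 1 when token is given, solution 2 when roles are; returns the XML as bytes."""
    if bool(token) == bool(roles):
        raise ValueError("pass exactly one of token or roles")
    req = ET.Element(q("Request"))
    subj = ET.SubElement(req, q("Subject"), SubjectCategory=ACCESS_SUBJECT)
    if token:
        _attr(subj, ATTR_TOKEN, [token])
    else:
        if subject_id:  # optional; useful for accounting on the PDP side
            _attr(subj, ATTR_SUBJECT_ID, [subject_id])
        _attr(subj, ATTR_ROLE, list(roles))
    _attr(ET.SubElement(req, q("Resource")), ATTR_RESOURCE, [resource])
    _attr(ET.SubElement(req, q("Action")), ATTR_ACTION, [action])
    ET.SubElement(req, q("Environment"))
    ET.register_namespace("", XACML_CTX)  # emit a default xmlns instead of ns0: prefixes
    return ET.tostring(req, encoding="UTF-8", xml_declaration=True)

def decision(response_xml):
    """Read Result/Decision from a XACML 2.0 Response; anything but Permit is treated as Deny."""
    d = ET.fromstring(response_xml).findtext("./{%s}Result/{%s}Decision" % (XACML_CTX, XACML_CTX))
    return "Permit" if d == "Permit" else "Deny"

def ask_pdp(host, domain_id, request_xml, certfile, keyfile, cafile):
    """POST over mutual TLS with this proxy's own client certificate (placeholder paths)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)  # one key pair per proxy, as recommended in the thread
    conn = http.client.HTTPSConnection(host, context=ctx)
    conn.request("POST", "/authzforce/domains/%s/pdp" % domain_id, body=request_xml,
                 headers={"Content-Type": "application/xml; charset=UTF-8", "Accept": "application/xml"})
    resp = conn.getresponse()
    return decision(resp.read()) if resp.status == 200 else "Deny"  # fail closed on any error
```

Because `decision` maps NotApplicable, Indeterminate and malformed responses to Deny, a PDP outage or a misrouted request can never turn into an implicit grant at the proxy.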