[OTDev] A&A Test Drive / API Integration proposal

Andreas Maunz andreas at maunz.de
Sat May 1 12:27:46 CEST 2010


Dear all,

the Authentication and Authorization (A&A) infrastructure, as described 
here:
http://opentox.org/data/documents/development/Authentication%20and%20Authorization
is now completely integrated with Plone user management (i.e. users and 
groups are available in OpenSSO).

As indicated in the documentation, (a) authentication against OpenSSO 
should be done by the client application, while (b) authorization tasks 
against OpenSSO for resource and action combinations are done by the 
server.
Consequently, we would need API extensions to support these operations.

For (a), we need to transmit user credentials and obtain a token, while 
part (b) requires
1. client authorization request to the webservice,
2. authorization request confirmation from webservice to OpenSSO.

Operations (a) and (b2) are easily integrated based on the existing 
documentation (see above), while existing API methods must be extended 
by a token field in the query string to support (b1), and corresponding 
return code to the client (i.e. "Access Denied" if authorization failed).
Call for proposals: any ideas from the other developers how this could 
be implemented by extending the API?

Once a proposal is agreed upon, we could test-drive the 
OpenSSO/Plone-based installation. This should include
- management of policies via the documented REST interface
- a complete workflow, e.g. for restricted datasets in the ToxCreate / 
ToxPredict prototypes.

Currently not handled are privileges, i.e. who is allowed to create, 
modify, and delete policies. The most generic approach would be to 
re-use the existing Plone users and groups for this, but I would like to 
postpone this until after testing.

Best regards
Andreas
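The flow proposed above, sketched as an added example (not code from the OpenTox project or from the author): OpenSSO is replaced by an in-memory stub that issues tokens for credentials (a) and answers resource/action queries (b2), and a webservice handler reads the token from the query string and returns "Access Denied" on failure (b1). User names, passwords, the policy tuples, and the HTTP-method-to-action mapping are all constructed assumptions.

```python
# Added example, not part of the OpenTox code base.  OpenSSO itself is
# replaced by SsoStub; only the shape of the exchange is modelled.
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumed mapping of HTTP methods onto OpenSSO actions (constructed).
ACTIONS = {"GET": "read", "POST": "create", "PUT": "update", "DELETE": "delete"}


class SsoStub:
    """Stand-in for OpenSSO: issues tokens (a) and checks policies (b2)."""

    def __init__(self, users, policies):
        self._users = users        # username -> password (constructed data)
        self._policies = policies  # set of (user, resource, action) allowed
        self._tokens = {}          # opaque token -> username

    def authenticate(self, user, password):
        # (a) the client submits credentials and receives an opaque token
        expected = self._users.get(user)
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(16)
        self._tokens[token] = user
        return token

    def authorize(self, token, resource, action):
        # (b2) the server asks whether the token holder may perform the
        # action on the resource; unknown tokens are simply denied
        user = self._tokens.get(token)
        return user is not None and (user, resource, action) in self._policies


def handle_request(sso, method, url):
    """(b1) Webservice side: the token is an extra query-string field."""
    parts = urlsplit(url)
    resource = parts.path
    token = parse_qs(parts.query).get("token", [None])[0]
    if token is None:
        return 401, "Token required"
    action = ACTIONS.get(method)
    if action is None or not sso.authorize(token, resource, action):
        return 403, "Access Denied"
    return 200, f"{action} {resource} OK"


# Constructed sample data: one user who may only read one dataset.
SSO = SsoStub(users={"alice": "pw"}, policies={("alice", "/dataset/42", "read")})
```

Because the token travels in the query string, as proposed, it appears wherever request URLs are logged, so access-log handling on the webservice side needs to account for that.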