[OTDev] AA

Nina Jeliazkova nina at acad.bg
Thu Jun 17 16:59:18 CEST 2010


Hi All,

chung wrote:
> Sorry, I wasn't precise enough! I meant an OpenTox service. Nina had
> sent a file where the token was included in the URL like
> http://someserver.com/resource?tokenid=sglkglfnetc.... 
>
>   
Actually, in the current version of this file, the token is supported as both
a URI parameter and a header parameter. A form parameter is of course
another option, but then not all OpenTox API calls use web forms to post
data.

The advantage of the query/form parameter is that it is easy for testing, but
on the other hand it is impossible to provide for e.g. the HTTP DELETE operation
(at least in Restlet).

My preference is for having both header and URI parameters, with
the header parameter having priority.

Regards,
Nina

> @Andreas:
> In the documentation of AA services at
> http://opentox.org/dev/apis/api-1.1/AA it says about authorization that
> if the user is granted to perform the action the openSSO server replies
> with a status code 200 and a boolean (I guess true), otherwise the
> status code is 401 and the boolean should be false. So we have only two
> options:
>
> 200  + "boolean=true"
>
> or 
>
> 401 + "boolean=false"
>
> I have created the following policy:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Policies>
>     <Policy name="bibTexAllPolicy_1"
> createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
> lastmodifiedby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
> creationdate="1276785457819" lastmodifieddate="1276785457819"
> referralPolicy="false" active="true">
>         <Rule name="rule1">
>             <ServiceName name="iPlanetAMWebAgentService"/>
>             <ResourceName name="http://opentox.ntua.gr:3000/bibtex"/>
>             <AttributeValuePair>
>                 <Attribute name="POST"/>
>                 <Value>deny</Value>
>             </AttributeValuePair>
>             <AttributeValuePair>
>                 <Attribute name="GET"/>
>                 <Value>allow</Value>
>             </AttributeValuePair>
>             <AttributeValuePair>
>                 <Attribute name="DELETE"/>
>                 <Value>deny</Value>
>             </AttributeValuePair>
>             <AttributeValuePair>
>                 <Attribute name="PUT"/>
>                 <Value>deny</Value>
>             </AttributeValuePair>
>         </Rule>
>         <Subjects name="mySubjects" description="">
>             <Subject name="YAQPservice" type="LDAPUsers"
> includeType="inclusive">
>                 <AttributeValuePair>
>                     <Attribute name="Values"/>
>                     <Value>uid=YAQPservice, ou=groups,
> dc=opentox,dc=org</Value>
>                 </AttributeValuePair>
>             </Subject>
>             <Subject name="Sopasakis" type="LDAPUsers"
> includeType="inclusive">
>                 <AttributeValuePair>
>                     <Attribute name="Values"/>
>                     <Value>uid=Sopasakis, ou=groups,
> dc=opentox,dc=org</Value>
>                 </AttributeValuePair>
>             </Subject>
>         </Subjects>
>     </Policy>
> </Policies>
>
> and tried the following request:
>
> curl -i -d "uri=http://opentox.ntua.gr:3000/bibtex" -d "action=GET" \
>   -d "subjectid=AQIC5wM2LY4Sfcyf2W48%2FUFKeDRvZ2aEpCcaeK9bBI0NrpE%3D%40AAJTSQACMDE%3D%23" \
>   http://opensso.in-silico.ch/opensso/identity/authorize
>
> which should return 200+true but instead I get 200+false (?). What is
> this supposed to mean?
>
> Best regards,
> Pantelis
>
> On Thu, 2010-06-17 at 17:02 +0300, Luchesar V. ILIEV wrote:
>   
>> Sorry to interfere, but what service are we talking about?
>>
>> If we're talking about OT services (as opposed to the OpenSSO/Policy
>> services), then probably it's up to the service developers to decide.
>> And when we talk about uploading of data or requesting computations
>> that create new data, then, besides the token, we also need to provide
>> the desired policies to the service -- as we discussed on Friday.
>> Frankly, I'm not quite sure what would be the best approach to send
>> this information...
>>
>> L.
>>
>>
>> On Thu, Jun 17, 2010 at 16:54, Andreas Maunz <andreas at maunz.de> wrote:
>>     
>>> chung wrote on 06/17/2010 03:50 PM:
>>>       
>>>> Hi Andreas,
>>>>  How is the token supposed to be provided to a service: as a Header or a
>>>> form parameter?
>>>>         
>>> It works only in the combination of form parameter/POST.
>>>
>>> Andreas
>>> _______________________________________________
>>> Development mailing list
>>> Development at opentox.org
>>> http://www.opentox.org/mailman/listinfo/development
>>>
>>>       
>
>
>   
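
Added example, not part of the original message or of any OpenTox service code: a Python illustration of the scheme discussed in this thread, where a service accepts the token as a header or a URI parameter with the header taking priority, then asks OpenSSO `identity/authorize` for a decision and grants access only on 200 plus `boolean=true`. The header name `subjectid` and all function names are assumptions (the thread does not name the header); the sample tokens are constructed.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Assumption: the thread does not say what the token header is called.
TOKEN_HEADER = "subjectid"
# "tokenid" appears in the URL quoted in the thread, "subjectid" in the curl call.
TOKEN_QUERY_PARAMS = ("subjectid", "tokenid")


def resolve_token(headers, url):
    """Return the caller's token: header first, URI parameter as fallback.

    The header path also covers requests such as DELETE, where a form
    parameter cannot be supplied.
    """
    for name, value in headers.items():
        if name.lower() == TOKEN_HEADER and value.strip():
            return value.strip()
    query = parse_qs(urlsplit(url).query)  # percent-decodes the values
    for param in TOKEN_QUERY_PARAMS:
        if query.get(param):
            return query[param][0]
    return None


def authorize_form(resource_uri, action, token):
    """Form body for the identity/authorize POST shown in the thread."""
    return urlencode({"uri": resource_uri, "action": action, "subjectid": token})


def is_authorized(status, body):
    """Fail closed: allow only HTTP 200 together with boolean=true.

    A 200 carrying boolean=false (the case reported in the thread) is a deny,
    so the body has to be checked and not only the status code.
    """
    return status == 200 and body.strip().lower() == "boolean=true"


if __name__ == "__main__":
    # Constructed request: both transports present, the header wins.
    url = "http://someserver.com/resource?tokenid=uri-token"
    token = resolve_token({"SubjectID": "header-token"}, url)
    print(token)
    print(authorize_form("http://opentox.ntua.gr:3000/bibtex", "DELETE", token))
    print(is_authorized(200, "boolean=false\n"))
```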



